security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d14e287cdf91e2a8b995de5bfbc3fa8540c1922b
blue-team-tools/tools/config/winlogbeat-modules-enabled.yml
T

648 lines
27 KiB
YAML
Raw Normal View History

create winlogbeat config/taxonomy specific to elastic enabled winlogbeat modules such as the one for sysmon](https://github.com/elastic/beats/blob/master/x-pack/winlogbeat/module/security/config/winlogbeat-security.js) sigmac conversion
2019-10-01 10:16:42 -04:00
title: Elastic Winlogbeat (from 7.x) index pattern and field mapping following Elastic enabled Modules
order: 20
backends:
feat: update config files
2023-01-17 01:00:24 +01:00
- es-qs
- es-dsl
- es-rule
- es-rule-eql
- es-eql
- kibana
- kibana-ndjson
- xpack-watcher
- elastalert
- elastalert-dsl
- ee-outliers
create winlogbeat config/taxonomy specific to elastic enabled winlogbeat modules such as the one for sysmon](https://github.com/elastic/beats/blob/master/x-pack/winlogbeat/module/security/config/winlogbeat-security.js) sigmac conversion
2019-10-01 10:16:42 -04:00
logsources:
feat: update config files
2023-01-17 01:00:24 +01:00
windows:
product: windows
index: winlogbeat-*
windows-application:
product: windows
service: application
conditions:
winlog.channel: Application
windows-security:
product: windows
service: security
conditions:
winlog.channel: Security
windows-system:
product: windows
service: system
conditions:
winlog.channel: System
windows-sysmon:
product: windows
service: sysmon
conditions:
winlog.channel: 'Microsoft-Windows-Sysmon/Operational'
windows-powershell:
product: windows
service: powershell
conditions:
winlog.channel:
- 'Microsoft-Windows-PowerShell/Operational'
- 'PowerShellCore/Operational'
windows-classicpowershell:
product: windows
service: powershell-classic
conditions:
winlog.channel: 'Windows PowerShell'
windows-dns-server:
product: windows
service: dns-server
conditions:
winlog.channel: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
winlog.channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
winlog.channel: 'Microsoft-Windows-DHCP-Server/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
winlog.channel: 'Microsoft-Windows-NTLM/Operational'
windows-defender:
product: windows
service: windefend
conditions:
winlog.channel: 'Microsoft-Windows-Windows Defender/Operational'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
winlog.channel: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
winlog.channel: 'Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
winlog.channel: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
winlog.channel: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
winlog.channel: 'Microsoft-Windows-SmbClient/Security'
windows-applocker:
product: windows
service: applocker
conditions:
winlog.channel:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
winlog.channel: 'MSExchange Management'
microsoft-servicebus-client:
product: windows
service: microsoft-servicebus-client
conditions:
winlog.channel: 'Microsoft-ServiceBus-Client'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
winlog.channel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
winlog.channel: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
winlog.channel:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
winlog.channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
winlog.channel: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
winlog.channel: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
winlog.channel: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
winlog.channel: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
winlog_channel: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
winlog_channel: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
winlog_channel: 'Microsoft-Windows-LSA/Operational'
windows-appxpackaging-om:
product: windows
service: appxpackaging-om
conditions:
winlog_channel: 'Microsoft-Windows-AppxPackaging/Operational'
windows-dns-client:
product: windows
service: dns-client
conditions:
winlog_channel: 'Microsoft-Windows-DNS Client Events/Operational'
windows-appmodel-runtime:
product: windows
service: appmodel-runtime
conditions:
winlog_channel: 'Microsoft-Windows-AppModel-Runtime/Admin'
create winlogbeat config/taxonomy specific to elastic enabled winlogbeat modules such as the one for sysmon](https://github.com/elastic/beats/blob/master/x-pack/winlogbeat/module/security/config/winlogbeat-security.js) sigmac conversion
2019-10-01 10:16:42 -04:00
defaultindex: winlogbeat-*
fixed various spelling errors all over rules and source code
2021-02-24 14:43:13 +00:00
# Extract all field names with yq:
create winlogbeat config/taxonomy specific to elastic enabled winlogbeat modules such as the one for sysmon](https://github.com/elastic/beats/blob/master/x-pack/winlogbeat/module/security/config/winlogbeat-security.js) sigmac conversion
2019-10-01 10:16:42 -04:00
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
# Keep EventID! Clean up the list afterwards!
fieldmappings:
Update winlogbeat-modules-enabled.yml
2021-07-14 11:01:45 +08:00
EventID: event.code
Add eventid 4624
2021-08-05 11:20:22 +02:00
Channel: winlog.channel
Add missing system field
2021-08-06 10:52:24 +02:00
#Keywords: from "<System><Keywords>Value</Keywords></System><EventData>" is lost with winlogbeat exist in nxlog
rename the field 'Provider Name' to 'Provider_Name'
2021-10-13 13:04:11 +02:00
Provider_Name: winlog.provider_name
Add some missing fields mapping
2021-07-06 15:56:33 +02:00
CallingProcessName: winlog.event_data.CallingProcessName
Update winlogbeat-modules-enabled.yml
2021-10-20 17:06:55 +03:00
ComputerName: winlog.computer_name
Add some missing fields mapping
2021-07-06 15:56:33 +02:00
EventType: winlog.event_data.EventType
FailureCode: winlog.event_data.FailureCode
FileName: file.path
HiveName: winlog.event_data.HiveName
ProcessCommandLine: winlog.event_data.ProcessCommandLine
SecurityID: winlog.event_data.SecurityID
Source: winlog.event_data.Source
# Channel: WLAN-Autoconfig AND EventID: 8001
AuthenticationAlgorithm: winlog.event_data.AuthenticationAlgorithm
BSSID: winlog.event_data.BSSID
BSSType: winlog.event_data.BSSType
CipherAlgorithm: winlog.event_data.CipherAlgorithm
ConnectionId: winlog.event_data.ConnectionId
ConnectionMode: winlog.event_data.ConnectionMode
InterfaceDescription: winlog.event_data.InterfaceDescription
InterfaceGuid: winlog.event_data.InterfaceGuid
OnexEnabled: winlog.event_data.OnexEnabled
PHYType: winlog.event_data.PHYType
ProfileName: winlog.event_data.ProfileName
SSID: winlog.event_data.SSID
Accesses: winlog.event_data.Accesses
Fix more windows fields name
2021-07-07 12:28:00 +02:00
ClassName: winlog.event_data.ClassName
Add some missing fields mapping
2021-07-06 15:56:33 +02:00
ClassId: winlog.event_data.ClassId
DeviceDescription: winlog.event_data.DeviceDescription
Fix more windows fields name
2021-07-07 12:28:00 +02:00
# ErrorCode => printservice-admin EventID: 4909 or 808
Fix duplicate
2022-12-15 17:54:34 +01:00
ErrorCode:
service=windefend: winlog.event_data.Error\ Code
default: winlog.event_data.ErrorCode
Add some missing fields mapping
2021-07-06 15:56:33 +02:00
FilePath: winlog.event_data.FilePath
refactor: make antivirus a category
2022-03-24 11:59:33 +01:00
# Filename => category: antivirus
feat: update config files
2023-01-17 01:00:24 +01:00
Filename: winlog.event_data.Filename
Add some missing fields mapping
2021-07-06 15:56:33 +02:00
LDAPDisplayName: winlog.event_data.LDAPDisplayName
Fix more windows fields name
2021-07-07 12:28:00 +02:00
# Level => Source: MSExchange Control Panel EventID: 4
Level: winlog.event_data.Level
Add some missing fields mapping
2021-07-06 15:56:33 +02:00
TargetProcessAddress: winlog.event_data.TargetProcessAddress
Fix more windows fields name
2021-07-07 12:28:00 +02:00
# UserName => smbclient-security eventid:31017
UserName: winlog.event_data.UserName
add sysmon mapping
2021-08-05 10:54:58 +02:00
#
# Sysmon/Operational up to ID 25
#
RuleName: winlog.event_data.RuleName
ProcessGuid: process.entity_id
ProcessId: process.pid
Image: process.executable
feat: update config files
2023-01-17 01:00:24 +01:00
FileVersion:
add sysmon mapping
2021-08-05 10:54:58 +02:00
category=process_creation: process.pe.file_version
Update winlogbeat-modules-enabled.yml
2021-10-28 16:05:40 +01:00
category=image_load: file.pe.file_version
add sysmon mapping
2021-08-05 10:54:58 +02:00
default: winlog.event_data.FileVersion
Description:
category=process_creation: process.pe.description
Update winlogbeat-modules-enabled.yml
2021-10-28 16:05:40 +01:00
category=image_load: file.pe.description
add sysmon mapping
2021-08-05 10:54:58 +02:00
category=sysmon_error: winlog.event_data.Description
default: winlog.event_data.Description
Product:
category=process_creation: process.pe.product
Update winlogbeat-modules-enabled.yml
2021-10-28 16:05:40 +01:00
category=image_load: file.pe.product
add sysmon mapping
2021-08-05 10:54:58 +02:00
default: winlog.event_data.Product
feat: update config files
2023-01-17 01:00:24 +01:00
Company:
add sysmon mapping
2021-08-05 10:54:58 +02:00
category=process_creation: process.pe.company
Update winlogbeat-modules-enabled.yml
2021-10-28 16:05:40 +01:00
category=image_load: file.pe.company
add sysmon mapping
2021-08-05 10:54:58 +02:00
default: winlog.event_data.Company
feat: update config files
2023-01-17 01:00:24 +01:00
OriginalFileName:
Update winlogbeat-modules-enabled.yml
2021-10-28 16:05:40 +01:00
category=process_creation: process.pe.original_file_name
category=image_load: file.pe.original_file_name
default: winlog.event_data.OriginalFileName
feat: update config files
2023-01-17 01:00:24 +01:00
CommandLine:
add sysmon mapping
2021-08-05 10:54:58 +02:00
category=process_creation: process.command_line
Add most of security EventID
2021-08-05 13:31:39 +02:00
service=security: process.command_line
add sysmon mapping
2021-08-05 10:54:58 +02:00
service=powershell-classic: powershell.command.value
default: winlog.event_data.CommandLine
CurrentDirectory: process.working_directory
LogonGuid: winlog.event_data.LogonGuid
LogonId: winlog.event_data.LogonId
TerminalSessionId: winlog.event_data.TerminalSessionId
IntegrityLevel: winlog.event_data.IntegrityLevel
ParentProcessGuid: process.parent.entity_id
ParentProcessId: process.parent.pid
ParentImage: process.parent.executable
ParentCommandLine: process.parent.command_line
Add sysmon 13.30 ParentUser
2021-10-27 12:58:10 +02:00
ParentUser: winlog.event_data.ParentUser #Sysmon 13.30
Add SourceUser and TargetUser
2021-10-27 17:13:34 +02:00
SourceUser: winlog.event_data.SourceUser #Sysmon 13.30
TargetUser: winlog.event_data.TargetUser #Sysmon 13.30
add sysmon mapping
2021-08-05 10:54:58 +02:00
TargetFilename: file.path
CreationUtcTime: winlog.event_data.CreationUtcTime
PreviousCreationUtcTime: winlog.event_data.PreviousCreationUtcTime
feat: update config files
2023-01-17 01:00:24 +01:00
Protocol:
Add most of security EventID
2021-08-05 13:31:39 +02:00
category=network_connection: network.transport
default: winlog.event_data.Protocol
feat: update config files
2023-01-17 01:00:24 +01:00
Initiated:
add sysmon mapping
2021-08-05 10:54:58 +02:00
category=network_connection: network.direction
default: winlog.event_data.Initiated
#SourceIsIpv6: winlog.event_data.SourceIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279
SourceIp: source.ip
SourceHostname: source.domain
SourcePort: source.port
SourcePortName: winlog.event_data.SourcePortName
#DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279
DestinationIp: destination.ip
DestinationHostname: destination.domain
DestinationPort: destination.port
DestinationPortName: network.protocol
State: winlog.event_data.State
Version: winlog.event_data.Version
SchemaVersion: winlog.event_data.SchemaVersion
ImageLoaded: file.path
Signed: file.code_signature.signed
feat: update config files
2023-01-17 01:00:24 +01:00
Signature:
Add missing system field
2021-08-06 10:52:24 +02:00
category=driver_loaded: file.code_signature.subject_name
category=image_loaded: file.code_signature.subject_name
default: winlog.event_data.Signature
add sysmon mapping
2021-08-05 10:54:58 +02:00
SignatureStatus: file.code_signature.status
SourceProcessGuid: process.entity_id
SourceProcessId: process.pid
SourceImage: process.executable
TargetProcessGuid: winlog.event_data.TargetProcessGuid
TargetProcessId: winlog.event_data.TargetProcessId
TargetImage: winlog.event_data.TargetImage
NewThreadId: winlog.event_data.NewThreadId
StartAddress: winlog.event_data.StartAddress
StartModule: winlog.event_data.StartModule
StartFunction: winlog.event_data.StartFunction
Device: file.path
SourceThreadId: process.thread.id
GrantedAccess: winlog.event_data.GrantedAccess
CallTrace: winlog.event_data.CallTrace
TargetObject: registry.path
Details: winlog.event_data.Details
NewName: winlog.event_data.NewName
Configuration: winlog.event_data.Configuration
ConfigurationFileHash: winlog.event_data.ConfigurationFileHash
PipeName: file.name
User: winlog.event_data.User
EventNamespace: winlog.event_data.EventNamespace
Name: winlog.event_data.Name
Query: winlog.event_data.Query
Operation: winlog.event_data.Operation
Type: winlog.event_data.Type
Destination: process.executable
Consumer: winlog.event_data.Consumer
Filter: winlog.event_data.Filter
QueryName: dns.question.name
QueryStatus: sysmon.dns.status
QueryResults: winlog.event_data.QueryResults
IsExecutable: sysmon.file.is_executable
Archived: sysmon.file.archived
Session: winlog.event_data.Session
ClientInfo: winlog.event_data.ClientInfo
update SYSMON Hashes
2021-08-04 15:09:02 +02:00
# SYSMON Hashes
Hashes: winlog.event_data.Hashes
# extraction from Hashes NOT a original field but find in some rule
md5:
category=driver_load: hash.md5
category=image_load: file.hash.md5
default: process.hash.md5
sha1:
category=driver_load: hash.sha1
category=image_load: file.hash.sha1
default: process.hash.sha1
sha256:
category=driver_load: hash.sha256
category=image_load: file.hash.sha256
default: process.hash.sha256
feat: update config files
2023-01-17 01:00:24 +01:00
Imphash:
update SYSMON Hashes
2021-08-04 15:09:02 +02:00
category=driver_load: hash.imphash
category=image_load: file.hash.imphash
add security 7045
2021-08-04 15:46:05 +02:00
default: process.pe.imphash
add sysmon mapping
2021-08-05 10:54:58 +02:00
#
# Powershell
#
CommandName: powershell.command.name
CommandPath: powershell.command.path
CommandType: powershell.command.type
feat: update config files
2023-01-17 01:00:24 +01:00
EngineVersion:
add sysmon mapping
2021-08-05 10:54:58 +02:00
service=powershell-classic: powershell.engine.version
Fix duplicate
2022-12-15 17:54:34 +01:00
service=windefend: winlog.event_data.Engine\ Version
add sysmon mapping
2021-08-05 10:54:58 +02:00
default: winlog.event_data.EngineVersion
HostApplication: process.command_line
HostId: process.entity_id
HostName: process.title
HostVersion:
service=powershell-classic: powershell.process.executable_version
default: winlog.event_data.HostVersion
NewEngineState: powershell.engine.new_state
PipelineId: powershell.pipeline_id
PreviousEngineState: powershell.engine.previous_state
RunspaceId: powershell.runspace_id
ScriptName: file.path
SequenceNumber: event.sequence
NewProviderState: powershell.provider.new_state
ProviderName: powershell.provider.name
Payload: winlog.event_data.Payload
ContextInfo: winlog.event_data.ContextInfo
MessageNumber: powershell.sequence
MessageTotal: powershell.total
ScriptBlockText: powershell.file.script_block_text
ScriptBlockId: powershell.file.script_block_id
#
# Security
#
Add most of security EventID
2021-08-05 13:31:39 +02:00
AccessGranted: winlog.event_data.AccessGranted
AccessList: winlog.event_data.AccessList
AccessMask: winlog.event_data.AccessMask
AccessReason: winlog.event_data.AccessReason
AccessRemoved: winlog.event_data.AccessRemoved
AccountDomain: user.domain
AccountExpires: winlog.event_data.AccountExpires
AccountName: user.name
AdditionalInfo: winlog.event_data.AdditionalInfo
AdditionalInfo2: winlog.event_data.AdditionalInfo2
AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo
AppCorrelationID: winlog.event_data.AppCorrelationID
Application: process.executable
AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName
AttributeSyntaxOID: winlog.event_data.AttributeSyntaxOID
AttributeValue: winlog.event_data.AttributeValue
AuditPolicyChanges: winlog.event_data.AuditPolicyChanges
AuditSourceName: winlog.event_data.AuditSourceName
AuthenticationPackageName: winlog.event_data.AuthenticationPackageName
CallerProcessId: winlog.event_data.CallerProcessId
CallerProcessName: winlog.event_data.CallerProcessName
CategoryId: winlog.event_data.CategoryId
CertIssuerName: winlog.event_data.CertIssuerName
CertSerialNumber: winlog.event_data.CertSerialNumber
CertThumbprint: winlog.event_data.CertThumbprint
ClientAddress: source.ip
ClientName: source.domain
ClientProcessId: winlog.event_data.ClientProcessId
ClientProcessStartKey: winlog.event_data.ClientProcessStartKey
ComputerAccountChange: winlog.event_data.ComputerAccountChange
CrashOnAuditFailValue: winlog.event_data.CrashOnAuditFailValue
DestAddress: destination.ip
DestPort: destination.port
Direction: winlog.event_data.Direction
DisplayName: winlog.event_data.DisplayName
DnsHostName: winlog.event_data.DnsHostName
DomainBehaviorVersion: winlog.event_data.DomainBehaviorVersion
DomainName: winlog.event_data.DomainName
DomainPolicyChanged: winlog.event_data.DomainPolicyChanged
DomainSid: winlog.event_data.DomainSid
DSName: winlog.event_data.DSName
DSType: winlog.event_data.DSType
Dummy: winlog.event_data.Dummy
ElevatedToken: winlog.event_data.ElevatedToken
EventSourceId: winlog.event_data.EventSourceId
FailureReason: winlog.event_data.FailureReason
FilterRTID: winlog.event_data.FilterRTID
ForceLogoff: winlog.event_data.ForceLogoff
FQDN: winlog.event_data.FQDN
GroupTypeChange: winlog.event_data.GroupTypeChange
HandleId: winlog.event_data.HandleId
HomeDirectory: winlog.event_data.HomeDirectory
HomePath: winlog.event_data.HomePath
ImagePath: winlog.event_data.ImagePath
ImpersonationLevel: winlog.event_data.ImpersonationLevel
IpAddress: source.ip
IpPort: source.port
KeyLength: winlog.event_data.KeyLength
LayerName: winlog.event_data.LayerName
LayerRTID: winlog.event_data.LayerRTID
LmPackageName: winlog.event_data.LmPackageName
LockoutDuration: winlog.event_data.LockoutDuration
LockoutObservationWindow: winlog.event_data.LockoutObservationWindow
LockoutThreshold: winlog.event_data.LockoutThreshold
LogonHours: winlog.event_data.LogonHours
Add eventid 4624
2021-08-05 11:20:22 +02:00
SubjectLogonId:
service=security: winlog.logon.id
default: winlog.event_data.SubjectLogonId
LogonProcessName: winlog.event_data.LogonProcessName
LogonType: winlog.event_data.LogonType
Add most of security EventID
2021-08-05 13:31:39 +02:00
MachineAccountQuota: winlog.event_data.MachineAccountQuota
MandatoryLabel: winlog.event_data.MandatoryLabel
MasterKeyId: winlog.event_data.MasterKeyId
MaxPasswordAge: winlog.event_data.MaxPasswordAge
MemberName: winlog.event_data.MemberName
MemberSid: winlog.event_data.MemberSid
MinPasswordAge: winlog.event_data.MinPasswordAge
MinPasswordLength: winlog.event_data.MinPasswordLength
MixedDomainMode: winlog.event_data.MixedDomainMode
NewProcessId: process.pid
NewProcessName: process.executable
NewSd: winlog.event_data.NewSd
NewTargetUserName: winlog.event_data.NewTargetUserName
NewTime: winlog.event_data.NewTime
NewUacValue: winlog.event_data.NewUacValue
Fix duplicate
2022-12-15 17:54:34 +01:00
NewValue:
service=windefend: winlog.event_data.New\ Value
default: winlog.event_data.NewValue
Add most of security EventID
2021-08-05 13:31:39 +02:00
NewValueType: winlog.event_data.NewValueType
ObjectClass: winlog.event_data.ObjectClass
ObjectDN: winlog.event_data.ObjectDN
ObjectGUID: winlog.event_data.ObjectGUID
ObjectName: winlog.event_data.ObjectName
ObjectServer: winlog.event_data.ObjectServer
ObjectType: winlog.event_data.ObjectType
ObjectValueName: winlog.event_data.ObjectValueName
OemInformation: winlog.event_data.OemInformation
OldSd: winlog.event_data.OldSd
OldTargetUserName: winlog.event_data.OldTargetUserName
OldUacValue: winlog.event_data.OldUacValue
Fix duplicate
2022-12-15 17:54:34 +01:00
OldValue:
service=windefend: winlog.event_data.Old\ Value
default: winlog.event_data.OldValue
Add most of security EventID
2021-08-05 13:31:39 +02:00
OldValueType: winlog.event_data.OldValueType
OpCorrelationID: winlog.event_data.OpCorrelationID
OperationType: winlog.event_data.OperationType
PackageName: winlog.event_data.PackageName
ParentProcessName: process.parent.name
PasswordHistoryLength: winlog.event_data.PasswordHistoryLength
PasswordLastSet: winlog.event_data.PasswordLastSet
PasswordProperties: winlog.event_data.PasswordProperties
PreAuthType: winlog.event_data.PreAuthType
PreviousTime: winlog.event_data.PreviousTime
PrimaryGroupId: winlog.event_data.PrimaryGroupId
PrivilegeList: winlog.event_data.PrivilegeList
Fix duplicate
2022-12-15 17:54:34 +01:00
ProcessName:
service=windefend: winlog.event_data.Process\ Name
default: process.executable
Add most of security EventID
2021-08-05 13:31:39 +02:00
ProfilePath: winlog.event_data.ProfilePath
Properties: winlog.event_data.Properties
PuaCount: winlog.event_data.PuaCount
PuaPolicyId: winlog.event_data.PuaPolicyId
RecoveryKeyId: winlog.event_data.RecoveryKeyId
RecoveryServer: winlog.event_data.RecoveryServer
RelativeTargetName: winlog.event_data.RelativeTargetName
RemoteMachineID: winlog.event_data.RemoteMachineID
RemoteUserID: winlog.event_data.RemoteUserID
ResourceAttributes: winlog.event_data.ResourceAttributes
Add eventid 4624
2021-08-05 11:20:22 +02:00
RestrictedAdminMode: winlog.event_data.RestrictedAdminMode
Add most of security EventID
2021-08-05 13:31:39 +02:00
RestrictedSidCount: winlog.event_data.RestrictedSidCount
RpcCallClientLocality: winlog.event_data.RpcCallClientLocality
SamAccountName: winlog.event_data.SamAccountName
ScriptPath: winlog.event_data.ScriptPath
Service: winlog.event_data.Service
ServiceAccount: winlog.event_data.ServiceAccount
ServiceFileName: winlog.event_data.ServiceFileName
add sysmon mapping
2021-08-05 10:54:58 +02:00
ServiceName:
service=security: service.name
default: winlog.event_data.ServiceName
Add most of security EventID
2021-08-05 13:31:39 +02:00
ServicePrincipalNames: winlog.event_data.ServicePrincipalNames
ServiceSid: winlog.event_data.ServiceSid
ServiceStartType: winlog.event_data.ServiceStartType
add security 7045
2021-08-04 15:46:05 +02:00
ServiceType: winlog.event_data.ServiceType
Add most of security EventID
2021-08-05 13:31:39 +02:00
SessionId: winlog.event_data.SessionId
SessionName: winlog.event_data.SessionName
ShareLocalPath: winlog.event_data.ShareLocalPath
ShareName: winlog.event_data.ShareName
SidHistory: winlog.event_data.SidHistory
SidList: winlog.event_data.SidList
SourceAddress: source.ip
Status: winlog.event_data.Status
StartType: winlog.event_data.StartType
SubcategoryGuid: winlog.event_data.SubcategoryGuid
SubcategoryId: winlog.event_data.SubcategoryId
SubjectDomainName:
service=security: user.domain
default: winlog.event_data.SubjectDomainName
SubjectUserName:
service=security: user.name
default: winlog.event_data.SubjectUserName
SubjectUserSid:
service=security: user.id
default: winlog.event_data.SubjectUserSid
SubStatus: winlog.event_data.SubStatus
TargetDomainName: user.domain
TargetLinkedLogonId: winlog.event_data.TargetLinkedLogonId
Fix missing a space
2021-08-05 13:36:18 +02:00
TargetLogonId:
Add most of security EventID
2021-08-05 13:31:39 +02:00
service=security: winlog.logon.id
default: winlog.event_data.TargetLogonId
TargetOutboundDomainName: winlog.event_data.TargetOutboundDomainName
TargetOutboundUserName: winlog.event_data.TargetOutboundUserName
TargetServerName: winlog.event_data.TargetServerName
TargetSid: winlog.event_data.TargetSid
fix TargetUserName and TargetUserSid for detection
2021-09-27 09:27:01 +02:00
TargetUserName: winlog.event_data.TargetUserName
TargetUserSid: winlog.event_data.TargetUserSid
Add most of security EventID
2021-08-05 13:31:39 +02:00
TaskContent: winlog.event_data.TaskContent
TaskName: winlog.event_data.TaskName
TicketEncryptionType: winlog.event_data.TicketEncryptionType
TicketOptions: winlog.event_data.TicketOptions
TokenElevationType: winlog.event_data.TokenElevationType
TransactionId: winlog.event_data.TransactionId
TransmittedServices: winlog.event_data.TransmittedServices
UserAccountControl: winlog.event_data.UserAccountControl
UserParameters: winlog.event_data.UserParameters
UserPrincipalName: winlog.event_data.UserPrincipalName
UserWorkstations: winlog.event_data.UserWorkstations
VirtualAccount: winlog.event_data.VirtualAccount
Workstation: winlog.event_data.Workstation
WorkstationName: source.domain
Add missing system field
2021-08-06 10:52:24 +02:00
#
# System
#
DriveName: winlog.event_data.DriveName
DeviceName: winlog.event_data.DeviceName
HeaderFlags: winlog.event_data.HeaderFlags
Severity: winlog.event_data.Severity
Origin: winlog.event_data.Origin
Verb: winlog.event_data.Verb
Outcome: winlog.event_data.Outcome
SampleLength: winlog.event_data.SampleLength
SampleData: winlog.event_data.SampleData
SourceFile: winlog.event_data.SourceFile
SourceLine: winlog.event_data.SourceLine
SourceTag: winlog.event_data.SourceTag
CallStack: winlog.event_data.CallStack
Add Microsoft-Windows-Windows Defender/Operational
2021-08-06 11:12:34 +02:00
#
# Microsoft-Windows-Windows Defender/Operational
#
Space remove
2022-12-15 12:55:18 +01:00
ActionID: winlog.event_data.Action\ ID
ActionName: winlog.event_data.Action\ Name
AdditionalActionsID: winlog.event_data.Additional\ Actions\ ID
AdditionalActionsString: winlog.event_data.Additional\ Actions\ String
CategoryID: winlog.event_data.Category\ ID
CategoryName: winlog.event_data.Category\ Name
DetectionID: winlog.event_data.Detection\ ID
DetectionTime: winlog.event_data.Detection\ Time
DetectionUser: winlog.event_data.Detection\ User
ErrorDescription: winlog.event_data.Error\ Description
ExecutionID: winlog.event_data.Execution\ ID
ExecutionName: winlog.event_data.Execution\ Name
Add Microsoft-Windows-Windows Defender/Operational
2021-08-06 11:12:34 +02:00
FWLink: winlog.event_data.FWLink
Space remove
2022-12-15 12:55:18 +01:00
OriginID: winlog.event_data.Origin\ ID
OriginName: winlog.event_data.Origin\ Name
Add Microsoft-Windows-Windows Defender/Operational
2021-08-06 11:12:34 +02:00
Path: winlog.event_data.Path
Space remove
2022-12-15 12:55:18 +01:00
PostCleanStatus: winlog.event_data.Post\ Clean\ Status
PreExecutionStatus: winlog.event_data.Pre\ Execution\ Status
ProductName: winlog.event_data.Product\ Name
ProductVersion: winlog.event_data.Product\ Version
RemediationUser: winlog.event_data.Remediation\ User
SecurityintelligenceVersion: winlog.event_data.Security\ intelligence\ Version
SeverityID: winlog.event_data.Severity\ ID
SeverityName: winlog.event_data.Severity\ Name
SourceID: winlog.event_data.Source\ ID
SourceName: winlog.event_data.Source\ Name
StatusCode: winlog.event_data.Status\ Code
StatusDescription: winlog.event_data.Status\ Description
ThreatID: winlog.event_data.Threat\ ID
ThreatName: winlog.event_data.Threat\ Name
TypeID: winlog.event_data.Type\ ID
TypeName: winlog.event_data.Type\ Name
Add missing fields
2022-03-01 15:36:39 +01:00
#
# Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
#
ApplicationPath: winlog.event_data.ApplicationPath
ModifyingApplication: winlog.event_data.ModifyingApplication
Action: winlog.event_data.Action
Reference in New Issue Copy Permalink