tools/config/generic/windows-audit.yml

title: Conversion for Windows Native Auditing Events
order: 10
logsources:
    process_creation:
        category: process_creation
        product: windows
        conditions:
            EventID: 4688
        rewrite:
            product: windows
            service: security
    registry_event:
        category: registry_event
        product: windows
        conditions:
            EventID: 4657
            OperationType:
                - 'New registry value created'
                - 'Existing registry value modified'
        rewrite:
            product: windows
            service: security
fieldmappings:
    Image: NewProcessName
    ParentImage: ParentProcessName
    Details: NewValue
    ParentCommandLine: ProcessCommandLine
    LogonId: SubjectLogonId
feat: windows native events - registry_event 2021-04-25 22:35:23 +02:00			`title: Conversion for Windows Native Auditing Events`
Configuration order checking 2019-04-23 00:54:10 +02:00			`order: 10`
Added generic Windows audit log configuration 2019-01-16 22:41:42 +01:00			`logsources:`
			`process_creation:`
			`category: process_creation`
			`product: windows`
			`conditions:`
			`EventID: 4688`
			`rewrite:`
			`product: windows`
			`service: security`
feat: windows native events - registry_event 2021-04-25 22:35:23 +02:00			`registry_event:`
			`category: registry_event`
			`product: windows`
			`conditions:`
			`EventID: 4657`
feat: generic registry events compatible with native audit logging 2021-04-26 09:31:36 +02:00			`OperationType:`
			`- 'New registry value created'`
			`- 'Existing registry value modified'`
feat: windows native events - registry_event 2021-04-25 22:35:23 +02:00			`rewrite:`
			`product: windows`
			`service: security`
Added generic Windows audit log configuration 2019-01-16 22:41:42 +01:00			`fieldmappings:`
			`Image: NewProcessName`
Improved configurations 2019-01-16 23:37:18 +01:00			`ParentImage: ParentProcessName`
feat: generic registry events compatible with native audit logging 2021-04-26 09:31:36 +02:00			`Details: NewValue`
$frack113$ Fix LogonId - SubjectLogonId 2021-11-10 19:12:51 +01:00			`ParentCommandLine: ProcessCommandLine`
			`LogonId: SubjectLogonId`