Merge pull request #3931 from nasbench/nasbench-rule-devel

feat: updates and enhancements
Nasreddine Bencherchali
2023-01-18 11:45:43 +01:00
committed by GitHub
51 changed files with 3747 additions and 3187 deletions
@@ -6,7 +6,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020/10/19
modified: 2023/01/13
modified: 2023/01/17
tags:
- attack.discovery
- attack.t1049
@@ -22,10 +22,9 @@ detection:
- '/lsof'
- '/netstat'
filter_landscape_sysinfo:
ParentCommandLine|contains|all: # "/usr/bin/python /usr/bin/landscape-sysinfo "
- '/usr/bin/python'
- '/usr/bin/landscape-sysinfo'
condition: selection and not filter_landscape_sysinfo
ParentCommandLine|contains: '/usr/bin/landscape-sysinfo'
Image|endswith: '/who'
condition: selection and not 1 of filter_*
falsepositives:
- Legitimate activities
level: low
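Review bot: The rewritten `filter_landscape_sysinfo` in the second hunk drops the inline comment that recorded the observed parent command line, so a later reader no longer sees why a parent containing `/usr/bin/landscape-sysinfo` with an Image ending in `/who` is treated as benign. Suggest restoring it on the new line, e.g. `ParentCommandLine|contains: '/usr/bin/landscape-sysinfo'  # observed as "/usr/bin/python /usr/bin/landscape-sysinfo"`. Whether `Image|endswith: '/who'` sits inside that filter or forms a second filter is not recoverable from the rendered hunk; if it is a separate filter it would exclude every `who` execution regardless of parent, which looks unintended.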
@@ -0,0 +1,27 @@
title: Sysinternals Tools AppX Versions Execution
id: d29a20b2-be4b-4827-81f2-3d8a59eab5fc
status: experimental
description: Detects execution of Sysinternals tools via an AppX package. Attackers could instal the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths
references:
- Internal Research
author: Nasreddine Bencherchali
date: 2023/01/16
tags:
- attack.defense_evasion
- attack.execution
logsource:
product: windows
service: appmodel-runtime
detection:
selection:
EventID: 201
ImageName:
- 'procdump.exe'
- 'psloglist.exe'
- 'psexec.exe'
- 'livekd.exe'
- 'ADExplorer.exe'
condition: selection
falsepositives:
- Legitimate usage of the applications from the Windows Store
level: medium
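Review bot: The `ImageName` list in `selection` matches exact file names only, so the 64-bit builds that ship in the same suite (`procdump64.exe`, `psexec64.exe`, `psloglist64.exe`, the last of which this PR itself lists in the PsLogList rule) would not be covered if the AppX package launches them. Consider adding those variants to the list; I cannot confirm from the page which binaries the Store package actually starts, so this is worth checking against a sample event. The description also has a typo, `instal` → `install`.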
@@ -0,0 +1,24 @@
title: Suspicious Digital Signature Of AppX Package
id: b5aa7d60-c17e-4538-97de-09029d6cd76b
status: experimental
description: Detects execution of AppX packages with known suspicious or malicious signature
references:
- Internal Research
- https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
author: Nasreddine Bencherchali
date: 2023/01/16
tags:
- attack.defense_evasion
- attack.execution
logsource:
product: windows
service: appxpackaging-om
detection:
selection:
EventID: 157
# Add more known suspicious/malicious certificates used in different attacks
subjectName: 'CN=Foresee Consulting Inc., O=Foresee Consulting Inc., L=North York, S=Ontario, C=CA, SERIALNUMBER=1004913-1, OID.1.3.6.1.4.1.311.60.2.1.3=CA, OID.2.5.4.15=Private Organization'
condition: selection
falsepositives:
- Unknown
level: medium
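Review bot: `subjectName` in `selection` is an exact match on the full distinguished name, which breaks as soon as the log renders the RDN order, spacing or serial-number attribute differently, and the comment above it already anticipates more entries. A `subjectName|contains` list keyed on the stable part, e.g. `subjectName|contains: 'CN=Foresee Consulting Inc.'` written as a list from the start, is more robust and easier to extend. The description speaks of "execution" of AppX packages, but the logsource is `appxpackaging-om` rather than a process-creation source, so the event may record packaging or signature validation instead; please verify the wording against the EventID 157 documentation.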
@@ -0,0 +1,32 @@
title: Suspicious Cobalt Strike DNS Beaconing - DNS Client
id: 0d18728b-f5bf-4381-9dcf-915539fff6c2
related:
- id: f356a9c4-effd-4608-bbf8-408afd5cd006
type: similar
status: test
description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
references:
- https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
- https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
author: Nasreddine Bencherchali
date: 2023/01/16
tags:
- attack.command_and_control
- attack.t1071.004
logsource:
product: windows
service: dns-client
definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
selection_eid:
EventID: 3008
selection_query_1:
QueryName|startswith:
- 'aaa.stage.'
- 'post.1'
selection_query_2:
QueryName|contains: '.stage.123456.'
condition: selection_eid and 1 of selection_query_*
falsepositives:
- Unknown
level: critical
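Review bot: `status: test` on a rule created in this PR (`date: 2023/01/16`) is inconsistent with the other new rules here, which start as `experimental`; the value looks copied from the Sysmon sibling f356a9c4 rather than reflecting this rule's own maturity. The same applies to the MEGA.io DNS-client rule (66474410). Suggest `status: experimental` for both.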
@@ -0,0 +1,26 @@
title: DNS Query for Anonfiles.com Domain - DNS Client
id: 29f171d7-aa47-42c7-9c7b-3c87938164d9
related:
- id: 065cceea-77ec-4030-9052-fc0affea7110
type: similar
status: experimental
description: Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
references:
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
author: Nasreddine Bencherchali
date: 2023/01/16
tags:
- attack.exfiltration
- attack.t1567.002
logsource:
product: windows
service: dns-client
definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
selection:
EventID: 3008
QueryName|contains: '.anonfiles.com'
condition: selection
falsepositives:
- Rare legitimate access to anonfiles.com
level: high
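Review bot: `QueryName|contains: '.anonfiles.com'` requires a subdomain because of the leading dot, while the Ufile.io DNS-client rule (090ffaad) uses `QueryName|contains: 'ufile.io'` with no such restriction; the Sysmon siblings carry the same difference. If the leading dot is deliberate (to avoid matching unrelated names that merely end in `anonfiles.com`), a short comment saying so would help; otherwise `'anonfiles.com'` would also catch a query for the apex domain. Separately, the Ufile.io description `Detects DNS queries to "ufile.io". Which is often abused ...` is a sentence fragment; `... "ufile.io", which is often abused ...` reads better.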
@@ -0,0 +1,26 @@
title: DNS Query for MEGA.io Upload Domain - DNS Client
id: 66474410-b883-415f-9f8d-75345a0a66a6
related:
- id: 613c03ba-0779-4a53-8a1f-47f914a4ded3
type: similar
status: test
description: Detects DNS queries for subdomains used for upload to MEGA.io
references:
- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
author: Nasreddine Bencherchali
date: 2023/01/16
tags:
- attack.exfiltration
- attack.t1567.002
logsource:
product: windows
service: dns-client
definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
selection:
EventID: 3008
QueryName|contains: 'userstorage.mega.co.nz'
condition: selection
falsepositives:
- Legitimate DNS queries and usage of Mega
level: high
@@ -0,0 +1,26 @@
title: Query Tor Onion Address - DNS Client
id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2
related:
- id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544
type: similar
status: experimental
description: Detects DNS resolution of an .onion address related to Tor routing networks
references:
- https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
author: Nasreddine Bencherchali
date: 2022/02/20
tags:
- attack.command_and_control
- attack.t1090.003
logsource:
product: windows
service: dns-client
definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
selection:
EventID: 3008
QueryName|contains: '.onion'
condition: selection
falsepositives:
- Unlikely
level: high
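Review bot: `date: 2022/02/20` on this newly added DNS-client rule does not match the other rules created in this PR (`2023/01/16`) and appears to be carried over from the Sysmon sibling b55ca2a3, whose author is different; the creation date should be this rule's own. The title `Query Tor Onion Address - DNS Client` also diverges from the Sysmon counterpart, now retitled `DNS Query Tor Onion Address - Sysmon`, so `DNS Query Tor Onion Address - DNS Client` would keep the pair aligned. Finally, `QueryName|contains: '.onion'` also matches any name with `.onion` in the middle; if QueryName carries no trailing dot in event 3008, `QueryName|endswith: '.onion'` is tighter — please confirm against a sample event.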
@@ -0,0 +1,26 @@
title: DNS Query for Ufile.io Upload Domain - DNS Client
id: 090ffaad-c01a-4879-850c-6d57da98452d
related:
- id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b
type: similar
status: experimental
description: Detects DNS queries to "ufile.io". Which is often abused by malware for upload and exfiltration
references:
- https://thedfirreport.com/2021/12/13/diavol-ransomware/
author: Nasreddine Bencherchali
date: 2023/01/16
tags:
- attack.exfiltration
- attack.t1567.002
logsource:
product: windows
service: dns-client
definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
selection:
EventID: 3008
QueryName|contains: 'ufile.io'
condition: selection
falsepositives:
- Legitimate DNS queries and usage of Ufile
level: high
@@ -1,19 +1,18 @@
title: Added Rule in Windows Firewall with Advanced Security
title: New Firewall Rule Added In Windows Firewall Exception List
id: cde0a575-7d3d-4a49-9817-b8004a7bf105
status: experimental
description: A rule has been modified in the Windows Firewall exception list
description: Detects when a rule has been added to the Windows Firewall exception list
references:
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113
date: 2022/02/19
modified: 2022/11/01
modified: 2023/01/17
logsource:
product: windows
service: firewall-as
# EventID 49xx and 50xx are not used in the rule, please don't use Windows Server 2008 R2
detection:
selection:
EventID: 2004
EventID: 2004 # A rule has been added to the Windows Defender Firewall exception list
filter_block:
Action: 2
filter_installations:
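Review bot: The comment `# EventID 49xx and 50xx are not used in the rule, please don't use Windows Server 2008 R2` is dropped from the logsource block of this rule and of the sibling firewall-as rules (5570c4d9, c187c075, 7ec15688, 04b60639, 00bb5bd5), and nothing in the visible hunks replaces it. That note is the only place telling a reader why the 2008 R2 event IDs are out of scope; if it is meant to live elsewhere, keep it as a logsource `definition:` line or a comment rather than losing it. The hunk ends inside the `detection` block, so the remainder of the rule is not visible here.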
@@ -1,21 +1,21 @@
title: Modified Rule in Windows Firewall with Advanced Security
title: Firewall Rule Modified In The Windows Firewall Exception List
id: 5570c4d9-8fdd-4622-965b-403a5a101aa0
status: experimental
description: A rule has been modified in the Windows Firewall exception list
description: Detects when a rule has been modified in the windows firewall exception list
references:
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113
date: 2022/02/19
modified: 2023/01/17
logsource:
product: windows
service: firewall-as
# EventID 49xx and 50xx are not used in the rule, please don't use Windows Server 2008 R2
detection:
selection:
EventID: 2005
filter:
EventID: 2005 # A rule has been modified in the Windows Defender Firewall exception list
filter_generic:
ModifyingApplication|startswith:
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
condition: selection and not 1 of filter*
condition: selection and not 1 of filter_*
level: low
@@ -0,0 +1,25 @@
title: All Rules Have Been Deleted From The Windows Firewall Configuration
id: 79609c82-a488-426e-abcf-9f341a39365d
status: experimental
description: Detects when a all the rules have been deleted from the Windows Defender Firewall configuration
references:
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113, Nasreddine Bencherchali
date: 2023/01/17
logsource:
product: windows
service: firewall-as
detection:
selection:
EventID: 2033 # All rules have been deleted from the Windows Defender Firewall configuration on this computer
filter_generic:
ModifyingApplication|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
filter_svchost:
ModifyingApplication: 'C:\Windows\System32\svchost.exe'
filter_msmpeng:
ModifyingApplication|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
ModifyingApplication|endswith: '\MsMpEng.exe'
condition: selection and not 1 of filter_*
level: high
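Review bot: The description `Detects when a all the rules have been deleted ...` has a stray article; `Detects when all the rules have been deleted from the Windows Defender Firewall configuration` is intended. Unlike the other new rules in this PR, this one carries no `tags:` and no `falsepositives:` section (the existing firewall-as rules omit them too); for a `level: high` rule at least a `falsepositives:` entry, e.g. security software re-applying its firewall profile, would help triage. `filter_generic` also excludes every modifying application under Program Files, which for a full rule wipe at high severity is a broad allowlist and deserves a comment explaining why it is acceptable.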
@@ -1,28 +1,26 @@
title: Delete Rule in Windows Firewall with Advanced Security
title: A Rule Has Been Deleted From The Windows Firewall Exception List
id: c187c075-bb3e-4c62-b4fa-beae0ffc211f
status: experimental
description: A rule has been deleted in the Windows Firewall exception list.
description: Detects when a singe rules or all of the rules have been deleted from the Windows Defender Firewall
references:
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113
date: 2022/02/19
modified: 2022/10/18
modified: 2023/01/17
logsource:
product: windows
service: firewall-as
# EventID 49xx and 50xx are not used in the rule, please don't use Windows Server 2008 R2
detection:
selection:
EventID:
- 2006
- 2033 #All rules
filter:
- ModifyingApplication: 'C:\Windows\System32\svchost.exe'
- ModifyingApplication|startswith:
EventID: 2006 # A rule has been deleted in the Windows Defender Firewall exception list
filter_generic:
ModifyingApplication|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
filter_svchost:
ModifyingApplication: 'C:\Windows\System32\svchost.exe'
filter_msmpeng:
ModifyingApplication|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
ModifyingApplication|endswith: '\MsMpEng.exe'
condition: selection and not 1 of filter*
condition: selection and not 1 of filter_*
level: medium
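Review bot: The new description `Detects when a singe rules or all of the rules have been deleted from the Windows Defender Firewall` contradicts the new selection, which now matches only `EventID: 2006` after 2033 was moved into its own rule (79609c82); besides the typo, the text still claims the all-rules case. Suggest `description: Detects when a single rule has been deleted from the Windows Defender Firewall exception list` and, since the 2033 rule is the intended companion, a `related:` entry with `type: similar` pointing at 79609c82.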
@@ -1,17 +1,17 @@
title: Failed to Load Policy in Windows Firewall with Advanced Security
title: The Windows Defender Firewall Service Failed To Load Group Policy
id: 7ec15688-fd24-4177-ba43-1a950537ee39
status: experimental
description: The Windows Firewall service failed to load Group Policy.
description: Detects activity when The Windows Defender Firewall service failed to load Group Policy
references:
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113
date: 2022/02/19
modified: 2023/01/17
logsource:
product: windows
service: firewall-as
# EventID 49xx and 50xx are not used in the rule, please don't use Windows Server 2008 R2
detection:
selection:
EventID: 2009
EventID: 2009 # The Windows Defender Firewall service failed to load Group Policy
condition: selection
level: low
@@ -1,17 +1,17 @@
title: Reset to Default Configuration Windows Firewall with Advanced Security
title: Windows Defender Firewall Has Been Reset To Its Default Configuration
id: 04b60639-39c0-412a-9fbe-e82499c881a3
status: experimental
description: Windows Firewall has been reset to its default configuration.
description: Detects activity when Windows Defender Firewall has been reset to its default configuration
references:
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113
date: 2022/02/19
modified: 2023/01/17
logsource:
product: windows
service: firewall-as
# EventID 49xx and 50xx are not used in the rule, please don't use Windows Server 2008 R2
detection:
selection:
EventID: 2032
EventID: 2032 # Windows Defender Firewall has been reset to its default configuration
condition: selection
level: low
@@ -1,21 +1,20 @@
title: Setting Change in Windows Firewall with Advanced Security
title: Windows Firewall Settings Have Been Changed
id: 00bb5bd5-1379-4fcf-a965-a5b6f7478064
status: experimental
description: Setting have been change in Windows Firewall
description: Detects activity when the settings of the Windows firewall have been changed
references:
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113
date: 2022/02/19
modified: 2022/03/28
modified: 2023/01/17
logsource:
product: windows
service: firewall-as
# EventID 49xx and 50xx are not used in the rule, please don't use Windows Server 2008 R2
detection:
selection:
EventID:
- 2002 # A Windows Firewall setting has changed.
- 2003 # A Windows Firewall setting in the %1 profile has changed.
- 2003 # A Windows Firewall setting in the profile has changed
- 2008 # Windows Firewall Group Policy settings have changed. The new settings have been applied
# - 2010 # Network profile changed on an interface.
condition: selection
@@ -8,7 +8,7 @@ related:
- id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d
type: similar
status: experimental
description: Detects when adversaries stop services or processes by deleting or disabling their respective schdueled tasks in order to conduct data destructive activities
description: Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities
references:
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701
@@ -1,11 +1,15 @@
title: DNS Query for Anonfiles.com Domain
title: DNS Query for Anonfiles.com Domain - Sysmon
id: 065cceea-77ec-4030-9052-fc0affea7110
related:
- id: 29f171d7-aa47-42c7-9c7b-3c87938164d9
type: similar
status: experimental
description: Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
description: Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes
references:
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
author: pH-T
date: 2022/07/15
modified: 2023/01/16
tags:
- attack.exfiltration
- attack.t1567.002
@@ -14,8 +18,8 @@ logsource:
category: dns_query
detection:
selection:
QueryName|contains: .anonfiles.com
QueryName|contains: '.anonfiles.com'
condition: selection
falsepositives:
- Legitimate access to anonfiles.com
- Rare legitimate access to anonfiles.com
level: high
@@ -6,7 +6,7 @@ references:
- https://twitter.com/Cyb3rWard0g/status/1381642789369286662
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2021/04/12
modified: 2022/10/09
modified: 2023/01/16
tags:
- attack.persistence
- attack.t1554
@@ -15,8 +15,8 @@ logsource:
category: dns_query
detection:
selection:
QueryName|contains: servicebus.windows.net
Image|contains: HybridConnectionManager
QueryName|contains: 'servicebus.windows.net'
Image|contains: 'HybridConnectionManager'
condition: selection
falsepositives:
- Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service
@@ -1,5 +1,8 @@
title: Suspicious Cobalt Strike DNS Beaconing
title: Suspicious Cobalt Strike DNS Beaconing - Sysmon
id: f356a9c4-effd-4608-bbf8-408afd5cd006
related:
- id: 0d18728b-f5bf-4381-9dcf-915539fff6c2
type: similar
status: test
description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
references:
@@ -7,7 +10,7 @@ references:
- https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
author: Florian Roth
date: 2021/11/09
modified: 2022/12/25
modified: 2023/01/16
tags:
- attack.command_and_control
- attack.t1071.004
@@ -1,12 +1,15 @@
title: DNS Query for MEGA.io Upload Domain
title: DNS Query for MEGA.io Upload Domain - Sysmon
id: 613c03ba-0779-4a53-8a1f-47f914a4ded3
related:
- id: 66474410-b883-415f-9f8d-75345a0a66a6
type: similar
status: test
description: Detects DNS queries for subdomains used for upload to MEGA.io
references:
- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
author: Aaron Greetham (@beardofbinary) - NCC Group
date: 2021/05/26
modified: 2022/10/09
modified: 2023/01/16
tags:
- attack.exfiltration
- attack.t1567.002
@@ -15,8 +18,8 @@ logsource:
category: dns_query
detection:
selection:
QueryName|contains: userstorage.mega.co.nz
QueryName|contains: 'userstorage.mega.co.nz'
condition: selection
falsepositives:
- Legitimate Mega upload
- Legitimate DNS queries and usage of Mega
level: high
@@ -1,11 +1,15 @@
title: Query Tor Onion Address
title: DNS Query Tor Onion Address - Sysmon
id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544
related:
- id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2
type: similar
status: experimental
description: Detects DNS resolution of an .onion address related to Tor routing networks
description: Detects DNS queries to an ".onion" address related to Tor routing networks
references:
- https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
author: frack113
date: 2022/02/20
modified: 2023/01/16
tags:
- attack.command_and_control
- attack.t1090.003
@@ -1,11 +1,15 @@
title: DNS Query for Ufile.io Upload Domain
title: DNS Query for Ufile.io Upload Domain - Sysmon
id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b
related:
- id: 090ffaad-c01a-4879-850c-6d57da98452d
type: similar
status: experimental
description: Detects DNS queries for subdomains used for upload to ufile.io
description: Detects DNS queries to "ufile.io". Which is often abused by malware for upload and exfiltration
references:
- https://thedfirreport.com/2021/12/13/diavol-ransomware/
author: yatinwad and TheDFIRReport
date: 2022/06/23
modified: 2023/01/16
tags:
- attack.exfiltration
- attack.t1567.002
@@ -14,8 +18,8 @@ logsource:
category: dns_query
detection:
selection:
QueryName|contains: ufile.io
QueryName|contains: 'ufile.io'
condition: selection
falsepositives:
- Legitimate Ufile upload
- Legitimate DNS queries and usage of Ufile
level: high
@@ -21,9 +21,10 @@ references:
- https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
- https://github.com/HarmJ0y/DAMP
- https://github.com/samratashok/nishang
- https://github.com/DarkCoderSc/PowerRunAsSystem/
author: Markus Neis, Nasreddine Bencherchali, Mustafa Kaan Demir, Georg Lauenstein
date: 2018/04/07
modified: 2023/01/09
modified: 2023/01/16
tags:
- attack.execution
- attack.t1059.001
@@ -268,6 +269,7 @@ detection:
- '\Parse_Keys.ps1'
- '\Port-Scan.ps1'
- '\PowerBreach.ps1'
- '\PowerRunAsSystem.psm1'
- '\PowerSharpPack.ps1'
- '\PowerUp.ps1'
- '\PowerUpSQL.ps1'
@@ -39,8 +39,10 @@ detection:
- 'C:\Windows\system32\efsui.exe'
- 'C:\Windows\system32\dsac.exe'
filter_citrix:
# Example:
# TargetFilename=C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\SchCache\REDACTED.com.sch
Image|endswith: ':\Program Files\Citrix\Receiver StoreFront\Services\DefaultDomainServices\Citrix.DeliveryServices.DomainServices.ServiceHost.exe'
condition: selection and not 1 of filter*
condition: selection and not 1 of filter_*
falsepositives:
- Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.
level: high
@@ -9,7 +9,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: frack113
date: 2021/06/07
modified: 2022/08/05
modified: 2023/01/12
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -18,9 +18,9 @@ logsource:
category: ps_classic_provider_start
definition: fields have to be extract from event
detection:
tamper_ps_action:
selection_tamper_ps_action:
HostApplication|contains: 'Set-MpPreference'
tamper_ps_option:
selection_tamper_ps_option:
HostApplication|contains:
- 'DisableRealtimeMonitoring 1'
- 'DisableBehaviorMonitoring 1'
@@ -42,7 +42,7 @@ detection:
- 'DisableRemovableDriveScanning $true'
- 'DisableScanningMappedNetworkDrivesForFullScan $true'
- 'DisableScanningNetworkFiles $true'
tamper_default_actions_allow:
selection_tamper_other_default_actions_allow:
HostApplication|contains|all:
- 'Set-MpPreference'
- Allow
@@ -50,7 +50,13 @@ detection:
- LowThreatDefaultAction
- ModerateThreatDefaultAction
- HighThreatDefaultAction
condition: all of tamper_ps_* or tamper_default_actions_allow
selection_tamper_other_alias:
HostApplication|contains:
- 'ltdefac '
- 'mtdefac '
- 'htdefac '
- 'stdefac '
condition: all of selection_tamper_ps_* or 1 of selection_tamper_other_*
falsepositives:
- Unknown
level: high
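Review bot: `selection_tamper_other_alias` (the `'ltdefac '` through `'stdefac '` lines) fires on the parameter aliases alone, whereas `selection_tamper_other_default_actions_allow` requires both `Set-MpPreference` and `Allow`; with `1 of selection_tamper_other_*` a hardening command that sets those default actions to a blocking value would alert as well, if I read the aliases as the short forms of the `*ThreatDefaultAction` parameters. Consider pairing the alias selection with the `Allow` requirement, e.g. `selection_tamper_other_alias_value:` / `HostApplication|contains: ' Allow'` and a condition of `all of selection_tamper_ps_* or selection_tamper_other_default_actions_allow or all of selection_tamper_other_alias*`, or add a comment stating why any value is treated as tampering. The ps_script sibling (`selection_other_use_of_alias` with `... or 1 of selection_other_*`) has the same shape.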
@@ -0,0 +1,36 @@
title: Potential Data Exfiltration Via Audio File
id: e4f93c99-396f-47c8-bb0f-201b1fa69034
status: experimental
description: Detects potential exfiltration attempt via audio file using PowerShell
references:
- https://github.com/gtworek/PSBits/blob/e97cbbb173b31cbc4d37244d3412de0a114dacfb/NoDLP/bin2wav.ps1
author: Nasreddine Bencherchali
date: 2023/01/16
tags:
- attack.exfiltration
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_main:
ScriptBlockText|contains|all:
- '[System.Math]::'
- '[IO.FileMode]::'
- 'BinaryWriter'
selection_header_wav:
ScriptBlockText|contains|all:
# Byte chunks from the WAV header used in the example POC
# You can extend this for different audio formats by adding different selections
- '0x52'
- '0x49'
- '0x46'
- '0x57'
- '0x41'
- '0x56'
- '0x45'
- '0xAC'
condition: selection_main and 1 of selection_header_*
falsepositives:
- Unknown
level: medium
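Review bot: `selection_header_wav` matches only the hex-literal spelling used by the referenced POC (`'0x52'`, `'0x49'`, ... `'0xAC'`), so a script that writes the same RIFF/WAVE header from ASCII strings or decimal values would miss it while still satisfying `selection_main`. The comment already invites more selections; a sibling such as `selection_header_wav_ascii:` with `ScriptBlockText|contains|all:` of `'RIFF'` and `'WAVE'` would cover that variant without changing the `1 of selection_header_*` condition. A comment on `'0xAC'` would also help, since it is not one of the RIFF/WAVE marker bytes (presumably part of the sample-rate field in the POC — please confirm).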
@@ -3,6 +3,8 @@ id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
related:
- id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
type: similar
- id: 02030f2f-6199-49ec-b258-ea71b07e03dc
type: similar
- id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
type: obsoletes
- id: 83083ac6-1816-4e76-97d7-59af9a9ae46e
@@ -23,9 +25,10 @@ references:
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
- https://github.com/HarmJ0y/DAMP
- https://github.com/samratashok/nishang
- https://github.com/DarkCoderSc/PowerRunAsSystem/
author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer
date: 2017/03/05
modified: 2023/01/05
modified: 2023/01/16
tags:
- attack.execution
- attack.discovery
@@ -121,6 +124,9 @@ detection:
- 'Invoke-Gopher'
- 'Invoke-Grouper' # Also Covers Invoke-GrouperX
- 'Invoke-HandleKatz'
- 'Invoke-ImpersonatedProcess'
- 'Invoke-ImpersonateSystem'
- 'Invoke-InteractiveSystemPowerShell'
- 'Invoke-Internalmonologue'
- 'Invoke-Inveigh'
- 'Invoke-InveighRelay'
@@ -204,6 +210,7 @@ detection:
- 'Invoke-SSHCommand'
- 'Invoke-StandIn'
- 'Invoke-StickyNotesExtract'
- 'Invoke-SystemCommand'
- 'Invoke-Tater'
- 'Invoke-Thunderfox'
- 'Invoke-ThunderStruck'
@@ -11,7 +11,7 @@ references:
- https://bidouillesecurity.com/disable-windows-defender-in-powershell/
author: frack113, elhoim, Tim Shelton (fps, alias support)
date: 2022/01/16
modified: 2023/01/06
modified: 2023/01/12
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -44,7 +44,7 @@ detection:
- 'DisableRemovableDriveScanning $true'
- 'DisableScanningMappedNetworkDrivesForFullScan $true'
- 'DisableScanningNetworkFiles $true'
selection_default_actions_allow:
selection_other_default_actions_allow:
ScriptBlockText|contains|all:
- 'Set-MpPreference'
- Allow
@@ -52,13 +52,13 @@ detection:
- LowThreatDefaultAction
- ModerateThreatDefaultAction
- HighThreatDefaultAction
selection_use_of_alias:
selection_other_use_of_alias:
ScriptBlockText|contains:
- 'ltdefac '
- 'mtdefac '
- 'htdefac '
- 'stdefac '
condition: all of selection_options_disabling* or selection_default_actions_allow or selection_use_of_alias
condition: all of selection_options_disabling* or 1 of selection_other_*
falsepositives:
- Legitimate PowerShell scripts
level: high
@@ -7,7 +7,7 @@ references:
- https://twitter.com/nas_bench/status/1535431474429808642
author: 'oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali'
date: 2020/10/05
modified: 2022/06/11
modified: 2023/01/16
tags:
- attack.execution
- attack.defense_evasion
@@ -36,7 +36,7 @@ detection:
CommandLine|contains|all:
- ' -d '
- ' -e kill '
condition: all of selection* and not 1 of filter_*
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Automation and orchestration scripts may use this method execute scripts etc
- Legitimate use by Windows to kill processes opened via WSL (example VsCode WSL server)
@@ -19,9 +19,10 @@ references:
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
- https://github.com/HarmJ0y/DAMP
- https://github.com/samratashok/nishang
- https://github.com/DarkCoderSc/PowerRunAsSystem/
author: Nasreddine Bencherchali
date: 2023/01/02
modified: 2023/01/05
modified: 2023/01/16
tags:
- attack.execution
- attack.discovery
@@ -116,6 +117,9 @@ detection:
- 'Invoke-Gopher'
- 'Invoke-Grouper' # Also Covers Invoke-GrouperX
- 'Invoke-HandleKatz'
- 'Invoke-ImpersonatedProcess'
- 'Invoke-ImpersonateSystem'
- 'Invoke-InteractiveSystemPowerShell'
- 'Invoke-Internalmonologue'
- 'Invoke-Inveigh'
- 'Invoke-InveighRelay'
@@ -199,6 +203,7 @@ detection:
- 'Invoke-SSHCommand'
- 'Invoke-StandIn'
- 'Invoke-StickyNotesExtract'
- 'Invoke-SystemCommand'
- 'Invoke-Tater'
- 'Invoke-Thunderfox'
- 'Invoke-ThunderStruck'
@@ -10,7 +10,7 @@ references:
- https://twitter.com/_st0pp3r_/status/1583914244344799235
author: frack113
date: 2022/01/16
modified: 2022/10/28
modified: 2023/01/16
tags:
- attack.defense_evasion
- attack.t1218.007
@@ -43,6 +43,9 @@ detection:
ParentImage|contains: '\AppData\Local\Temp\'
filter_system_temp:
ParentImage|startswith: 'C:\Windows\Temp\'
filter_ccm:
ParentImage: 'C:\Windows\CCM\Ccm32BitLauncher.exe'
IntegrityLevel: 'System'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Legitimate script
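Review bot: `filter_ccm` hard-codes the system drive in `ParentImage: 'C:\Windows\CCM\Ccm32BitLauncher.exe'`, whereas the Citrix filter elsewhere in this PR anchors on `':\Program Files\...'` with `|endswith`; `ParentImage|endswith: ':\Windows\CCM\Ccm32BitLauncher.exe'` keeps the filter effective on hosts with a non-default system drive. The neighbouring `filter_system_temp` has the same `C:\` anchor, though that line is pre-existing. The enclosing `detection` block continues outside the hunk.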
@@ -1,14 +1,15 @@
title: Suspicious Use of PsLogList
id: aae1243f-d8af-40d8-ab20-33fc6d0c55bc
status: experimental
description: Threat actors can use the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery.
description: Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs
references:
- https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/
- https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos
- https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList
author: Nasreddine Bencherchali @nas_bench
- https://twitter.com/EricaZelic/status/1614075109827874817
author: Nasreddine Bencherchali
date: 2021/12/18
modified: 2022/06/16
modified: 2023/01/16
tags:
- attack.discovery
- attack.t1087
@@ -23,10 +24,12 @@ detection:
- Image|endswith:
- '\psloglist.exe'
- '\psloglist64.exe'
selection_flgs:
CommandLine|contains|all:
- 'security'
- 'accepteula'
selection_cli_eventlog:
CommandLine|contains:
- ' security'
- ' application'
- ' system'
selection_cli_flags:
CommandLine|contains:
- ' -d'
- ' /d'
@@ -34,7 +37,11 @@ detection:
- ' /x'
- ' -s'
- ' /s'
condition: 1 of selection*
- ' -c' # Clear event log after displaying
- ' /c'
- ' -g' # Export an event log as an evt file.
- ' /g'
condition: all of selection_*
falsepositives:
- Another tool that uses the command line switches of PsLogList
- Legitimate use of PsLogList by an administrator
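Review bot: The new description ends with `... perform account discovery or delete events logs`; `event logs` is intended. With `all of selection_*`, an invocation that names a log but passes none of the listed switches no longer alerts, which is a deliberate narrowing compared with the old `1 of selection*`; a one-line comment above the condition stating that trade-off (switch required to cut false positives) would save the next reader from re-deriving it. The `selection` at the top of the hunk begins outside the visible lines.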
@@ -6,7 +6,7 @@ related:
- id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d
type: similar
status: experimental
description: Detects when adversaries stop services or processes by deleting their respective schdueled tasks in order to conduct data destructive activities
description: Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
references:
- Internal Research
author: Nasreddine Bencherchali
@@ -1,7 +1,7 @@
title: Disable Important Scheduled Task
id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980
status: experimental
description: Detects when adversaries stop services or processes by disabling their respective schdueled tasks in order to conduct data destructive activities
description: Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task
- https://twitter.com/MichalKoczwara/status/1553634816016498688
+118 -115
@@ -1,76 +1,76 @@
{
"title": "Field name by logsource",
"version": "20221231",
"version": "20230113",
"legit":{
"windows":{
"commun": ["EventID","Provider_Name"],
"commun": ["EventID", "Provider_Name"],
"empty": [],
"category":{
"process_creation": ["CommandLine","Company","CurrentDirectory","Description","FileVersion",
"Hashes","Image","IntegrityLevel","LogonGuid","LogonId","OriginalFileName",
"ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId",
"ParentUser","ProcessGuid","ProcessId","Product","TerminalSessionId","User"],
"file_change": ["CreationUtcTime","Image","PreviousCreationUtcTime","ProcessGuid","ProcessId","TargetFilename","User"],
"network_connection": ["DestinationHostname","DestinationIp","DestinationIsIpv6","DestinationPort",
"DestinationPortName","Image","Initiated","ProcessGuid","ProcessId","Protocol","SourceHostname",
"SourceIp","SourceIsIpv6","SourcePort","SourcePortName","User"],
"sysmon_status": ["Configuration","ConfigurationFileHash","SchemaVersion","State","Version"],
"process_termination":["Image","ProcessGuid","ProcessId","User"],
"driver_load":["Hashes","ImageLoaded","Signature","SignatureStatus","Signed"],
"image_load":["Company","Description","FileVersion","Hashes","Image","ImageLoaded","OriginalFileName","ProcessGuid",
"ProcessId","Product","Signature","SignatureStatus","Signed","User"],
"create_remote_thread":["NewThreadId","SourceImage","SourceProcessGuid","SourceProcessId","SourceUser","StartAddress",
"StartFunction","StartModule","TargetImage","TargetProcessGuid","TargetProcessId","TargetUser"],
"raw_access_thread":["Device","Image","ProcessGuid","ProcessId","User"],
"process_access":["CallTrace","GrantedAccess","SourceImage","SourceProcessGUID","SourceProcessId","SourceThreadId",
"SourceUser","TargetImage","TargetProcessGUID","TargetProcessId","TargetUser"],
"raw_access_read":["CreationUtcTime","Image","ProcessGuid","ProcessId","TargetFilename","User"],
"file_event":["ProcessGuid","ProcessId","Image","TargetFilename","CreationUtcTime","User"],
"registry_add":["EventType","ProcessGuid","ProcessId","Image","TargetObject","User"],
"registry_delete":["Details","EventType","Image","ProcessGuid","ProcessId","TargetObject"],
"registry_set":["Details","EventType","Image","ProcessGuid","ProcessId","TargetObject","User"],
"registry_rename":["EventType","Image","NewName","ProcessGuid","ProcessId","TargetObject","User"],
"registry_event":["Details","EventType","Image","NewName","ProcessGuid","ProcessId","TargetObject","User"],
"create_stream_hash":["Contents","CreationUtcTime","Hash","Image","ProcessGuid","ProcessId","TargetFilename","User"],
"pipe_created":["EventType","Image","PipeName","ProcessGuid","ProcessId","User"],
"wmi_event":["Consumer","Destination","EventNamespace","EventType","Filter","Name","Operation","Query","Type","User"],
"dns_query":["Image","ProcessGuid","ProcessId","QueryName","QueryResults","QueryStatus","User"],
"file_delete":["Archived","Hashes","Image","IsExecutable","ProcessGuid","ProcessId","TargetFilename","User"],
"clipboard_capture":["Archived","ClientInfo","Hashes","Image","ProcessGuid","ProcessId","Session","User"],
"process_tampering":["Image","ProcessGuid","ProcessId","Type","User"],
"file_block":["Hashes","Image","ProcessGuid","ProcessId","TargetFilename","User"],
"ps_module":["ContextInfo","UserData","Payload"],
"ps_script":["MessageNumber","MessageTotal","ScriptBlockText","ScriptBlockId","Path"],
"file_access":["Irp","FileObject","IssuingThreadId","CreateOptions","CreateAttributes","ShareAccess","FileName"],
"file_rename":["Irp","FileObject","FileKey","ExtraInformation","IssuingThreadId","InfoClass","FilePath"],
"process_creation": ["CommandLine", "Company", "CurrentDirectory", "Description", "FileVersion",
"Hashes", "Image", "IntegrityLevel", "LogonGuid", "LogonId", "OriginalFileName",
"ParentCommandLine", "ParentImage", "ParentProcessGuid", "ParentProcessId",
"ParentUser", "ProcessGuid", "ProcessId", "Product", "TerminalSessionId", "User"],
"file_change": ["CreationUtcTime", "Image", "PreviousCreationUtcTime", "ProcessGuid", "ProcessId", "TargetFilename", "User"],
"network_connection": ["DestinationHostname", "DestinationIp", "DestinationIsIpv6", "DestinationPort",
"DestinationPortName", "Image", "Initiated", "ProcessGuid", "ProcessId", "Protocol", "SourceHostname",
"SourceIp", "SourceIsIpv6", "SourcePort", "SourcePortName", "User"],
"sysmon_status": ["Configuration", "ConfigurationFileHash", "SchemaVersion", "State", "Version"],
"process_termination":["Image", "ProcessGuid", "ProcessId", "User"],
"driver_load":["Hashes", "ImageLoaded", "Signature", "SignatureStatus", "Signed"],
"image_load":["Company", "Description", "FileVersion", "Hashes", "Image", "ImageLoaded", "OriginalFileName", "ProcessGuid",
"ProcessId", "Product", "Signature", "SignatureStatus", "Signed", "User"],
"create_remote_thread":["NewThreadId", "SourceImage", "SourceProcessGuid", "SourceProcessId", "SourceUser", "StartAddress",
"StartFunction", "StartModule", "TargetImage", "TargetProcessGuid", "TargetProcessId", "TargetUser"],
"raw_access_thread":["Device", "Image", "ProcessGuid", "ProcessId", "User"],
"process_access":["CallTrace", "GrantedAccess", "SourceImage", "SourceProcessGUID", "SourceProcessId", "SourceThreadId",
"SourceUser", "TargetImage", "TargetProcessGUID", "TargetProcessId", "TargetUser"],
"raw_access_read":["CreationUtcTime", "Image", "ProcessGuid", "ProcessId", "TargetFilename", "User"],
"file_event":["ProcessGuid", "ProcessId", "Image", "TargetFilename", "CreationUtcTime", "User"],
"registry_add":["EventType", "ProcessGuid", "ProcessId", "Image", "TargetObject", "User"],
"registry_delete":["Details", "EventType", "Image", "ProcessGuid", "ProcessId", "TargetObject"],
"registry_set":["Details", "EventType", "Image", "ProcessGuid", "ProcessId", "TargetObject", "User"],
"registry_rename":["EventType", "Image", "NewName", "ProcessGuid", "ProcessId", "TargetObject", "User"],
"registry_event":["Details", "EventType", "Image", "NewName", "ProcessGuid", "ProcessId", "TargetObject", "User"],
"create_stream_hash":["Contents", "CreationUtcTime", "Hash", "Image", "ProcessGuid", "ProcessId", "TargetFilename", "User"],
"pipe_created":["EventType", "Image", "PipeName", "ProcessGuid", "ProcessId", "User"],
"wmi_event":["Consumer", "Destination", "EventNamespace", "EventType", "Filter", "Name", "Operation", "Query", "Type", "User"],
"dns_query":["Image", "ProcessGuid", "ProcessId", "QueryName", "QueryResults", "QueryStatus", "User"],
"file_delete":["Archived", "Hashes", "Image", "IsExecutable", "ProcessGuid", "ProcessId", "TargetFilename", "User"],
"clipboard_capture":["Archived", "ClientInfo", "Hashes", "Image", "ProcessGuid", "ProcessId", "Session", "User"],
"process_tampering":["Image", "ProcessGuid", "ProcessId", "Type", "User"],
"file_block":["Hashes", "Image", "ProcessGuid", "ProcessId", "TargetFilename", "User"],
"ps_module":["ContextInfo", "UserData", "Payload"],
"ps_script":["MessageNumber", "MessageTotal", "ScriptBlockText", "ScriptBlockId", "Path"],
"file_access":["Irp", "FileObject", "IssuingThreadId", "CreateOptions", "CreateAttributes", "ShareAccess", "FileName"],
"file_rename":["Irp", "FileObject", "FileKey", "ExtraInformation", "IssuingThreadId", "InfoClass", "FilePath"],
"ps_classic_start":[],
"ps_classic_provider_start":[],
"sysmon_error":[]
},
"service":{
"bitlocker": ["VolumeName", "VolumeMountPoint", "ProtectorGUID", "ProtectorType"],
"bits-client":["RemoteName","LocalName","processPath","processId"],
"codeintegrity-operational":["FileNameLength","FileNameBuffer","ProcessNameLength","ProcessNameBuffer",
"RequestedPolicy","ValidatedPolicy","Status"],
"diagnosis-scripted": ["PackagePath","PackageId"],
"firewall-as":["Action","ApplicationPath","ModifyingApplication"],
"ldap_debug":["ScopeOfSearch","SearchFilter","DistinguishedName","AttributeList","ProcessId"],
"ntlm":["CallerPID","ClientDomainName","ClientLUID","ClientUserName","DomainName","MechanismOID",
"ProcessName","SChannelName","SChannelType","TargetName","UserName","WorkstationName"],
"openssh":["process","payload"],
"security-mitigations":["ProcessPathLength","ProcessPath","ProcessCommandLineLength","ProcessCommandLine",
"ProcessId","ProcessCreateTime","ProcessStartKey","ProcessSignatureLevel",
"ProcessSectionSignatureLevel","ProcessProtection","TargetThreadId","TargetThreadCreateTime",
"RequiredSignatureLevel","SignatureLevel","ImageNameLength","ImageName"],
"shell-core":["Name","AppID","Flags"],
"smbclient-security":["Reason","Status","ShareNameLength","ShareName","ObjectNameLength","ObjectName",
"UserNameLength","UserName","ServerNameLength","ServerName"],
"taskscheduler":["TaskName","UserContext","Path","ProcessID","Priority","UserName"],
"terminalservices-localsessionmanager":["User","SessionID","Address"],
"iis":["date","time","c-ip","cs-username","s-sitename","s-computername","s-ip","cs-method",
"cs-uri-stem","cs-uri-query","s-port","cs-method","sc-status","sc-win32-status",
"sc-bytes","cs-bytes","time-taken","cs-version","cs-host","cs-user-agent",
"cs-referer","cs-cookie"],
"bits-client":["RemoteName", "LocalName", "processPath", "processId"],
"codeintegrity-operational":["FileNameLength", "FileNameBuffer", "ProcessNameLength", "ProcessNameBuffer",
"RequestedPolicy", "ValidatedPolicy", "Status"],
"diagnosis-scripted": ["PackagePath", "PackageId"],
"firewall-as":["Action", "ApplicationPath", "ModifyingApplication"],
"ldap_debug":["ScopeOfSearch", "SearchFilter", "DistinguishedName", "AttributeList", "ProcessId"],
"ntlm":["CallerPID", "ClientDomainName", "ClientLUID", "ClientUserName", "DomainName", "MechanismOID",
"ProcessName", "SChannelName", "SChannelType", "TargetName", "UserName", "WorkstationName"],
"openssh":["process", "payload"],
"security-mitigations":["ProcessPathLength", "ProcessPath", "ProcessCommandLineLength", "ProcessCommandLine",
"ProcessId", "ProcessCreateTime", "ProcessStartKey", "ProcessSignatureLevel",
"ProcessSectionSignatureLevel", "ProcessProtection", "TargetThreadId", "TargetThreadCreateTime",
"RequiredSignatureLevel", "SignatureLevel", "ImageNameLength", "ImageName"],
"shell-core":["Name", "AppID", "Flags"],
"smbclient-security":["Reason", "Status", "ShareNameLength", "ShareName", "ObjectNameLength", "ObjectName",
"UserNameLength", "UserName", "ServerNameLength", "ServerName"],
"taskscheduler":["TaskName", "UserContext", "Path", "ProcessID", "Priority", "UserName"],
"terminalservices-localsessionmanager":["User", "SessionID", "Address"],
"iis":["date", "time", "c-ip", "cs-username", "s-sitename", "s-computername", "s-ip", "cs-method",
"cs-uri-stem", "cs-uri-query", "s-port", "cs-method", "sc-status", "sc-win32-status",
"sc-bytes", "cs-bytes", "time-taken", "cs-version", "cs-host", "cs-user-agent",
"cs-referer", "cs-cookie"],
"application":[],
"sysmon":[],
"powershell":[],
@@ -89,44 +89,47 @@
"applocker":[],
"vhdmp":[],
"appxdeployment-server":["Path", "AppId", "FilePath", "ErrorCode", "DeploymentOperation", "PackageFullName", "PackageSourceUri", "PackageDisplayName", "CallingProcess"],
"lsa-server":["TargetUserSid", "TargetUserName", "TargetDomainName", "TargetLogonId", "TargetLogonGuid", "EventOrginal", "EventCountTotal", "SidList"]
"appxpackaging-om":["subjectName"],
"lsa-server":["TargetUserSid", "TargetUserName", "TargetDomainName", "TargetLogonId", "TargetLogonGuid", "EventOrginal", "EventCountTotal", "SidList"],
"dns-client":["QueryName", "QueryType", "QueryOptions", "QueryStatus", "QueryResults", "NetworkIndex", "InterfaceIndex", "Status", "ClientPID", "QueryBlob", "DnsServerIpAddress", "ResponseStatus", "SendBlob", "SendBlobContext", "AddressLength", "Address"],
"appmodel-runtime":["ProcessID", "PackageName", "ImageName", "ApplicationName", "Message"]
}
},
"linux":{
"commun": [],
"empty": [],
"category":{
"process_creation": ["ProcessGuid","ProcessId","Image","FileVersion","Description","Product","Company","OriginalFileName",
"CommandLine","CurrentDirectory","User","LogonGuid","LogonId","TerminalSessionId","IntegrityLevel","Hashes",
"ParentProcessGuid","ParentProcessId","ParentImage","ParentCommandLine","ParentUser"],
"network_connection": ["ProcessGuid","ProcessId","Image","User","Protocol","Initiated","SourceIsIpv6","SourceIp","SourceHostname",
"SourcePort","SourcePortName","DestinationIsIpv6","DestinationIp","DestinationHostname","DestinationPort",
"process_creation": ["ProcessGuid", "ProcessId", "Image", "FileVersion", "Description", "Product", "Company", "OriginalFileName",
"CommandLine", "CurrentDirectory", "User", "LogonGuid", "LogonId", "TerminalSessionId", "IntegrityLevel", "Hashes",
"ParentProcessGuid", "ParentProcessId", "ParentImage", "ParentCommandLine", "ParentUser"],
"network_connection": ["ProcessGuid", "ProcessId", "Image", "User", "Protocol", "Initiated", "SourceIsIpv6", "SourceIp", "SourceHostname",
"SourcePort", "SourcePortName", "DestinationIsIpv6", "DestinationIp", "DestinationHostname", "DestinationPort",
"DestinationPortName"],
"process_termination": ["ProcessGuid","ProcessId","Image","User"],
"raw_access_read": ["ProcessGuid","ProcessId","Image","Device","User"],
"file_event": ["ProcessGuid","ProcessId","Image","TargetFilename","CreationUtcTime","User"],
"sysmon_status": ["Configuration","ConfigurationFileHash"],
"file_delete": ["ProcessGuid","ProcessId","User","Image","TargetFilename","Hashes","IsExecutable","Archived"]
"process_termination": ["ProcessGuid", "ProcessId", "Image", "User"],
"raw_access_read": ["ProcessGuid", "ProcessId", "Image", "Device", "User"],
"file_event": ["ProcessGuid", "ProcessId", "Image", "TargetFilename", "CreationUtcTime", "User"],
"sysmon_status": ["Configuration", "ConfigurationFileHash"],
"file_delete": ["ProcessGuid", "ProcessId", "User", "Image", "TargetFilename", "Hashes", "IsExecutable", "Archived"]
},
"service":{
"auditd": ["a0","a1","a2","a3","a4","a5","a6","a7","a8","a9",
"acct","acl","action","added","addr","apparmor","arch","argc","audit_backlog_limit","audit_backlog_wait_time",
"audit_enabled","audit_failure","auid","banners","bool","bus","cap_fe,cap_fi","cap_fp","cap_fver","cap_pa","cap_pe","cap_pi",
"cap_pp","capability","category","cgroup","changed","cipher","class","cmd","code","comm","compat","cwd","daddr","data",
"default-context","dev","dev","device","dir","direction","dmac","dport","egid","enforcing","entries","errno","euid","exe",
"exit","fam","family","fd","fe","feature","fi","file","flags","format","fp","fsgid","fsuid","fver","gid","grantors","grp",
"hook","hostname","icmp_type","id","igid","img-ctx","inif","ino","inode","inode_gid","inode_uid","invalid_context","ioctlcmd",
"ip","ipid","ipx-net","item","items","iuid","kernel","key","kind","ksize","laddr","len","list","lport","mac","macproto","maj",
"major","minor","mode","model","msg","name","nametype","nargs","net","new","new_gid","new_lock","new_pe","new_pi","new_pp",
"new-chardev","new-disk","new-enabled","new-fs","new-level","new-log_passwd","new-mem","new-net","new-range","new-rng","new-role",
"new-seuser","new-vcpu","nlnk-fam","nlnk-grp","nlnk-pid","oauid","obj","obj_gid","obj_uid","ocomm","oflag","ogid","old","old_enforcing",
"old_lock","old_pa","old_pe","old_pi","old_pp","old_prom","old_val","old-auid","old-chardev","old-disk","old-enabled","old-fs",
"old-level","old-log_passwd","old-mem","old-net","old-range","old-rng","old-role","old-ses","old-seuser","old-vcpu","op","opid",
"oses","ouid","outif","pa","parent","path","pe","per","perm","perm_mask","permissive","pfs","pi","pid","pp","ppid","printer",
"proctitle","prom","proto","qbytes","range","rdev","reason","removed","res","resrc","result","role","rport","saddr","sauid",
"scontext","selected-context","seperm","seperms","seqno","seresult","ses","seuser","sgid","sig","sigev_signo","smac","spid",
"sport","state","subj","success","suid","syscall","table","tclass","tcontext","terminal","tty","type","uid","unit","uri","user",
"uuid","val","val","ver","virt","vm","vm-ctx","vm-pid","watch"],
"auditd": ["a0", "a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9",
"acct", "acl", "action", "added", "addr", "apparmor", "arch", "argc", "audit_backlog_limit", "audit_backlog_wait_time",
"audit_enabled", "audit_failure", "auid", "banners", "bool", "bus", "cap_fe,cap_fi", "cap_fp", "cap_fver", "cap_pa", "cap_pe", "cap_pi",
"cap_pp", "capability", "category", "cgroup", "changed", "cipher", "class", "cmd", "code", "comm", "compat", "cwd", "daddr", "data",
"default-context", "dev", "dev", "device", "dir", "direction", "dmac", "dport", "egid", "enforcing", "entries", "errno", "euid", "exe",
"exit", "fam", "family", "fd", "fe", "feature", "fi", "file", "flags", "format", "fp", "fsgid", "fsuid", "fver", "gid", "grantors", "grp",
"hook", "hostname", "icmp_type", "id", "igid", "img-ctx", "inif", "ino", "inode", "inode_gid", "inode_uid", "invalid_context", "ioctlcmd",
"ip", "ipid", "ipx-net", "item", "items", "iuid", "kernel", "key", "kind", "ksize", "laddr", "len", "list", "lport", "mac", "macproto", "maj",
"major", "minor", "mode", "model", "msg", "name", "nametype", "nargs", "net", "new", "new_gid", "new_lock", "new_pe", "new_pi", "new_pp",
"new-chardev", "new-disk", "new-enabled", "new-fs", "new-level", "new-log_passwd", "new-mem", "new-net", "new-range", "new-rng", "new-role",
"new-seuser", "new-vcpu", "nlnk-fam", "nlnk-grp", "nlnk-pid", "oauid", "obj", "obj_gid", "obj_uid", "ocomm", "oflag", "ogid", "old", "old_enforcing",
"old_lock", "old_pa", "old_pe", "old_pi", "old_pp", "old_prom", "old_val", "old-auid", "old-chardev", "old-disk", "old-enabled", "old-fs",
"old-level", "old-log_passwd", "old-mem", "old-net", "old-range", "old-rng", "old-role", "old-ses", "old-seuser", "old-vcpu", "op", "opid",
"oses", "ouid", "outif", "pa", "parent", "path", "pe", "per", "perm", "perm_mask", "permissive", "pfs", "pi", "pid", "pp", "ppid", "printer",
"proctitle", "prom", "proto", "qbytes", "range", "rdev", "reason", "removed", "res", "resrc", "result", "role", "rport", "saddr", "sauid",
"scontext", "selected-context", "seperm", "seperms", "seqno", "seresult", "ses", "seuser", "sgid", "sig", "sigev_signo", "smac", "spid",
"sport", "state", "subj", "success", "suid", "syscall", "table", "tclass", "tcontext", "terminal", "tty", "type", "uid", "unit", "uri", "user",
"uuid", "val", "val", "ver", "virt", "vm", "vm-ctx", "vm-pid", "watch"],
"vsftpd":[],
"sshd":[],
"syslog":[],
@@ -142,13 +145,13 @@
"commun": [],
"empty": ["not_found"],
"category":{
"proxy":["c-uri","c-uri-extension","c-uri-query","c-uri-stem","c-useragent","cs-bytes","cs-cookie",
"cs-host","cs-method","r-dns","cs-referrer","cs-version","sc-bytes","sc-status","src_ip","dst_ip",
"proxy":["c-uri", "c-uri-extension", "c-uri-query", "c-uri-stem", "c-useragent", "cs-bytes", "cs-cookie",
"cs-host", "cs-method", "r-dns", "cs-referrer", "cs-version", "sc-bytes", "sc-status", "src_ip", "dst_ip",
"cs-uri"],
"webserver":["date","time","c-ip","cs-username","s-sitename","s-computername","s-ip","cs-method",
"cs-uri-stem","cs-uri-query","s-port","cs-method","sc-status","sc-win32-status",
"sc-bytes","cs-bytes","time-taken","cs-version","cs-host","cs-user-agent",
"cs-referer","cs-cookie"],
"webserver":["date", "time", "c-ip", "cs-username", "s-sitename", "s-computername", "s-ip", "cs-method",
"cs-uri-stem", "cs-uri-query", "s-port", "cs-method", "sc-status", "sc-win32-status",
"sc-bytes", "cs-bytes", "time-taken", "cs-version", "cs-host", "cs-user-agent",
"cs-referer", "cs-cookie"],
"antivirus":[],
"database":[],
"dns":[],
@@ -330,17 +333,17 @@
"commun": [],
"empty": [],
"category":{
"process_creation": ["ProcessGuid","ProcessId","Image","FileVersion","Description","Product","Company","OriginalFileName",
"CommandLine","CurrentDirectory","User","LogonGuid","LogonId","TerminalSessionId","IntegrityLevel","Hashes",
"ParentProcessGuid","ParentProcessId","ParentImage","ParentCommandLine","ParentUser"],
"network_connection": ["ProcessGuid","ProcessId","Image","User","Protocol","Initiated","SourceIsIpv6","SourceIp","SourceHostname",
"SourcePort","SourcePortName","DestinationIsIpv6","DestinationIp","DestinationHostname","DestinationPort",
"process_creation": ["ProcessGuid", "ProcessId", "Image", "FileVersion", "Description", "Product", "Company", "OriginalFileName",
"CommandLine", "CurrentDirectory", "User", "LogonGuid", "LogonId", "TerminalSessionId", "IntegrityLevel", "Hashes",
"ParentProcessGuid", "ParentProcessId", "ParentImage", "ParentCommandLine", "ParentUser"],
"network_connection": ["ProcessGuid", "ProcessId", "Image", "User", "Protocol", "Initiated", "SourceIsIpv6", "SourceIp", "SourceHostname",
"SourcePort", "SourcePortName", "DestinationIsIpv6", "DestinationIp", "DestinationHostname", "DestinationPort",
"DestinationPortName"],
"process_termination": ["ProcessGuid","ProcessId","Image","User"],
"raw_access_read": ["ProcessGuid","ProcessId","Image","Device","User"],
"file_event": ["ProcessGuid","ProcessId","Image","TargetFilename","CreationUtcTime","User"],
"sysmon_status": ["Configuration","ConfigurationFileHash"],
"file_delete": ["ProcessGuid","ProcessId","User","Image","TargetFilename","Hashes","IsExecutable","Archived"]
"process_termination": ["ProcessGuid", "ProcessId", "Image", "User"],
"raw_access_read": ["ProcessGuid", "ProcessId", "Image", "Device", "User"],
"file_event": ["ProcessGuid", "ProcessId", "Image", "TargetFilename", "CreationUtcTime", "User"],
"sysmon_status": ["Configuration", "ConfigurationFileHash"],
"file_delete": ["ProcessGuid", "ProcessId", "User", "Image", "TargetFilename", "Hashes", "IsExecutable", "Archived"]
},
"service":{
}
@@ -350,16 +353,16 @@
"windows":{
"category":{
"process_creation": ["GrandparentCommandLine"],
"network_connection": ["CommandLine","ParentImage"],
"create_remote_thread": ["User","SourceCommandLine","SourceParentProcessId","SourceParentImage",
"SourceParentCommandLine","TargetCommandLine","TargetParentProcessId","TargetParentImage","TargetParentCommandLine",
"IsInitialThread","RemoteCreation"],
"file_delete": ["CommandLine","ParentImage","ParentCommandLine"],
"file_event": ["CommandLine","ParentImage","ParentCommandLine","MagicHeader"],
"network_connection": ["CommandLine", "ParentImage"],
"create_remote_thread": ["User", "SourceCommandLine", "SourceParentProcessId", "SourceParentImage",
"SourceParentCommandLine", "TargetCommandLine", "TargetParentProcessId", "TargetParentImage", "TargetParentCommandLine",
"IsInitialThread", "RemoteCreation"],
"file_delete": ["CommandLine", "ParentImage", "ParentCommandLine"],
"file_event": ["CommandLine", "ParentImage", "ParentCommandLine", "MagicHeader"],
"image_load": ["CommandLine"],
"process_access": ["SourceCommandLine","CallTraceExtended"],
"file_access":["Image","CommandLine","ParentImage","ParentCommandLine","User","TargetFilename"],
"file_rename":["Image","CommandLine","ParentImage","ParentCommandLine","User","OriginalFileName","SourceFilename","TargetFilename","MagicHeader"]
"process_access": ["SourceCommandLine", "CallTraceExtended"],
"file_access":["Image", "CommandLine", "ParentImage", "ParentCommandLine", "User", "TargetFilename"],
"file_rename":["Image", "CommandLine", "ParentImage", "ParentCommandLine", "User", "OriginalFileName", "SourceFilename", "TargetFilename", "MagicHeader"]
},
"service":{}
}
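Review bot: The linux `auditd` service list on the new side still carries `"cap_fe,cap_fi"` as one string, so neither `cap_fe` nor `cap_fi` is registered as a known field name; since the reformat already touches that line, split it into `"cap_fe", "cap_fi"`. The same list also repeats `"dev", "dev"` and `"val", "val"`, and the `iis` and `webserver` lists each contain `"cs-method"` twice; these duplicates are presumably harmless for a membership check but should be deduplicated while the file is being normalised. All of these pre-date this commit and are not introduced by it.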
+144 -129
@@ -1,132 +1,147 @@
title: ELK Windows Indices and Mappings
logsources:
windows:
product: windows
index: logstash-windows-*
windows-application:
product: windows
service: application
conditions:
EventLog: Application
windows-security:
product: windows
service: security
conditions:
EventLog: Security
windows-sysmon:
product: windows
service: sysmon
conditions:
EventLog: Microsoft-Windows-Sysmon
windows-dns-server:
product: windows
service: dns-server
conditions:
EventLog: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
EventLog: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
EventLog: 'Microsoft-Windows-NTLM/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
EventLog:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
EventLog: 'MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
EventLog: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
EventLog: 'Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
EventLog: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
EventLog: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
EventLog: 'Microsoft-Windows-SmbClient/Security'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
EventLog: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
EventLog: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
EventLog:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
EventLog: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
EventLog: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
EventLog: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
EventLog: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
EventLog: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
EventLog: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
EventLog: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
EventLog: 'Microsoft-Windows-LSA/Operational'
windows:
product: windows
index: logstash-windows-*
windows-application:
product: windows
service: application
conditions:
EventLog: Application
windows-security:
product: windows
service: security
conditions:
EventLog: Security
windows-sysmon:
product: windows
service: sysmon
conditions:
EventLog: Microsoft-Windows-Sysmon
windows-dns-server:
product: windows
service: dns-server
conditions:
EventLog: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
EventLog: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
EventLog: 'Microsoft-Windows-NTLM/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
EventLog:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
EventLog: 'MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
EventLog: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
EventLog: 'Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
EventLog: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
EventLog: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
EventLog: 'Microsoft-Windows-SmbClient/Security'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
EventLog: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
EventLog: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
EventLog:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
EventLog: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
EventLog: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
EventLog: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
EventLog: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
EventLog: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
EventLog: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
EventLog: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
EventLog: 'Microsoft-Windows-LSA/Operational'
windows-appxpackaging-om:
product: windows
service: appxpackaging-om
conditions:
EventLog: 'Microsoft-Windows-AppxPackaging/Operational'
windows-dns-client:
product: windows
service: dns-client
conditions:
EventLog: 'Microsoft-Windows-DNS Client Events/Operational'
windows-appmodel-runtime:
product: windows
service: appmodel-runtime
conditions:
EventLog: 'Microsoft-Windows-AppModel-Runtime/Admin'
defaultindex: logstash-*
+144 -129
@@ -1,134 +1,149 @@
title: ELK Ingested with Winlogbeat
logsources:
windows:
product: windows
index: <winlogbeat-{now/d}>
windows-application:
product: windows
service: application
conditions:
log_name: Application
windows-security:
product: windows
service: security
conditions:
log_name: Security
windows-sysmon:
product: windows
service: sysmon
conditions:
log_name: 'Microsoft-Windows-Sysmon/Operational'
windows-dns-server:
product: windows
service: dns-server
conditions:
log_name: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
log_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
log_name: 'Microsoft-Windows-NTLM/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
log_name:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
log_name: 'MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
log_name: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
log_name: 'Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
log_name: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
log_name: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
log_name: 'Microsoft-Windows-SmbClient/Security'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
log_name: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
log_name: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
log_name:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
log_name: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
log_name: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
log_name: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
log_name: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
log_name: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
log_name: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
log_name: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
log_name: 'Microsoft-Windows-LSA/Operational'
windows:
product: windows
index: <winlogbeat-{now/d}>
windows-application:
product: windows
service: application
conditions:
log_name: Application
windows-security:
product: windows
service: security
conditions:
log_name: Security
windows-sysmon:
product: windows
service: sysmon
conditions:
log_name: 'Microsoft-Windows-Sysmon/Operational'
windows-dns-server:
product: windows
service: dns-server
conditions:
log_name: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
log_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
log_name: 'Microsoft-Windows-NTLM/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
log_name:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
log_name: 'MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
log_name: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
log_name: 'Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
log_name: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
log_name: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
log_name: 'Microsoft-Windows-SmbClient/Security'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
log_name: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
log_name: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
log_name:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
log_name: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
log_name: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
log_name: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
log_name: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
log_name: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
log_name: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
log_name: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
log_name: 'Microsoft-Windows-LSA/Operational'
windows-appxpackaging-om:
product: windows
service: appxpackaging-om
conditions:
log_name: 'Microsoft-Windows-AppxPackaging/Operational'
windows-dns-client:
product: windows
service: dns-client
conditions:
log_name: 'Microsoft-Windows-DNS Client Events/Operational'
windows-appmodel-runtime:
product: windows
service: appmodel-runtime
conditions:
log_name: 'Microsoft-Windows-AppModel-Runtime/Admin'
defaultindex: <winlogbeat-{now/d}>
# Extract all field names with yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
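Review bot: The hunk header (-1,134 +1,149) and the +144 -129 diffstat for what is functionally three new logsource entries (`windows-appxpackaging-om`, `windows-dns-client`, `windows-appmodel-runtime`) suggest the whole `logsources` block was re-indented in the same change; the rendered view strips leading whitespace, so this is inferred rather than visible. Mixing a whitespace-only rewrite with the functional addition makes the actual mapping change hard to review and to bisect, and the same pattern appears in the next "ELK Ingested with Winlogbeat" section. Landing the re-indentation as a separate commit, or at least calling it out in the commit message, would let reviewers compare the fifteen added lines directly against the sibling configs.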
+144 -129
@@ -1,134 +1,149 @@
title: ELK Ingested with Winlogbeat
logsources:
windows:
product: windows
index: winlogbeat-*
windows-application:
product: windows
service: application
conditions:
log_name: Application
windows-security:
product: windows
service: security
conditions:
log_name: Security
windows-sysmon:
product: windows
service: sysmon
conditions:
log_name: 'Microsoft-Windows-Sysmon/Operational'
windows-dns-server:
product: windows
service: dns-server
conditions:
log_name: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
log_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
log_name: 'Microsoft-Windows-NTLM/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
log_name:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
log_name: 'MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
log_name: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
log_name: 'Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
log_name: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
log_name: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
log_name: 'Microsoft-Windows-SmbClient/Security'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
log_name: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
logname: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
logname:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
logname: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
logname: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
logname: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
logname: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
logname: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
logname: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
logname: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
logname: 'Microsoft-Windows-LSA/Operational'
windows:
product: windows
index: winlogbeat-*
windows-application:
product: windows
service: application
conditions:
log_name: Application
windows-security:
product: windows
service: security
conditions:
log_name: Security
windows-sysmon:
product: windows
service: sysmon
conditions:
log_name: 'Microsoft-Windows-Sysmon/Operational'
windows-dns-server:
product: windows
service: dns-server
conditions:
log_name: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
log_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
log_name: 'Microsoft-Windows-NTLM/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
log_name:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
log_name: 'MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
log_name: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
log_name: 'Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
log_name: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
log_name: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
log_name: 'Microsoft-Windows-SmbClient/Security'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
log_name: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
logname: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
logname:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
logname: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
logname: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
logname: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
logname: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
logname: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
logname: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
logname: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
logname: 'Microsoft-Windows-LSA/Operational'
windows-appxpackaging-om:
product: windows
service: appxpackaging-om
conditions:
logname: 'Microsoft-Windows-AppxPackaging/Operational'
windows-dns-client:
product: windows
service: dns-client
conditions:
logname: 'Microsoft-Windows-DNS Client Events/Operational'
windows-appmodel-runtime:
product: windows
service: appmodel-runtime
conditions:
logname: 'Microsoft-Windows-AppModel-Runtime/Admin'
defaultindex: winlogbeat-*
# Extract all field names with yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
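Review bot: The three new entries `windows-appxpackaging-om`, `windows-dns-client` and `windows-appmodel-runtime` use the condition key `logname:`, while the first half of this file (and the sibling "ELK Ingested with Winlogbeat" config) uses `log_name:` for the same Winlogbeat field. Presumably only one of these is the field the index actually carries; a condition on the other is emitted into every converted query and silently matches no events, which is a detection gap rather than a visible conversion error. The inconsistency already exists from `windows-bits-client` down to `windows-lsa-server`, so the whole run should be normalised in one go instead of being copied forward, e.g. `log_name: 'Microsoft-Windows-AppModel-Runtime/Admin'`.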
+15
@@ -157,6 +157,21 @@ logsources:
service: lsa-server
conditions:
channel: 'Microsoft-Windows-LSA/Operational'
windows-appxpackaging-om:
product: windows
service: appxpackaging-om
conditions:
channel: 'Microsoft-Windows-AppxPackaging/Operational'
windows-dns-client:
product: windows
service: dns-client
conditions:
channel: 'Microsoft-Windows-DNS Client Events/Operational'
windows-appmodel-runtime:
product: windows
service: appmodel-runtime
conditions:
channel: 'Microsoft-Windows-AppModel-Runtime/Admin'
linux:
product: linux
index: posix
+15
@@ -208,3 +208,18 @@ logsources:
service: lsa-server
conditions:
Channel: 'Microsoft-Windows-LSA/Operational'
windows-appxpackaging-om:
product: windows
service: appxpackaging-om
conditions:
Channel: 'Microsoft-Windows-AppxPackaging/Operational'
windows-dns-client:
product: windows
service: dns-client
conditions:
Channel: 'Microsoft-Windows-DNS Client Events/Operational'
windows-appmodel-runtime:
product: windows
service: appmodel-runtime
conditions:
Channel: 'Microsoft-Windows-AppModel-Runtime/Admin'
+937 -923
@@ -1,928 +1,942 @@
title: HAWK
order: 20
backends:
- hawk
- hawk
logsources:
antivirus:
category: antivirus
conditions:
vendor_type: 'Antivirus'
apache:
service: apache
conditions:
product_name:
- 'apache*'
- 'httpd*'
webserver:
category: webserver
conditions:
vendor_type: 'Webserver'
cisco:
product: cisco
conditions:
vendor_name: 'Cisco'
django:
product: django
conditions:
vendor_name: 'Django'
okta:
service: okta
conditions:
vendor_name: "Okta"
product_name: "Identity and Access Management"
onedrive:
service: onedrive
conditions:
vendor_name: "Microsoft"
product_name: "Onedrive"
onelogin-events:
service: onelogin.events
conditions:
vendor_name: "Microsoft"
product_name: "Onelogin"
microsoft365:
product: m365
service: threat_management
conditions:
vendor_name: "Microsoft"
product_name: "365"
m365:
product: m365
service: threat_management
conditions:
vendor_name: "Microsoft"
product_name: "365"
google-workspace:
service: google_workspace.admin
conditions:
vendor_name: "Google"
product_name: "Workspace"
guacamole:
service: guacamole
product_name: "Guacamole"
conditions:
vendor_name: "Guacamole"
google-cloud:
service: gcp.audit
conditions:
vendor_name: "Google"
product_name: "Cloud"
sshd:
service: sshd
conditions:
process_name: "sshd*"
syslog:
service: syslog
conditions:
process_name: "syslog*"
spring:
category: application
product: spring
conditions:
vendor_name: "Spring"
linux-audit:
product: linux
service: auditd
conditions:
vendor_name: "Linux"
product_name: "Audit"
modsecurity:
service: modsecurity
conditions:
process_name: "modsec*"
msexchange-management:
service: msexchange-management
conditions:
product_name: "MSExchange Management"
windows:
product: windows
index: windows
conditions:
vendor_name: "Microsoft"
windows-stream-hash:
product: windows
category: create_stream_hash
conditions:
product_name: "Sysmon"
vendor_id: "15"
windows-create-remote-thread:
product: windows
category: create_remote_thread
conditions:
product_name: "Sysmon"
vendor_id: "8"
windows-process-access:
product: windows
category: process_access
conditions:
product_name: "Sysmon"
vendor_id: "10"
windows-process-creation:
product: windows
category: process_creation
conditions:
product_name: "Sysmon"
vendor_id: "1"
windows-bits-client:
product: windows
service: bits-client
conditions:
event_channel: "Microsoft-Windows-Bits-Client/Operational"
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
event_channel: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
event_channel: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
event_channel: 'Microsoft-Windows-LSA/Operational'
windows-network-connection:
product: windows
category: network_connection
conditions:
product_name: "Sysmon"
vendor_id: "3"
windows-sysmon-status:
product: windows
category: sysmon_status
conditions:
product_name: "Sysmon"
vendor_id:
- 4
- 5
windows-sysmon-error:
product: windows
category: sysmon_error
conditions:
product_name: "Sysmon"
vendor_id: "255"
windows-raw-access-thread:
product: windows
category: raw_access_thread
conditions:
product_name: "Sysmon"
vendor_id: 9
windows-file-create:
product: windows
category: file_create
conditions:
product_name: "Sysmon"
vendor_id: "11"
windows-file-event:
product: windows
category: file_event
conditions:
product_name: "Sysmon"
vendor_id: "11"
windows-file-change:
product: windows
category: file_change
conditions:
product_name: "Sysmon"
vendor_id: "2"
windows-pipe-created:
product: windows
category: pipe_created
conditions:
product_name: "Sysmon"
vendor_id:
- 17
- 18
windows-dns-query:
product: windows
category: dns_query
conditions:
product_name: "Sysmon"
vendor_id: "22"
windows-file-delete:
product: windows
category: file_delete
conditions:
product_name: "Sysmon"
vendor_id: "23"
windows-kernel-file-rename:
product: windows
category: file_rename
conditions:
product_name: "Kernel-File"
windows-kernel-file-access:
product: windows
category: file_access
conditions:
product_name: "Kernel-File"
windows-wmi-sysmon:
product: windows
category: wmi_event
conditions:
product_name: "Sysmon"
vendor_id:
- 19
- 20
- 21
windows-ldap-debug:
product: windows
category: ldap_debug
conditions:
event_channel: "Microsoft-Windows-LDAP-Client/Debug"
windows-driver-load:
product: windows
category: driver_load
conditions:
product_name: "Sysmon"
vendor_id: "6"
windows-image-load:
product: windows
category: image_load
conditions:
product_name: "Sysmon"
vendor_id: "7"
clamav:
service: clamav
conditions:
process_name: "clamav*"
aws-cloudtrail:
service: cloudtrail
conditions:
vendor_name: "AWS CloudTrail"
zeek:
product: zeek
conditions:
vendor_name: "Zeek"
vendor_type: "IDS"
firewall:
category: firewall
conditions:
vendor_type:
- "Firewall"
- "Router"
- "WAP"
zeek-category-dns:
category: dns
rewrite:
product: zeek
service: dns
zeek-category-proxy:
category: proxy
rewrite:
product: zeek
service: http
zeek-conn:
product: zeek
service: conn
conditions:
hawk_source: "conn.log"
zeek-conn_long:
product: zeek
service: conn_long
conditions:
hawk_source: "conn_long.log"
zeek-dce_rpc:
product: zeek
service: dce_rpc
conditions:
hawk_source: "dce_rpc.log"
zeek-dns:
product: zeek
service: dns
conditions:
hawk_source: "dns.log"
zeek-dnp3:
product: zeek
service: dnp3
conditions:
hawk_source: "dnp3.log"
zeek-dpd:
product: zeek
service: dpd
conditions:
hawk_source: "dpd.log"
zeek-files:
product: zeek
service: files
conditions:
hawk_source: "files.log"
zeek-ftp:
product: zeek
service: ftp
conditions:
hawk_source: "ftp.log"
zeek-gquic:
product: zeek
service: gquic
conditions:
hawk_source: "gquic.log"
zeek-http:
product: zeek
service: http
conditions:
hawk_source: "http.log"
zeek-http2:
product: zeek
service: http2
conditions:
hawk_source: "http2.log"
zeek-intel:
product: zeek
service: intel
conditions:
hawk_source: "intel.log"
zeek-irc:
product: zeek
service: irc
conditions:
hawk_source: "irc.log"
zeek-kerberos:
product: zeek
service: kerberos
conditions:
hawk_source: "kerberos.log"
zeek-known_certs:
product: zeek
service: known_certs
conditions:
hawk_source: "known_certs.log"
zeek-known_hosts:
product: zeek
service: known_hosts
conditions:
hawk_source: "known_hosts.log"
zeek-known_modbus:
product: zeek
service: known_modbus
conditions:
hawk_source: "known_modbus.log"
zeek-known_services:
product: zeek
service: known_services
conditions:
hawk_source: "known_services.log"
zeek-modbus:
product: zeek
service: modbus
conditions:
hawk_source: "modbus.log"
zeek-modbus_register_change:
product: zeek
service: modbus_register_change
conditions:
hawk_source: "modbus_register_change.log"
zeek-mqtt_connect:
product: zeek
service: mqtt_connect
conditions:
hawk_source: "mqtt_connect.log"
zeek-mqtt_publish:
product: zeek
service: mqtt_publish
conditions:
hawk_source: "mqtt_publish.log"
zeek-mqtt_subscribe:
product: zeek
service: mqtt_subscribe
conditions:
hawk_source: "mqtt_subscribe.log"
zeek-mysql:
product: zeek
service: mysql
conditions:
hawk_source: "mysql.log"
zeek-notice:
product: zeek
service: notice
conditions:
hawk_source: "notice.log"
zeek-ntlm:
product: zeek
service: ntlm
conditions:
hawk_source: "ntlm.log"
zeek-ntp:
product: zeek
service: ntp
conditions:
hawk_source: "ntp.log"
zeek-ocsp:
product: zeek
service: ntp
conditions:
hawk_source: "ocsp.log"
zeek-pe:
product: zeek
service: pe
conditions:
hawk_source: "pe.log"
zeek-pop3:
product: zeek
service: pop3
conditions:
hawk_source: "pop3.log"
zeek-radius:
product: zeek
service: radius
conditions:
hawk_source: "radius.log"
zeek-rdp:
product: zeek
service: rdp
conditions:
hawk_source: "rdp.log"
zeek-rfb:
product: zeek
service: rfb
conditions:
hawk_source: "rfb.log"
zeek-sip:
product: zeek
service: sip
conditions:
hawk_source: "sip.log"
zeek-smb_files:
product: zeek
service: smb_files
conditions:
hawk_source: "smb_files.log"
zeek-smb_mapping:
product: zeek
service: smb_mapping
conditions:
hawk_source: "smb_mapping.log"
zeek-smtp:
product: zeek
service: smtp
conditions:
hawk_source: "smtp.log"
zeek-smtp_links:
product: zeek
service: smtp_links
conditions:
hawk_source: "smtp_links.log"
zeek-snmp:
product: zeek
service: snmp
conditions:
hawk_source: "snmp.log"
zeek-socks:
product: zeek
service: socks
conditions:
hawk_source: "socks.log"
zeek-software:
product: zeek
service: software
conditions:
hawk_source: "software.log"
zeek-ssh:
product: zeek
service: ssh
conditions:
hawk_source: "ssh.log"
zeek-ssl:
product: zeek
service: ssl
conditions:
hawk_source: "tls.log"
zeek-tls: # In case people call it TLS even though orig log is called ssl, but dataset is tls so may cause confusion so cover that
product: zeek
service: tls
conditions:
hawk_source: "tls.log"
zeek-syslog:
product: zeek
service: syslog
conditions:
hawk_source: "syslog.log"
zeek-tunnel:
product: zeek
service: tunnel
conditions:
hawk_source: "tunnel.log"
zeek-traceroute:
product: zeek
service: traceroute
conditions:
hawk_source: "traceroute.log"
zeek-weird:
product: zeek
service: weird
conditions:
hawk_source: "weird.log"
zeek-x509:
product: zeek
service: x509
conditions:
hawk_source: "x509.log"
zeek-ip_search:
product: zeek
service: network
conditions:
hawk_source:
- "conn.log"
- "conn_long.log"
- "dce_rpc.log"
- "dhcp.log"
- "dnp3.log"
- "dns.log"
- "ftp.log"
- "gquic.log"
- "http.log"
- "irc.log"
- "kerberos.log"
- "modbus.log"
- "mqtt_connect.log"
- "mqtt_publish.log"
- "mqtt_subscribe.log"
- "mysql.log"
- "ntlm.log"
- "ntp.log"
- "radius.log"
- "rfb.log"
- "sip.log"
- "smb_files.log"
- "smb_mapping.log"
- "smtp.log"
- "smtp_links.log"
- "snmp.log"
- "socks.log"
- "ssh.log"
- "tls.log" #SSL
- "tunnel.log"
- "weird.log"
azure-signin:
product: azure
service: signinlogs
conditions:
vendor_name: "Microsoft"
product_name: "Azure"
product_source: "signInAudits"
azure-auditlogs:
product: azure
service: auditlogs
conditions:
vendor_name: "Microsoft"
product_name: "Azure"
product_source: "directoryAudits"
azure-activitylogs:
product: azure
service: activitylogs
conditions:
vendor_name: "Microsoft"
product_name: "Azure"
azure-activity:
product: azure
service: azureactivity
conditions:
vendor_name: "Microsoft"
product_name: "Azure"
microsoft-servicebus-client:
product: windows
service: microsoft-servicebus-client
conditions:
event_channel: 'Microsoft-ServiceBus-Client'
windows-application:
product: windows
service: application
conditions:
event_channel: 'Application'
windows-security:
product: windows
service: security
conditions:
event_channel: 'Security'
windows-system:
product: windows
service: system
conditions:
event_channel: 'System'
windows-sysmon:
product: windows
service: sysmon
conditions:
product_name: 'Sysmon'
windows-powershell:
product: windows
service: powershell
conditions:
product_name: 'PowerShell'
windows-classicpowershell:
product: windows
service: powershell-classic
conditions:
product_name: 'Windows PowerShell'
windows-taskscheduler:
product: windows
service: taskscheduler
conditions:
product_name: 'TaskScheduler'
windows-wmi:
product: windows
service: wmi
conditions:
product_name: 'WMI-Activity'
windows-dns-server:
product: windows
service: dns-server
conditions:
product_name: 'DNS Server'
windows-dns-server-audit:
product: windows
service: dns-server-audit
conditions:
product_name: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
product_name: 'DriverFrameworks-UserMode'
windows-ntlm:
product: windows
service: ntlm
conditions:
product_name: 'NTLM'
windows-dhcp:
product: windows
service: dhcp
conditions:
product_name: 'DHCP-Server'
windows-defender:
product: windows
service: windefend
conditions:
product_name: 'Windows Defender'
windows-applocker:
product: windows
service: applocker
conditions:
product_name:
- 'AppLocker'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
product_name: 'Windows Firewall With Advanced Security'
windows-ps-module:
product: windows
category: ps_module
conditions:
product_name: 'PowerShell'
vendor_id: 4103
windows-ps-script:
product: windows
category: ps_script
conditions:
product_name: 'PowerShell'
vendor_id: 4104
windows-ps-classic-start:
product: windows
category: ps_classic_start
conditions:
EventID: 400
product_name: 'Windows PowerShell'
windows-ps-classic-provider:
product: windows
category: ps_classic_provider_start
conditions:
vendor_id: 600
product_name: 'Windows PowerShell'
windows-ps-classic-script:
product: windows
category: ps_classic_script
conditions:
vendor_id: 800
product_name: 'Windows PowerShell'
windows-service-bus:
service: Microsoft-ServiceBus-Client
conditions:
product_name: "Microsoft-ServiceBus-Client"
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
product_name: 'MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
product_name: 'PrintService'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
product_name: 'PrintService'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
product_name: 'TerminalServices-LocalSessionManager'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
product_name: 'CodeIntegrity'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
product_name: 'SmbClient'
windows-registry:
product: windows
category: registry_event
conditions:
product_name: "Sysmon"
vendor_id:
- 12
- 13
- 14
windows-registry-add:
product: windows
category: registry_add
conditions:
product_name: "Sysmon"
vendor_id: 12
windows-registry-delete:
product: windows
category: registry_delete
conditions:
product_name: "Sysmon"
vendor_id: 12
windows-registry-set:
product: windows
category: registry_set
conditions:
product_name: "Sysmon"
vendor_id: 13
windows-registry-rename:
product: windows
category: registry_rename
conditions:
product_name: "Sysmon"
vendor_id: 14
windows-file-block-executable:
product: windows
category: file_block
conditions:
product_name: "Sysmon"
vendor_id: 27
#dns:
# category: dns
# conditions:
qflow:
product: qflow
netflow:
service: netflow
ipfix:
product: ipfix
flow:
product: flow
antivirus:
category: antivirus
conditions:
vendor_type: 'Antivirus'
apache:
service: apache
conditions:
product_name:
- 'apache*'
- 'httpd*'
webserver:
category: webserver
conditions:
vendor_type: 'Webserver'
cisco:
product: cisco
conditions:
vendor_name: 'Cisco'
django:
product: django
conditions:
vendor_name: 'Django'
okta:
service: okta
conditions:
vendor_name: "Okta"
product_name: "Identity and Access Management"
onedrive:
service: onedrive
conditions:
vendor_name: "Microsoft"
product_name: "Onedrive"
onelogin-events:
service: onelogin.events
conditions:
vendor_name: "Microsoft"
product_name: "Onelogin"
microsoft365:
product: m365
service: threat_management
conditions:
vendor_name: "Microsoft"
product_name: "365"
m365:
product: m365
service: threat_management
conditions:
vendor_name: "Microsoft"
product_name: "365"
google-workspace:
service: google_workspace.admin
conditions:
vendor_name: "Google"
product_name: "Workspace"
guacamole:
service: guacamole
product_name: "Guacamole"
conditions:
vendor_name: "Guacamole"
google-cloud:
service: gcp.audit
conditions:
vendor_name: "Google"
product_name: "Cloud"
sshd:
service: sshd
conditions:
process_name: "sshd*"
syslog:
service: syslog
conditions:
process_name: "syslog*"
spring:
category: application
product: spring
conditions:
vendor_name: "Spring"
linux-audit:
product: linux
service: auditd
conditions:
vendor_name: "Linux"
product_name: "Audit"
modsecurity:
service: modsecurity
conditions:
process_name: "modsec*"
msexchange-management:
service: msexchange-management
conditions:
product_name: "MSExchange Management"
windows:
product: windows
index: windows
conditions:
vendor_name: "Microsoft"
windows-stream-hash:
product: windows
category: create_stream_hash
conditions:
product_name: "Sysmon"
vendor_id: "15"
windows-create-remote-thread:
product: windows
category: create_remote_thread
conditions:
product_name: "Sysmon"
vendor_id: "8"
windows-process-access:
product: windows
category: process_access
conditions:
product_name: "Sysmon"
vendor_id: "10"
windows-process-creation:
product: windows
category: process_creation
conditions:
product_name: "Sysmon"
vendor_id: "1"
windows-bits-client:
product: windows
service: bits-client
conditions:
event_channel: "Microsoft-Windows-Bits-Client/Operational"
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
event_channel: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
event_channel: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
event_channel: 'Microsoft-Windows-LSA/Operational'
windows-appxpackaging-om:
product: windows
service: appxpackaging-om
conditions:
event_channel: 'Microsoft-Windows-AppxPackaging/Operational'
windows-dns-client:
product: windows
service: dns-client
conditions:
event_channel: 'Microsoft-Windows-DNS Client Events/Operational'
windows-appmodel-runtime:
product: windows
service: appmodel-runtime
conditions:
event_channel: 'Microsoft-Windows-AppModel-Runtime/Admin'
windows-network-connection:
product: windows
category: network_connection
conditions:
product_name: "Sysmon"
vendor_id: "3"
windows-sysmon-status:
product: windows
category: sysmon_status
conditions:
product_name: "Sysmon"
vendor_id:
- 4
- 5
windows-sysmon-error:
product: windows
category: sysmon_error
conditions:
product_name: "Sysmon"
vendor_id: "255"
windows-raw-access-thread:
product: windows
category: raw_access_thread
conditions:
product_name: "Sysmon"
vendor_id: 9
windows-file-create:
product: windows
category: file_create
conditions:
product_name: "Sysmon"
vendor_id: "11"
windows-file-event:
product: windows
category: file_event
conditions:
product_name: "Sysmon"
vendor_id: "11"
windows-file-change:
product: windows
category: file_change
conditions:
product_name: "Sysmon"
vendor_id: "2"
windows-pipe-created:
product: windows
category: pipe_created
conditions:
product_name: "Sysmon"
vendor_id:
- 17
- 18
windows-dns-query:
product: windows
category: dns_query
conditions:
product_name: "Sysmon"
vendor_id: "22"
windows-file-delete:
product: windows
category: file_delete
conditions:
product_name: "Sysmon"
vendor_id: "23"
windows-kernel-file-rename:
product: windows
category: file_rename
conditions:
product_name: "Kernel-File"
windows-kernel-file-access:
product: windows
category: file_access
conditions:
product_name: "Kernel-File"
windows-wmi-sysmon:
product: windows
category: wmi_event
conditions:
product_name: "Sysmon"
vendor_id:
- 19
- 20
- 21
windows-ldap-debug:
product: windows
category: ldap_debug
conditions:
event_channel: "Microsoft-Windows-LDAP-Client/Debug"
windows-driver-load:
product: windows
category: driver_load
conditions:
product_name: "Sysmon"
vendor_id: "6"
windows-image-load:
product: windows
category: image_load
conditions:
product_name: "Sysmon"
vendor_id: "7"
clamav:
service: clamav
conditions:
process_name: "clamav*"
aws-cloudtrail:
service: cloudtrail
conditions:
vendor_name: "AWS CloudTrail"
zeek:
product: zeek
conditions:
vendor_name: "Zeek"
vendor_type: "IDS"
firewall:
category: firewall
conditions:
vendor_type:
- "Firewall"
- "Router"
- "WAP"
zeek-category-dns:
category: dns
rewrite:
product: zeek
service: dns
zeek-category-proxy:
category: proxy
rewrite:
product: zeek
service: http
zeek-conn:
product: zeek
service: conn
conditions:
hawk_source: "conn.log"
zeek-conn_long:
product: zeek
service: conn_long
conditions:
hawk_source: "conn_long.log"
zeek-dce_rpc:
product: zeek
service: dce_rpc
conditions:
hawk_source: "dce_rpc.log"
zeek-dns:
product: zeek
service: dns
conditions:
hawk_source: "dns.log"
zeek-dnp3:
product: zeek
service: dnp3
conditions:
hawk_source: "dnp3.log"
zeek-dpd:
product: zeek
service: dpd
conditions:
hawk_source: "dpd.log"
zeek-files:
product: zeek
service: files
conditions:
hawk_source: "files.log"
zeek-ftp:
product: zeek
service: ftp
conditions:
hawk_source: "ftp.log"
zeek-gquic:
product: zeek
service: gquic
conditions:
hawk_source: "gquic.log"
zeek-http:
product: zeek
service: http
conditions:
hawk_source: "http.log"
zeek-http2:
product: zeek
service: http2
conditions:
hawk_source: "http2.log"
zeek-intel:
product: zeek
service: intel
conditions:
hawk_source: "intel.log"
zeek-irc:
product: zeek
service: irc
conditions:
hawk_source: "irc.log"
zeek-kerberos:
product: zeek
service: kerberos
conditions:
hawk_source: "kerberos.log"
zeek-known_certs:
product: zeek
service: known_certs
conditions:
hawk_source: "known_certs.log"
zeek-known_hosts:
product: zeek
service: known_hosts
conditions:
hawk_source: "known_hosts.log"
zeek-known_modbus:
product: zeek
service: known_modbus
conditions:
hawk_source: "known_modbus.log"
zeek-known_services:
product: zeek
service: known_services
conditions:
hawk_source: "known_services.log"
zeek-modbus:
product: zeek
service: modbus
conditions:
hawk_source: "modbus.log"
zeek-modbus_register_change:
product: zeek
service: modbus_register_change
conditions:
hawk_source: "modbus_register_change.log"
zeek-mqtt_connect:
product: zeek
service: mqtt_connect
conditions:
hawk_source: "mqtt_connect.log"
zeek-mqtt_publish:
product: zeek
service: mqtt_publish
conditions:
hawk_source: "mqtt_publish.log"
zeek-mqtt_subscribe:
product: zeek
service: mqtt_subscribe
conditions:
hawk_source: "mqtt_subscribe.log"
zeek-mysql:
product: zeek
service: mysql
conditions:
hawk_source: "mysql.log"
zeek-notice:
product: zeek
service: notice
conditions:
hawk_source: "notice.log"
zeek-ntlm:
product: zeek
service: ntlm
conditions:
hawk_source: "ntlm.log"
zeek-ntp:
product: zeek
service: ntp
conditions:
hawk_source: "ntp.log"
zeek-ocsp:
product: zeek
service: ntp
conditions:
hawk_source: "ocsp.log"
zeek-pe:
product: zeek
service: pe
conditions:
hawk_source: "pe.log"
zeek-pop3:
product: zeek
service: pop3
conditions:
hawk_source: "pop3.log"
zeek-radius:
product: zeek
service: radius
conditions:
hawk_source: "radius.log"
zeek-rdp:
product: zeek
service: rdp
conditions:
hawk_source: "rdp.log"
zeek-rfb:
product: zeek
service: rfb
conditions:
hawk_source: "rfb.log"
zeek-sip:
product: zeek
service: sip
conditions:
hawk_source: "sip.log"
zeek-smb_files:
product: zeek
service: smb_files
conditions:
hawk_source: "smb_files.log"
zeek-smb_mapping:
product: zeek
service: smb_mapping
conditions:
hawk_source: "smb_mapping.log"
zeek-smtp:
product: zeek
service: smtp
conditions:
hawk_source: "smtp.log"
zeek-smtp_links:
product: zeek
service: smtp_links
conditions:
hawk_source: "smtp_links.log"
zeek-snmp:
product: zeek
service: snmp
conditions:
hawk_source: "snmp.log"
zeek-socks:
product: zeek
service: socks
conditions:
hawk_source: "socks.log"
zeek-software:
product: zeek
service: software
conditions:
hawk_source: "software.log"
zeek-ssh:
product: zeek
service: ssh
conditions:
hawk_source: "ssh.log"
zeek-ssl:
product: zeek
service: ssl
conditions:
hawk_source: "tls.log"
zeek-tls: # In case people call it TLS even though orig log is called ssl, but dataset is tls so may cause confusion so cover that
product: zeek
service: tls
conditions:
hawk_source: "tls.log"
zeek-syslog:
product: zeek
service: syslog
conditions:
hawk_source: "syslog.log"
zeek-tunnel:
product: zeek
service: tunnel
conditions:
hawk_source: "tunnel.log"
zeek-traceroute:
product: zeek
service: traceroute
conditions:
hawk_source: "traceroute.log"
zeek-weird:
product: zeek
service: weird
conditions:
hawk_source: "weird.log"
zeek-x509:
product: zeek
service: x509
conditions:
hawk_source: "x509.log"
zeek-ip_search:
product: zeek
service: network
conditions:
hawk_source:
- "conn.log"
- "conn_long.log"
- "dce_rpc.log"
- "dhcp.log"
- "dnp3.log"
- "dns.log"
- "ftp.log"
- "gquic.log"
- "http.log"
- "irc.log"
- "kerberos.log"
- "modbus.log"
- "mqtt_connect.log"
- "mqtt_publish.log"
- "mqtt_subscribe.log"
- "mysql.log"
- "ntlm.log"
- "ntp.log"
- "radius.log"
- "rfb.log"
- "sip.log"
- "smb_files.log"
- "smb_mapping.log"
- "smtp.log"
- "smtp_links.log"
- "snmp.log"
- "socks.log"
- "ssh.log"
- "tls.log" #SSL
- "tunnel.log"
- "weird.log"
azure-signin:
product: azure
service: signinlogs
conditions:
vendor_name: "Microsoft"
product_name: "Azure"
product_source: "signInAudits"
azure-auditlogs:
product: azure
service: auditlogs
conditions:
vendor_name: "Microsoft"
product_name: "Azure"
product_source: "directoryAudits"
azure-activitylogs:
product: azure
service: activitylogs
conditions:
vendor_name: "Microsoft"
product_name: "Azure"
azure-activity:
product: azure
service: azureactivity
conditions:
vendor_name: "Microsoft"
product_name: "Azure"
microsoft-servicebus-client:
product: windows
service: microsoft-servicebus-client
conditions:
event_channel: 'Microsoft-ServiceBus-Client'
windows-application:
product: windows
service: application
conditions:
event_channel: 'Application'
windows-security:
product: windows
service: security
conditions:
event_channel: 'Security'
windows-system:
product: windows
service: system
conditions:
event_channel: 'System'
windows-sysmon:
product: windows
service: sysmon
conditions:
product_name: 'Sysmon'
windows-powershell:
product: windows
service: powershell
conditions:
product_name: 'PowerShell'
windows-classicpowershell:
product: windows
service: powershell-classic
conditions:
product_name: 'Windows PowerShell'
windows-taskscheduler:
product: windows
service: taskscheduler
conditions:
product_name: 'TaskScheduler'
windows-wmi:
product: windows
service: wmi
conditions:
product_name: 'WMI-Activity'
windows-dns-server:
product: windows
service: dns-server
conditions:
product_name: 'DNS Server'
windows-dns-server-audit:
product: windows
service: dns-server-audit
conditions:
product_name: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
product_name: 'DriverFrameworks-UserMode'
windows-ntlm:
product: windows
service: ntlm
conditions:
product_name: 'NTLM'
windows-dhcp:
product: windows
service: dhcp
conditions:
product_name: 'DHCP-Server'
windows-defender:
product: windows
service: windefend
conditions:
product_name: 'Windows Defender'
windows-applocker:
product: windows
service: applocker
conditions:
product_name: 'AppLocker'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
product_name: 'Windows Firewall With Advanced Security'
windows-ps-module:
product: windows
category: ps_module
conditions:
product_name: 'PowerShell'
vendor_id: 4103
windows-ps-script:
product: windows
category: ps_script
conditions:
product_name: 'PowerShell'
vendor_id: 4104
windows-ps-classic-start:
product: windows
category: ps_classic_start
conditions:
EventID: 400
product_name: 'Windows PowerShell'
windows-ps-classic-provider:
product: windows
category: ps_classic_provider_start
conditions:
vendor_id: 600
product_name: 'Windows PowerShell'
windows-ps-classic-script:
product: windows
category: ps_classic_script
conditions:
vendor_id: 800
product_name: 'Windows PowerShell'
windows-service-bus:
service: Microsoft-ServiceBus-Client
conditions:
product_name: "Microsoft-ServiceBus-Client"
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
product_name: 'MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
product_name: 'PrintService'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
product_name: 'PrintService'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
product_name: 'TerminalServices-LocalSessionManager'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
product_name: 'CodeIntegrity'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
product_name: 'SmbClient'
windows-registry:
product: windows
category: registry_event
conditions:
product_name: "Sysmon"
vendor_id:
- 12
- 13
- 14
windows-registry-add:
product: windows
category: registry_add
conditions:
product_name: "Sysmon"
vendor_id: 12
windows-registry-delete:
product: windows
category: registry_delete
conditions:
product_name: "Sysmon"
vendor_id: 12
windows-registry-set:
product: windows
category: registry_set
conditions:
product_name: "Sysmon"
vendor_id: 13
windows-registry-rename:
product: windows
category: registry_rename
conditions:
product_name: "Sysmon"
vendor_id: 14
windows-file-block-executable:
product: windows
category: file_block
conditions:
product_name: "Sysmon"
vendor_id: 27
#dns:
# category: dns
# conditions:
qflow:
product: qflow
netflow:
service: netflow
ipfix:
product: ipfix
flow:
product: flow
fieldmappings:
dst:
- ip_dst_host
dst_ip:
- ip_dst
src:
- ip_src_host
src_ip:
- ip_src
IPAddress: ip_src
DNSAddress: dns_address
DCIPAddress: ip_src
category: vendor_category
error: error_code
key: event_key
payload: event_payload
weight: event_weight
account type: account_type
PrivilegeList: process_privileges
pid_user: event_username
sid: correlation_session_id
UserSid: correlation_session_id
TargetSid: target_session_id
TargetUserName: target_username
SamAccountName: target_username
AccountName: target_username
TargetDomainName: target_domain
DnsServerIpAddress: dns_address
QueryName: dns_query
AuthenticationPackageName: package_name
HostProcess: image
Application: image
ProcessName: image
TargetImage: target_image
ParentImage: parent_image
CallerProcessName: parent_image
ParentProcessName: parent_image
CommandLine: command
ProcessCommandLine: command
ParentCommandLine: parent_command
Imphash: file_hash_imphash
sha256: file_hash_sha256
md5: file_hash_md5
sha1: file_hash_sha1
SubjectUserSid: correlation_session_id
SubjectSid: correlation_session_id
SubjectUserName: correlation_username
SubjectDomainName: correlation_domain
SubjectLogonId: correlation_logon_id
pid: event_pid
ProccessId: pid
NewProcessName: image
ServiceName: service_name
Service: service_name
ServiceFileName: filename
EventID: vendor_id
SourceImage: parent_image
ImageLoaded: image_loaded
Description: image_description
ScriptBlockText: value
Product: image_product
Company: image_company
CurrentDirectory: path
ShareName: path
RelativeTargetName: filename
TargetName: value
Initiated: value
Accesses: access_mask
LDAPDisplayName: distinguished_name
AttributeLDAPDisplayName: distinguished_name
AttributeValue: value
ParentProcessId: parent_pid
SourceProcessId: source_pid
TargetProcessId: target_pid
Signed: signature
Status: value
TargetFilename: filename
FileName: filename
TargetObject: object_target
ObjectClass: object_type
ObjectValueName: object_name
ObjectName: object_name
DeviceClassName: object_name
CallTrace: calltrace
IpAddress: ip_src
WorkstationName: ip_src_host
Workstation: ip_src_host
DestinationIp: ip_dst
DestinationHostname: ip_dst_host
DestinationPort: ip_dport
DestAddress: ip_dst
DestPort: ip_dport
SourceAddress: ip_src
SourcePort: ip_sport
GrantedAccess: access_mask
StartModule: target_process_name
TargetProcessAddress: process_address
TicketOptions: sys.ticket.options
TicketEncryptionType: sys.ticket.encryption.type
DetectionSource: value
Priority: event_priority
event_type_id: vendor_id
destination.port: ip_dport
user: correlation_username
User: correlation_username
# Provider_Name: channel
c-referer: http_referer
cs-referer: http_referer
cs-host: http_host
cs-method: http_method
c-uri: http_path
c-uri-stem: http_path
cs-uri: http_path
cs-uri-stem: http_path
c-agent: http_user_agent
cs-agent: http_user_agent
c-useragent: http_user_agent
cs-useragent: http_user_agent
cs-user-agent: http_user_agent
c-ip: ip_src
cs-ip: ip_src
s-ip: ip_dst
sc-ip: ip_dst
c-username: correlation_username
cs-username: correlation_username
s-computername: ip_dst_host
cs-uri-query: http_query
c-uri-query: http_query
sc-status: http_status_code
sc-bytes: http_content_length
user-agent: http_user_agent
cs-User-Agent: http_user_agent
r-dns: http_host
id.orig_h: ip_src
id.orig_p: ip_sport
id.resp_h: ip_dst
id.resp_p: ip_dport
host: ip_src
hostname: ip_src_host
port_num: ip_dport
dst_port: ip_dport
query: dns_query
orig_ip_bytes: net_if_out_bytes
resp_ip_bytes: net_if_in_bytes
QNAME: qname
Channel: event_channel
dst:
- ip_dst_host
dst_ip:
- ip_dst
src:
- ip_src_host
src_ip:
- ip_src
IPAddress: ip_src
DNSAddress: dns_address
DCIPAddress: ip_src
category: vendor_category
error: error_code
key: event_key
payload: event_payload
weight: event_weight
account type: account_type
PrivilegeList: process_privileges
pid_user: event_username
sid: correlation_session_id
UserSid: correlation_session_id
TargetSid: target_session_id
TargetUserName: target_username
SamAccountName: target_username
AccountName: target_username
TargetDomainName: target_domain
DnsServerIpAddress: dns_address
QueryName: dns_query
AuthenticationPackageName: package_name
HostProcess: image
Application: image
ProcessName: image
TargetImage: target_image
ParentImage: parent_image
CallerProcessName: parent_image
ParentProcessName: parent_image
CommandLine: command
ProcessCommandLine: command
ParentCommandLine: parent_command
Imphash: file_hash_imphash
sha256: file_hash_sha256
md5: file_hash_md5
sha1: file_hash_sha1
SubjectUserSid: correlation_session_id
SubjectSid: correlation_session_id
SubjectUserName: correlation_username
SubjectDomainName: correlation_domain
SubjectLogonId: correlation_logon_id
pid: event_pid
ProccessId: pid
NewProcessName: image
ServiceName: service_name
Service: service_name
ServiceFileName: filename
EventID: vendor_id
SourceImage: parent_image
ImageLoaded: image_loaded
Description: image_description
ScriptBlockText: value
Product: image_product
Company: image_company
CurrentDirectory: path
ShareName: path
RelativeTargetName: filename
TargetName: value
Initiated: value
Accesses: access_mask
LDAPDisplayName: distinguished_name
AttributeLDAPDisplayName: distinguished_name
AttributeValue: value
ParentProcessId: parent_pid
SourceProcessId: source_pid
TargetProcessId: target_pid
Signed: signature
Status: value
TargetFilename: filename
FileName: filename
TargetObject: object_target
ObjectClass: object_type
ObjectValueName: object_name
ObjectName: object_name
DeviceClassName: object_name
CallTrace: calltrace
IpAddress: ip_src
WorkstationName: ip_src_host
Workstation: ip_src_host
DestinationIp: ip_dst
DestinationHostname: ip_dst_host
DestinationPort: ip_dport
DestAddress: ip_dst
DestPort: ip_dport
SourceAddress: ip_src
SourcePort: ip_sport
GrantedAccess: access_mask
StartModule: target_process_name
TargetProcessAddress: process_address
TicketOptions: sys.ticket.options
TicketEncryptionType: sys.ticket.encryption.type
DetectionSource: value
Priority: event_priority
event_type_id: vendor_id
destination.port: ip_dport
user: correlation_username
User: correlation_username
# Provider_Name: channel
c-referer: http_referer
cs-referer: http_referer
cs-host: http_host
cs-method: http_method
c-uri: http_path
c-uri-stem: http_path
cs-uri: http_path
cs-uri-stem: http_path
c-agent: http_user_agent
cs-agent: http_user_agent
c-useragent: http_user_agent
cs-useragent: http_user_agent
cs-user-agent: http_user_agent
c-ip: ip_src
cs-ip: ip_src
s-ip: ip_dst
sc-ip: ip_dst
c-username: correlation_username
cs-username: correlation_username
s-computername: ip_dst_host
cs-uri-query: http_query
c-uri-query: http_query
sc-status: http_status_code
sc-bytes: http_content_length
user-agent: http_user_agent
cs-User-Agent: http_user_agent
r-dns: http_host
id.orig_h: ip_src
id.orig_p: ip_sport
id.resp_h: ip_dst
id.resp_p: ip_dport
host: ip_src
hostname: ip_src_host
port_num: ip_dport
dst_port: ip_dport
query: dns_query
orig_ip_bytes: net_if_out_bytes
resp_ip_bytes: net_if_in_bytes
QNAME: qname
Channel: event_channel
+142 -127
@@ -1,134 +1,149 @@
title: Logpoint
order: 20
backends:
- logpoint
- logpoint
logsources:
windows-security:
product: windows
service: security
conditions:
event_source: 'Microsoft-Windows-Security-Auditing'
windows-system:
product: windows
service: system
conditions:
event_source: 'Microsoft-Windows-Security-Auditing'
windows-dns-server:
product: windows
service: dns-server
conditions:
event_source: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
event_source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
event_source: 'Microsoft-Windows-DHCP-Server/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
event_source: 'Microsoft-Windows-NTLM/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
event_source:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
event_source: 'MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
event_source: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
event_source: 'Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
event_source: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
event_source: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
event_source: 'Microsoft-Windows-SmbClient/Security'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
event_source: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
event_source: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
event_source:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
event_source: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
event_source: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
event_source: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
event_source: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
event_source: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
event_source: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
event_source: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
event_source: 'Microsoft-Windows-LSA/Operational'
windows-security:
product: windows
service: security
conditions:
event_source: 'Microsoft-Windows-Security-Auditing'
windows-system:
product: windows
service: system
conditions:
event_source: 'Microsoft-Windows-Security-Auditing'
windows-dns-server:
product: windows
service: dns-server
conditions:
event_source: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
event_source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
event_source: 'Microsoft-Windows-DHCP-Server/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
event_source: 'Microsoft-Windows-NTLM/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
event_source:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
event_source: 'MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
event_source: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
event_source: 'Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
event_source: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
event_source: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
event_source: 'Microsoft-Windows-SmbClient/Security'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
event_source: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
event_source: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
event_source:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
event_source: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
event_source: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
event_source: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
event_source: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
event_source: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
event_source: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
event_source: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
event_source: 'Microsoft-Windows-LSA/Operational'
windows-appxpackaging-om:
product: windows
service: appxpackaging-om
conditions:
event_source: 'Microsoft-Windows-AppxPackaging/Operational'
windows-dns-client:
product: windows
service: dns-client
conditions:
event_source: 'Microsoft-Windows-DNS Client Events/Operational'
windows-appmodel-runtime:
product: windows
service: appmodel-runtime
conditions:
event_source: 'Microsoft-Windows-AppModel-Runtime/Admin'
fieldmappings:
EventID: event_id
FailureCode: result_code
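Review bot: The `windows-system` entry on the new side still carries `event_source: 'Microsoft-Windows-Security-Auditing'`, the same value as the `windows-security` entry directly above it, which looks like a copy-paste carried over from the old version rather than a mapping for the System channel. Security-Auditing is the provider of the Security log; System-channel events come from other providers, so a rule with `service: system` would, under this mapping, most likely be compiled into a query that never matches. The value should be replaced with whatever Logpoint records as `event_source` for System-channel events, e.g. `event_source: '<PLACEHOLDER: System-channel provider, confirm against Logpoint normalization>'`, and verified with one real event before merging. The three new entries at the end (`windows-appxpackaging-om`, `windows-dns-client`, `windows-appmodel-runtime`) use channel names consistent with the other backends in this commit, so no issue there.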
+163 -148
@@ -1,153 +1,168 @@
title: Logstash Windows common log sources
order: 20
backends:
- es-qs
- es-dsl
- es-rule
- kibana
- kibana-ndjson
- xpack-watcher
- elastalert
- elastalert-dsl
- ee-outliers
- es-qs
- es-dsl
- es-rule
- kibana
- kibana-ndjson
- xpack-watcher
- elastalert
- elastalert-dsl
- ee-outliers
logsources:
windows:
product: windows
index: logstash-windows-*
windows-application:
product: windows
service: application
conditions:
Channel: Application
windows-security:
product: windows
service: security
conditions:
Channel: Security
windows-sysmon:
product: windows
service: sysmon
conditions:
Channel: Microsoft-Windows-Sysmon
windows-dns-server:
product: windows
service: dns-server
conditions:
Channel: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
Channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
Channel: 'Microsoft-Windows-DHCP-Server/Operational'
windows-defender:
product: windows
service: windefend
conditions:
Channel: 'Microsoft-Windows-Windows Defender/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
Channel: 'Microsoft-Windows-NTLM/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
Channel:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
Channel: 'MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
Channel: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
Channel: 'Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
Channel: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
Channel: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
Channel: 'Microsoft-Windows-SmbClient/Security'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
Channel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
Channel: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
Channel:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
Channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
Channel: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
Channel: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
Channel: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
Channel: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
Channel: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
Channel: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
Channel: 'Microsoft-Windows-LSA/Operational'
windows:
product: windows
index: logstash-windows-*
windows-application:
product: windows
service: application
conditions:
Channel: Application
windows-security:
product: windows
service: security
conditions:
Channel: Security
windows-sysmon:
product: windows
service: sysmon
conditions:
Channel: Microsoft-Windows-Sysmon
windows-dns-server:
product: windows
service: dns-server
conditions:
Channel: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
Channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
Channel: 'Microsoft-Windows-DHCP-Server/Operational'
windows-defender:
product: windows
service: windefend
conditions:
Channel: 'Microsoft-Windows-Windows Defender/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
Channel: 'Microsoft-Windows-NTLM/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
Channel:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
Channel: 'MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
Channel: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
Channel: 'Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
Channel: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
Channel: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
Channel: 'Microsoft-Windows-SmbClient/Security'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
Channel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
Channel: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
Channel:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
Channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
Channel: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
Channel: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
Channel: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
Channel: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
Channel: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
Channel: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
Channel: 'Microsoft-Windows-LSA/Operational'
windows-appxpackaging-om:
product: windows
service: appxpackaging-om
conditions:
Channel: 'Microsoft-Windows-AppxPackaging/Operational'
windows-dns-client:
product: windows
service: dns-client
conditions:
Channel: 'Microsoft-Windows-DNS Client Events/Operational'
windows-appmodel-runtime:
product: windows
service: appmodel-runtime
conditions:
Channel: 'Microsoft-Windows-AppModel-Runtime/Admin'
defaultindex: logstash-*
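Review bot: The three new logsource entries (`windows-appxpackaging-om`, `windows-dns-client`, `windows-appmodel-runtime`) are hard to pick out because the hunk appears to replace every line of `backends:` and `logsources:`, presumably a wholesale re-indentation that the rendered view no longer shows; the PowerShell and Splunk sections below follow the same pattern. Landing the re-indentation as its own commit would leave a diff that shows only the additions. The same three mappings are also duplicated verbatim across these backend configs, differing only in the condition key, so any future channel rename has to be repeated in each file; a line such as `# Keep this list in sync with the other backend logsource configs` above `logsources:` would make that expectation visible to the next maintainer.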
+184 -169
@@ -1,173 +1,188 @@
title: Logsource to LogName mappings for PowerShell backend
order: 20
backends:
- powershell
- powershell
logsources:
windows-application:
product: windows
service: application
conditions:
LogName: 'Application'
windows-security:
product: windows
service: security
conditions:
LogName: 'Security'
windows-system:
product: windows
service: system
conditions:
LogName: 'System'
windows-sysmon:
product: windows
service: sysmon
conditions:
LogName: 'Microsoft-Windows-Sysmon/Operational'
windows-powershell:
product: windows
service: powershell
conditions:
LogName:
- 'Microsoft-Windows-PowerShell/Operational'
- 'PowerShellCore/Operational'
windows-classicpowershell:
product: windows
service: powershell-classic
conditions:
LogName: 'Windows PowerShell'
windows-taskscheduler:
product: windows
service: taskscheduler
conditions:
LogName: 'Microsoft-Windows-TaskScheduler/Operational'
windows-wmi:
product: windows
service: wmi
conditions:
LogName: 'Microsoft-Windows-WMI-Activity/Operational'
windows-dns-server:
product: windows
service: dns-server
conditions:
LogName: 'DNS Server'
windows-dns-server-audit:
product: windows
service: dns-server-audit
conditions:
LogName: 'Microsoft-Windows-DNS-Server/Audit'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
LogName: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
LogName: 'Microsoft-Windows-NTLM/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
LogName: 'Microsoft-Windows-DHCP-Server/Operational'
windows-defender:
product: windows
service: windefend
conditions:
LogName: 'Microsoft-Windows-Windows Defender/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
LogName:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
LogName: 'MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
LogName: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
LogName: 'Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
LogName: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
LogName: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
LogName: 'Microsoft-Windows-SmbClient/Security'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
LogName: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
LogName: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
LogName:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
LogName: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
LogName: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
LogName: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
LogName: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
LogName: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
LogName: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
LogName: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
LogName: 'Microsoft-Windows-LSA/Operational'
windows-application:
product: windows
service: application
conditions:
LogName: 'Application'
windows-security:
product: windows
service: security
conditions:
LogName: 'Security'
windows-system:
product: windows
service: system
conditions:
LogName: 'System'
windows-sysmon:
product: windows
service: sysmon
conditions:
LogName: 'Microsoft-Windows-Sysmon/Operational'
windows-powershell:
product: windows
service: powershell
conditions:
LogName:
- 'Microsoft-Windows-PowerShell/Operational'
- 'PowerShellCore/Operational'
windows-classicpowershell:
product: windows
service: powershell-classic
conditions:
LogName: 'Windows PowerShell'
windows-taskscheduler:
product: windows
service: taskscheduler
conditions:
LogName: 'Microsoft-Windows-TaskScheduler/Operational'
windows-wmi:
product: windows
service: wmi
conditions:
LogName: 'Microsoft-Windows-WMI-Activity/Operational'
windows-dns-server:
product: windows
service: dns-server
conditions:
LogName: 'DNS Server'
windows-dns-server-audit:
product: windows
service: dns-server-audit
conditions:
LogName: 'Microsoft-Windows-DNS-Server/Audit'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
LogName: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
LogName: 'Microsoft-Windows-NTLM/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
LogName: 'Microsoft-Windows-DHCP-Server/Operational'
windows-defender:
product: windows
service: windefend
conditions:
LogName: 'Microsoft-Windows-Windows Defender/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
LogName:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
LogName: 'MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
LogName: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
LogName: 'Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
LogName: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
LogName: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
LogName: 'Microsoft-Windows-SmbClient/Security'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
LogName: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
LogName: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
LogName:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
LogName: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
LogName: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
LogName: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
LogName: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
LogName: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
LogName: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
LogName: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
LogName: 'Microsoft-Windows-LSA/Operational'
windows-appxpackaging-om:
product: windows
service: appxpackaging-om
conditions:
LogName: 'Microsoft-Windows-AppxPackaging/Operational'
windows-dns-client:
product: windows
service: dns-client
conditions:
LogName: 'Microsoft-Windows-DNS Client Events/Operational'
windows-appmodel-runtime:
product: windows
service: appmodel-runtime
conditions:
LogName: 'Microsoft-Windows-AppModel-Runtime/Admin'
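Review bot: The `LogName` under the new `windows-dns-client` entry, `Microsoft-Windows-DNS Client Events/Operational`, is the only value in this file that does not follow the `Microsoft-Windows-<Provider>/<Channel>` form the other entries use, and a log name that does not exist on the host will presumably make the generated `Get-WinEvent` query error out rather than return nothing. Worth confirming the exact name against `Get-WinEvent -ListLog` on a current Windows build before this ships. If the spaced form is the real channel name, a comment above the entry such as `# Channel name intentionally contains spaces; verified against Get-WinEvent -ListLog` would stop the next reader from "correcting" it.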
+204 -189
@@ -1,195 +1,210 @@
title: Splunk Windows log source conditions
order: 20
backends:
- splunk
- splunkxml
- splunkdm
- splunk
- splunkxml
- splunkdm
logsources:
windows-application:
product: windows
service: application
conditions:
source: 'WinEventLog:Application'
windows-security:
product: windows
service: security
conditions:
source: 'WinEventLog:Security'
windows-system:
product: windows
service: system
conditions:
source: 'WinEventLog:System'
windows-sysmon:
product: windows
service: sysmon
conditions:
source: 'WinEventLog:Microsoft-Windows-Sysmon/Operational'
windows-process-creation:
product: windows
service: sysmon
category: process_creation
# Optimized search for process creation, being dramatically faster in Lispy than just EventCode=1 search, as 'ParentProcessGuid' is more unique than '1' in the raw data.
# This also supports custom splunk macros, just like they are written in splunk (i.e. as `macro`), minding that it has to be written inside the string quotes here.
search: 'ParentProcessGuid EventCode=1'
windows-file-creation:
product: windows
service: sysmon
category: file_creation
search: 'TargetFilename EventCode=11'
windows-powershell:
product: windows
service: powershell
conditions:
source:
- 'WinEventLog:Microsoft-Windows-PowerShell/Operational'
- 'WinEventLog:PowerShellCore/Operational'
windows-classicpowershell:
product: windows
service: powershell-classic
conditions:
source: 'WinEventLog:Windows PowerShell'
windows-taskscheduler:
product: windows
service: taskscheduler
conditions:
source: 'WinEventLog:Microsoft-Windows-TaskScheduler/Operational'
windows-wmi:
product: windows
service: wmi
conditions:
source: 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational'
windows-dns-server:
product: windows
service: dns-server
category: dns
conditions:
source: 'WinEventLog:DNS Server'
windows-dns-server-audit:
product: windows
service: dns-server-audit
conditions:
source: 'WinEventLog:Microsoft-Windows-DNS-Server/Audit'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
source: 'WinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
source: 'WinEventLog:Microsoft-Windows-NTLM/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
source: 'WinEventLog:Microsoft-Windows-DHCP-Server/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
source:
- 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script'
- 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL'
- 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
source: 'WinEventLog:MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
source: 'WinEventLog:Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
source: 'WinEventLog:Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
source: 'WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
source: 'WinEventLog:Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
source: 'WinEventLog:Microsoft-Windows-SmbClient/Security'
windows-rpc-firewall:
product: rpc_firewall
category: application
conditions:
source: 'WinEventLog:RPCFW'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
source: 'WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
source: 'WinEventLog:Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
source:
- 'WinEventLog:Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'WinEventLog:Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
source: 'WinEventLog:Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
source: 'WinEventLog:Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
source: 'WinEventLog:OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
source: 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
source: 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management'
windows-defender:
product: windows
service: windefend
conditions:
source: 'WinEventLog:Microsoft-Windows-Windows Defender/Operational'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
source: 'WinEventLog:Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
source: 'WinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
source: 'WinEventLog:Microsoft-Windows-LSA/Operational'
windows-application:
product: windows
service: application
conditions:
source: 'WinEventLog:Application'
windows-security:
product: windows
service: security
conditions:
source: 'WinEventLog:Security'
windows-system:
product: windows
service: system
conditions:
source: 'WinEventLog:System'
windows-sysmon:
product: windows
service: sysmon
conditions:
source: 'WinEventLog:Microsoft-Windows-Sysmon/Operational'
windows-process-creation:
product: windows
service: sysmon
category: process_creation
# Optimized search for process creation, being dramatically faster in Lispy than just EventCode=1 search, as 'ParentProcessGuid' is more unique than '1' in the raw data.
# This also supports custom splunk macros, just like they are written in splunk (i.e. as `macro`), minding that it has to be written inside the string quotes here.
search: 'ParentProcessGuid EventCode=1'
windows-file-creation:
product: windows
service: sysmon
category: file_creation
search: 'TargetFilename EventCode=11'
windows-powershell:
product: windows
service: powershell
conditions:
source:
- 'WinEventLog:Microsoft-Windows-PowerShell/Operational'
- 'WinEventLog:PowerShellCore/Operational'
windows-classicpowershell:
product: windows
service: powershell-classic
conditions:
source: 'WinEventLog:Windows PowerShell'
windows-taskscheduler:
product: windows
service: taskscheduler
conditions:
source: 'WinEventLog:Microsoft-Windows-TaskScheduler/Operational'
windows-wmi:
product: windows
service: wmi
conditions:
source: 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational'
windows-dns-server:
product: windows
service: dns-server
category: dns
conditions:
source: 'WinEventLog:DNS Server'
windows-dns-server-audit:
product: windows
service: dns-server-audit
conditions:
source: 'WinEventLog:Microsoft-Windows-DNS-Server/Audit'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
source: 'WinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
source: 'WinEventLog:Microsoft-Windows-NTLM/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
source: 'WinEventLog:Microsoft-Windows-DHCP-Server/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
source:
- 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script'
- 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL'
- 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
source: 'WinEventLog:MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
source: 'WinEventLog:Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
source: 'WinEventLog:Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
source: 'WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
source: 'WinEventLog:Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
source: 'WinEventLog:Microsoft-Windows-SmbClient/Security'
windows-rpc-firewall:
product: rpc_firewall
category: application
conditions:
source: 'WinEventLog:RPCFW'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
source: 'WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
source: 'WinEventLog:Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
source:
- 'WinEventLog:Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'WinEventLog:Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
source: 'WinEventLog:Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
source: 'WinEventLog:Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
source: 'WinEventLog:OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
source: 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
source: 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management'
windows-defender:
product: windows
service: windefend
conditions:
source: 'WinEventLog:Microsoft-Windows-Windows Defender/Operational'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
source: 'WinEventLog:Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
source: 'WinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
source: 'WinEventLog:Microsoft-Windows-LSA/Operational'
windows-appxpackaging-om:
product: windows
service: appxpackaging-om
conditions:
source: 'WinEventLog:Microsoft-Windows-AppxPackaging/Operational'
windows-dns-client:
product: windows
service: dns-client
conditions:
source: 'WinEventLog:Microsoft-Windows-DNS Client Events/Operational'
windows-appmodel-runtime:
product: windows
service: appmodel-runtime
conditions:
source: 'WinEventLog:Microsoft-Windows-AppModel-Runtime/Admin'
fieldmappings:
EventID: EventCode
+232 -191
@@ -1,200 +1,241 @@
title: SumoLogic
order: 20
backends:
- sumologic
- sumologic
afl_fields:
- _index
- EventID
- CommandLine
- NewProcessName
- Image
- ParentImage
- ParentCommandLine
- ParentProcessName
- _index
- EventID
- CommandLine
- NewProcessName
- Image
- ParentImage
- ParentCommandLine
- ParentProcessName
# Sumulogic mapping depends on customer configuration. Adapt to your context!
# typically rule on _sourceCategory, _index or Field Extraction Rules (FER)
# supposing existing FER for service, EventChannel, EventID
logsources:
unix:
product: unix
index: UNIX
linux:
product: linux
index: LINUX
linux-sshd:
product: linux
service: sshd
index: LINUX
linux-auth:
product: linux
service: auth
index: LINUX
linux-clamav:
product: linux
service: clamav
index: LINUX
windows:
product: windows
index: WINDOWS
windows-sysmon:
product: windows
service: sysmon
conditions:
EventChannel: Microsoft-Windows-Sysmon
index: WINDOWS
windows-security:
product: windows
service: security
conditions:
EventChannel: Security
index: WINDOWS
windows-powershell:
product: windows
service: powershell
conditions:
EventChannel:
- Microsoft-Windows-Powershell
- PowerShellCore
index: WINDOWS
windows-system:
product: windows
service: system
conditions:
EventChannel: System
index: WINDOWS
windows-dhcp:
product: windows
service: dhcp
conditions:
EventChannel: Microsoft-Windows-DHCP-Server
index: WINDOWS
windows-ntlm:
product: windows
service: ntlm
conditions:
EventChannel: 'Microsoft-Windows-NTLM/Operational'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
EventChannel: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
EventChannel: 'Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
EventChannel: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
EventChannel: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
EventChannel: 'Microsoft-Windows-SmbClient/Security'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
EventChannel: 'MSExchange Management'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
EventChannel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
EventChannel: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
EventChannel:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
EventChannel: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
EventChannel: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
EventChannel: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
source: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
source: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
source: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
source: 'Microsoft-Windows-AppXDeploymentServer/Operational'
apache:
service: apache
index: WEBSERVER
apache2:
service: apache
index: WEBSERVER
webserver:
category: webserver
index: WEBSERVER
firewall:
category: firewall
index: FIREWALL
firewall2:
product: firewall
index: FIREWALL
network-dns:
category: dns
index: DNS
network-dns2:
product: dns
index: DNS
proxy:
category: proxy
index: PROXY
antivirus:
category: antivirus
index: ANTIVIRUS
application-sql:
product: sql
index: DATABASE
application-python:
product: python
index: APPLICATIONS
application-django:
product: django
index: DJANGO
application-rails:
product: rails
index: RAILS
application-spring:
product: spring
index: SPRING
unix:
product: unix
index: UNIX
linux:
product: linux
index: LINUX
linux-sshd:
product: linux
service: sshd
index: LINUX
linux-auth:
product: linux
service: auth
index: LINUX
linux-clamav:
product: linux
service: clamav
index: LINUX
windows:
product: windows
index: WINDOWS
windows-sysmon:
product: windows
service: sysmon
conditions:
EventChannel: Microsoft-Windows-Sysmon
index: WINDOWS
windows-security:
product: windows
service: security
conditions:
EventChannel: Security
index: WINDOWS
windows-powershell:
product: windows
service: powershell
conditions:
EventChannel:
- Microsoft-Windows-Powershell
- PowerShellCore
index: WINDOWS
windows-system:
product: windows
service: system
conditions:
EventChannel: System
index: WINDOWS
windows-dhcp:
product: windows
service: dhcp
conditions:
EventChannel: Microsoft-Windows-DHCP-Server
index: WINDOWS
windows-ntlm:
product: windows
service: ntlm
conditions:
EventChannel: 'Microsoft-Windows-NTLM/Operational'
index: WINDOWS
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
EventChannel: 'Microsoft-Windows-PrintService/Admin'
index: WINDOWS
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
EventChannel: 'Microsoft-Windows-PrintService/Operational'
index: WINDOWS
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
EventChannel: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
index: WINDOWS
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
EventChannel: 'Microsoft-Windows-CodeIntegrity/Operational'
index: WINDOWS
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
EventChannel: 'Microsoft-Windows-SmbClient/Security'
index: WINDOWS
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
EventChannel: 'MSExchange Management'
index: WINDOWS
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
EventChannel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
index: WINDOWS
windows-bits-client:
product: windows
service: bits-client
conditions:
EventChannel: 'Microsoft-Windows-Bits-Client/Operational'
index: WINDOWS
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
EventChannel:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
index: WINDOWS
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
EventChannel: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
index: WINDOWS
windows-shell-core:
product: windows
service: shell-core
conditions:
EventChannel: 'Microsoft-Windows-Shell-Core/Operational'
index: WINDOWS
windows-openssh:
product: windows
service: openssh
conditions:
EventChannel: 'OpenSSH/Operational'
index: WINDOWS
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
EventChannel: 'Microsoft-Windows-LDAP-Client/Debug'
index: WINDOWS
windows-bitlocker:
product: windows
service: bitlocker
conditions:
EventChannel: 'Microsoft-Windows-BitLocker/BitLocker Management'
index: WINDOWS
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
EventChannel: 'Microsoft-Windows-VHDMP/Operational'
index: WINDOWS
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
EventChannel: 'Microsoft-Windows-AppXDeploymentServer/Operational'
index: WINDOWS
windows-lsa-server:
product: windows
service: lsa-server
conditions:
EventChannel: 'Microsoft-Windows-LSA/Operational'
index: WINDOWS
windows-appxpackaging-om:
product: windows
service: appxpackaging-om
conditions:
EventChannel: 'Microsoft-Windows-AppxPackaging/Operational'
index: WINDOWS
windows-dns-client:
product: windows
service: dns-client
conditions:
EventChannel: 'Microsoft-Windows-DNS Client Events/Operational'
index: WINDOWS
windows-appmodel-runtime:
product: windows
service: appmodel-runtime
conditions:
EventChannel: 'Microsoft-Windows-AppModel-Runtime/Admin'
index: WINDOWS
apache:
service: apache
index: WEBSERVER
apache2:
service: apache
index: WEBSERVER
webserver:
category: webserver
index: WEBSERVER
firewall:
category: firewall
index: FIREWALL
firewall2:
product: firewall
index: FIREWALL
network-dns:
category: dns
index: DNS
network-dns2:
product: dns
index: DNS
proxy:
category: proxy
index: PROXY
antivirus:
category: antivirus
index: ANTIVIRUS
application-sql:
product: sql
index: DATABASE
application-python:
product: python
index: APPLICATIONS
application-django:
product: django
index: DJANGO
application-rails:
product: rails
index: RAILS
application-spring:
product: spring
index: SPRING
# if no index, search in all indexes
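Review bot: The new logsources block still has no `windows-defender` entry, although the backend config earlier in this PR and the THOR config both map `service: windefend` to the 'Microsoft-Windows-Windows Defender/Operational' channel; a rule with that service would presumably fall back to the generic `windows` entry here and be searched across the whole WINDOWS index with no channel condition, which is both noisier and slower. The four entries added at the end of the windows block (`windows-lsa-server`, `windows-appxpackaging-om`, `windows-dns-client`, `windows-appmodel-runtime`) follow the `conditions: EventChannel:` + `index: WINDOWS` pattern, so a matching `windows-defender` entry next to them would keep the three configs in step. The rewritten entries below show the shape; indentation has to follow the file's two-space convention, which this rendered view does not preserve.
```yaml
# … unchanged: windows-appmodel-runtime entry …
windows-defender:
  product: windows
  service: windefend
  conditions:
    EventChannel: 'Microsoft-Windows-Windows Defender/Operational'
  index: WINDOWS
# … unchanged: apache and later entries …
```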
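--- a/PATH_NOT_SHOWN_ON_PAGE/thor
+++ b/PATH_NOT_SHOWN_ON_PAGE/thor
@@ -1,458 +1,473 @@
 title: THOR
 order: 20
 backends:
-- thor
+- thor
 # this configuration differs from other configurations and can not be used
 # with the sigmac tool. This configuration is used by the ioc scanners THOR and SPARK.
 logsources:
-# log source configurations for generic sigma rules
-process_creation_1:
-category: process_creation
-product: windows
-conditions:
-EventID: 1
-rewrite:
-product: windows
-service: sysmon
-process_creation_2:
-category: process_creation
-product: windows
-conditions:
-EventID: 4688
-rewrite:
-product: windows
-service: security
-fieldmappings:
-Image: NewProcessName
-ParentImage: ParentProcessName
-network_connection:
-category: network_connection
-product: windows
-conditions:
-EventID: 3
-rewrite:
-product: windows
-service: sysmon
-sysmon_status1:
-category: sysmon_status
-product: windows
-conditions:
-EventID: 4
-rewrite:
-product: windows
-service: sysmon
-sysmon_status2:
-category: sysmon_status
-product: windows
-conditions:
-EventID: 16
-rewrite:
-product: windows
-service: sysmon
-process_terminated:
-category: process_termination
-product: windows
-conditions:
-EventID: 5
-rewrite:
-product: windows
-service: sysmon
-driver_loaded:
-category: driver_load
-product: windows
-conditions:
-EventID: 6
-rewrite:
-product: windows
-service: sysmon
-image_loaded:
-category: image_load
-product: windows
-conditions:
-EventID: 7
-rewrite:
-product: windows
-service: sysmon
-create_remote_thread:
-category: create_remote_thread
-product: windows
-conditions:
-EventID: 8
-rewrite:
-product: windows
-service: sysmon
-raw_access_thread:
-category: raw_access_thread
-product: windows
-conditions:
-EventID: 9
-rewrite:
-product: windows
-service: sysmon
-process_access:
-category: process_access
-product: windows
-conditions:
-EventID: 10
-rewrite:
-product: windows
-service: sysmon
-file_creation:
-category: file_event
-product: windows
-conditions:
-EventID: 11
-rewrite:
-product: windows
-service: sysmon
-registry_event1:
-category: registry_event
-product: windows
-conditions:
-EventID: 12
-rewrite:
-product: windows
-service: sysmon
-registry_event2:
-category: registry_event
-product: windows
-conditions:
-EventID: 13
-rewrite:
-product: windows
-service: sysmon
-registry_event3:
-category: registry_event
-product: windows
-conditions:
-EventID: 14
-rewrite:
-product: windows
-service: sysmon
-registry_add:
-category: registry_add
-product: windows
-conditions:
-EventID: 12
-rewrite:
-product: windows
-service: sysmon
-registry_delete:
-category: registry_delete
-product: windows
-conditions:
-EventID: 12
-rewrite:
-product: windows
-service: sysmon
-registry_set:
-category: registry_set
-product: windows
-conditions:
-EventID: 13
-rewrite:
-product: windows
-service: sysmon
-registry_rename:
-category: registry_rename
-product: windows
-conditions:
-EventID: 14
-rewrite:
-product: windows
-service: sysmon
-create_stream_hash:
-category: create_stream_hash
-product: windows
-conditions:
-EventID: 15
-rewrite:
-product: windows
-service: sysmon
-pipe_created1:
-category: pipe_created
-product: windows
-conditions:
-EventID: 17
-rewrite:
-product: windows
-service: sysmon
-pipe_created2:
-category: pipe_created
-product: windows
-conditions:
-EventID: 18
-rewrite:
-product: windows
-service: sysmon
-wmi_event1:
-category: wmi_event
-product: windows
-conditions:
-EventID: 19
-rewrite:
-product: windows
-service: sysmon
-wmi_event2:
-category: wmi_event
-product: windows
-conditions:
-EventID: 20
-rewrite:
-product: windows
-service: sysmon
-wmi_event3:
-category: wmi_event
-product: windows
-conditions:
-EventID: 21
-rewrite:
-product: windows
-service: sysmon
-dns_query:
-category: dns_query
-product: windows
-conditions:
-EventID: 22
-rewrite:
-product: windows
-service: sysmon
-file_delete:
-category: file_delete
-product: windows
-conditions:
-EventID: 23
-rewrite:
-product: windows
-service: sysmon
-file_block:
-category: file_block
-product: windows
-conditions:
-EventID: 27
-rewrite:
-product: windows
-service: sysmon
-sysmon_error:
-category: sysmon_error
-product: windows
-conditions:
-EventID: 255
-rewrite:
-product: windows
-service: sysmon
-#PowerShell Operational
-ps_module:
-category: ps_module
-product: windows
-conditions:
-EventID: 4103
-rewrite:
-product: windows
-service: powershell
-ps_script:
-category: ps_script
-product: windows
-conditions:
-EventID: 4104
-rewrite:
-product: windows
-service: powershell
-#Powershell "classic" channel
-ps_classic_start:
-category: ps_classic_start
-product: windows
-conditions:
-EventID: 400
-rewrite:
-product: windows
-service: powershell-classic
-ps_classic_provider_start:
-category: ps_classic_provider_start
-product: windows
-conditions:
-EventID: 600
-rewrite:
-product: windows
-service: powershell-classic
-ps_classic_script:
-category: ps_classic_script
-product: windows
-conditions:
-EventID: 800
-rewrite:
-product: windows
-service: powershell-classic
-# target system configurations
-windows-application:
-product: windows
-service: application
-sources:
-- "WinEventLog:Application"
-windows-security:
-product: windows
-service: security
-sources:
-- "WinEventLog:Security"
-windows-system:
-product: windows
-service: system
-sources:
-- "WinEventLog:System"
-windows-ntlm:
-product: windows
-service: ntlm
-sources:
-- "WinEventLog:Microsoft-Windows-NTLM/Operational"
-windows-sysmon:
-product: windows
-service: sysmon
-sources:
-- "WinEventLog:Microsoft-Windows-Sysmon/Operational"
-windows-powershell:
-product: windows
-service: powershell
-sources:
-- "WinEventLog:Microsoft-Windows-PowerShell/Operational"
-- "WinEventLog:PowerShellCore/Operational"
-windows-classicpowershell:
-product: windows
-service: powershell-classic
-sources:
-- "WinEventLog:Windows PowerShell"
-windows-taskscheduler:
-product: windows
-service: taskscheduler
-sources:
-- "WinEventLog:Microsoft-Windows-TaskScheduler/Operational"
-windows-wmi:
-product: windows
-service: wmi
-sources:
-- "WinEventLog:Microsoft-Windows-WMI-Activity/Operational"
-windows-dhcp:
-product: windows
-service: dhcp
-sources:
-- "WinEventLog:Microsoft-Windows-DHCP-Server/Operational"
-windows-printservice-admin:
-product: windows
-service: printservice-admin
-sources:
-- "WinEventLog:Microsoft-Windows-PrintService/Admin"
-windows-smbclient-security:
-product: windows
-service: smbclient-security
-sources:
-- "WinEventLog:Microsoft-Windows-SmbClient/Security"
-windows-printservice-operational:
-product: windows
-service: printservice-operational
-sources:
-- "WinEventLog:Microsoft-Windows-PrintService/Operational"
-windows-terminalservices-localsessionmanager-operational:
-product: windows
-service: terminalservices-localsessionmanager
-sources:
-- 'WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
-windows-codeintegrity-operational:
-product: windows
-service: codeintegrity-operational
-sources:
-- "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational"
-windows-applocker:
-product: windows
-service: applocker
-sources:
-- 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script'
-- 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL'
-- 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment'
-- 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution'
-windows-msexchange-management:
-product: windows
-service: msexchange-management
-sources:
-- 'WinEventLog:MSExchange Management'
-windows-defender:
-product: windows
-service: windefend
-sources:
-- 'WinEventLog:Microsoft-Windows-Windows Defender/Operational'
-windows-firewall-advanced-security:
-product: windows
-service: firewall-as
-sources:
-- 'WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
-windows-bits-client:
-product: windows
-service: bits-client
-sources:
-- 'WinEventLog:Microsoft-Windows-Bits-Client/Operational'
-windows-security-mitigations:
-product: windows
-service: security-mitigations
-sources:
-- 'WinEventLog:Microsoft-Windows-Security-Mitigations/Kernel Mode'
-- 'WinEventLog:Microsoft-Windows-Security-Mitigations/User Mode'
-windows-diagnosis:
-product: windows
-service: diagnosis-scripted
-sources:
-- 'WinEventLog:Microsoft-Windows-Diagnosis-Scripted/Operational'
-windows-shell-core:
-product: windows
-service: shell-core
-sources:
-- 'WinEventLog:Microsoft-Windows-Shell-Core/Operational'
-windows-openssh:
-product: windows
-service: openssh
-sources:
-- 'WinEventLog:OpenSSH/Operational'
-windows-ldap-debug:
-product: windows
-service: ldap_debug
-sources:
-- 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug'
-windows-bitlocker:
-product: windows
-service: bitlocker
-sources:
-- 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management'
-windows-vhdmp:
-product: windows
-service: vhdmp
-sources:
-- 'WinEventLog:Microsoft-Windows-VHDMP/Operational'
-windows-appxdeployment-server:
-product: windows
-service: appxdeployment-server
-sources:
-- 'WinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational'
-windows-lsa-server:
-product: windows
-service: lsa-server
-sources:
-- 'WinEventLog:Microsoft-Windows-LSA/Operational'
-apache:
-category: webserver
-sources:
-- "File:/var/log/apache/*.log"
-- "File:/var/log/apache2/*.log"
-- "File:/var/log/httpd/*.log"
-linux-auth:
-product: linux
-service: auth
-sources:
-- "File:/var/log/auth.log"
-- "File:/var/log/auth.log.?"
-linux-syslog:
-product: linux
-service: syslog
-sources:
-- "File:/var/log/syslog"
-- "File:/var/log/syslog.?"
-logfiles:
-category: logfile
-sources:
-- "File:*.log"
+# log source configurations for generic sigma rules
+process_creation_1:
+category: process_creation
+product: windows
+conditions:
+EventID: 1
+rewrite:
+product: windows
+service: sysmon
+process_creation_2:
+category: process_creation
+product: windows
+conditions:
+EventID: 4688
+rewrite:
+product: windows
+service: security
+fieldmappings:
+Image: NewProcessName
+ParentImage: ParentProcessName
+network_connection:
+category: network_connection
+product: windows
+conditions:
+EventID: 3
+rewrite:
+product: windows
+service: sysmon
+sysmon_status1:
+category: sysmon_status
+product: windows
+conditions:
+EventID: 4
+rewrite:
+product: windows
+service: sysmon
+sysmon_status2:
+category: sysmon_status
+product: windows
+conditions:
+EventID: 16
+rewrite:
+product: windows
+service: sysmon
+process_terminated:
+category: process_termination
+product: windows
+conditions:
+EventID: 5
+rewrite:
+product: windows
+service: sysmon
+driver_loaded:
+category: driver_load
+product: windows
+conditions:
+EventID: 6
+rewrite:
+product: windows
+service: sysmon
+image_loaded:
+category: image_load
+product: windows
+conditions:
+EventID: 7
+rewrite:
+product: windows
+service: sysmon
+create_remote_thread:
+category: create_remote_thread
+product: windows
+conditions:
+EventID: 8
+rewrite:
+product: windows
+service: sysmon
+raw_access_thread:
+category: raw_access_thread
+product: windows
+conditions:
+EventID: 9
+rewrite:
+product: windows
+service: sysmon
+process_access:
+category: process_access
+product: windows
+conditions:
+EventID: 10
+rewrite:
+product: windows
+service: sysmon
+file_creation:
+category: file_event
+product: windows
+conditions:
+EventID: 11
+rewrite:
+product: windows
+service: sysmon
+registry_event1:
+category: registry_event
+product: windows
+conditions:
+EventID: 12
+rewrite:
+product: windows
+service: sysmon
+registry_event2:
+category: registry_event
+product: windows
+conditions:
+EventID: 13
+rewrite:
+product: windows
+service: sysmon
+registry_event3:
+category: registry_event
+product: windows
+conditions:
+EventID: 14
+rewrite:
+product: windows
+service: sysmon
+registry_add:
+category: registry_add
+product: windows
+conditions:
+EventID: 12
+rewrite:
+product: windows
+service: sysmon
+registry_delete:
+category: registry_delete
+product: windows
+conditions:
+EventID: 12
+rewrite:
+product: windows
+service: sysmon
+registry_set:
+category: registry_set
+product: windows
+conditions:
+EventID: 13
+rewrite:
+product: windows
+service: sysmon
+registry_rename:
+category: registry_rename
+product: windows
+conditions:
+EventID: 14
+rewrite:
+product: windows
+service: sysmon
+create_stream_hash:
+category: create_stream_hash
+product: windows
+conditions:
+EventID: 15
+rewrite:
+product: windows
+service: sysmon
+pipe_created1:
+category: pipe_created
+product: windows
+conditions:
+EventID: 17
+rewrite:
+product: windows
+service: sysmon
+pipe_created2:
+category: pipe_created
+product: windows
+conditions:
+EventID: 18
+rewrite:
+product: windows
+service: sysmon
+wmi_event1:
+category: wmi_event
+product: windows
+conditions:
+EventID: 19
+rewrite:
+product: windows
+service: sysmon
+wmi_event2:
+category: wmi_event
+product: windows
+conditions:
+EventID: 20
+rewrite:
+product: windows
+service: sysmon
+wmi_event3:
+category: wmi_event
+product: windows
+conditions:
+EventID: 21
+rewrite:
+product: windows
+service: sysmon
+dns_query:
+category: dns_query
+product: windows
+conditions:
+EventID: 22
+rewrite:
+product: windows
+service: sysmon
+file_delete:
+category: file_delete
+product: windows
+conditions:
+EventID: 23
+rewrite:
+product: windows
+service: sysmon
+file_block:
+category: file_block
+product: windows
+conditions:
+EventID: 27
+rewrite:
+product: windows
+service: sysmon
+sysmon_error:
+category: sysmon_error
+product: windows
+conditions:
+EventID: 255
+rewrite:
+product: windows
+service: sysmon
+#PowerShell Operational
+ps_module:
+category: ps_module
+product: windows
+conditions:
+EventID: 4103
+rewrite:
+product: windows
+service: powershell
+ps_script:
+category: ps_script
+product: windows
+conditions:
+EventID: 4104
+rewrite:
+product: windows
+service: powershell
+#Powershell "classic" channel
+ps_classic_start:
+category: ps_classic_start
+product: windows
+conditions:
+EventID: 400
+rewrite:
+product: windows
+service: powershell-classic
+ps_classic_provider_start:
+category: ps_classic_provider_start
+product: windows
+conditions:
+EventID: 600
+rewrite:
+product: windows
+service: powershell-classic
+ps_classic_script:
+category: ps_classic_script
+product: windows
+conditions:
+EventID: 800
+rewrite:
+product: windows
+service: powershell-classic
+# target system configurations
+windows-application:
+product: windows
+service: application
+sources:
+- "WinEventLog:Application"
+windows-security:
+product: windows
+service: security
+sources:
+- "WinEventLog:Security"
+windows-system:
+product: windows
+service: system
+sources:
+- "WinEventLog:System"
+windows-ntlm:
+product: windows
+service: ntlm
+sources:
+- "WinEventLog:Microsoft-Windows-NTLM/Operational"
+windows-sysmon:
+product: windows
+service: sysmon
+sources:
+- "WinEventLog:Microsoft-Windows-Sysmon/Operational"
+windows-powershell:
+product: windows
+service: powershell
+sources:
+- "WinEventLog:Microsoft-Windows-PowerShell/Operational"
+- "WinEventLog:PowerShellCore/Operational"
+windows-classicpowershell:
+product: windows
+service: powershell-classic
+sources:
+- "WinEventLog:Windows PowerShell"
+windows-taskscheduler:
+product: windows
+service: taskscheduler
+sources:
+- "WinEventLog:Microsoft-Windows-TaskScheduler/Operational"
+windows-wmi:
+product: windows
+service: wmi
+sources:
+- "WinEventLog:Microsoft-Windows-WMI-Activity/Operational"
+windows-dhcp:
+product: windows
+service: dhcp
+sources:
+- "WinEventLog:Microsoft-Windows-DHCP-Server/Operational"
+windows-printservice-admin:
+product: windows
+service: printservice-admin
+sources:
+- "WinEventLog:Microsoft-Windows-PrintService/Admin"
+windows-smbclient-security:
+product: windows
+service: smbclient-security
+sources:
+- "WinEventLog:Microsoft-Windows-SmbClient/Security"
+windows-printservice-operational:
+product: windows
+service: printservice-operational
+sources:
+- "WinEventLog:Microsoft-Windows-PrintService/Operational"
+windows-terminalservices-localsessionmanager-operational:
+product: windows
+service: terminalservices-localsessionmanager
+sources:
+- 'WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
+windows-codeintegrity-operational:
+product: windows
+service: codeintegrity-operational
+sources:
+- "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational"
+windows-applocker:
+product: windows
+service: applocker
+sources:
+- 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script'
+- 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL'
+- 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment'
+- 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution'
+windows-msexchange-management:
+product: windows
+service: msexchange-management
+sources:
+- 'WinEventLog:MSExchange Management'
+windows-defender:
+product: windows
+service: windefend
+sources:
+- 'WinEventLog:Microsoft-Windows-Windows Defender/Operational'
+windows-firewall-advanced-security:
+product: windows
+service: firewall-as
+sources:
+- 'WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
+windows-bits-client:
+product: windows
+service: bits-client
+sources:
+- 'WinEventLog:Microsoft-Windows-Bits-Client/Operational'
+windows-security-mitigations:
+product: windows
+service: security-mitigations
+sources:
+- 'WinEventLog:Microsoft-Windows-Security-Mitigations/Kernel Mode'
+- 'WinEventLog:Microsoft-Windows-Security-Mitigations/User Mode'
+windows-diagnosis:
+product: windows
+service: diagnosis-scripted
+sources:
+- 'WinEventLog:Microsoft-Windows-Diagnosis-Scripted/Operational'
+windows-shell-core:
+product: windows
+service: shell-core
+sources:
+- 'WinEventLog:Microsoft-Windows-Shell-Core/Operational'
+windows-openssh:
+product: windows
+service: openssh
+sources:
+- 'WinEventLog:OpenSSH/Operational'
+windows-ldap-debug:
+product: windows
+service: ldap_debug
+sources:
+- 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug'
+windows-bitlocker:
+product: windows
+service: bitlocker
+sources:
+- 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management'
+windows-vhdmp:
+product: windows
+service: vhdmp
+sources:
+- 'WinEventLog:Microsoft-Windows-VHDMP/Operational'
+windows-appxdeployment-server:
+product: windows
+service: appxdeployment-server
+sources:
+- 'WinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational'
+windows-lsa-server:
+product: windows
+service: lsa-server
+sources:
+- 'WinEventLog:Microsoft-Windows-LSA/Operational'
+windows-appxpackaging-om:
+product: windows
+service: appxpackaging-om
+sources:
+- 'WinEventLog:Microsoft-Windows-AppxPackaging/Operational'
+windows-dns-client:
+product: windows
+service: dns-client
+sources:
+- 'WinEventLog:Microsoft-Windows-DNS Client Events/Operational'
+windows-appmodel-runtime:
+product: windows
+service: appmodel-runtime
+sources:
+- 'WinEventLog:Microsoft-Windows-AppModel-Runtime/Admin'
+apache:
+category: webserver
+sources:
+- "File:/var/log/apache/*.log"
+- "File:/var/log/apache2/*.log"
+- "File:/var/log/httpd/*.log"
+linux-auth:
+product: linux
+service: auth
+sources:
+- "File:/var/log/auth.log"
+- "File:/var/log/auth.log.?"
+linux-syslog:
+product: linux
+service: syslog
+sources:
+- "File:/var/log/syslog"
+- "File:/var/log/syslog.?"
+logfiles:
+category: logfile
+sources:
+- "File:*.log"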
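Review bot: The three target-system entries added at the end of the windows block (`windows-appxpackaging-om`, `windows-dns-client`, `windows-appmodel-runtime`) use single-quoted channel names while the surrounding `sources` lists mix double quotes (`"WinEventLog:Application"`) and single quotes (`'WinEventLog:OpenSSH/Operational'`), so the file now has no consistent scalar style; since none of these values need escapes, settling on single quotes for every `WinEventLog:` entry (yamllint `quoted-strings`) would keep the block uniform. The `windows-vhdmp` key here also differs from the `windows-vhdmp-operational` key used for the same `service: vhdmp` in the SumoLogic config of this PR; aligning the key names across backend configs would make the mappings easier to grep, though the key name itself does not appear to affect matching. Whether any tooling keys on these names is not visible from the diff.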
+197 -183
@@ -1,179 +1,194 @@
title: Elastic Winlogbeat (from 7.x) index pattern and field mapping following Elastic enabled Modules
order: 20
backends:
- es-qs
- es-dsl
- es-rule
- es-rule-eql
- es-eql
- kibana
- kibana-ndjson
- xpack-watcher
- elastalert
- elastalert-dsl
- ee-outliers
- es-qs
- es-dsl
- es-rule
- es-rule-eql
- es-eql
- kibana
- kibana-ndjson
- xpack-watcher
- elastalert
- elastalert-dsl
- ee-outliers
logsources:
windows:
product: windows
index: winlogbeat-*
windows-application:
product: windows
service: application
conditions:
winlog.channel: Application
windows-security:
product: windows
service: security
conditions:
winlog.channel: Security
windows-system:
product: windows
service: system
conditions:
winlog.channel: System
windows-sysmon:
product: windows
service: sysmon
conditions:
winlog.channel: 'Microsoft-Windows-Sysmon/Operational'
windows-powershell:
product: windows
service: powershell
conditions:
winlog.channel:
- 'Microsoft-Windows-PowerShell/Operational'
- 'PowerShellCore/Operational'
windows-classicpowershell:
product: windows
service: powershell-classic
conditions:
winlog.channel: 'Windows PowerShell'
windows-dns-server:
product: windows
service: dns-server
conditions:
winlog.channel: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
winlog.channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
winlog.channel: 'Microsoft-Windows-DHCP-Server/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
winlog.channel: 'Microsoft-Windows-NTLM/Operational'
windows-defender:
product: windows
service: windefend
conditions:
winlog.channel: 'Microsoft-Windows-Windows Defender/Operational'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
winlog.channel: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
winlog.channel: 'Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
winlog.channel: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
winlog.channel: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
winlog.channel: 'Microsoft-Windows-SmbClient/Security'
windows-applocker:
product: windows
service: applocker
conditions:
winlog.channel:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
winlog.channel: 'MSExchange Management'
microsoft-servicebus-client:
product: windows
service: microsoft-servicebus-client
conditions:
winlog.channel: 'Microsoft-ServiceBus-Client'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
winlog.channel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
winlog.channel: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
winlog.channel:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
winlog.channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
winlog.channel: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
winlog.channel: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
winlog.channel: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
winlog.channel: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
winlog_channel: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
winlog_channel: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
winlog_channel: 'Microsoft-Windows-LSA/Operational'
windows:
product: windows
index: winlogbeat-*
windows-application:
product: windows
service: application
conditions:
winlog.channel: Application
windows-security:
product: windows
service: security
conditions:
winlog.channel: Security
windows-system:
product: windows
service: system
conditions:
winlog.channel: System
windows-sysmon:
product: windows
service: sysmon
conditions:
winlog.channel: 'Microsoft-Windows-Sysmon/Operational'
windows-powershell:
product: windows
service: powershell
conditions:
winlog.channel:
- 'Microsoft-Windows-PowerShell/Operational'
- 'PowerShellCore/Operational'
windows-classicpowershell:
product: windows
service: powershell-classic
conditions:
winlog.channel: 'Windows PowerShell'
windows-dns-server:
product: windows
service: dns-server
conditions:
winlog.channel: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
winlog.channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
winlog.channel: 'Microsoft-Windows-DHCP-Server/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
winlog.channel: 'Microsoft-Windows-NTLM/Operational'
windows-defender:
product: windows
service: windefend
conditions:
winlog.channel: 'Microsoft-Windows-Windows Defender/Operational'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
winlog.channel: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
winlog.channel: 'Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
winlog.channel: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
winlog.channel: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
winlog.channel: 'Microsoft-Windows-SmbClient/Security'
windows-applocker:
product: windows
service: applocker
conditions:
winlog.channel:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
winlog.channel: 'MSExchange Management'
microsoft-servicebus-client:
product: windows
service: microsoft-servicebus-client
conditions:
winlog.channel: 'Microsoft-ServiceBus-Client'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
winlog.channel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
winlog.channel: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
winlog.channel:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
winlog.channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
winlog.channel: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
winlog.channel: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
winlog.channel: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
winlog.channel: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
winlog_channel: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
winlog_channel: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
winlog_channel: 'Microsoft-Windows-LSA/Operational'
windows-appxpackaging-om:
product: windows
service: appxpackaging-om
conditions:
winlog_channel: 'Microsoft-Windows-AppxPackaging/Operational'
windows-dns-client:
product: windows
service: dns-client
conditions:
winlog_channel: 'Microsoft-Windows-DNS Client Events/Operational'
windows-appmodel-runtime:
product: windows
service: appmodel-runtime
conditions:
winlog_channel: 'Microsoft-Windows-AppModel-Runtime/Admin'
defaultindex: winlogbeat-*
# Extract all field names with yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
@@ -215,7 +230,7 @@ fieldmappings:
default: winlog.event_data.ErrorCode
FilePath: winlog.event_data.FilePath
# Filename => category: antivirus
Filename: winlog.event_data.Filename
Filename: winlog.event_data.Filename
LDAPDisplayName: winlog.event_data.LDAPDisplayName
# Level => Source: MSExchange Control Panel EventID: 4
Level: winlog.event_data.Level
@@ -229,7 +244,7 @@ fieldmappings:
ProcessGuid: process.entity_id
ProcessId: process.pid
Image: process.executable
FileVersion:
FileVersion:
category=process_creation: process.pe.file_version
category=image_load: file.pe.file_version
default: winlog.event_data.FileVersion
@@ -242,15 +257,15 @@ fieldmappings:
category=process_creation: process.pe.product
category=image_load: file.pe.product
default: winlog.event_data.Product
Company:
Company:
category=process_creation: process.pe.company
category=image_load: file.pe.company
default: winlog.event_data.Company
OriginalFileName:
OriginalFileName:
category=process_creation: process.pe.original_file_name
category=image_load: file.pe.original_file_name
default: winlog.event_data.OriginalFileName
CommandLine:
CommandLine:
category=process_creation: process.command_line
service=security: process.command_line
service=powershell-classic: powershell.command.value
@@ -270,10 +285,10 @@ fieldmappings:
TargetFilename: file.path
CreationUtcTime: winlog.event_data.CreationUtcTime
PreviousCreationUtcTime: winlog.event_data.PreviousCreationUtcTime
Protocol:
Protocol:
category=network_connection: network.transport
default: winlog.event_data.Protocol
Initiated:
Initiated:
category=network_connection: network.direction
default: winlog.event_data.Initiated
#SourceIsIpv6: winlog.event_data.SourceIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279
@@ -291,7 +306,7 @@ fieldmappings:
SchemaVersion: winlog.event_data.SchemaVersion
ImageLoaded: file.path
Signed: file.code_signature.signed
Signature:
Signature:
category=driver_loaded: file.code_signature.subject_name
category=image_loaded: file.code_signature.subject_name
default: winlog.event_data.Signature
@@ -347,7 +362,7 @@ fieldmappings:
category=driver_load: hash.sha256
category=image_load: file.hash.sha256
default: process.hash.sha256
Imphash:
Imphash:
category=driver_load: hash.imphash
category=image_load: file.hash.imphash
default: process.pe.imphash
@@ -357,7 +372,7 @@ fieldmappings:
CommandName: powershell.command.name
CommandPath: powershell.command.path
CommandType: powershell.command.type
EngineVersion:
EngineVersion:
service=powershell-classic: powershell.engine.version
service=windefend: winlog.event_data.Engine\ Version
default: winlog.event_data.EngineVersion
@@ -630,4 +645,3 @@ fieldmappings:
ApplicationPath: winlog.event_data.ApplicationPath
ModifyingApplication: winlog.event_data.ModifyingApplication
Action: winlog.event_data.Action
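Review bot: The three logsources added at the end of the first hunk (windows-appxpackaging-om, windows-dns-client, windows-appmodel-runtime) key their condition on `winlog_channel`, copied from the neighbouring vhdmp/appxdeployment-server/lsa-server entries, whereas every other entry in this file filters on `winlog.channel`, the field the rest of the mapping is written against. A query generated for a rule with `service: appmodel-runtime` (or the other two) would then filter on a field the index does not appear to carry and match nothing, so such rules would silently go dark on this backend rather than fail loudly. The lines should read `winlog.channel: 'Microsoft-Windows-AppxPackaging/Operational'`, `winlog.channel: 'Microsoft-Windows-DNS Client Events/Operational'` and `winlog.channel: 'Microsoft-Windows-AppModel-Runtime/Admin'`, and the three pre-existing `winlog_channel` entries directly above them deserve the same correction while this block is being touched. The same `winlog_channel` key is used by the three entries added in the "Elastic Winlogbeat (from 7.x) index pattern and field mapping" section further down this page.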
+220 -205
@@ -1,214 +1,229 @@
title: Elastic Winlogbeat (<=6.x) index pattern and field mapping
order: 20
backends:
- es-qs
- es-dsl
- es-rule
- kibana
- kibana-ndjson
- xpack-watcher
- elastalert
- elastalert-dsl
- ee-outliers
- es-qs
- es-dsl
- es-rule
- kibana
- kibana-ndjson
- xpack-watcher
- elastalert
- elastalert-dsl
- ee-outliers
logsources:
windows:
product: windows
index: winlogbeat-*
windows-application:
product: windows
service: application
conditions:
log_name: Application
windows-security:
product: windows
service: security
conditions:
log_name: Security
windows-system:
product: windows
service: system
conditions:
winlog.channel: System
windows-sysmon:
product: windows
service: sysmon
conditions:
log_name: 'Microsoft-Windows-Sysmon/Operational'
windows-powershell:
product: windows
service: powershell
conditions:
winlog.channel:
- 'Microsoft-Windows-PowerShell/Operational'
- 'PowerShellCore/Operational'
windows-classicpowershell:
product: windows
service: powershell-classic
conditions:
winlog.channel: 'Windows PowerShell'
windows-dns-server:
product: windows
service: dns-server
conditions:
log_name: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
log_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
log_name: 'Microsoft-Windows-DHCP-Server/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
log_name: 'Microsoft-Windows-NTLM/Operational'
windows-defender:
product: windows
service: windefend
conditions:
log_name: 'Microsoft-Windows-Windows Defender/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
log_name:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
log_name: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
log_name: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
log_name:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
log_name: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
log_name: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
log_name: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
log_name: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
log_name: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
log_name: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
log_name: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
log_name: 'Microsoft-Windows-LSA/Operational'
windows:
product: windows
index: winlogbeat-*
windows-application:
product: windows
service: application
conditions:
log_name: Application
windows-security:
product: windows
service: security
conditions:
log_name: Security
windows-system:
product: windows
service: system
conditions:
winlog.channel: System
windows-sysmon:
product: windows
service: sysmon
conditions:
log_name: 'Microsoft-Windows-Sysmon/Operational'
windows-powershell:
product: windows
service: powershell
conditions:
winlog.channel:
- 'Microsoft-Windows-PowerShell/Operational'
- 'PowerShellCore/Operational'
windows-classicpowershell:
product: windows
service: powershell-classic
conditions:
winlog.channel: 'Windows PowerShell'
windows-dns-server:
product: windows
service: dns-server
conditions:
log_name: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
log_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
log_name: 'Microsoft-Windows-DHCP-Server/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
log_name: 'Microsoft-Windows-NTLM/Operational'
windows-defender:
product: windows
service: windefend
conditions:
log_name: 'Microsoft-Windows-Windows Defender/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
log_name:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
log_name: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
log_name: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
log_name:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
log_name: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
log_name: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
log_name: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
log_name: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
log_name: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
log_name: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
log_name: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
log_name: 'Microsoft-Windows-LSA/Operational'
windows-appxpackaging-om:
product: windows
service: appxpackaging-om
conditions:
log_name: 'Microsoft-Windows-AppxPackaging/Operational'
windows-dns-client:
product: windows
service: dns-client
conditions:
log_name: 'Microsoft-Windows-DNS Client Events/Operational'
windows-appmodel-runtime:
product: windows
service: appmodel-runtime
conditions:
log_name: 'Microsoft-Windows-AppModel-Runtime/Admin'
defaultindex: winlogbeat-*
# Extract all field names with yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
# Keep EventID! Clean up the list afterwards!
fieldmappings:
EventID: event_id
AccessMask: event_data.AccessMask
AccountName: event_data.AccountName
AllowedToDelegateTo: event_data.AllowedToDelegateTo
AttributeLDAPDisplayName: event_data.AttributeLDAPDisplayName
AuditPolicyChanges: event_data.AuditPolicyChanges
AuthenticationPackageName: event_data.AuthenticationPackageName
CallingProcessName: event_data.CallingProcessName
CallTrace: event_data.CallTrace
Channel: winlog.channel
CommandLine: event_data.CommandLine
ComputerName: event_data.ComputerName
CurrentDirectory: event_data.CurrentDirectory
Description: event_data.Description
DestinationHostname: event_data.DestinationHostname
DestinationIp: event_data.DestinationIp
DestinationIsIpv6: event_data.DestinationIsIpv6
DestinationPort: event_data.DestinationPort
Details: event_data.Details
EngineVersion: event_data.EngineVersion
EventType: event_data.EventType
FailureCode: event_data.FailureCode
FileName: event_data.FileName
GrantedAccess: event_data.GrantedAccess
GroupName: event_data.GroupName
GroupSid: event_data.GroupSid
Hashes: event_data.Hashes
HiveName: event_data.HiveName
HostVersion: event_data.HostVersion
Image: event_data.Image
ImageLoaded: event_data.ImageLoaded
ImagePath: event_data.ImagePath
Imphash: event_data.Imphash
IpAddress: event_data.IpAddress
KeyLength: event_data.KeyLength
LogonProcessName: event_data.LogonProcessName
LogonType: event_data.LogonType
NewProcessName: event_data.NewProcessName
ObjectClass: event_data.ObjectClass
ObjectName: event_data.ObjectName
ObjectType: event_data.ObjectType
ObjectValueName: event_data.ObjectValueName
ParentCommandLine: event_data.ParentCommandLine
ParentProcessName: event_data.ParentProcessName
ParentImage: event_data.ParentImage
Path: event_data.Path
PipeName: event_data.PipeName
ProcessCommandLine: event_data.ProcessCommandLine
ProcessName: event_data.ProcessName
Product: event_data.Product
Properties: event_data.Properties
ScriptBlockText: winlog.event_data.ScriptBlockText
SecurityID: event_data.SecurityID
ServiceFileName: event_data.ServiceFileName
ServiceName: event_data.ServiceName
ShareName: event_data.ShareName
Signature: event_data.Signature
Source: event_data.Source
SourceImage: event_data.SourceImage
StartModule: event_data.StartModule
Status: event_data.Status
SubjectUserName: event_data.SubjectUserName
SubjectUserSid: event_data.SubjectUserSid
TargetFilename: event_data.TargetFilename
TargetImage: event_data.TargetImage
TargetObject: event_data.TargetObject
TicketEncryptionType: event_data.TicketEncryptionType
TicketOptions: event_data.TicketOptions
User: event_data.User
WorkstationName: event_data.WorkstationName
EventID: event_id
AccessMask: event_data.AccessMask
AccountName: event_data.AccountName
AllowedToDelegateTo: event_data.AllowedToDelegateTo
AttributeLDAPDisplayName: event_data.AttributeLDAPDisplayName
AuditPolicyChanges: event_data.AuditPolicyChanges
AuthenticationPackageName: event_data.AuthenticationPackageName
CallingProcessName: event_data.CallingProcessName
CallTrace: event_data.CallTrace
Channel: winlog.channel
CommandLine: event_data.CommandLine
ComputerName: event_data.ComputerName
CurrentDirectory: event_data.CurrentDirectory
Description: event_data.Description
DestinationHostname: event_data.DestinationHostname
DestinationIp: event_data.DestinationIp
DestinationIsIpv6: event_data.DestinationIsIpv6
DestinationPort: event_data.DestinationPort
Details: event_data.Details
EngineVersion: event_data.EngineVersion
EventType: event_data.EventType
FailureCode: event_data.FailureCode
FileName: event_data.FileName
GrantedAccess: event_data.GrantedAccess
GroupName: event_data.GroupName
GroupSid: event_data.GroupSid
Hashes: event_data.Hashes
HiveName: event_data.HiveName
HostVersion: event_data.HostVersion
Image: event_data.Image
ImageLoaded: event_data.ImageLoaded
ImagePath: event_data.ImagePath
Imphash: event_data.Imphash
IpAddress: event_data.IpAddress
KeyLength: event_data.KeyLength
LogonProcessName: event_data.LogonProcessName
LogonType: event_data.LogonType
NewProcessName: event_data.NewProcessName
ObjectClass: event_data.ObjectClass
ObjectName: event_data.ObjectName
ObjectType: event_data.ObjectType
ObjectValueName: event_data.ObjectValueName
ParentCommandLine: event_data.ParentCommandLine
ParentProcessName: event_data.ParentProcessName
ParentImage: event_data.ParentImage
Path: event_data.Path
PipeName: event_data.PipeName
ProcessCommandLine: event_data.ProcessCommandLine
ProcessName: event_data.ProcessName
Product: event_data.Product
Properties: event_data.Properties
ScriptBlockText: winlog.event_data.ScriptBlockText
SecurityID: event_data.SecurityID
ServiceFileName: event_data.ServiceFileName
ServiceName: event_data.ServiceName
ShareName: event_data.ShareName
Signature: event_data.Signature
Source: event_data.Source
SourceImage: event_data.SourceImage
StartModule: event_data.StartModule
Status: event_data.Status
SubjectUserName: event_data.SubjectUserName
SubjectUserSid: event_data.SubjectUserSid
TargetFilename: event_data.TargetFilename
TargetImage: event_data.TargetImage
TargetObject: event_data.TargetObject
TicketEncryptionType: event_data.TicketEncryptionType
TicketOptions: event_data.TicketOptions
User: event_data.User
WorkstationName: event_data.WorkstationName
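Review bot: On the new side of the first hunk the windows-system, windows-powershell and windows-classicpowershell entries still condition on `winlog.channel`, while every other logsource in this "<=6.x" mapping, including the three entries this commit adds, conditions on `log_name`. If `log_name` is the channel field this index pattern targets, as the rest of the file suggests, those three entries would not select any events; the inconsistency predates the commit but the re-indent touches these lines anyway, so it is the natural moment to align them, e.g. `log_name: System` and `log_name: 'Windows PowerShell'`. If the mixed keys are intentional, a short comment above those entries saying why would spare the next reviewer the same question.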
+26 -11
@@ -1,16 +1,16 @@
title: Elastic Winlogbeat (from 7.x) index pattern and field mapping
order: 20
backends:
- es-qs
- es-dsl
- es-rule
- kibana
- kibana-ndjson
- xpack-watcher
- elastalert
- elastalert-dsl
- ee-outliers
- opensearch-monitor
- es-qs
- es-dsl
- es-rule
- kibana
- kibana-ndjson
- xpack-watcher
- elastalert
- elastalert-dsl
- ee-outliers
- opensearch-monitor
logsources:
windows:
product: windows
@@ -147,7 +147,7 @@ logsources:
product: windows
service: bitlocker
conditions:
winlog.channel: 'bitlocker'
winlog.channel: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
@@ -163,6 +163,21 @@ logsources:
service: lsa-server
conditions:
winlog_channel: 'Microsoft-Windows-LSA/Operational'
windows-appxpackaging-om:
product: windows
service: appxpackaging-om
conditions:
winlog_channel: 'Microsoft-Windows-AppxPackaging/Operational'
windows-dns-client:
product: windows
service: dns-client
conditions:
winlog_channel: 'Microsoft-Windows-DNS Client Events/Operational'
windows-appmodel-runtime:
product: windows
service: appmodel-runtime
conditions:
winlog_channel: 'Microsoft-Windows-AppModel-Runtime/Admin'
defaultindex: winlogbeat-*
# Extract all field names with yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
+16 -1
@@ -128,4 +128,19 @@ logsources:
product: windows
service: lsa-server
conditions:
Channel: 'Microsoft-Windows-LSA/Operational'
Channel: 'Microsoft-Windows-LSA/Operational'
windows-appxpackaging-om:
product: windows
service: appxpackaging-om
conditions:
Channel: 'Microsoft-Windows-AppxPackaging/Operational'
windows-dns-client:
product: windows
service: dns-client
conditions:
Channel: 'Microsoft-Windows-DNS Client Events/Operational'
windows-appmodel-runtime:
product: windows
service: appmodel-runtime
conditions:
Channel: 'Microsoft-Windows-AppModel-Runtime/Admin'