diff --git a/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml
index f9cdff1a1..0b2ca2e7a 100644
--- a/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md
 author: Daniil Yugoslavskiy, oscd.community
 date: 2020/10/19
-modified: 2023/01/13
+modified: 2023/01/17
 tags:
 - attack.discovery
 - attack.t1049
@@ -22,10 +22,9 @@ detection:
 - '/lsof'
 - '/netstat'
 filter_landscape_sysinfo:
- ParentCommandLine|contains|all: # "/usr/bin/python /usr/bin/landscape-sysinfo "
- - '/usr/bin/python'
- - '/usr/bin/landscape-sysinfo'
- condition: selection and not filter_landscape_sysinfo
+ ParentCommandLine|contains: '/usr/bin/landscape-sysinfo'
+ Image|endswith: '/who'
+ condition: selection and not 1 of filter_*
 falsepositives:
 - Legitimate activities
 level: low
diff --git a/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml b/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml
new file mode 100644
index 000000000..b62c4f02b
--- /dev/null
+++ b/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml
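Review bot: The rewritten `filter_landscape_sysinfo` now exempts a process only by a substring of `ParentCommandLine` plus `Image|endswith: '/who'`, and the `/usr/bin/python` requirement of the old filter is gone; the command line is the least reliable of the parent attributes to key an exclusion on, so anchoring it with the parent binary too, e.g. `ParentImage|contains: '/python'` next to the `ParentCommandLine|contains` line, keeps the exclusion as specific as it was. The old filter covered every image in `selection` under landscape-sysinfo while the new one covers only `who`; if landscape-sysinfo also spawns `netstat` or `lsof` those invocations will now alert at `level: low`, which is presumably intended but worth a one-line comment on the filter. `selection` starts above this hunk.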
@@ -0,0 +1,27 @@
+title: Sysinternals Tools AppX Versions Execution
+id: d29a20b2-be4b-4827-81f2-3d8a59eab5fc
+status: experimental
+description: Detects execution of Sysinternals tools via an AppX package. Attackers could instal the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths
+references:
+ - Internal Research
+author: Nasreddine Bencherchali
+date: 2023/01/16
+tags:
+ - attack.defense_evasion
+ - attack.execution
+logsource:
+ product: windows
+ service: appmodel-runtime
+detection:
+ selection:
+ EventID: 201
+ ImageName:
+ - 'procdump.exe'
+ - 'psloglist.exe'
+ - 'psexec.exe'
+ - 'livekd.exe'
+ - 'ADExplorer.exe'
+ condition: selection
+falsepositives:
+ - Legitimate usage of the applications from the Windows Store
+level: medium
diff --git a/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml b/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml
new file mode 100644
index 000000000..299085328
--- /dev/null
+++ b/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml
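Review bot: The description has a typo (`instal`) and its last clause is hard to read; suggest `description: Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite from the Store to obtain tools such as psexec and procdump while evading detections that rely on the tools' usual file paths`. The `ImageName` list is an exact match on five file names, so a short comment above it noting that this is a deliberate subset of the suite (and why these five) would help future maintainers decide whether to extend it.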
@@ -0,0 +1,24 @@
+title: Suspicious Digital Signature Of AppX Package
+id: b5aa7d60-c17e-4538-97de-09029d6cd76b
+status: experimental
+description: Detects execution of AppX packages with known suspicious or malicious signature
+references:
+ - Internal Research
+ - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
+author: Nasreddine Bencherchali
+date: 2023/01/16
+tags:
+ - attack.defense_evasion
+ - attack.execution
+logsource:
+ product: windows
+ service: appxpackaging-om
+detection:
+ selection:
+ EventID: 157
+ # Add more known suspicious/malicious certificates used in different attacks
+ subjectName: 'CN=Foresee Consulting Inc., O=Foresee Consulting Inc., L=North York, S=Ontario, C=CA, SERIALNUMBER=1004913-1, OID.1.3.6.1.4.1.311.60.2.1.3=CA, OID.2.5.4.15=Private Organization'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml b/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml
new file mode 100644
index 000000000..be15f2373
--- /dev/null
+++ b/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml
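Review bot: `subjectName` is matched as one exact full-DN string, so any difference in how the event serialises the DN (attribute order, spacing after commas, OID presentation) makes the rule silently match nothing, and the comment above it invites a growing list of equally brittle strings. Matching on the distinctive component, written as a list so further entries can be appended, is more robust: `subjectName|contains:` followed by `- 'CN=Foresee Consulting Inc.'`. If the exact-match form is deliberate because the field is known to be stable, a comment stating that would save the next reviewer the same question.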
@@ -0,0 +1,32 @@
+title: Suspicious Cobalt Strike DNS Beaconing - DNS Client
+id: 0d18728b-f5bf-4381-9dcf-915539fff6c2
+related:
+ - id: f356a9c4-effd-4608-bbf8-408afd5cd006
+ type: similar
+status: test
+description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
+references:
+ - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
+ - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
+author: Nasreddine Bencherchali
+date: 2023/01/16
+tags:
+ - attack.command_and_control
+ - attack.t1071.004
+logsource:
+ product: windows
+ service: dns-client
+ definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
+detection:
+ selection_eid:
+ EventID: 3008
+ selection_query_1:
+ QueryName|startswith:
+ - 'aaa.stage.'
+ - 'post.1'
+ selection_query_2:
+ QueryName|contains: '.stage.123456.'
+ condition: selection_eid and 1 of selection_query_*
+falsepositives:
+ - Unknown
+level: critical
diff --git a/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml b/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml
new file mode 100644
index 000000000..467dbdcc0
--- /dev/null
+++ b/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml
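Review bot: The new file name `win_dns_client__mal_cobaltstrike.yml` has a double underscore after `client`, unlike the other dns_client rules added in this commit (`win_dns_client_anonymfiles_com.yml`, `win_dns_client_mega_nz.yml`, `win_dns_client_tor_onion.yml`, `win_dns_client_ufile_io.yml`) and unlike its Sysmon counterpart `dns_query_win_mal_cobaltstrike.yml`; rename it to `win_dns_client_mal_cobaltstrike.yml`. The rule body mirrors the Sysmon rule, so nothing else to raise here.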
@@ -0,0 +1,26 @@
+title: DNS Query for Anonfiles.com Domain - DNS Client
+id: 29f171d7-aa47-42c7-9c7b-3c87938164d9
+related:
+ - id: 065cceea-77ec-4030-9052-fc0affea7110
+ type: similar
+status: experimental
+description: Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
+references:
+ - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
+author: Nasreddine Bencherchali
+date: 2023/01/16
+tags:
+ - attack.exfiltration
+ - attack.t1567.002
+logsource:
+ product: windows
+ service: dns-client
+ definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
+detection:
+ selection:
+ EventID: 3008
+ QueryName|contains: '.anonfiles.com'
+ condition: selection
+falsepositives:
+ - Rare legitimate access to anonfiles.com
+level: high
diff --git a/rules/windows/builtin/dns_client/win_dns_client_mega_nz.yml b/rules/windows/builtin/dns_client/win_dns_client_mega_nz.yml
new file mode 100644
index 000000000..e58b68a6b
--- /dev/null
+++ b/rules/windows/builtin/dns_client/win_dns_client_mega_nz.yml
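Review bot: `QueryName|contains: '.anonfiles.com'` requires a leading dot, so a query for the apex name `anonfiles.com` itself is not matched, only its subdomains; if the apex should be covered, `QueryName|endswith: 'anonfiles.com'` catches both, at the cost of also matching unrelated names that happen to end in that string, so the trade-off deserves a comment either way. The same leading-dot pattern is kept in the Sysmon counterpart `dns_query_win_anonymfiles_com.yml` later in this commit, where the value is merely quoted.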
@@ -0,0 +1,26 @@
+title: DNS Query for MEGA.io Upload Domain - DNS Client
+id: 66474410-b883-415f-9f8d-75345a0a66a6
+related:
+ - id: 613c03ba-0779-4a53-8a1f-47f914a4ded3
+ type: similar
+status: test
+description: Detects DNS queries for subdomains used for upload to MEGA.io
+references:
+ - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
+author: Nasreddine Bencherchali
+date: 2023/01/16
+tags:
+ - attack.exfiltration
+ - attack.t1567.002
+logsource:
+ product: windows
+ service: dns-client
+ definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
+detection:
+ selection:
+ EventID: 3008
+ QueryName|contains: 'userstorage.mega.co.nz'
+ condition: selection
+falsepositives:
+ - Legitimate DNS queries and usage of Mega
+level: high
diff --git a/rules/windows/builtin/dns_client/win_dns_client_tor_onion.yml b/rules/windows/builtin/dns_client/win_dns_client_tor_onion.yml
new file mode 100644
index 000000000..7e1bb41d5
--- /dev/null
+++ b/rules/windows/builtin/dns_client/win_dns_client_tor_onion.yml
@@ -0,0 +1,26 @@
+title: Query Tor Onion Address - DNS Client
+id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2
+related:
+ - id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544
+ type: similar
+status: experimental
+description: Detects DNS resolution of an .onion address related to Tor routing networks
+references:
+ - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
+author: Nasreddine Bencherchali
+date: 2022/02/20
+tags:
+ - attack.command_and_control
+ - attack.t1090.003
+logsource:
+ product: windows
+ service: dns-client
+ definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
+detection:
+ selection:
+ EventID: 3008
+ QueryName|contains: '.onion'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
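Review bot: `date: 2022/02/20` in the new `win_dns_client_tor_onion.yml` looks copied from the Sysmon rule it mirrors (`dns_query_win_tor_onion.yml`, authored by frack113 on that date); every other rule created in this commit carries `date: 2023/01/16`, so this one should read `date: 2023/01/16` as well. Separately, `QueryName|contains: '.onion'` also matches names in which `.onion` is only the start of a label (for example a host under an `onionrings.example` domain); assuming QueryName carries no trailing dot in EventID 3008, `QueryName|endswith: '.onion'` pins the Tor TLD precisely, which matters for a `level: high` rule whose falsepositives entry says `Unlikely`.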
diff --git a/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml b/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml
new file mode 100644
index 000000000..371f2ab3a
--- /dev/null
+++ b/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml
@@ -0,0 +1,26 @@
+title: DNS Query for Ufile.io Upload Domain - DNS Client
+id: 090ffaad-c01a-4879-850c-6d57da98452d
+related:
+ - id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b
+ type: similar
+status: experimental
+description: Detects DNS queries to "ufile.io". Which is often abused by malware for upload and exfiltration
+references:
+ - https://thedfirreport.com/2021/12/13/diavol-ransomware/
+author: Nasreddine Bencherchali
+date: 2023/01/16
+tags:
+ - attack.exfiltration
+ - attack.t1567.002
+logsource:
+ product: windows
+ service: dns-client
+ definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
+detection:
+ selection:
+ EventID: 3008
+ QueryName|contains: 'ufile.io'
+ condition: selection
+falsepositives:
+ - Legitimate DNS queries and usage of Ufile
+level: high
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml
index 21f2c207d..ad1e4499e 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml
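Review bot: The description `Detects DNS queries to "ufile.io". Which is often abused by malware for upload and exfiltration` breaks one sentence into a fragment; suggest `description: Detects DNS queries to "ufile.io", which is often abused by malware for upload and exfiltration`. The identical wording is introduced into the Sysmon counterpart `dns_query_win_ufile_io.yml` later in this commit and should be fixed there too.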
@@ -1,19 +1,18 @@
-title: Added Rule in Windows Firewall with Advanced Security
+title: New Firewall Rule Added In Windows Firewall Exception List
 id: cde0a575-7d3d-4a49-9817-b8004a7bf105
 status: experimental
-description: A rule has been modified in the Windows Firewall exception list
+description: Detects when a rule has been added to the Windows Firewall exception list
 references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 author: frack113
 date: 2022/02/19
-modified: 2022/11/01
+modified: 2023/01/17
 logsource:
 product: windows
 service: firewall-as
-# EventID 49xx and 50xx are not used in the rule, please don't use Windows Server 2008 R2
 detection:
 selection:
- EventID: 2004
+ EventID: 2004 # A rule has been added to the Windows Defender Firewall exception list
 filter_block:
 Action: 2
 filter_installations:
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml
index 62287d0b0..dede28059 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml
@@ -1,21 +1,21 @@
-title: Modified Rule in Windows Firewall with Advanced Security
+title: Firewall Rule Modified In The Windows Firewall Exception List
 id: 5570c4d9-8fdd-4622-965b-403a5a101aa0
 status: experimental
-description: A rule has been modified in the Windows Firewall exception list
+description: Detects when a rule has been modified in the windows firewall exception list
 references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 author: frack113
 date: 2022/02/19
+modified: 2023/01/17
 logsource:
 product: windows
 service: firewall-as
-# EventID 49xx and 50xx are not used in the rule, please don't use Windows Server 2008 R2
 detection:
 selection:
- EventID: 2005
- filter:
+ EventID: 2005 # A rule has been modified in the Windows Defender Firewall exception list
+ filter_generic:
 ModifyingApplication|startswith:
 - 'C:\Program Files (x86)\'
 - 'C:\Program Files\'
- condition: selection and not 1 of filter*
+ condition: selection and not 1 of filter_*
 level: low
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml b/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml
new file mode 100644
index 000000000..fd09f8d20
--- /dev/null
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml
@@ -0,0 +1,25 @@
+title: All Rules Have Been Deleted From The Windows Firewall Configuration
+id: 79609c82-a488-426e-abcf-9f341a39365d
+status: experimental
+description: Detects when a all the rules have been deleted from the Windows Defender Firewall configuration
+references:
+ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
+author: frack113, Nasreddine Bencherchali
+date: 2023/01/17
+logsource:
+ product: windows
+ service: firewall-as
+detection:
+ selection:
+ EventID: 2033 # All rules have been deleted from the Windows Defender Firewall configuration on this computer
+ filter_generic:
+ ModifyingApplication|startswith:
+ - 'C:\Program Files\'
+ - 'C:\Program Files (x86)\'
+ filter_svchost:
+ ModifyingApplication: 'C:\Windows\System32\svchost.exe'
+ filter_msmpeng:
+ ModifyingApplication|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
+ ModifyingApplication|endswith: '\MsMpEng.exe'
+ condition: selection and not 1 of filter_*
+level: high
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml
index c0e528e34..3b2926ed1 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml
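Review bot: `description: Detects when a all the rules have been deleted ...` has a stray article; suggest `description: Detects when all the rules have been deleted from the Windows Defender Firewall configuration`. Beyond wording, `filter_generic` exempts EventID 2033 (every firewall rule removed) whenever `ModifyingApplication` starts with `C:\Program Files\` or `C:\Program Files (x86)\`, which for a `level: high` event is a broad exemption: the directory tree is writable by any local administrator, and the exclusion carries no record of which product was observed triggering it. A comment naming the legitimate software that deletes all rules (or narrowing the prefix to that product's directory, as `filter_msmpeng` does for Defender) would make the exclusion reviewable; the firewall rules in this commit also carry no `tags:` block, which is presumably pre-existing but worth noting for a newly created file.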
@@ -1,28 +1,26 @@
-title: Delete Rule in Windows Firewall with Advanced Security
+title: A Rule Has Been Deleted From The Windows Firewall Exception List
 id: c187c075-bb3e-4c62-b4fa-beae0ffc211f
 status: experimental
-description: A rule has been deleted in the Windows Firewall exception list.
+description: Detects when a singe rules or all of the rules have been deleted from the Windows Defender Firewall
 references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 author: frack113
 date: 2022/02/19
-modified: 2022/10/18
+modified: 2023/01/17
 logsource:
 product: windows
 service: firewall-as
-# EventID 49xx and 50xx are not used in the rule, please don't use Windows Server 2008 R2
 detection:
 selection:
- EventID:
- - 2006
- - 2033 #All rules
- filter:
- - ModifyingApplication: 'C:\Windows\System32\svchost.exe'
- - ModifyingApplication|startswith:
+ EventID: 2006 # A rule has been deleted in the Windows Defender Firewall exception list
+ filter_generic:
+ ModifyingApplication|startswith:
 - 'C:\Program Files\'
 - 'C:\Program Files (x86)\'
+ filter_svchost:
+ ModifyingApplication: 'C:\Windows\System32\svchost.exe'
 filter_msmpeng:
 ModifyingApplication|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
 ModifyingApplication|endswith: '\MsMpEng.exe'
- condition: selection and not 1 of filter*
+ condition: selection and not 1 of filter_*
 level: medium
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_failed.yml b/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml
similarity index 55%
rename from rules/windows/builtin/firewall_as/win_firewall_as_failed.yml
rename to rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml
index bb60ac051..41c42ba6e 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_failed.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml
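Review bot: The new description `Detects when a singe rules or all of the rules have been deleted from the Windows Defender Firewall` no longer describes the rule: this hunk drops EventID 2033 (all rules deleted) from `selection`, leaving only 2006, and 2033 now lives in the new `win_firewall_as_delete_all_rules.yml` from the same commit. Suggest `description: Detects when a single rule has been deleted from the Windows Defender Firewall exception list`, which also removes the `singe rules` typo and agrees with the new title and the inline comment on the EventID line.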
@@ -1,17 +1,17 @@
-title: Failed to Load Policy in Windows Firewall with Advanced Security
+title: The Windows Defender Firewall Service Failed To Load Group Policy
 id: 7ec15688-fd24-4177-ba43-1a950537ee39
 status: experimental
-description: The Windows Firewall service failed to load Group Policy.
+description: Detects activity when The Windows Defender Firewall service failed to load Group Policy
 references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 author: frack113
 date: 2022/02/19
+modified: 2023/01/17
 logsource:
 product: windows
 service: firewall-as
-# EventID 49xx and 50xx are not used in the rule, please don't use Windows Server 2008 R2
 detection:
 selection:
- EventID: 2009
+ EventID: 2009 # The Windows Defender Firewall service failed to load Group Policy
 condition: selection
 level: low
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_reset.yml b/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml
similarity index 54%
rename from rules/windows/builtin/firewall_as/win_firewall_as_reset.yml
rename to rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml
index ac11c5662..3f492f622 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_reset.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml
@@ -1,17 +1,17 @@
-title: Reset to Default Configuration Windows Firewall with Advanced Security
+title: Windows Defender Firewall Has Been Reset To Its Default Configuration
 id: 04b60639-39c0-412a-9fbe-e82499c881a3
 status: experimental
-description: Windows Firewall has been reset to its default configuration.
+description: Detects activity when Windows Defender Firewall has been reset to its default configuration
 references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 author: frack113
 date: 2022/02/19
+modified: 2023/01/17
 logsource:
 product: windows
 service: firewall-as
-# EventID 49xx and 50xx are not used in the rule, please don't use Windows Server 2008 R2
 detection:
 selection:
- EventID: 2032
+ EventID: 2032 # Windows Defender Firewall has been reset to its default configuration
 condition: selection
 level: low
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml b/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml
index 725ebaff8..81bb75a6a 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml
@@ -1,21 +1,20 @@
-title: Setting Change in Windows Firewall with Advanced Security
+title: Windows Firewall Settings Have Been Changed
 id: 00bb5bd5-1379-4fcf-a965-a5b6f7478064
 status: experimental
-description: Setting have been change in Windows Firewall
+description: Detects activity when the settings of the Windows firewall have been changed
 references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 author: frack113
 date: 2022/02/19
-modified: 2022/03/28
+modified: 2023/01/17
 logsource:
 product: windows
 service: firewall-as
-# EventID 49xx and 50xx are not used in the rule, please don't use Windows Server 2008 R2
 detection:
 selection:
 EventID:
 - 2002 # A Windows Firewall setting has changed.
- - 2003 # A Windows Firewall setting in the %1 profile has changed.
+ - 2003 # A Windows Firewall setting in the profile has changed
 - 2008 # Windows Firewall Group Policy settings have changed. The new settings have been applied
 # - 2010 # Network profile changed on an interface.
 condition: selection
diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml
index 5961c870d..b8f9859ca 100644
--- a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml
+++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml
@@ -8,7 +8,7 @@ related:
 - id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d
 type: similar
 status: experimental
-description: Detects when adversaries stop services or processes by deleting or disabling their respective schdueled tasks in order to conduct data destructive activities
+description: Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities
 references:
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701
diff --git a/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml b/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml
index 4d5d8a6d6..23d3b71dd 100644
--- a/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml
+++ b/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml
@@ -1,11 +1,15 @@
-title: DNS Query for Anonfiles.com Domain
+title: DNS Query for Anonfiles.com Domain - Sysmon
 id: 065cceea-77ec-4030-9052-fc0affea7110
+related:
+ - id: 29f171d7-aa47-42c7-9c7b-3c87938164d9
+ type: similar
 status: experimental
-description: Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
+description: Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes
 references:
 - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
 author: pH-T
 date: 2022/07/15
+modified: 2023/01/16
 tags:
 - attack.exfiltration
 - attack.t1567.002
@@ -14,8 +18,8 @@ logsource:
 category: dns_query
 detection:
 selection:
- QueryName|contains: .anonfiles.com
+ QueryName|contains: '.anonfiles.com'
 condition: selection
 falsepositives:
- - Legitimate access to anonfiles.com
+ - Rare legitimate access to anonfiles.com
 level: high
diff --git a/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml b/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml
index bf93e948c..4529f5c21 100644
--- a/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml
+++ b/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml
@@ -6,7 +6,7 @@ references:
 - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2021/04/12
-modified: 2022/10/09
+modified: 2023/01/16
 tags:
 - attack.persistence
 - attack.t1554
@@ -15,8 +15,8 @@ logsource:
 category: dns_query
 detection:
 selection:
- QueryName|contains: servicebus.windows.net
- Image|contains: HybridConnectionManager
+ QueryName|contains: 'servicebus.windows.net'
+ Image|contains: 'HybridConnectionManager'
 condition: selection
 falsepositives:
 - Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service
diff --git a/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml b/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml
index 5307ae410..eb3e5fc11 100644
--- a/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml
+++ b/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml
@@ -1,5 +1,8 @@
-title: Suspicious Cobalt Strike DNS Beaconing
+title: Suspicious Cobalt Strike DNS Beaconing - Sysmon
 id: f356a9c4-effd-4608-bbf8-408afd5cd006
+related:
+ - id: 0d18728b-f5bf-4381-9dcf-915539fff6c2
+ type: similar
 status: test
 description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
 references:
@@ -7,7 +10,7 @@ references:
 - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
 author: Florian Roth
 date: 2021/11/09
-modified: 2022/12/25
+modified: 2023/01/16
 tags:
 - attack.command_and_control
 - attack.t1071.004
diff --git a/rules/windows/dns_query/dns_query_win_mega_nz.yml b/rules/windows/dns_query/dns_query_win_mega_nz.yml
index 47fd48c93..0e7122758 100644
--- a/rules/windows/dns_query/dns_query_win_mega_nz.yml
+++ b/rules/windows/dns_query/dns_query_win_mega_nz.yml
@@ -1,12 +1,15 @@
-title: DNS Query for MEGA.io Upload Domain
+title: DNS Query for MEGA.io Upload Domain - Sysmon
 id: 613c03ba-0779-4a53-8a1f-47f914a4ded3
+related:
+ - id: 66474410-b883-415f-9f8d-75345a0a66a6
+ type: similar
 status: test
 description: Detects DNS queries for subdomains used for upload to MEGA.io
 references:
 - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
 author: Aaron Greetham (@beardofbinary) - NCC Group
 date: 2021/05/26
-modified: 2022/10/09
+modified: 2023/01/16
 tags:
 - attack.exfiltration
 - attack.t1567.002
@@ -15,8 +18,8 @@ logsource:
 category: dns_query
 detection:
 selection:
- QueryName|contains: userstorage.mega.co.nz
+ QueryName|contains: 'userstorage.mega.co.nz'
 condition: selection
 falsepositives:
- - Legitimate Mega upload
+ - Legitimate DNS queries and usage of Mega
 level: high
diff --git a/rules/windows/dns_query/dns_query_win_tor_onion.yml b/rules/windows/dns_query/dns_query_win_tor_onion.yml
index 00c07a185..266d2f40d 100644
--- a/rules/windows/dns_query/dns_query_win_tor_onion.yml
+++ b/rules/windows/dns_query/dns_query_win_tor_onion.yml
@@ -1,11 +1,15 @@
-title: Query Tor Onion Address
+title: DNS Query Tor Onion Address - Sysmon
 id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544
+related:
+ - id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2
+ type: similar
 status: experimental
-description: Detects DNS resolution of an .onion address related to Tor routing networks
+description: Detects DNS queries to an ".onion" address related to Tor routing networks
 references:
 - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
 author: frack113
 date: 2022/02/20
+modified: 2023/01/16
 tags:
 - attack.command_and_control
 - attack.t1090.003
diff --git a/rules/windows/dns_query/dns_query_win_ufile_io.yml b/rules/windows/dns_query/dns_query_win_ufile_io.yml
index 0d171d615..654a68715 100644
--- a/rules/windows/dns_query/dns_query_win_ufile_io.yml
+++ b/rules/windows/dns_query/dns_query_win_ufile_io.yml
@@ -1,11 +1,15 @@
-title: DNS Query for Ufile.io Upload Domain
+title: DNS Query for Ufile.io Upload Domain - Sysmon
 id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b
+related:
+ - id: 090ffaad-c01a-4879-850c-6d57da98452d
+ type: similar
 status: experimental
-description: Detects DNS queries for subdomains used for upload to ufile.io
+description: Detects DNS queries to "ufile.io". Which is often abused by malware for upload and exfiltration
 references:
 - https://thedfirreport.com/2021/12/13/diavol-ransomware/
 author: yatinwad and TheDFIRReport
 date: 2022/06/23
+modified: 2023/01/16
 tags:
 - attack.exfiltration
 - attack.t1567.002
@@ -14,8 +18,8 @@ logsource:
 category: dns_query
 detection:
 selection:
- QueryName|contains: ufile.io
+ QueryName|contains: 'ufile.io'
 condition: selection
 falsepositives:
- - Legitimate Ufile upload
+ - Legitimate DNS queries and usage of Ufile
 level: high
diff --git a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
index f613acb6e..17cbc6b9a 100644
--- a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
+++ b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
@@ -21,9 +21,10 @@ references:
 - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
 - https://github.com/HarmJ0y/DAMP
 - https://github.com/samratashok/nishang
+ - https://github.com/DarkCoderSc/PowerRunAsSystem/
 author: Markus Neis, Nasreddine Bencherchali, Mustafa Kaan Demir, Georg Lauenstein
 date: 2018/04/07
-modified: 2023/01/09
+modified: 2023/01/16
 tags:
 - attack.execution
 - attack.t1059.001
@@ -268,6 +269,7 @@ detection:
 - '\Parse_Keys.ps1'
 - '\Port-Scan.ps1'
 - '\PowerBreach.ps1'
+ - '\PowerRunAsSystem.psm1'
 - '\PowerSharpPack.ps1'
 - '\PowerUp.ps1'
 - '\PowerUpSQL.ps1'
diff --git a/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml b/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml
index 1d4ed95ed..d3b66f451 100755
--- a/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml
@@ -39,8 +39,10 @@ detection:
 - 'C:\Windows\system32\efsui.exe'
 - 'C:\Windows\system32\dsac.exe'
 filter_citrix:
+ # Example:
+ # TargetFilename=C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\SchCache\REDACTED.com.sch
 Image|endswith: ':\Program Files\Citrix\Receiver StoreFront\Services\DefaultDomainServices\Citrix.DeliveryServices.DomainServices.ServiceHost.exe'
- condition: selection and not 1 of filter*
+ condition: selection and not 1 of filter_*
 falsepositives:
 - Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.
 level: high
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_tamper_with_windows_defender.yml b/rules/windows/powershell/powershell_classic/posh_pc_tamper_with_windows_defender.yml
index 5d193835b..b5e017597 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_tamper_with_windows_defender.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_tamper_with_windows_defender.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 author: frack113
 date: 2021/06/07
-modified: 2022/08/05
+modified: 2023/01/12
 tags:
 - attack.defense_evasion
 - attack.t1562.001
@@ -18,9 +18,9 @@ logsource:
 category: ps_classic_provider_start
 definition: fields have to be extract from event
 detection:
- tamper_ps_action:
+ selection_tamper_ps_action:
 HostApplication|contains: 'Set-MpPreference'
- tamper_ps_option:
+ selection_tamper_ps_option:
 HostApplication|contains:
 - 'DisableRealtimeMonitoring 1'
 - 'DisableBehaviorMonitoring 1'
@@ -42,7 +42,7 @@ detection:
 - 'DisableRemovableDriveScanning $true'
 - 'DisableScanningMappedNetworkDrivesForFullScan $true'
 - 'DisableScanningNetworkFiles $true'
- tamper_default_actions_allow:
+ selection_tamper_other_default_actions_allow:
 HostApplication|contains|all:
 - 'Set-MpPreference'
 - Allow
@@ -50,7 +50,13 @@ detection:
 - LowThreatDefaultAction
 - ModerateThreatDefaultAction
 - HighThreatDefaultAction
- condition: all of tamper_ps_* or tamper_default_actions_allow
+ selection_tamper_other_alias:
+ HostApplication|contains:
+ - 'ltdefac '
+ - 'mtdefac '
+ - 'htdefac '
+ - 'stdefac '
+ condition: all of selection_tamper_ps_* or 1 of selection_tamper_other_*
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml b/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml
new file mode 100644
index 000000000..be3c5d3bb
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml
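Review bot: The new `selection_tamper_other_alias` fires on any occurrence of `ltdefac `/`mtdefac `/`htdefac `/`stdefac ` in HostApplication, whereas its sibling `selection_tamper_other_default_actions_allow` additionally requires `Set-MpPreference` and `Allow`; with `1 of selection_tamper_other_*` in the last hunk, a command that sets a default action through the alias to anything other than Allow (a hardening change) alerts at `level: high`. If the alias form should meet the same bar, add a small `selection_alias_allow:` with `HostApplication|contains: 'Allow'` and reference it explicitly, `condition: all of selection_tamper_ps_* or selection_tamper_other_default_actions_allow or (selection_tamper_other_alias and selection_alias_allow)`; if numeric action values are meant to be covered as well, that needs a comment saying so. The same asymmetry is present in `posh_ps_tamper_defender.yml` later in this commit, whose `selection_other_use_of_alias` is folded into `1 of selection_other_*` in the same way.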
@@ -0,0 +1,36 @@
+title: Potential Data Exfiltration Via Audio File
+id: e4f93c99-396f-47c8-bb0f-201b1fa69034
+status: experimental
+description: Detects potential exfiltration attempt via audio file using PowerShell
+references:
+ - https://github.com/gtworek/PSBits/blob/e97cbbb173b31cbc4d37244d3412de0a114dacfb/NoDLP/bin2wav.ps1
+author: Nasreddine Bencherchali
+date: 2023/01/16
+tags:
+ - attack.exfiltration
+logsource:
+ product: windows
+ category: ps_script
+ definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+ selection_main:
+ ScriptBlockText|contains|all:
+ - '[System.Math]::'
+ - '[IO.FileMode]::'
+ - 'BinaryWriter'
+ selection_header_wav:
+ ScriptBlockText|contains|all:
+ # Byte chunks from the WAV header used in the example POC
+ # You can extend this for different audio formats by adding different selections
+ - '0x52'
+ - '0x49'
+ - '0x46'
+ - '0x57'
+ - '0x41'
+ - '0x56'
+ - '0x45'
+ - '0xAC'
+ condition: selection_main and 1 of selection_header_*
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
index 738b0a267..a30b8da6d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
@@ -3,6 +3,8 @@ id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
 related:
 - id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
 type: similar
+ - id: 02030f2f-6199-49ec-b258-ea71b07e03dc
+ type: similar
 - id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
 type: obsoletes
 - id: 83083ac6-1816-4e76-97d7-59af9a9ae46e
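Review bot: In `selection_header_wav`, `0x52`/`0x49`/`0x46` and `0x57`/`0x41`/`0x56`/`0x45` are the ASCII bytes of the `RIFF` and `WAVE` chunk identifiers, but `0xAC` appears to come from the referenced POC's sample-rate field (44100 Hz is 0xAC44) rather than from the format magic, so a script that emits the same header with a different sample rate would not match; the comment `# Byte chunks from the WAV header used in the example POC` should separate the two, e.g. `# 0x52 0x49 0x46 / 0x57 0x41 0x56 0x45 = 'RIF(F)' and 'WAVE' chunk ids; 0xAC = high byte of the POC's 44100 Hz sample rate`. If the sample-rate byte is only there to reduce noise, dropping it (or moving it to its own `selection_header_*`) keeps the rule tied to the format rather than to one sample script.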
@@ -23,9 +25,10 @@ references:
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
- https://github.com/HarmJ0y/DAMP
- https://github.com/samratashok/nishang
+ - https://github.com/DarkCoderSc/PowerRunAsSystem/
author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer
date: 2017/03/05
-modified: 2023/01/05
+modified: 2023/01/16
tags:
- attack.execution
- attack.discovery
@@ -121,6 +124,9 @@ detection:
- 'Invoke-Gopher'
- 'Invoke-Grouper' # Also Covers Invoke-GrouperX
- 'Invoke-HandleKatz'
+ - 'Invoke-ImpersonatedProcess'
+ - 'Invoke-ImpersonateSystem'
+ - 'Invoke-InteractiveSystemPowerShell'
- 'Invoke-Internalmonologue'
- 'Invoke-Inveigh'
- 'Invoke-InveighRelay'
@@ -204,6 +210,7 @@ detection:
- 'Invoke-SSHCommand'
- 'Invoke-StandIn'
- 'Invoke-StickyNotesExtract'
+ - 'Invoke-SystemCommand'
- 'Invoke-Tater'
- 'Invoke-Thunderfox'
- 'Invoke-ThunderStruck'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml
index b1d7d2321..5d3f3d949 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml
@@ -11,7 +11,7 @@ references:
- https://bidouillesecurity.com/disable-windows-defender-in-powershell/
author: frack113, elhoim, Tim Shelton (fps, alias support)
date: 2022/01/16
-modified: 2023/01/06
+modified: 2023/01/12
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -44,7 +44,7 @@ detection:
- 'DisableRemovableDriveScanning $true'
- 'DisableScanningMappedNetworkDrivesForFullScan $true'
- 'DisableScanningNetworkFiles $true'
- selection_default_actions_allow:
+ selection_other_default_actions_allow:
ScriptBlockText|contains|all:
- 'Set-MpPreference'
- Allow
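Review bot: `'Invoke-SystemCommand'`, added in the hunk `@@ -204,6 +210,7 @@`, is a far more generic name than the three other PowerRunAsSystem entries, and if this list sits under a `contains` modifier as the surrounding entries suggest, any in-house helper function with that name will trip the rule; the enclosing selection starts outside the hunk, so the modifier is not visible here. Either keep only the three distinctive names or annotate the entry so the trade-off is recorded, e.g. `- 'Invoke-SystemCommand' # PowerRunAsSystem - generic name, expect FPs from custom scripts`. The same entry is added to proc_creation_win_malicious_cmdlets.yml in the hunk `@@ -199,6 +203,7 @@` further down and the same remark applies there.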
@@ -52,13 +52,13 @@ detection:
- LowThreatDefaultAction
- ModerateThreatDefaultAction
- HighThreatDefaultAction
- selection_use_of_alias:
+ selection_other_use_of_alias:
ScriptBlockText|contains:
- 'ltdefac '
- 'mtdefac '
- 'htdefac '
- 'stdefac '
- condition: all of selection_options_disabling* or selection_default_actions_allow or selection_use_of_alias
+ condition: all of selection_options_disabling* or 1 of selection_other_*
falsepositives:
- Legitimate PowerShell scripts
level: high
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_wsl.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_wsl.yml
index a13d2acbd..796381b09 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_wsl.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_wsl.yml
@@ -7,7 +7,7 @@ references:
- https://twitter.com/nas_bench/status/1535431474429808642
author: 'oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali'
date: 2020/10/05
-modified: 2022/06/11
+modified: 2023/01/16
tags:
- attack.execution
- attack.defense_evasion
@@ -36,7 +36,7 @@ detection:
CommandLine|contains|all:
- ' -d '
- ' -e kill '
- condition: all of selection* and not 1 of filter_*
+ condition: all of selection_* and not 1 of filter_*
falsepositives:
- Automation and orchestration scripts may use this method execute scripts etc
- Legitimate use by Windows to kill processes opened via WSL (example VsCode WSL server)
diff --git a/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml b/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml
index 0010cf33a..e38a5573f 100644
--- a/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml
+++ b/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml
@@ -19,9 +19,10 @@ references:
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
- https://github.com/HarmJ0y/DAMP
- https://github.com/samratashok/nishang
+ - https://github.com/DarkCoderSc/PowerRunAsSystem/
author: Nasreddine Bencherchali
date: 2023/01/02
-modified: 2023/01/05
+modified: 2023/01/16
tags:
- attack.execution
- attack.discovery
@@ -116,6 +117,9 @@ detection:
- 'Invoke-Gopher'
- 'Invoke-Grouper' # Also Covers Invoke-GrouperX
- 'Invoke-HandleKatz'
+ - 'Invoke-ImpersonatedProcess'
+ - 'Invoke-ImpersonateSystem'
+ - 'Invoke-InteractiveSystemPowerShell'
- 'Invoke-Internalmonologue'
- 'Invoke-Inveigh'
- 'Invoke-InveighRelay'
@@ -199,6 +203,7 @@ detection:
- 'Invoke-SSHCommand'
- 'Invoke-StandIn'
- 'Invoke-StickyNotesExtract'
+ - 'Invoke-SystemCommand'
- 'Invoke-Tater'
- 'Invoke-Thunderfox'
- 'Invoke-ThunderStruck'
diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml b/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml
index dc758c9f6..0e96d1e40 100644
--- a/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml
+++ b/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml
@@ -10,7 +10,7 @@ references:
- https://twitter.com/_st0pp3r_/status/1583914244344799235
author: frack113
date: 2022/01/16
-modified: 2022/10/28
+modified: 2023/01/16
tags:
- attack.defense_evasion
- attack.t1218.007
@@ -43,6 +43,9 @@ detection:
ParentImage|contains: '\AppData\Local\Temp\'
filter_system_temp:
ParentImage|startswith: 'C:\Windows\Temp\'
+ filter_ccm:
+ ParentImage: 'C:\Windows\CCM\Ccm32BitLauncher.exe'
+ IntegrityLevel: 'System'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Legitimate script
diff --git a/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml b/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml
index ac00104db..9ff176fb9 100644
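Review bot: `filter_ccm` in the msiexec hunk `@@ -43,6 +43,9 @@` carries no comment, so a reader has to know that `C:\Windows\CCM\` is the Configuration Manager client directory to judge why a parent of `Ccm32BitLauncher.exe` at `System` integrity is an acceptable exclusion for quiet installs. A one-line comment on the filter, e.g. `filter_ccm: # SCCM client launching 32-bit installers as SYSTEM`, would make the exclusion reviewable alongside the temp-directory filters above it. The shape of the filter itself is right: full-path equality plus `IntegrityLevel: 'System'` is much harder to satisfy from another location than an `|endswith` on the file name would be.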
--- a/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml
@@ -1,14 +1,15 @@
title: Suspicious Use of PsLogList
id: aae1243f-d8af-40d8-ab20-33fc6d0c55bc
status: experimental
-description: Threat actors can use the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery.
+description: Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs
references:
- https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/
- https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos
- https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList
-author: Nasreddine Bencherchali @nas_bench
+ - https://twitter.com/EricaZelic/status/1614075109827874817
+author: Nasreddine Bencherchali
date: 2021/12/18
-modified: 2022/06/16
+modified: 2023/01/16
tags:
- attack.discovery
- attack.t1087
@@ -23,10 +24,12 @@ detection:
- Image|endswith:
- '\psloglist.exe'
- '\psloglist64.exe'
- selection_flgs:
- CommandLine|contains|all:
- - 'security'
- - 'accepteula'
+ selection_cli_eventlog:
+ CommandLine|contains:
+ - ' security'
+ - ' application'
+ - ' system'
+ selection_cli_flags:
CommandLine|contains:
- ' -d'
- ' /d'
@@ -34,7 +37,11 @@ detection:
- ' /x'
- ' -s'
- ' /s'
- condition: 1 of selection*
+ - ' -c' # Clear event log after displaying
+ - ' /c'
+ - ' -g' # Export an event log as an evt file.
+ - ' /g'
+ condition: all of selection_*
falsepositives:
- Another tool that uses the command line switches of PsLogList
- Legitimate use of PsLogList by an administrator
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml
index bf68f57b7..b08e23407 100644
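Review bot: The rewritten description in the hunk `@@ -1,14 +1,15 @@` ends in `...account discovery or delete events logs`; it should read `...account discovery or clear event logs`, which also names the action that the new `' -c'`/`' /c'` flags in `selection_cli_flags` are there to catch. Separately, `condition: all of selection_*` now requires a hit in `selection_cli_eventlog` as well, so an invocation that names no log or a log outside `security`, `application` and `system` no longer matches, whereas the old `1 of selection*` fired on the image alone; if that narrowing is intended, the description or a comment on `selection_cli_eventlog` should say the rule is scoped to those three logs. The `selection_img` block that opens the second hunk starts outside it.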
--- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml
@@ -6,7 +6,7 @@ related:
- id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d
type: similar
status: experimental
-description: Detects when adversaries stop services or processes by deleting their respective schdueled tasks in order to conduct data destructive activities
+description: Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
references:
- Internal Research
author: Nasreddine Bencherchali
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml
index 8c6850ae3..5740a5f6f 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml
@@ -1,7 +1,7 @@
title: Disable Important Scheduled Task
id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980
status: experimental
-description: Detects when adversaries stop services or processes by disabling their respective schdueled tasks in order to conduct data destructive activities
+description: Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task
- https://twitter.com/MichalKoczwara/status/1553634816016498688
diff --git a/tests/logsource.json b/tests/logsource.json
index ade003d67..bd6ab2699 100644
--- a/tests/logsource.json
+++ b/tests/logsource.json
@@ -1,76 +1,76 @@ { "title": "Field name by logsource", - "version": "20221231", + "version": "20230113", "legit":{ "windows":{ - "commun": ["EventID","Provider_Name"], + "commun": ["EventID", "Provider_Name"], "empty": [], "category":{ - "process_creation": ["CommandLine","Company","CurrentDirectory","Description","FileVersion", - "Hashes","Image","IntegrityLevel","LogonGuid","LogonId","OriginalFileName", - "ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId", - "ParentUser","ProcessGuid","ProcessId","Product","TerminalSessionId","User"], - "file_change": ["CreationUtcTime","Image","PreviousCreationUtcTime","ProcessGuid","ProcessId","TargetFilename","User"], - "network_connection": ["DestinationHostname","DestinationIp","DestinationIsIpv6","DestinationPort", - "DestinationPortName","Image","Initiated","ProcessGuid","ProcessId","Protocol","SourceHostname", - "SourceIp","SourceIsIpv6","SourcePort","SourcePortName","User"], - "sysmon_status": ["Configuration","ConfigurationFileHash","SchemaVersion","State","Version"], - "process_termination":["Image","ProcessGuid","ProcessId","User"], - "driver_load":["Hashes","ImageLoaded","Signature","SignatureStatus","Signed"], - "image_load":["Company","Description","FileVersion","Hashes","Image","ImageLoaded","OriginalFileName","ProcessGuid", - "ProcessId","Product","Signature","SignatureStatus","Signed","User"], - "create_remote_thread":["NewThreadId","SourceImage","SourceProcessGuid","SourceProcessId","SourceUser","StartAddress", - "StartFunction","StartModule","TargetImage","TargetProcessGuid","TargetProcessId","TargetUser"], - "raw_access_thread":["Device","Image","ProcessGuid","ProcessId","User"], - "process_access":["CallTrace","GrantedAccess","SourceImage","SourceProcessGUID","SourceProcessId","SourceThreadId", - "SourceUser","TargetImage","TargetProcessGUID","TargetProcessId","TargetUser"], - "raw_access_read":["CreationUtcTime","Image","ProcessGuid","ProcessId","TargetFilename","User"], - 
"file_event":["ProcessGuid","ProcessId","Image","TargetFilename","CreationUtcTime","User"], - "registry_add":["EventType","ProcessGuid","ProcessId","Image","TargetObject","User"], - "registry_delete":["Details","EventType","Image","ProcessGuid","ProcessId","TargetObject"], - "registry_set":["Details","EventType","Image","ProcessGuid","ProcessId","TargetObject","User"], - "registry_rename":["EventType","Image","NewName","ProcessGuid","ProcessId","TargetObject","User"], - "registry_event":["Details","EventType","Image","NewName","ProcessGuid","ProcessId","TargetObject","User"], - "create_stream_hash":["Contents","CreationUtcTime","Hash","Image","ProcessGuid","ProcessId","TargetFilename","User"], - "pipe_created":["EventType","Image","PipeName","ProcessGuid","ProcessId","User"], - "wmi_event":["Consumer","Destination","EventNamespace","EventType","Filter","Name","Operation","Query","Type","User"], - "dns_query":["Image","ProcessGuid","ProcessId","QueryName","QueryResults","QueryStatus","User"], - "file_delete":["Archived","Hashes","Image","IsExecutable","ProcessGuid","ProcessId","TargetFilename","User"], - "clipboard_capture":["Archived","ClientInfo","Hashes","Image","ProcessGuid","ProcessId","Session","User"], - "process_tampering":["Image","ProcessGuid","ProcessId","Type","User"], - "file_block":["Hashes","Image","ProcessGuid","ProcessId","TargetFilename","User"], - "ps_module":["ContextInfo","UserData","Payload"], - "ps_script":["MessageNumber","MessageTotal","ScriptBlockText","ScriptBlockId","Path"], - "file_access":["Irp","FileObject","IssuingThreadId","CreateOptions","CreateAttributes","ShareAccess","FileName"], - "file_rename":["Irp","FileObject","FileKey","ExtraInformation","IssuingThreadId","InfoClass","FilePath"], + "process_creation": ["CommandLine", "Company", "CurrentDirectory", "Description", "FileVersion", + "Hashes", "Image", "IntegrityLevel", "LogonGuid", "LogonId", "OriginalFileName", + "ParentCommandLine", "ParentImage", "ParentProcessGuid", 
"ParentProcessId", + "ParentUser", "ProcessGuid", "ProcessId", "Product", "TerminalSessionId", "User"], + "file_change": ["CreationUtcTime", "Image", "PreviousCreationUtcTime", "ProcessGuid", "ProcessId", "TargetFilename", "User"], + "network_connection": ["DestinationHostname", "DestinationIp", "DestinationIsIpv6", "DestinationPort", + "DestinationPortName", "Image", "Initiated", "ProcessGuid", "ProcessId", "Protocol", "SourceHostname", + "SourceIp", "SourceIsIpv6", "SourcePort", "SourcePortName", "User"], + "sysmon_status": ["Configuration", "ConfigurationFileHash", "SchemaVersion", "State", "Version"], + "process_termination":["Image", "ProcessGuid", "ProcessId", "User"], + "driver_load":["Hashes", "ImageLoaded", "Signature", "SignatureStatus", "Signed"], + "image_load":["Company", "Description", "FileVersion", "Hashes", "Image", "ImageLoaded", "OriginalFileName", "ProcessGuid", + "ProcessId", "Product", "Signature", "SignatureStatus", "Signed", "User"], + "create_remote_thread":["NewThreadId", "SourceImage", "SourceProcessGuid", "SourceProcessId", "SourceUser", "StartAddress", + "StartFunction", "StartModule", "TargetImage", "TargetProcessGuid", "TargetProcessId", "TargetUser"], + "raw_access_thread":["Device", "Image", "ProcessGuid", "ProcessId", "User"], + "process_access":["CallTrace", "GrantedAccess", "SourceImage", "SourceProcessGUID", "SourceProcessId", "SourceThreadId", + "SourceUser", "TargetImage", "TargetProcessGUID", "TargetProcessId", "TargetUser"], + "raw_access_read":["CreationUtcTime", "Image", "ProcessGuid", "ProcessId", "TargetFilename", "User"], + "file_event":["ProcessGuid", "ProcessId", "Image", "TargetFilename", "CreationUtcTime", "User"], + "registry_add":["EventType", "ProcessGuid", "ProcessId", "Image", "TargetObject", "User"], + "registry_delete":["Details", "EventType", "Image", "ProcessGuid", "ProcessId", "TargetObject"], + "registry_set":["Details", "EventType", "Image", "ProcessGuid", "ProcessId", "TargetObject", "User"], + 
"registry_rename":["EventType", "Image", "NewName", "ProcessGuid", "ProcessId", "TargetObject", "User"], + "registry_event":["Details", "EventType", "Image", "NewName", "ProcessGuid", "ProcessId", "TargetObject", "User"], + "create_stream_hash":["Contents", "CreationUtcTime", "Hash", "Image", "ProcessGuid", "ProcessId", "TargetFilename", "User"], + "pipe_created":["EventType", "Image", "PipeName", "ProcessGuid", "ProcessId", "User"], + "wmi_event":["Consumer", "Destination", "EventNamespace", "EventType", "Filter", "Name", "Operation", "Query", "Type", "User"], + "dns_query":["Image", "ProcessGuid", "ProcessId", "QueryName", "QueryResults", "QueryStatus", "User"], + "file_delete":["Archived", "Hashes", "Image", "IsExecutable", "ProcessGuid", "ProcessId", "TargetFilename", "User"], + "clipboard_capture":["Archived", "ClientInfo", "Hashes", "Image", "ProcessGuid", "ProcessId", "Session", "User"], + "process_tampering":["Image", "ProcessGuid", "ProcessId", "Type", "User"], + "file_block":["Hashes", "Image", "ProcessGuid", "ProcessId", "TargetFilename", "User"], + "ps_module":["ContextInfo", "UserData", "Payload"], + "ps_script":["MessageNumber", "MessageTotal", "ScriptBlockText", "ScriptBlockId", "Path"], + "file_access":["Irp", "FileObject", "IssuingThreadId", "CreateOptions", "CreateAttributes", "ShareAccess", "FileName"], + "file_rename":["Irp", "FileObject", "FileKey", "ExtraInformation", "IssuingThreadId", "InfoClass", "FilePath"], "ps_classic_start":[], "ps_classic_provider_start":[], "sysmon_error":[] }, "service":{ "bitlocker": ["VolumeName", "VolumeMountPoint", "ProtectorGUID", "ProtectorType"], - "bits-client":["RemoteName","LocalName","processPath","processId"], - "codeintegrity-operational":["FileNameLength","FileNameBuffer","ProcessNameLength","ProcessNameBuffer", - "RequestedPolicy","ValidatedPolicy","Status"], - "diagnosis-scripted": ["PackagePath","PackageId"], - "firewall-as":["Action","ApplicationPath","ModifyingApplication"], - 
"ldap_debug":["ScopeOfSearch","SearchFilter","DistinguishedName","AttributeList","ProcessId"], - "ntlm":["CallerPID","ClientDomainName","ClientLUID","ClientUserName","DomainName","MechanismOID", - "ProcessName","SChannelName","SChannelType","TargetName","UserName","WorkstationName"], - "openssh":["process","payload"], - "security-mitigations":["ProcessPathLength","ProcessPath","ProcessCommandLineLength","ProcessCommandLine", - "ProcessId","ProcessCreateTime","ProcessStartKey","ProcessSignatureLevel", - "ProcessSectionSignatureLevel","ProcessProtection","TargetThreadId","TargetThreadCreateTime", - "RequiredSignatureLevel","SignatureLevel","ImageNameLength","ImageName"], - "shell-core":["Name","AppID","Flags"], - "smbclient-security":["Reason","Status","ShareNameLength","ShareName","ObjectNameLength","ObjectName", - "UserNameLength","UserName","ServerNameLength","ServerName"], - "taskscheduler":["TaskName","UserContext","Path","ProcessID","Priority","UserName"], - "terminalservices-localsessionmanager":["User","SessionID","Address"], - "iis":["date","time","c-ip","cs-username","s-sitename","s-computername","s-ip","cs-method", - "cs-uri-stem","cs-uri-query","s-port","cs-method","sc-status","sc-win32-status", - "sc-bytes","cs-bytes","time-taken","cs-version","cs-host","cs-user-agent", - "cs-referer","cs-cookie"], + "bits-client":["RemoteName", "LocalName", "processPath", "processId"], + "codeintegrity-operational":["FileNameLength", "FileNameBuffer", "ProcessNameLength", "ProcessNameBuffer", + "RequestedPolicy", "ValidatedPolicy", "Status"], + "diagnosis-scripted": ["PackagePath", "PackageId"], + "firewall-as":["Action", "ApplicationPath", "ModifyingApplication"], + "ldap_debug":["ScopeOfSearch", "SearchFilter", "DistinguishedName", "AttributeList", "ProcessId"], + "ntlm":["CallerPID", "ClientDomainName", "ClientLUID", "ClientUserName", "DomainName", "MechanismOID", + "ProcessName", "SChannelName", "SChannelType", "TargetName", "UserName", "WorkstationName"], + 
"openssh":["process", "payload"], + "security-mitigations":["ProcessPathLength", "ProcessPath", "ProcessCommandLineLength", "ProcessCommandLine", + "ProcessId", "ProcessCreateTime", "ProcessStartKey", "ProcessSignatureLevel", + "ProcessSectionSignatureLevel", "ProcessProtection", "TargetThreadId", "TargetThreadCreateTime", + "RequiredSignatureLevel", "SignatureLevel", "ImageNameLength", "ImageName"], + "shell-core":["Name", "AppID", "Flags"], + "smbclient-security":["Reason", "Status", "ShareNameLength", "ShareName", "ObjectNameLength", "ObjectName", + "UserNameLength", "UserName", "ServerNameLength", "ServerName"], + "taskscheduler":["TaskName", "UserContext", "Path", "ProcessID", "Priority", "UserName"], + "terminalservices-localsessionmanager":["User", "SessionID", "Address"], + "iis":["date", "time", "c-ip", "cs-username", "s-sitename", "s-computername", "s-ip", "cs-method", + "cs-uri-stem", "cs-uri-query", "s-port", "cs-method", "sc-status", "sc-win32-status", + "sc-bytes", "cs-bytes", "time-taken", "cs-version", "cs-host", "cs-user-agent", + "cs-referer", "cs-cookie"], "application":[], "sysmon":[], "powershell":[], 
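Review bot: The re-emitted `"iis"` list in this hunk still contains `"cs-method"` twice, and the same duplicate survives in `"webserver"` (hunk `@@ -142,13 +145,13 @@`), while the rewritten `"auditd"` list in hunk `@@ -89,44 +89,47 @@` keeps `"dev", "dev"` and `"val", "val"` and, more importantly, the single string `"cap_fe,cap_fi"` where two entries `"cap_fe", "cap_fi"` were clearly meant. Since this file presumably feeds the field-name check for rules (title `Field name by logsource`), the comma-joined entry means neither `cap_fe` nor `cap_fi` is accepted as a known auditd field; it is worth splitting while these exact lines are being touched for spacing. The `"commun"` key (unchanged context) reads like a typo for `"common"`, but renaming it would need the consumer updated in the same change, so leave it unless that is done.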
@@ -89,44 +89,47 @@ "applocker":[], "vhdmp":[], "appxdeployment-server":["Path", "AppId", "FilePath", "ErrorCode", "DeploymentOperation", "PackageFullName", "PackageSourceUri", "PackageDisplayName", "CallingProcess"], - "lsa-server":["TargetUserSid", "TargetUserName", "TargetDomainName", "TargetLogonId", "TargetLogonGuid", "EventOrginal", "EventCountTotal", "SidList"] + "appxpackaging-om":["subjectName"], + "lsa-server":["TargetUserSid", "TargetUserName", "TargetDomainName", "TargetLogonId", "TargetLogonGuid", "EventOrginal", "EventCountTotal", "SidList"], + "dns-client":["QueryName", "QueryType", "QueryOptions", "QueryStatus", "QueryResults", "NetworkIndex", "InterfaceIndex", "Status", "ClientPID", "QueryBlob", "DnsServerIpAddress", "ResponseStatus", "SendBlob", "SendBlobContext", "AddressLength", "Address"], + "appmodel-runtime":["ProcessID", "PackageName", "ImageName", "ApplicationName", "Message"] } }, "linux":{ "commun": [], "empty": [], "category":{ - "process_creation": ["ProcessGuid","ProcessId","Image","FileVersion","Description","Product","Company","OriginalFileName", - "CommandLine","CurrentDirectory","User","LogonGuid","LogonId","TerminalSessionId","IntegrityLevel","Hashes", - "ParentProcessGuid","ParentProcessId","ParentImage","ParentCommandLine","ParentUser"], - "network_connection": ["ProcessGuid","ProcessId","Image","User","Protocol","Initiated","SourceIsIpv6","SourceIp","SourceHostname", - "SourcePort","SourcePortName","DestinationIsIpv6","DestinationIp","DestinationHostname","DestinationPort", + "process_creation": ["ProcessGuid", "ProcessId", "Image", "FileVersion", "Description", "Product", "Company", "OriginalFileName", + "CommandLine", "CurrentDirectory", "User", "LogonGuid", "LogonId", "TerminalSessionId", "IntegrityLevel", "Hashes", + "ParentProcessGuid", "ParentProcessId", "ParentImage", "ParentCommandLine", "ParentUser"], + "network_connection": ["ProcessGuid", "ProcessId", "Image", "User", "Protocol", "Initiated", "SourceIsIpv6", 
"SourceIp", "SourceHostname", + "SourcePort", "SourcePortName", "DestinationIsIpv6", "DestinationIp", "DestinationHostname", "DestinationPort", "DestinationPortName"], - "process_termination": ["ProcessGuid","ProcessId","Image","User"], - "raw_access_read": ["ProcessGuid","ProcessId","Image","Device","User"], - "file_event": ["ProcessGuid","ProcessId","Image","TargetFilename","CreationUtcTime","User"], - "sysmon_status": ["Configuration","ConfigurationFileHash"], - "file_delete": ["ProcessGuid","ProcessId","User","Image","TargetFilename","Hashes","IsExecutable","Archived"] + "process_termination": ["ProcessGuid", "ProcessId", "Image", "User"], + "raw_access_read": ["ProcessGuid", "ProcessId", "Image", "Device", "User"], + "file_event": ["ProcessGuid", "ProcessId", "Image", "TargetFilename", "CreationUtcTime", "User"], + "sysmon_status": ["Configuration", "ConfigurationFileHash"], + "file_delete": ["ProcessGuid", "ProcessId", "User", "Image", "TargetFilename", "Hashes", "IsExecutable", "Archived"] }, "service":{ - "auditd": ["a0","a1","a2","a3","a4","a5","a6","a7","a8","a9", - "acct","acl","action","added","addr","apparmor","arch","argc","audit_backlog_limit","audit_backlog_wait_time", - "audit_enabled","audit_failure","auid","banners","bool","bus","cap_fe,cap_fi","cap_fp","cap_fver","cap_pa","cap_pe","cap_pi", - "cap_pp","capability","category","cgroup","changed","cipher","class","cmd","code","comm","compat","cwd","daddr","data", - "default-context","dev","dev","device","dir","direction","dmac","dport","egid","enforcing","entries","errno","euid","exe", - "exit","fam","family","fd","fe","feature","fi","file","flags","format","fp","fsgid","fsuid","fver","gid","grantors","grp", - "hook","hostname","icmp_type","id","igid","img-ctx","inif","ino","inode","inode_gid","inode_uid","invalid_context","ioctlcmd", - "ip","ipid","ipx-net","item","items","iuid","kernel","key","kind","ksize","laddr","len","list","lport","mac","macproto","maj", - 
"major","minor","mode","model","msg","name","nametype","nargs","net","new","new_gid","new_lock","new_pe","new_pi","new_pp", - "new-chardev","new-disk","new-enabled","new-fs","new-level","new-log_passwd","new-mem","new-net","new-range","new-rng","new-role", - "new-seuser","new-vcpu","nlnk-fam","nlnk-grp","nlnk-pid","oauid","obj","obj_gid","obj_uid","ocomm","oflag","ogid","old","old_enforcing", - "old_lock","old_pa","old_pe","old_pi","old_pp","old_prom","old_val","old-auid","old-chardev","old-disk","old-enabled","old-fs", - "old-level","old-log_passwd","old-mem","old-net","old-range","old-rng","old-role","old-ses","old-seuser","old-vcpu","op","opid", - "oses","ouid","outif","pa","parent","path","pe","per","perm","perm_mask","permissive","pfs","pi","pid","pp","ppid","printer", - "proctitle","prom","proto","qbytes","range","rdev","reason","removed","res","resrc","result","role","rport","saddr","sauid", - "scontext","selected-context","seperm","seperms","seqno","seresult","ses","seuser","sgid","sig","sigev_signo","smac","spid", - "sport","state","subj","success","suid","syscall","table","tclass","tcontext","terminal","tty","type","uid","unit","uri","user", - "uuid","val","val","ver","virt","vm","vm-ctx","vm-pid","watch"], + "auditd": ["a0", "a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9", + "acct", "acl", "action", "added", "addr", "apparmor", "arch", "argc", "audit_backlog_limit", "audit_backlog_wait_time", + "audit_enabled", "audit_failure", "auid", "banners", "bool", "bus", "cap_fe,cap_fi", "cap_fp", "cap_fver", "cap_pa", "cap_pe", "cap_pi", + "cap_pp", "capability", "category", "cgroup", "changed", "cipher", "class", "cmd", "code", "comm", "compat", "cwd", "daddr", "data", + "default-context", "dev", "dev", "device", "dir", "direction", "dmac", "dport", "egid", "enforcing", "entries", "errno", "euid", "exe", + "exit", "fam", "family", "fd", "fe", "feature", "fi", "file", "flags", "format", "fp", "fsgid", "fsuid", "fver", "gid", "grantors", "grp", + "hook", 
"hostname", "icmp_type", "id", "igid", "img-ctx", "inif", "ino", "inode", "inode_gid", "inode_uid", "invalid_context", "ioctlcmd", + "ip", "ipid", "ipx-net", "item", "items", "iuid", "kernel", "key", "kind", "ksize", "laddr", "len", "list", "lport", "mac", "macproto", "maj", + "major", "minor", "mode", "model", "msg", "name", "nametype", "nargs", "net", "new", "new_gid", "new_lock", "new_pe", "new_pi", "new_pp", + "new-chardev", "new-disk", "new-enabled", "new-fs", "new-level", "new-log_passwd", "new-mem", "new-net", "new-range", "new-rng", "new-role", + "new-seuser", "new-vcpu", "nlnk-fam", "nlnk-grp", "nlnk-pid", "oauid", "obj", "obj_gid", "obj_uid", "ocomm", "oflag", "ogid", "old", "old_enforcing", + "old_lock", "old_pa", "old_pe", "old_pi", "old_pp", "old_prom", "old_val", "old-auid", "old-chardev", "old-disk", "old-enabled", "old-fs", + "old-level", "old-log_passwd", "old-mem", "old-net", "old-range", "old-rng", "old-role", "old-ses", "old-seuser", "old-vcpu", "op", "opid", + "oses", "ouid", "outif", "pa", "parent", "path", "pe", "per", "perm", "perm_mask", "permissive", "pfs", "pi", "pid", "pp", "ppid", "printer", + "proctitle", "prom", "proto", "qbytes", "range", "rdev", "reason", "removed", "res", "resrc", "result", "role", "rport", "saddr", "sauid", + "scontext", "selected-context", "seperm", "seperms", "seqno", "seresult", "ses", "seuser", "sgid", "sig", "sigev_signo", "smac", "spid", + "sport", "state", "subj", "success", "suid", "syscall", "table", "tclass", "tcontext", "terminal", "tty", "type", "uid", "unit", "uri", "user", + "uuid", "val", "val", "ver", "virt", "vm", "vm-ctx", "vm-pid", "watch"], "vsftpd":[], "sshd":[], "syslog":[], 
@@ -142,13 +145,13 @@ "commun": [], "empty": ["not_found"], "category":{ - "proxy":["c-uri","c-uri-extension","c-uri-query","c-uri-stem","c-useragent","cs-bytes","cs-cookie", - "cs-host","cs-method","r-dns","cs-referrer","cs-version","sc-bytes","sc-status","src_ip","dst_ip", + "proxy":["c-uri", "c-uri-extension", "c-uri-query", "c-uri-stem", "c-useragent", "cs-bytes", "cs-cookie", + "cs-host", "cs-method", "r-dns", "cs-referrer", "cs-version", "sc-bytes", "sc-status", "src_ip", "dst_ip", "cs-uri"], - "webserver":["date","time","c-ip","cs-username","s-sitename","s-computername","s-ip","cs-method", - "cs-uri-stem","cs-uri-query","s-port","cs-method","sc-status","sc-win32-status", - "sc-bytes","cs-bytes","time-taken","cs-version","cs-host","cs-user-agent", - "cs-referer","cs-cookie"], + "webserver":["date", "time", "c-ip", "cs-username", "s-sitename", "s-computername", "s-ip", "cs-method", + "cs-uri-stem", "cs-uri-query", "s-port", "cs-method", "sc-status", "sc-win32-status", + "sc-bytes", "cs-bytes", "time-taken", "cs-version", "cs-host", "cs-user-agent", + "cs-referer", "cs-cookie"], "antivirus":[], "database":[], "dns":[], 
@@ -330,17 +333,17 @@ "commun": [], "empty": [], "category":{ - "process_creation": ["ProcessGuid","ProcessId","Image","FileVersion","Description","Product","Company","OriginalFileName", - "CommandLine","CurrentDirectory","User","LogonGuid","LogonId","TerminalSessionId","IntegrityLevel","Hashes", - "ParentProcessGuid","ParentProcessId","ParentImage","ParentCommandLine","ParentUser"], - "network_connection": ["ProcessGuid","ProcessId","Image","User","Protocol","Initiated","SourceIsIpv6","SourceIp","SourceHostname", - "SourcePort","SourcePortName","DestinationIsIpv6","DestinationIp","DestinationHostname","DestinationPort", + "process_creation": ["ProcessGuid", "ProcessId", "Image", "FileVersion", "Description", "Product", "Company", "OriginalFileName", + "CommandLine", "CurrentDirectory", "User", "LogonGuid", "LogonId", "TerminalSessionId", "IntegrityLevel", "Hashes", + "ParentProcessGuid", "ParentProcessId", "ParentImage", "ParentCommandLine", "ParentUser"], + "network_connection": ["ProcessGuid", "ProcessId", "Image", "User", "Protocol", "Initiated", "SourceIsIpv6", "SourceIp", "SourceHostname", + "SourcePort", "SourcePortName", "DestinationIsIpv6", "DestinationIp", "DestinationHostname", "DestinationPort", "DestinationPortName"], - "process_termination": ["ProcessGuid","ProcessId","Image","User"], - "raw_access_read": ["ProcessGuid","ProcessId","Image","Device","User"], - "file_event": ["ProcessGuid","ProcessId","Image","TargetFilename","CreationUtcTime","User"], - "sysmon_status": ["Configuration","ConfigurationFileHash"], - "file_delete": ["ProcessGuid","ProcessId","User","Image","TargetFilename","Hashes","IsExecutable","Archived"] + "process_termination": ["ProcessGuid", "ProcessId", "Image", "User"], + "raw_access_read": ["ProcessGuid", "ProcessId", "Image", "Device", "User"], + "file_event": ["ProcessGuid", "ProcessId", "Image", "TargetFilename", "CreationUtcTime", "User"], + "sysmon_status": ["Configuration", "ConfigurationFileHash"], + "file_delete": 
["ProcessGuid", "ProcessId", "User", "Image", "TargetFilename", "Hashes", "IsExecutable", "Archived"] }, "service":{ } @@ -350,16 +353,16 @@ "windows":{ "category":{ "process_creation": ["GrandparentCommandLine"], - "network_connection": ["CommandLine","ParentImage"], - "create_remote_thread": ["User","SourceCommandLine","SourceParentProcessId","SourceParentImage", - "SourceParentCommandLine","TargetCommandLine","TargetParentProcessId","TargetParentImage","TargetParentCommandLine", - "IsInitialThread","RemoteCreation"], - "file_delete": ["CommandLine","ParentImage","ParentCommandLine"], - "file_event": ["CommandLine","ParentImage","ParentCommandLine","MagicHeader"], + "network_connection": ["CommandLine", "ParentImage"], + "create_remote_thread": ["User", "SourceCommandLine", "SourceParentProcessId", "SourceParentImage", + "SourceParentCommandLine", "TargetCommandLine", "TargetParentProcessId", "TargetParentImage", "TargetParentCommandLine", + "IsInitialThread", "RemoteCreation"], + "file_delete": ["CommandLine", "ParentImage", "ParentCommandLine"], + "file_event": ["CommandLine", "ParentImage", "ParentCommandLine", "MagicHeader"], "image_load": ["CommandLine"], - "process_access": ["SourceCommandLine","CallTraceExtended"], - "file_access":["Image","CommandLine","ParentImage","ParentCommandLine","User","TargetFilename"], - "file_rename":["Image","CommandLine","ParentImage","ParentCommandLine","User","OriginalFileName","SourceFilename","TargetFilename","MagicHeader"] + "process_access": ["SourceCommandLine", "CallTraceExtended"], + "file_access":["Image", "CommandLine", "ParentImage", "ParentCommandLine", "User", "TargetFilename"], + "file_rename":["Image", "CommandLine", "ParentImage", "ParentCommandLine", "User", "OriginalFileName", "SourceFilename", "TargetFilename", "MagicHeader"] }, "service":{} } diff --git a/tools/config/elk-windows.yml b/tools/config/elk-windows.yml index f087a54a4..e178e5baa 100644 --- a/tools/config/elk-windows.yml 
+++ b/tools/config/elk-windows.yml 
@@ -1,132 +1,147 @@ title: ELK Windows Indices and Mappings logsources: - windows: - product: windows - index: logstash-windows-* - windows-application: - product: windows - service: application - conditions: - EventLog: Application - windows-security: - product: windows - service: security - conditions: - EventLog: Security - windows-sysmon: - product: windows - service: sysmon - conditions: - EventLog: Microsoft-Windows-Sysmon - windows-dns-server: - product: windows - service: dns-server - conditions: - EventLog: 'DNS Server' - windows-driver-framework: - product: windows - service: driver-framework - conditions: - EventLog: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' - windows-ntlm: - product: windows - service: ntlm - conditions: - EventLog: 'Microsoft-Windows-NTLM/Operational' - windows-applocker: - product: windows - service: applocker - conditions: - EventLog: - - 'Microsoft-Windows-AppLocker/MSI and Script' - - 'Microsoft-Windows-AppLocker/EXE and DLL' - - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' - - 'Microsoft-Windows-AppLocker/Packaged app-Execution' - windows-msexchange-management: - product: windows - service: msexchange-management - conditions: - EventLog: 'MSExchange Management' - windows-printservice-admin: - product: windows - service: printservice-admin - conditions: - EventLog: 'Microsoft-Windows-PrintService/Admin' - windows-printservice-operational: - product: windows - service: printservice-operational - conditions: - EventLog: 'Microsoft-Windows-PrintService/Operational' - windows-terminalservices-localsessionmanager-operational: - product: windows - service: terminalservices-localsessionmanager - conditions: - EventLog: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' - windows-codeintegrity-operational: - product: windows - service: codeintegrity-operational - conditions: - EventLog: 'Microsoft-Windows-CodeIntegrity/Operational' - windows-smbclient-security: - product: windows - service: 
smbclient-security - conditions: - EventLog: 'Microsoft-Windows-SmbClient/Security' - windows-firewall-advanced-security: - product: windows - service: firewall-as - conditions: - EventLog: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' - windows-bits-client: - product: windows - service: bits-client - conditions: - EventLog: 'Microsoft-Windows-Bits-Client/Operational' - windows-security-mitigations: - product: windows - service: security-mitigations - conditions: - EventLog: - - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' - - 'Microsoft-Windows-Security-Mitigations/User Mode' - windows-diagnosis: - product: windows - service: diagnosis-scripted - conditions: - EventLog: 'Microsoft-Windows-Diagnosis-Scripted/Operational' - windows-shell-core: - product: windows - service: shell-core - conditions: - EventLog: 'Microsoft-Windows-Shell-Core/Operational' - windows-openssh: - product: windows - service: openssh - conditions: - EventLog: 'OpenSSH/Operational' - windows-ldap-debug: - product: windows - service: ldap_debug - conditions: - EventLog: 'Microsoft-Windows-LDAP-Client/Debug' - windows-bitlocker: - product: windows - service: bitlocker - conditions: - EventLog: 'Microsoft-Windows-BitLocker/BitLocker Management' - windows-vhdmp-operational: - product: windows - service: vhdmp - conditions: - EventLog: 'Microsoft-Windows-VHDMP/Operational' - windows-appxdeployment-server: - product: windows - service: appxdeployment-server - conditions: - EventLog: 'Microsoft-Windows-AppXDeploymentServer/Operational' - windows-lsa-server: - product: windows - service: lsa-server - conditions: - EventLog: 'Microsoft-Windows-LSA/Operational' + windows: + product: windows + index: logstash-windows-* + windows-application: + product: windows + service: application + conditions: + EventLog: Application + windows-security: + product: windows + service: security + conditions: + EventLog: Security + windows-sysmon: + product: windows + service: sysmon + 
conditions: + EventLog: Microsoft-Windows-Sysmon + windows-dns-server: + product: windows + service: dns-server + conditions: + EventLog: 'DNS Server' + windows-driver-framework: + product: windows + service: driver-framework + conditions: + EventLog: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' + windows-ntlm: + product: windows + service: ntlm + conditions: + EventLog: 'Microsoft-Windows-NTLM/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + EventLog: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' + windows-msexchange-management: + product: windows + service: msexchange-management + conditions: + EventLog: 'MSExchange Management' + windows-printservice-admin: + product: windows + service: printservice-admin + conditions: + EventLog: 'Microsoft-Windows-PrintService/Admin' + windows-printservice-operational: + product: windows + service: printservice-operational + conditions: + EventLog: 'Microsoft-Windows-PrintService/Operational' + windows-terminalservices-localsessionmanager-operational: + product: windows + service: terminalservices-localsessionmanager + conditions: + EventLog: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + EventLog: 'Microsoft-Windows-CodeIntegrity/Operational' + windows-smbclient-security: + product: windows + service: smbclient-security + conditions: + EventLog: 'Microsoft-Windows-SmbClient/Security' + windows-firewall-advanced-security: + product: windows + service: firewall-as + conditions: + EventLog: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' + windows-bits-client: + product: windows + service: bits-client + conditions: + EventLog: 
'Microsoft-Windows-Bits-Client/Operational'
+ windows-security-mitigations:
+ product: windows
+ service: security-mitigations
+ conditions:
+ EventLog:
+ - 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
+ - 'Microsoft-Windows-Security-Mitigations/User Mode'
+ windows-diagnosis:
+ product: windows
+ service: diagnosis-scripted
+ conditions:
+ EventLog: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
+ windows-shell-core:
+ product: windows
+ service: shell-core
+ conditions:
+ EventLog: 'Microsoft-Windows-Shell-Core/Operational'
+ windows-openssh:
+ product: windows
+ service: openssh
+ conditions:
+ EventLog: 'OpenSSH/Operational'
+ windows-ldap-debug:
+ product: windows
+ service: ldap_debug
+ conditions:
+ EventLog: 'Microsoft-Windows-LDAP-Client/Debug'
+ windows-bitlocker:
+ product: windows
+ service: bitlocker
+ conditions:
+ EventLog: 'Microsoft-Windows-BitLocker/BitLocker Management'
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ EventLog: 'Microsoft-Windows-VHDMP/Operational'
+ windows-appxdeployment-server:
+ product: windows
+ service: appxdeployment-server
+ conditions:
+ EventLog: 'Microsoft-Windows-AppXDeploymentServer/Operational'
+ windows-lsa-server:
+ product: windows
+ service: lsa-server
+ conditions:
+ EventLog: 'Microsoft-Windows-LSA/Operational'
+ windows-appxpackaging-om:
+ product: windows
+ service: appxpackaging-om
+ conditions:
+ EventLog: 'Microsoft-Windows-AppxPackaging/Operational'
+ windows-dns-client:
+ product: windows
+ service: dns-client
+ conditions:
+ EventLog: 'Microsoft-Windows-DNS Client Events/Operational'
+ windows-appmodel-runtime:
+ product: windows
+ service: appmodel-runtime
+ conditions:
+ EventLog: 'Microsoft-Windows-AppModel-Runtime/Admin'
defaultindex: logstash-*
diff --git a/tools/config/elk-winlogbeat-sp.yml b/tools/config/elk-winlogbeat-sp.yml
index 422fbd79b..c5adcb9b0 100644
--- a/tools/config/elk-winlogbeat-sp.yml
+++ b/tools/config/elk-winlogbeat-sp.yml
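Review bot: The three new logsources at the end of this hunk (`windows-appxpackaging-om`, `windows-dns-client`, `windows-appmodel-runtime`) are buried in what appears to be a re-indentation of every existing entry under `logsources:`, so a 15-line functional change is spread over a 279-line rewrite that a reviewer cannot easily verify. Splitting the whitespace change into its own commit, and checking the parsed YAML of the old and new file rather than the text to confirm that no entry changed nesting, would make the additions reviewable and bisectable; the same pattern repeats in the `elk-winlogbeat-sp.yml` and `elk-winlogbeat.yml` hunks. A short comment on the new entries, e.g. `# The AppxPackaging, DNS Client Events and AppModel-Runtime channels must be forwarded by the collector for rules on these services to fire`, would tell operators why those rules return nothing until the collector configuration is extended.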
@@ -1,134 +1,149 @@ title: ELK Ingested with Winlogbeat logsources: - windows: - product: windows - index: - windows-application: - product: windows - service: application - conditions: - log_name: Application - windows-security: - product: windows - service: security - conditions: - log_name: Security - windows-sysmon: - product: windows - service: sysmon - conditions: - log_name: 'Microsoft-Windows-Sysmon/Operational' - windows-dns-server: - product: windows - service: dns-server - conditions: - log_name: 'DNS Server' - windows-driver-framework: - product: windows - service: driver-framework - conditions: - log_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' - windows-ntlm: - product: windows - service: ntlm - conditions: - log_name: 'Microsoft-Windows-NTLM/Operational' - windows-applocker: - product: windows - service: applocker - conditions: - log_name: - - 'Microsoft-Windows-AppLocker/MSI and Script' - - 'Microsoft-Windows-AppLocker/EXE and DLL' - - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' - - 'Microsoft-Windows-AppLocker/Packaged app-Execution' - windows-msexchange-management: - product: windows - service: msexchange-management - conditions: - log_name: 'MSExchange Management' - windows-printservice-admin: - product: windows - service: printservice-admin - conditions: - log_name: 'Microsoft-Windows-PrintService/Admin' - windows-printservice-operational: - product: windows - service: printservice-operational - conditions: - log_name: 'Microsoft-Windows-PrintService/Operational' - windows-terminalservices-localsessionmanager-operational: - product: windows - service: terminalservices-localsessionmanager - conditions: - log_name: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' - windows-codeintegrity-operational: - product: windows - service: codeintegrity-operational - conditions: - log_name: 'Microsoft-Windows-CodeIntegrity/Operational' - windows-smbclient-security: - product: windows - service: 
smbclient-security - conditions: - log_name: 'Microsoft-Windows-SmbClient/Security' - windows-firewall-advanced-security: - product: windows - service: firewall-as - conditions: - log_name: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' - windows-bits-client: - product: windows - service: bits-client - conditions: - log_name: 'Microsoft-Windows-Bits-Client/Operational' - windows-security-mitigations: - product: windows - service: security-mitigations - conditions: - log_name: - - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' - - 'Microsoft-Windows-Security-Mitigations/User Mode' - windows-diagnosis: - product: windows - service: diagnosis-scripted - conditions: - log_name: 'Microsoft-Windows-Diagnosis-Scripted/Operational' - windows-shell-core: - product: windows - service: shell-core - conditions: - log_name: 'Microsoft-Windows-Shell-Core/Operational' - windows-openssh: - product: windows - service: openssh - conditions: - log_name: 'OpenSSH/Operational' - windows-ldap-debug: - product: windows - service: ldap_debug - conditions: - log_name: 'Microsoft-Windows-LDAP-Client/Debug' - windows-bitlocker: - product: windows - service: bitlocker - conditions: - log_name: 'Microsoft-Windows-BitLocker/BitLocker Management' - windows-vhdmp-operational: - product: windows - service: vhdmp - conditions: - log_name: 'Microsoft-Windows-VHDMP/Operational' - windows-appxdeployment-server: - product: windows - service: appxdeployment-server - conditions: - log_name: 'Microsoft-Windows-AppXDeploymentServer/Operational' - windows-lsa-server: - product: windows - service: lsa-server - conditions: - log_name: 'Microsoft-Windows-LSA/Operational' + windows: + product: windows + index: + windows-application: + product: windows + service: application + conditions: + log_name: Application + windows-security: + product: windows + service: security + conditions: + log_name: Security + windows-sysmon: + product: windows + service: sysmon + conditions: + log_name: 
'Microsoft-Windows-Sysmon/Operational' + windows-dns-server: + product: windows + service: dns-server + conditions: + log_name: 'DNS Server' + windows-driver-framework: + product: windows + service: driver-framework + conditions: + log_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' + windows-ntlm: + product: windows + service: ntlm + conditions: + log_name: 'Microsoft-Windows-NTLM/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + log_name: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' + windows-msexchange-management: + product: windows + service: msexchange-management + conditions: + log_name: 'MSExchange Management' + windows-printservice-admin: + product: windows + service: printservice-admin + conditions: + log_name: 'Microsoft-Windows-PrintService/Admin' + windows-printservice-operational: + product: windows + service: printservice-operational + conditions: + log_name: 'Microsoft-Windows-PrintService/Operational' + windows-terminalservices-localsessionmanager-operational: + product: windows + service: terminalservices-localsessionmanager + conditions: + log_name: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + log_name: 'Microsoft-Windows-CodeIntegrity/Operational' + windows-smbclient-security: + product: windows + service: smbclient-security + conditions: + log_name: 'Microsoft-Windows-SmbClient/Security' + windows-firewall-advanced-security: + product: windows + service: firewall-as + conditions: + log_name: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' + windows-bits-client: + product: windows + service: bits-client + conditions: + log_name: 'Microsoft-Windows-Bits-Client/Operational' + 
windows-security-mitigations: + product: windows + service: security-mitigations + conditions: + log_name: + - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' + - 'Microsoft-Windows-Security-Mitigations/User Mode' + windows-diagnosis: + product: windows + service: diagnosis-scripted + conditions: + log_name: 'Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + conditions: + log_name: 'Microsoft-Windows-Shell-Core/Operational' + windows-openssh: + product: windows + service: openssh + conditions: + log_name: 'OpenSSH/Operational' + windows-ldap-debug: + product: windows + service: ldap_debug + conditions: + log_name: 'Microsoft-Windows-LDAP-Client/Debug' + windows-bitlocker: + product: windows + service: bitlocker + conditions: + log_name: 'Microsoft-Windows-BitLocker/BitLocker Management' + windows-vhdmp-operational: + product: windows + service: vhdmp + conditions: + log_name: 'Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + log_name: 'Microsoft-Windows-AppXDeploymentServer/Operational' + windows-lsa-server: + product: windows + service: lsa-server + conditions: + log_name: 'Microsoft-Windows-LSA/Operational' + windows-appxpackaging-om: + product: windows + service: appxpackaging-om + conditions: + log_name: 'Microsoft-Windows-AppxPackaging/Operational' + windows-dns-client: + product: windows + service: dns-client + conditions: + log_name: 'Microsoft-Windows-DNS Client Events/Operational' + windows-appmodel-runtime: + product: windows + service: appmodel-runtime + conditions: + log_name: 'Microsoft-Windows-AppModel-Runtime/Admin' defaultindex: # Extract all field names with yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g' 
diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml
index de0288a21..c7ece3026 100644
--- a/tools/config/elk-winlogbeat.yml
+++ b/tools/config/elk-winlogbeat.yml
@@ -1,134 +1,149 @@ title: ELK Ingested with Winlogbeat logsources: - windows: - product: windows - index: winlogbeat-* - windows-application: - product: windows - service: application - conditions: - log_name: Application - windows-security: - product: windows - service: security - conditions: - log_name: Security - windows-sysmon: - product: windows - service: sysmon - conditions: - log_name: 'Microsoft-Windows-Sysmon/Operational' - windows-dns-server: - product: windows - service: dns-server - conditions: - log_name: 'DNS Server' - windows-driver-framework: - product: windows - service: driver-framework - conditions: - log_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' - windows-ntlm: - product: windows - service: ntlm - conditions: - log_name: 'Microsoft-Windows-NTLM/Operational' - windows-applocker: - product: windows - service: applocker - conditions: - log_name: - - 'Microsoft-Windows-AppLocker/MSI and Script' - - 'Microsoft-Windows-AppLocker/EXE and DLL' - - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' - - 'Microsoft-Windows-AppLocker/Packaged app-Execution' - windows-msexchange-management: - product: windows - service: msexchange-management - conditions: - log_name: 'MSExchange Management' - windows-printservice-admin: - product: windows - service: printservice-admin - conditions: - log_name: 'Microsoft-Windows-PrintService/Admin' - windows-printservice-operational: - product: windows - service: printservice-operational - conditions: - log_name: 'Microsoft-Windows-PrintService/Operational' - windows-terminalservices-localsessionmanager-operational: - product: windows - service: terminalservices-localsessionmanager - conditions: - log_name: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' - windows-codeintegrity-operational: - product: windows - service: codeintegrity-operational - conditions: - log_name: 'Microsoft-Windows-CodeIntegrity/Operational' - windows-smbclient-security: - product: windows - service: 
smbclient-security - conditions: - log_name: 'Microsoft-Windows-SmbClient/Security' - windows-firewall-advanced-security: - product: windows - service: firewall-as - conditions: - log_name: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' - windows-bits-client: - product: windows - service: bits-client - conditions: - logname: 'Microsoft-Windows-Bits-Client/Operational' - windows-security-mitigations: - product: windows - service: security-mitigations - conditions: - logname: - - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' - - 'Microsoft-Windows-Security-Mitigations/User Mode' - windows-diagnosis: - product: windows - service: diagnosis-scripted - conditions: - logname: 'Microsoft-Windows-Diagnosis-Scripted/Operational' - windows-shell-core: - product: windows - service: shell-core - conditions: - logname: 'Microsoft-Windows-Shell-Core/Operational' - windows-openssh: - product: windows - service: openssh - conditions: - logname: 'OpenSSH/Operational' - windows-ldap-debug: - product: windows - service: ldap_debug - conditions: - logname: 'Microsoft-Windows-LDAP-Client/Debug' - windows-bitlocker: - product: windows - service: bitlocker - conditions: - logname: 'Microsoft-Windows-BitLocker/BitLocker Management' - windows-vhdmp-operational: - product: windows - service: vhdmp - conditions: - logname: 'Microsoft-Windows-VHDMP/Operational' - windows-appxdeployment-server: - product: windows - service: appxdeployment-server - conditions: - logname: 'Microsoft-Windows-AppXDeploymentServer/Operational' - windows-lsa-server: - product: windows - service: lsa-server - conditions: - logname: 'Microsoft-Windows-LSA/Operational' + windows: + product: windows + index: winlogbeat-* + windows-application: + product: windows + service: application + conditions: + log_name: Application + windows-security: + product: windows + service: security + conditions: + log_name: Security + windows-sysmon: + product: windows + service: sysmon + conditions: + 
log_name: 'Microsoft-Windows-Sysmon/Operational' + windows-dns-server: + product: windows + service: dns-server + conditions: + log_name: 'DNS Server' + windows-driver-framework: + product: windows + service: driver-framework + conditions: + log_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' + windows-ntlm: + product: windows + service: ntlm + conditions: + log_name: 'Microsoft-Windows-NTLM/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + log_name: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' + windows-msexchange-management: + product: windows + service: msexchange-management + conditions: + log_name: 'MSExchange Management' + windows-printservice-admin: + product: windows + service: printservice-admin + conditions: + log_name: 'Microsoft-Windows-PrintService/Admin' + windows-printservice-operational: + product: windows + service: printservice-operational + conditions: + log_name: 'Microsoft-Windows-PrintService/Operational' + windows-terminalservices-localsessionmanager-operational: + product: windows + service: terminalservices-localsessionmanager + conditions: + log_name: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + log_name: 'Microsoft-Windows-CodeIntegrity/Operational' + windows-smbclient-security: + product: windows + service: smbclient-security + conditions: + log_name: 'Microsoft-Windows-SmbClient/Security' + windows-firewall-advanced-security: + product: windows + service: firewall-as + conditions: + log_name: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' + windows-bits-client: + product: windows + service: bits-client + conditions: + logname: 
'Microsoft-Windows-Bits-Client/Operational' + windows-security-mitigations: + product: windows + service: security-mitigations + conditions: + logname: + - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' + - 'Microsoft-Windows-Security-Mitigations/User Mode' + windows-diagnosis: + product: windows + service: diagnosis-scripted + conditions: + logname: 'Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + conditions: + logname: 'Microsoft-Windows-Shell-Core/Operational' + windows-openssh: + product: windows + service: openssh + conditions: + logname: 'OpenSSH/Operational' + windows-ldap-debug: + product: windows + service: ldap_debug + conditions: + logname: 'Microsoft-Windows-LDAP-Client/Debug' + windows-bitlocker: + product: windows + service: bitlocker + conditions: + logname: 'Microsoft-Windows-BitLocker/BitLocker Management' + windows-vhdmp-operational: + product: windows + service: vhdmp + conditions: + logname: 'Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + logname: 'Microsoft-Windows-AppXDeploymentServer/Operational' + windows-lsa-server: + product: windows + service: lsa-server + conditions: + logname: 'Microsoft-Windows-LSA/Operational' + windows-appxpackaging-om: + product: windows + service: appxpackaging-om + conditions: + logname: 'Microsoft-Windows-AppxPackaging/Operational' + windows-dns-client: + product: windows + service: dns-client + conditions: + logname: 'Microsoft-Windows-DNS Client Events/Operational' + windows-appmodel-runtime: + product: windows + service: appmodel-runtime + conditions: + logname: 'Microsoft-Windows-AppModel-Runtime/Admin' defaultindex: winlogbeat-* # Extract all field names with yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g' 
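Review bot: The three new entries `windows-appxpackaging-om`, `windows-dns-client` and `windows-appmodel-runtime` use the condition key `logname:`, while the first half of this same file (`windows-application` through `windows-firewall-advanced-security`) uses `log_name:`, and the sibling `elk-winlogbeat-sp.yml` hunk uses `log_name:` for every entry including these three. The new lines copy the `logname:` spelling of the `windows-bits-client` onward block, which looks like a pre-existing typo rather than a deliberate second field; if the backend field is `log_name`, queries generated for these services filter on a field that does not exist and silently match nothing, i.e. a detection gap for the new appmodel-runtime rule. Suggest `log_name: 'Microsoft-Windows-AppxPackaging/Operational'`, `log_name: 'Microsoft-Windows-DNS Client Events/Operational'` and `log_name: 'Microsoft-Windows-AppModel-Runtime/Admin'` for the added entries, with the older `logname:` entries aligned in a follow-up.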
diff --git a/tools/config/fireeye-helix.yml b/tools/config/fireeye-helix.yml
index 452a8cb1e..fbb3b0f5c 100644
--- a/tools/config/fireeye-helix.yml
+++ b/tools/config/fireeye-helix.yml
@@ -157,6 +157,21 @@ logsources:
service: lsa-server
conditions:
channel: 'Microsoft-Windows-LSA/Operational'
+ windows-appxpackaging-om:
+ product: windows
+ service: appxpackaging-om
+ conditions:
+ channel: 'Microsoft-Windows-AppxPackaging/Operational'
+ windows-dns-client:
+ product: windows
+ service: dns-client
+ conditions:
+ channel: 'Microsoft-Windows-DNS Client Events/Operational'
+ windows-appmodel-runtime:
+ product: windows
+ service: appmodel-runtime
+ conditions:
+ channel: 'Microsoft-Windows-AppModel-Runtime/Admin'
linux:
product: linux
index: posix
diff --git a/tools/config/generic/windows-services.yml b/tools/config/generic/windows-services.yml
index 19f3d92f7..b8c2b13b7 100644
--- a/tools/config/generic/windows-services.yml
+++ b/tools/config/generic/windows-services.yml
@@ -208,3 +208,18 @@ logsources:
service: lsa-server
conditions:
Channel: 'Microsoft-Windows-LSA/Operational'
+ windows-appxpackaging-om:
+ product: windows
+ service: appxpackaging-om
+ conditions:
+ Channel: 'Microsoft-Windows-AppxPackaging/Operational'
+ windows-dns-client:
+ product: windows
+ service: dns-client
+ conditions:
+ Channel: 'Microsoft-Windows-DNS Client Events/Operational'
+ windows-appmodel-runtime:
+ product: windows
+ service: appmodel-runtime
+ conditions:
+ Channel: 'Microsoft-Windows-AppModel-Runtime/Admin'
diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml
index a33ae0ed6..441ac65d7 100644
--- a/tools/config/hawk.yml
+++ b/tools/config/hawk.yml
@@ -1,928 +1,942 @@ title: HAWK order: 20 backends: - - hawk + - hawk logsources: - antivirus: - category: antivirus - conditions: - vendor_type: 'Antivirus' - apache: - service: apache - conditions: - product_name: - - 'apache*' - - 'httpd*' - webserver: - category: webserver - conditions: - vendor_type: 'Webserver' - cisco: - product: cisco - conditions: - vendor_name: 'Cisco' - django: - product: django - conditions: - vendor_name: 'Django' - okta: - service: okta - conditions: - vendor_name: "Okta" - product_name: "Identity and Access Management" - onedrive: - service: onedrive - conditions: - vendor_name: "Microsoft" - product_name: "Onedrive" - onelogin-events: - service: onelogin.events - conditions: - vendor_name: "Microsoft" - product_name: "Onelogin" - microsoft365: - product: m365 - service: threat_management - conditions: - vendor_name: "Microsoft" - product_name: "365" - m365: - product: m365 - service: threat_management - conditions: - vendor_name: "Microsoft" - product_name: "365" - google-workspace: - service: google_workspace.admin - conditions: - vendor_name: "Google" - product_name: "Workspace" - guacamole: - service: guacamole - product_name: "Guacamole" - conditions: - vendor_name: "Guacamole" - google-cloud: - service: gcp.audit - conditions: - vendor_name: "Google" - product_name: "Cloud" - sshd: - service: sshd - conditions: - process_name: "sshd*" - syslog: - service: syslog - conditions: - process_name: "syslog*" - spring: - category: application - product: spring - conditions: - vendor_name: "Spring" - linux-audit: - product: linux - service: auditd - conditions: - vendor_name: "Linux" - product_name: "Audit" - modsecurity: - service: modsecurity - conditions: - process_name: "modsec*" - msexchange-management: - service: msexchange-management - conditions: - product_name: "MSExchange Management" - windows: - product: windows - index: windows - conditions: - vendor_name: "Microsoft" - windows-stream-hash: - product: windows - category: 
create_stream_hash - conditions: - product_name: "Sysmon" - vendor_id: "15" - windows-create-remote-thread: - product: windows - category: create_remote_thread - conditions: - product_name: "Sysmon" - vendor_id: "8" - windows-process-access: - product: windows - category: process_access - conditions: - product_name: "Sysmon" - vendor_id: "10" - windows-process-creation: - product: windows - category: process_creation - conditions: - product_name: "Sysmon" - vendor_id: "1" - windows-bits-client: - product: windows - service: bits-client - conditions: - event_channel: "Microsoft-Windows-Bits-Client/Operational" - windows-vhdmp-operational: - product: windows - service: vhdmp - conditions: - event_channel: 'Microsoft-Windows-VHDMP/Operational' - windows-appxdeployment-server: - product: windows - service: appxdeployment-server - conditions: - event_channel: 'Microsoft-Windows-AppXDeploymentServer/Operational' - windows-lsa-server: - product: windows - service: lsa-server - conditions: - event_channel: 'Microsoft-Windows-LSA/Operational' - windows-network-connection: - product: windows - category: network_connection - conditions: - product_name: "Sysmon" - vendor_id: "3" - windows-sysmon-status: - product: windows - category: sysmon_status - conditions: - product_name: "Sysmon" - vendor_id: - - 4 - - 5 - windows-sysmon-error: - product: windows - category: sysmon_error - conditions: - product_name: "Sysmon" - vendor_id: "255" - windows-raw-access-thread: - product: windows - category: raw_access_thread - conditions: - product_name: "Sysmon" - vendor_id: 9 - windows-file-create: - product: windows - category: file_create - conditions: - product_name: "Sysmon" - vendor_id: "11" - windows-file-event: - product: windows - category: file_event - conditions: - product_name: "Sysmon" - vendor_id: "11" - windows-file-change: - product: windows - category: file_change - conditions: - product_name: "Sysmon" - vendor_id: "2" - windows-pipe-created: - product: windows - category: 
pipe_created - conditions: - product_name: "Sysmon" - vendor_id: - - 17 - - 18 - windows-dns-query: - product: windows - category: dns_query - conditions: - product_name: "Sysmon" - vendor_id: "22" - windows-file-delete: - product: windows - category: file_delete - conditions: - product_name: "Sysmon" - vendor_id: "23" - windows-kernel-file-rename: - product: windows - category: file_rename - conditions: - product_name: "Kernel-File" - windows-kernel-file-access: - product: windows - category: file_access - conditions: - product_name: "Kernel-File" - windows-wmi-sysmon: - product: windows - category: wmi_event - conditions: - product_name: "Sysmon" - vendor_id: - - 19 - - 20 - - 21 - windows-ldap-debug: - product: windows - category: ldap_debug - conditions: - event_channel: "Microsoft-Windows-LDAP-Client/Debug" - windows-driver-load: - product: windows - category: driver_load - conditions: - product_name: "Sysmon" - vendor_id: "6" - windows-image-load: - product: windows - category: image_load - conditions: - product_name: "Sysmon" - vendor_id: "7" - clamav: - service: clamav - conditions: - process_name: "clamav*" - aws-cloudtrail: - service: cloudtrail - conditions: - vendor_name: "AWS CloudTrail" - zeek: - product: zeek - conditions: - vendor_name: "Zeek" - vendor_type: "IDS" - firewall: - category: firewall - conditions: - vendor_type: - - "Firewall" - - "Router" - - "WAP" - zeek-category-dns: - category: dns - rewrite: - product: zeek - service: dns - zeek-category-proxy: - category: proxy - rewrite: - product: zeek - service: http - zeek-conn: - product: zeek - service: conn - conditions: - hawk_source: "conn.log" - zeek-conn_long: - product: zeek - service: conn_long - conditions: - hawk_source: "conn_long.log" - zeek-dce_rpc: - product: zeek - service: dce_rpc - conditions: - hawk_source: "dce_rpc.log" - zeek-dns: - product: zeek - service: dns - conditions: - hawk_source: "dns.log" - zeek-dnp3: - product: zeek - service: dnp3 - conditions: - hawk_source: 
"dnp3.log" - zeek-dpd: - product: zeek - service: dpd - conditions: - hawk_source: "dpd.log" - zeek-files: - product: zeek - service: files - conditions: - hawk_source: "files.log" - zeek-ftp: - product: zeek - service: ftp - conditions: - hawk_source: "ftp.log" - zeek-gquic: - product: zeek - service: gquic - conditions: - hawk_source: "gquic.log" - zeek-http: - product: zeek - service: http - conditions: - hawk_source: "http.log" - zeek-http2: - product: zeek - service: http2 - conditions: - hawk_source: "http2.log" - zeek-intel: - product: zeek - service: intel - conditions: - hawk_source: "intel.log" - zeek-irc: - product: zeek - service: irc - conditions: - hawk_source: "irc.log" - zeek-kerberos: - product: zeek - service: kerberos - conditions: - hawk_source: "kerberos.log" - zeek-known_certs: - product: zeek - service: known_certs - conditions: - hawk_source: "known_certs.log" - zeek-known_hosts: - product: zeek - service: known_hosts - conditions: - hawk_source: "known_hosts.log" - zeek-known_modbus: - product: zeek - service: known_modbus - conditions: - hawk_source: "known_modbus.log" - zeek-known_services: - product: zeek - service: known_services - conditions: - hawk_source: "known_services.log" - zeek-modbus: - product: zeek - service: modbus - conditions: - hawk_source: "modbus.log" - zeek-modbus_register_change: - product: zeek - service: modbus_register_change - conditions: - hawk_source: "modbus_register_change.log" - zeek-mqtt_connect: - product: zeek - service: mqtt_connect - conditions: - hawk_source: "mqtt_connect.log" - zeek-mqtt_publish: - product: zeek - service: mqtt_publish - conditions: - hawk_source: "mqtt_publish.log" - zeek-mqtt_subscribe: - product: zeek - service: mqtt_subscribe - conditions: - hawk_source: "mqtt_subscribe.log" - zeek-mysql: - product: zeek - service: mysql - conditions: - hawk_source: "mysql.log" - zeek-notice: - product: zeek - service: notice - conditions: - hawk_source: "notice.log" - zeek-ntlm: - product: zeek - 
service: ntlm
- conditions:
- hawk_source: "ntlm.log"
- zeek-ntp:
- product: zeek
- service: ntp
- conditions:
- hawk_source: "ntp.log"
- zeek-ocsp:
- product: zeek
- service: ntp
- conditions:
- hawk_source: "ocsp.log"
- zeek-pe:
- product: zeek
- service: pe
- conditions:
- hawk_source: "pe.log"
- zeek-pop3:
- product: zeek
- service: pop3
- conditions:
- hawk_source: "pop3.log"
- zeek-radius:
- product: zeek
- service: radius
- conditions:
- hawk_source: "radius.log"
- zeek-rdp:
- product: zeek
- service: rdp
- conditions:
- hawk_source: "rdp.log"
- zeek-rfb:
- product: zeek
- service: rfb
- conditions:
- hawk_source: "rfb.log"
- zeek-sip:
- product: zeek
- service: sip
- conditions:
- hawk_source: "sip.log"
- zeek-smb_files:
- product: zeek
- service: smb_files
- conditions:
- hawk_source: "smb_files.log"
- zeek-smb_mapping:
- product: zeek
- service: smb_mapping
- conditions:
- hawk_source: "smb_mapping.log"
- zeek-smtp:
- product: zeek
- service: smtp
- conditions:
- hawk_source: "smtp.log"
- zeek-smtp_links:
- product: zeek
- service: smtp_links
- conditions:
- hawk_source: "smtp_links.log"
- zeek-snmp:
- product: zeek
- service: snmp
- conditions:
- hawk_source: "snmp.log"
- zeek-socks:
- product: zeek
- service: socks
- conditions:
- hawk_source: "socks.log"
- zeek-software:
- product: zeek
- service: software
- conditions:
- hawk_source: "software.log"
- zeek-ssh:
- product: zeek
- service: ssh
- conditions:
- hawk_source: "ssh.log"
- zeek-ssl:
- product: zeek
- service: ssl
- conditions:
- hawk_source: "tls.log"
- zeek-tls: # In case people call it TLS even though orig log is called ssl, but dataset is tls so may cause confusion so cover that
- product: zeek
- service: tls
- conditions:
- hawk_source: "tls.log"
- zeek-syslog:
- product: zeek
- service: syslog
- conditions:
- hawk_source: "syslog.log"
- zeek-tunnel:
- product: zeek
- service: tunnel
- conditions:
- hawk_source: "tunnel.log"
- zeek-traceroute:
- product: zeek
- service: traceroute
- conditions:
- hawk_source: "traceroute.log"
- zeek-weird:
- product: zeek
- service: weird
- conditions:
- hawk_source: "weird.log"
- zeek-x509:
- product: zeek
- service: x509
- conditions:
- hawk_source: "x509.log"
- zeek-ip_search:
- product: zeek
- service: network
- conditions:
- hawk_source:
- - "conn.log"
- - "conn_long.log"
- - "dce_rpc.log"
- - "dhcp.log"
- - "dnp3.log"
- - "dns.log"
- - "ftp.log"
- - "gquic.log"
- - "http.log"
- - "irc.log"
- - "kerberos.log"
- - "modbus.log"
- - "mqtt_connect.log"
- - "mqtt_publish.log"
- - "mqtt_subscribe.log"
- - "mysql.log"
- - "ntlm.log"
- - "ntp.log"
- - "radius.log"
- - "rfb.log"
- - "sip.log"
- - "smb_files.log"
- - "smb_mapping.log"
- - "smtp.log"
- - "smtp_links.log"
- - "snmp.log"
- - "socks.log"
- - "ssh.log"
- - "tls.log" #SSL
- - "tunnel.log"
- - "weird.log"
- azure-signin:
- product: azure
- service: signinlogs
- conditions:
- vendor_name: "Microsoft"
- product_name: "Azure"
- product_source: "signInAudits"
- azure-auditlogs:
- product: azure
- service: auditlogs
- conditions:
- vendor_name: "Microsoft"
- product_name: "Azure"
- product_source: "directoryAudits"
- azure-activitylogs:
- product: azure
- service: activitylogs
- conditions:
- vendor_name: "Microsoft"
- product_name: "Azure"
- azure-activity:
- product: azure
- service: azureactivity
- conditions:
- vendor_name: "Microsoft"
- product_name: "Azure"
- microsoft-servicebus-client:
- product: windows
- service: microsoft-servicebus-client
- conditions:
- event_channel: 'Microsoft-ServiceBus-Client'
- windows-application:
- product: windows
- service: application
- conditions:
- event_channel: 'Application'
- windows-security:
- product: windows
- service: security
- conditions:
- event_channel: 'Security'
- windows-system:
- product: windows
- service: system
- conditions:
- event_channel: 'System'
- windows-sysmon:
- product: windows
- service: sysmon
- conditions:
- product_name: 'Sysmon'
- windows-powershell:
- product: windows
- service: powershell
- conditions:
- product_name: 'PowerShell'
- windows-classicpowershell:
- product: windows
- service: powershell-classic
- conditions:
- product_name: 'Windows PowerShell'
- windows-taskscheduler:
- product: windows
- service: taskscheduler
- conditions:
- product_name: 'TaskScheduler'
- windows-wmi:
- product: windows
- service: wmi
- conditions:
- product_name: 'WMI-Activity'
- windows-dns-server:
- product: windows
- service: dns-server
- conditions:
- product_name: 'DNS Server'
- windows-dns-server-audit:
- product: windows
- service: dns-server-audit
- conditions:
- product_name: 'DNS Server'
- windows-driver-framework:
- product: windows
- service: driver-framework
- conditions:
- product_name: 'DriverFrameworks-UserMode'
- windows-ntlm:
- product: windows
- service: ntlm
- conditions:
- product_name: 'NTLM'
- windows-dhcp:
- product: windows
- service: dhcp
- conditions:
- product_name: 'DHCP-Server'
- windows-defender:
- product: windows
- service: windefend
- conditions:
- product_name: 'Windows Defender'
- windows-applocker:
- product: windows
- service: applocker
- conditions:
- product_name:
- - 'AppLocker'
- windows-firewall-advanced-security:
- product: windows
- service: firewall-as
- conditions:
- product_name: 'Windows Firewall With Advanced Security'
- windows-ps-module:
- product: windows
- category: ps_module
- conditions:
- product_name: 'PowerShell'
- vendor_id: 4103
- windows-ps-script:
- product: windows
- category: ps_script
- conditions:
- product_name: 'PowerShell'
- vendor_id: 4104
- windows-ps-classic-start:
- product: windows
- category: ps_classic_start
- conditions:
- EventID: 400
- product_name: 'Windows PowerShell'
- windows-ps-classic-provider:
- product: windows
- category: ps_classic_provider_start
- conditions:
- vendor_id: 600
- product_name: 'Windows PowerShell'
- windows-ps-classic-script:
- product: windows
- category: ps_classic_script
- conditions:
- vendor_id: 800
- product_name: 'Windows PowerShell'
- windows-service-bus:
- service: Microsoft-ServiceBus-Client
- conditions:
- product_name: "Microsoft-ServiceBus-Client"
- windows-msexchange-management:
- product: windows
- service: msexchange-management
- conditions:
- product_name: 'MSExchange Management'
- windows-printservice-admin:
- product: windows
- service: printservice-admin
- conditions:
- product_name: 'PrintService'
- windows-printservice-operational:
- product: windows
- service: printservice-operational
- conditions:
- product_name: 'PrintService'
- windows-terminalservices-localsessionmanager-operational:
- product: windows
- service: terminalservices-localsessionmanager
- conditions:
- product_name: 'TerminalServices-LocalSessionManager'
- windows-codeintegrity-operational:
- product: windows
- service: codeintegrity-operational
- conditions:
- product_name: 'CodeIntegrity'
- windows-smbclient-security:
- product: windows
- service: smbclient-security
- conditions:
- product_name: 'SmbClient'
- windows-registry:
- product: windows
- category: registry_event
- conditions:
- product_name: "Sysmon"
- vendor_id:
- - 12
- - 13
- - 14
- windows-registry-add:
- product: windows
- category: registry_add
- conditions:
- product_name: "Sysmon"
- vendor_id: 12
- windows-registry-delete:
- product: windows
- category: registry_delete
- conditions:
- product_name: "Sysmon"
- vendor_id: 12
- windows-registry-set:
- product: windows
- category: registry_set
- conditions:
- product_name: "Sysmon"
- vendor_id: 13
- windows-registry-rename:
- product: windows
- category: registry_rename
- conditions:
- product_name: "Sysmon"
- vendor_id: 14
- windows-file-block-executable:
- product: windows
- category: file_block
- conditions:
- product_name: "Sysmon"
- vendor_id: 27
- #dns:
- # category: dns
- # conditions:
- qflow:
- product: qflow
- netflow:
- service: netflow
- ipfix:
- product: ipfix
- flow:
- product: flow
+ antivirus:
+ category: antivirus
+ conditions:
+ vendor_type: 'Antivirus'
+ apache:
+ service: apache
+ conditions:
+ product_name:
+ - 'apache*'
+ - 'httpd*'
+ webserver:
+ category: webserver
+ conditions:
+ vendor_type: 'Webserver'
+ cisco:
+ product: cisco
+ conditions:
+ vendor_name: 'Cisco'
+ django:
+ product: django
+ conditions:
+ vendor_name: 'Django'
+ okta:
+ service: okta
+ conditions:
+ vendor_name: "Okta"
+ product_name: "Identity and Access Management"
+ onedrive:
+ service: onedrive
+ conditions:
+ vendor_name: "Microsoft"
+ product_name: "Onedrive"
+ onelogin-events:
+ service: onelogin.events
+ conditions:
+ vendor_name: "Microsoft"
+ product_name: "Onelogin"
+ microsoft365:
+ product: m365
+ service: threat_management
+ conditions:
+ vendor_name: "Microsoft"
+ product_name: "365"
+ m365:
+ product: m365
+ service: threat_management
+ conditions:
+ vendor_name: "Microsoft"
+ product_name: "365"
+ google-workspace:
+ service: google_workspace.admin
+ conditions:
+ vendor_name: "Google"
+ product_name: "Workspace"
+ guacamole:
+ service: guacamole
+ product_name: "Guacamole"
+ conditions:
+ vendor_name: "Guacamole"
+ google-cloud:
+ service: gcp.audit
+ conditions:
+ vendor_name: "Google"
+ product_name: "Cloud"
+ sshd:
+ service: sshd
+ conditions:
+ process_name: "sshd*"
+ syslog:
+ service: syslog
+ conditions:
+ process_name: "syslog*"
+ spring:
+ category: application
+ product: spring
+ conditions:
+ vendor_name: "Spring"
+ linux-audit:
+ product: linux
+ service: auditd
+ conditions:
+ vendor_name: "Linux"
+ product_name: "Audit"
+ modsecurity:
+ service: modsecurity
+ conditions:
+ process_name: "modsec*"
+ msexchange-management:
+ service: msexchange-management
+ conditions:
+ product_name: "MSExchange Management"
+ windows:
+ product: windows
+ index: windows
+ conditions:
+ vendor_name: "Microsoft"
+ windows-stream-hash:
+ product: windows
+ category: create_stream_hash
+ conditions:
+ product_name: "Sysmon"
+ vendor_id: "15"
+ windows-create-remote-thread:
+ product: windows
+ category: create_remote_thread
+ conditions:
+ product_name: "Sysmon"
+ vendor_id: "8"
+ windows-process-access:
+ product: windows
+ category: process_access
+ conditions:
+ product_name: "Sysmon"
+ vendor_id: "10"
+ windows-process-creation:
+ product: windows
+ category: process_creation
+ conditions:
+ product_name: "Sysmon"
+ vendor_id: "1"
+ windows-bits-client:
+ product: windows
+ service: bits-client
+ conditions:
+ event_channel: "Microsoft-Windows-Bits-Client/Operational"
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ event_channel: 'Microsoft-Windows-VHDMP/Operational'
+ windows-appxdeployment-server:
+ product: windows
+ service: appxdeployment-server
+ conditions:
+ event_channel: 'Microsoft-Windows-AppXDeploymentServer/Operational'
+ windows-lsa-server:
+ product: windows
+ service: lsa-server
+ conditions:
+ event_channel: 'Microsoft-Windows-LSA/Operational'
+ windows-appxpackaging-om:
+ product: windows
+ service: appxpackaging-om
+ conditions:
+ event_channel: 'Microsoft-Windows-AppxPackaging/Operational'
+ windows-dns-client:
+ product: windows
+ service: dns-client
+ conditions:
+ event_channel: 'Microsoft-Windows-DNS Client Events/Operational'
+ windows-appmodel-runtime:
+ product: windows
+ service: appmodel-runtime
+ conditions:
+ event_channel: 'Microsoft-Windows-AppModel-Runtime/Admin'
+ windows-network-connection:
+ product: windows
+ category: network_connection
+ conditions:
+ product_name: "Sysmon"
+ vendor_id: "3"
+ windows-sysmon-status:
+ product: windows
+ category: sysmon_status
+ conditions:
+ product_name: "Sysmon"
+ vendor_id:
+ - 4
+ - 5
+ windows-sysmon-error:
+ product: windows
+ category: sysmon_error
+ conditions:
+ product_name: "Sysmon"
+ vendor_id: "255"
+ windows-raw-access-thread:
+ product: windows
+ category: raw_access_thread
+ conditions:
+ product_name: "Sysmon"
+ vendor_id: 9
+ windows-file-create:
+ product: windows
+ category: file_create
+ conditions:
+ product_name: "Sysmon"
+ vendor_id: "11"
+ windows-file-event:
+ product: windows
+ category: file_event
+ conditions:
+ product_name: "Sysmon"
+ vendor_id: "11"
+ windows-file-change:
+ product: windows
+ category: file_change
+ conditions:
+ product_name: "Sysmon"
+ vendor_id: "2"
+ windows-pipe-created:
+ product: windows
+ category: pipe_created
+ conditions:
+ product_name: "Sysmon"
+ vendor_id:
+ - 17
+ - 18
+ windows-dns-query:
+ product: windows
+ category: dns_query
+ conditions:
+ product_name: "Sysmon"
+ vendor_id: "22"
+ windows-file-delete:
+ product: windows
+ category: file_delete
+ conditions:
+ product_name: "Sysmon"
+ vendor_id: "23"
+ windows-kernel-file-rename:
+ product: windows
+ category: file_rename
+ conditions:
+ product_name: "Kernel-File"
+ windows-kernel-file-access:
+ product: windows
+ category: file_access
+ conditions:
+ product_name: "Kernel-File"
+ windows-wmi-sysmon:
+ product: windows
+ category: wmi_event
+ conditions:
+ product_name: "Sysmon"
+ vendor_id:
+ - 19
+ - 20
+ - 21
+ windows-ldap-debug:
+ product: windows
+ category: ldap_debug
+ conditions:
+ event_channel: "Microsoft-Windows-LDAP-Client/Debug"
+ windows-driver-load:
+ product: windows
+ category: driver_load
+ conditions:
+ product_name: "Sysmon"
+ vendor_id: "6"
+ windows-image-load:
+ product: windows
+ category: image_load
+ conditions:
+ product_name: "Sysmon"
+ vendor_id: "7"
+ clamav:
+ service: clamav
+ conditions:
+ process_name: "clamav*"
+ aws-cloudtrail:
+ service: cloudtrail
+ conditions:
+ vendor_name: "AWS CloudTrail"
+ zeek:
+ product: zeek
+ conditions:
+ vendor_name: "Zeek"
+ vendor_type: "IDS"
+ firewall:
+ category: firewall
+ conditions:
+ vendor_type:
+ - "Firewall"
+ - "Router"
+ - "WAP"
+ zeek-category-dns:
+ category: dns
+ rewrite:
+ product: zeek
+ service: dns
+ zeek-category-proxy:
+ category: proxy
+ rewrite:
+ product: zeek
+ service: http
+ zeek-conn:
+ product: zeek
+ service: conn
+ conditions:
+ hawk_source: "conn.log"
+ zeek-conn_long:
+ product: zeek
+ service: conn_long
+ conditions:
+ hawk_source: "conn_long.log"
+ zeek-dce_rpc:
+ product: zeek
+ service: dce_rpc
+ conditions:
+ hawk_source: "dce_rpc.log"
+ zeek-dns:
+ product: zeek
+ service: dns
+ conditions:
+ hawk_source: "dns.log"
+ zeek-dnp3:
+ product: zeek
+ service: dnp3
+ conditions:
+ hawk_source: "dnp3.log"
+ zeek-dpd:
+ product: zeek
+ service: dpd
+ conditions:
+ hawk_source: "dpd.log"
+ zeek-files:
+ product: zeek
+ service: files
+ conditions:
+ hawk_source: "files.log"
+ zeek-ftp:
+ product: zeek
+ service: ftp
+ conditions:
+ hawk_source: "ftp.log"
+ zeek-gquic:
+ product: zeek
+ service: gquic
+ conditions:
+ hawk_source: "gquic.log"
+ zeek-http:
+ product: zeek
+ service: http
+ conditions:
+ hawk_source: "http.log"
+ zeek-http2:
+ product: zeek
+ service: http2
+ conditions:
+ hawk_source: "http2.log"
+ zeek-intel:
+ product: zeek
+ service: intel
+ conditions:
+ hawk_source: "intel.log"
+ zeek-irc:
+ product: zeek
+ service: irc
+ conditions:
+ hawk_source: "irc.log"
+ zeek-kerberos:
+ product: zeek
+ service: kerberos
+ conditions:
+ hawk_source: "kerberos.log"
+ zeek-known_certs:
+ product: zeek
+ service: known_certs
+ conditions:
+ hawk_source: "known_certs.log"
+ zeek-known_hosts:
+ product: zeek
+ service: known_hosts
+ conditions:
+ hawk_source: "known_hosts.log"
+ zeek-known_modbus:
+ product: zeek
+ service: known_modbus
+ conditions:
+ hawk_source: "known_modbus.log"
+ zeek-known_services:
+ product: zeek
+ service: known_services
+ conditions:
+ hawk_source: "known_services.log"
+ zeek-modbus:
+ product: zeek
+ service: modbus
+ conditions:
+ hawk_source: "modbus.log"
+ zeek-modbus_register_change:
+ product: zeek
+ service: modbus_register_change
+ conditions:
+ hawk_source: "modbus_register_change.log"
+ zeek-mqtt_connect:
+ product: zeek
+ service: mqtt_connect
+ conditions:
+ hawk_source: "mqtt_connect.log"
+ zeek-mqtt_publish:
+ product: zeek
+ service: mqtt_publish
+ conditions:
+ hawk_source: "mqtt_publish.log"
+ zeek-mqtt_subscribe:
+ product: zeek
+ service: mqtt_subscribe
+ conditions:
+ hawk_source: "mqtt_subscribe.log"
+ zeek-mysql:
+ product: zeek
+ service: mysql
+ conditions:
+ hawk_source: "mysql.log"
+ zeek-notice:
+ product: zeek
+ service: notice
+ conditions:
+ hawk_source: "notice.log"
+ zeek-ntlm:
+ product: zeek
+ service: ntlm
+ conditions:
+ hawk_source: "ntlm.log"
+ zeek-ntp:
+ product: zeek
+ service: ntp
+ conditions:
+ hawk_source: "ntp.log"
+ zeek-ocsp:
+ product: zeek
+ service: ntp
+ conditions:
+ hawk_source: "ocsp.log"
+ zeek-pe:
+ product: zeek
+ service: pe
+ conditions:
+ hawk_source: "pe.log"
+ zeek-pop3:
+ product: zeek
+ service: pop3
+ conditions:
+ hawk_source: "pop3.log"
+ zeek-radius:
+ product: zeek
+ service: radius
+ conditions:
+ hawk_source: "radius.log"
+ zeek-rdp:
+ product: zeek
+ service: rdp
+ conditions:
+ hawk_source: "rdp.log"
+ zeek-rfb:
+ product: zeek
+ service: rfb
+ conditions:
+ hawk_source: "rfb.log"
+ zeek-sip:
+ product: zeek
+ service: sip
+ conditions:
+ hawk_source: "sip.log"
+ zeek-smb_files:
+ product: zeek
+ service: smb_files
+ conditions:
+ hawk_source: "smb_files.log"
+ zeek-smb_mapping:
+ product: zeek
+ service: smb_mapping
+ conditions:
+ hawk_source: "smb_mapping.log"
+ zeek-smtp:
+ product: zeek
+ service: smtp
+ conditions:
+ hawk_source: "smtp.log"
+ zeek-smtp_links:
+ product: zeek
+ service: smtp_links
+ conditions:
+ hawk_source: "smtp_links.log"
+ zeek-snmp:
+ product: zeek
+ service: snmp
+ conditions:
+ hawk_source: "snmp.log"
+ zeek-socks:
+ product: zeek
+ service: socks
+ conditions:
+ hawk_source: "socks.log"
+ zeek-software:
+ product: zeek
+ service: software
+ conditions:
+ hawk_source: "software.log"
+ zeek-ssh:
+ product: zeek
+ service: ssh
+ conditions:
+ hawk_source: "ssh.log"
+ zeek-ssl:
+ product: zeek
+ service: ssl
+ conditions:
+ hawk_source: "tls.log"
+ zeek-tls: # In case people call it TLS even though orig log is called ssl, but dataset is tls so may cause confusion so cover that
+ product: zeek
+ service: tls
+ conditions:
+ hawk_source: "tls.log"
+ zeek-syslog:
+ product: zeek
+ service: syslog
+ conditions:
+ hawk_source: "syslog.log"
+ zeek-tunnel:
+ product: zeek
+ service: tunnel
+ conditions:
+ hawk_source: "tunnel.log"
+ zeek-traceroute:
+ product: zeek
+ service: traceroute
+ conditions:
+ hawk_source: "traceroute.log"
+ zeek-weird:
+ product: zeek
+ service: weird
+ conditions:
+ hawk_source: "weird.log"
+ zeek-x509:
+ product: zeek
+ service: x509
+ conditions:
+ hawk_source: "x509.log"
+ zeek-ip_search:
+ product: zeek
+ service: network
+ conditions:
+ hawk_source:
+ - "conn.log"
+ - "conn_long.log"
+ - "dce_rpc.log"
+ - "dhcp.log"
+ - "dnp3.log"
+ - "dns.log"
+ - "ftp.log"
+ - "gquic.log"
+ - "http.log"
+ - "irc.log"
+ - "kerberos.log"
+ - "modbus.log"
+ - "mqtt_connect.log"
+ - "mqtt_publish.log"
+ - "mqtt_subscribe.log"
+ - "mysql.log"
+ - "ntlm.log"
+ - "ntp.log"
+ - "radius.log"
+ - "rfb.log"
+ - "sip.log"
+ - "smb_files.log"
+ - "smb_mapping.log"
+ - "smtp.log"
+ - "smtp_links.log"
+ - "snmp.log"
+ - "socks.log"
+ - "ssh.log"
+ - "tls.log" #SSL
+ - "tunnel.log"
+ - "weird.log"
+ azure-signin:
+ product: azure
+ service: signinlogs
+ conditions:
+ vendor_name: "Microsoft"
+ product_name: "Azure"
+ product_source: "signInAudits"
+ azure-auditlogs:
+ product: azure
+ service: auditlogs
+ conditions:
+ vendor_name: "Microsoft"
+ product_name: "Azure"
+ product_source: "directoryAudits"
+ azure-activitylogs:
+ product: azure
+ service: activitylogs
+ conditions:
+ vendor_name: "Microsoft"
+ product_name: "Azure"
+ azure-activity:
+ product: azure
+ service: azureactivity
+ conditions:
+ vendor_name: "Microsoft"
+ product_name: "Azure"
+ microsoft-servicebus-client:
+ product: windows
+ service: microsoft-servicebus-client
+ conditions:
+ event_channel: 'Microsoft-ServiceBus-Client'
+ windows-application:
+ product: windows
+ service: application
+ conditions:
+ event_channel: 'Application'
+ windows-security:
+ product: windows
+ service: security
+ conditions:
+ event_channel: 'Security'
+ windows-system:
+ product: windows
+ service: system
+ conditions:
+ event_channel: 'System'
+ windows-sysmon:
+ product: windows
+ service: sysmon
+ conditions:
+ product_name: 'Sysmon'
+ windows-powershell:
+ product: windows
+ service: powershell
+ conditions:
+ product_name: 'PowerShell'
+ windows-classicpowershell:
+ product: windows
+ service: powershell-classic
+ conditions:
+ product_name: 'Windows PowerShell'
+ windows-taskscheduler:
+ product: windows
+ service: taskscheduler
+ conditions:
+ product_name: 'TaskScheduler'
+ windows-wmi:
+ product: windows
+ service: wmi
+ conditions:
+ product_name: 'WMI-Activity'
+ windows-dns-server:
+ product: windows
+ service: dns-server
+ conditions:
+ product_name: 'DNS Server'
+ windows-dns-server-audit:
+ product: windows
+ service: dns-server-audit
+ conditions:
+ product_name: 'DNS Server'
+ windows-driver-framework:
+ product: windows
+ service: driver-framework
+ conditions:
+ product_name: 'DriverFrameworks-UserMode'
+ windows-ntlm:
+ product: windows
+ service: ntlm
+ conditions:
+ product_name: 'NTLM'
+ windows-dhcp:
+ product: windows
+ service: dhcp
+ conditions:
+ product_name: 'DHCP-Server'
+ windows-defender:
+ product: windows
+ service: windefend
+ conditions:
+ product_name: 'Windows Defender'
+ windows-applocker:
+ product: windows
+ service: applocker
+ conditions:
+ product_name: 'AppLocker'
+ windows-firewall-advanced-security:
+ product: windows
+ service: firewall-as
+ conditions:
+ product_name: 'Windows Firewall With Advanced Security'
+ windows-ps-module:
+ product: windows
+ category: ps_module
+ conditions:
+ product_name: 'PowerShell'
+ vendor_id: 4103
+ windows-ps-script:
+ product: windows
+ category: ps_script
+ conditions:
+ product_name: 'PowerShell'
+ vendor_id: 4104
+ windows-ps-classic-start:
+ product: windows
+ category: ps_classic_start
+ conditions:
+ EventID: 400
+ product_name: 'Windows PowerShell'
+ windows-ps-classic-provider:
+ product: windows
+ category: ps_classic_provider_start
+ conditions:
+ vendor_id: 600
+ product_name: 'Windows PowerShell'
+ windows-ps-classic-script:
+ product: windows
+ category: ps_classic_script
+ conditions:
+ vendor_id: 800
+ product_name: 'Windows PowerShell'
+ windows-service-bus:
+ service: Microsoft-ServiceBus-Client
+ conditions:
+ product_name: "Microsoft-ServiceBus-Client"
+ windows-msexchange-management:
+ product: windows
+ service: msexchange-management
+ conditions:
+ product_name: 'MSExchange Management'
+ windows-printservice-admin:
+ product: windows
+ service: printservice-admin
+ conditions:
+ product_name: 'PrintService'
+ windows-printservice-operational:
+ product: windows
+ service: printservice-operational
+ conditions:
+ product_name: 'PrintService'
+ windows-terminalservices-localsessionmanager-operational:
+ product: windows
+ service: terminalservices-localsessionmanager
+ conditions:
+ product_name: 'TerminalServices-LocalSessionManager'
+ windows-codeintegrity-operational:
+ product: windows
+ service: codeintegrity-operational
+ conditions:
+ product_name: 'CodeIntegrity'
+ windows-smbclient-security:
+ product: windows
+ service: smbclient-security
+ conditions:
+ product_name: 'SmbClient'
+ windows-registry:
+ product: windows
+ category: registry_event
+ conditions:
+ product_name: "Sysmon"
+ vendor_id:
+ - 12
+ - 13
+ - 14
+ windows-registry-add:
+ product: windows
+ category: registry_add
+ conditions:
+ product_name: "Sysmon"
+ vendor_id: 12
+ windows-registry-delete:
+ product: windows
+ category: registry_delete
+ conditions:
+ product_name: "Sysmon"
+ vendor_id: 12
+ windows-registry-set:
+ product: windows
+ category: registry_set
+ conditions:
+ product_name: "Sysmon"
+ vendor_id: 13
+ windows-registry-rename:
+ product: windows
+ category: registry_rename
+ conditions:
+ product_name: "Sysmon"
+ vendor_id: 14
+ windows-file-block-executable:
+ product: windows
+ category: file_block
+ conditions:
+ product_name: "Sysmon"
+ vendor_id: 27
+ #dns:
+ # category: dns
+ # conditions:
+ qflow:
+ product: qflow
+ netflow:
+ service: netflow
+ ipfix:
+ product: ipfix
+ flow:
+ product: flow
 fieldmappings:
- dst:
- - ip_dst_host
- dst_ip:
- - ip_dst
- src:
- - ip_src_host
- src_ip:
- - ip_src
- IPAddress: ip_src
- DNSAddress: dns_address
- DCIPAddress: ip_src
- category: vendor_category
- error: error_code
- key: event_key
- payload: event_payload
- weight: event_weight
- account type: account_type
- PrivilegeList: process_privileges
- pid_user: event_username
- sid: correlation_session_id
- UserSid: correlation_session_id
- TargetSid: target_session_id
- TargetUserName: target_username
- SamAccountName: target_username
- AccountName: target_username
- TargetDomainName: target_domain
- DnsServerIpAddress: dns_address
- QueryName: dns_query
- AuthenticationPackageName: package_name
- HostProcess: image
- Application: image
- ProcessName: image
- TargetImage: target_image
- ParentImage: parent_image
- CallerProcessName: parent_image
- ParentProcessName: parent_image
- CommandLine: command
- ProcessCommandLine: command
- ParentCommandLine: parent_command
- Imphash: file_hash_imphash
- sha256: file_hash_sha256
- md5: file_hash_md5
- sha1: file_hash_sha1
- SubjectUserSid: correlation_session_id
- SubjectSid: correlation_session_id
- SubjectUserName: correlation_username
- SubjectDomainName: correlation_domain
- SubjectLogonId: correlation_logon_id
- pid: event_pid
- ProccessId: pid
- NewProcessName: image
- ServiceName: service_name
- Service: service_name
- ServiceFileName: filename
- EventID: vendor_id
- SourceImage: parent_image
- ImageLoaded: image_loaded
- Description: image_description
- ScriptBlockText: value
- Product: image_product
- Company: image_company
- CurrentDirectory: path
- ShareName: path
- RelativeTargetName: filename
- TargetName: value
- Initiated: value
- Accesses: access_mask
- LDAPDisplayName: distinguished_name
- AttributeLDAPDisplayName: distinguished_name
- AttributeValue: value
- ParentProcessId: parent_pid
- SourceProcessId: source_pid
- TargetProcessId: target_pid
- Signed: signature
- Status: value
- TargetFilename: filename
- FileName: filename
- TargetObject: object_target
- ObjectClass: object_type
- ObjectValueName: object_name
- ObjectName: object_name
- DeviceClassName: object_name
- CallTrace: calltrace
- IpAddress: ip_src
- WorkstationName: ip_src_host
- Workstation: ip_src_host
- DestinationIp: ip_dst
- DestinationHostname: ip_dst_host
- DestinationPort: ip_dport
- DestAddress: ip_dst
- DestPort: ip_dport
- SourceAddress: ip_src
- SourcePort: ip_sport
- GrantedAccess: access_mask
- StartModule: target_process_name
- TargetProcessAddress: process_address
- TicketOptions: sys.ticket.options
- TicketEncryptionType: sys.ticket.encryption.type
- DetectionSource: value
- Priority: event_priority
- event_type_id: vendor_id
- destination.port: ip_dport
- user: correlation_username
- User: correlation_username
- # Provider_Name: channel
- c-referer: http_referer
- cs-referer: http_referer
- cs-host: http_host
- cs-method: http_method
- c-uri: http_path
- c-uri-stem: http_path
- cs-uri: http_path
- cs-uri-stem: http_path
- c-agent: http_user_agent
- cs-agent: http_user_agent
- c-useragent: http_user_agent
- cs-useragent: http_user_agent
- cs-user-agent: http_user_agent
- c-ip: ip_src
- cs-ip: ip_src
- s-ip: ip_dst
- sc-ip: ip_dst
- c-username: correlation_username
- cs-username: correlation_username
- s-computername: ip_dst_host
- cs-uri-query: http_query
- c-uri-query: http_query
- sc-status: http_status_code
- sc-bytes: http_content_length
- user-agent: http_user_agent
- cs-User-Agent: http_user_agent
- r-dns: http_host
- id.orig_h: ip_src
- id.orig_p: ip_sport
- id.resp_h: ip_dst
- id.resp_p: ip_dport
- host: ip_src
- hostname: ip_src_host
- port_num: ip_dport
- dst_port: ip_dport
- query: dns_query
- orig_ip_bytes: net_if_out_bytes
- resp_ip_bytes: net_if_in_bytes
- QNAME: qname
- Channel: event_channel
+ dst:
+ - ip_dst_host
+ dst_ip:
+ - ip_dst
+ src:
+ - ip_src_host
+ src_ip:
+ - ip_src
+ IPAddress: ip_src
+ DNSAddress: dns_address
+ DCIPAddress: ip_src
+ category: vendor_category
+ error: error_code
+ key: event_key
+ payload: event_payload
+ weight: event_weight
+ account type: account_type
+ PrivilegeList: process_privileges
+ pid_user: event_username
+ sid: correlation_session_id
+ UserSid: correlation_session_id
+ TargetSid: target_session_id
+ TargetUserName: target_username
+ SamAccountName: target_username
+ AccountName: target_username
+ TargetDomainName: target_domain
+ DnsServerIpAddress: dns_address
+ QueryName: dns_query
+ AuthenticationPackageName: package_name
+ HostProcess: image
+ Application: image
+ ProcessName: image
+ TargetImage: target_image
+ ParentImage: parent_image
+ CallerProcessName: parent_image
+ ParentProcessName: parent_image
+ CommandLine: command
+ ProcessCommandLine: command
+ ParentCommandLine: parent_command
+ Imphash: file_hash_imphash
+ sha256: file_hash_sha256
+ md5: file_hash_md5
+ sha1: file_hash_sha1
+ SubjectUserSid: correlation_session_id
+ SubjectSid: correlation_session_id
+ SubjectUserName: correlation_username
+ SubjectDomainName: correlation_domain
+ SubjectLogonId: correlation_logon_id
+ pid: event_pid
+ ProccessId: pid
+ NewProcessName: image
+ ServiceName: service_name
+ Service: service_name
+ ServiceFileName: filename
+ EventID: vendor_id
+ SourceImage: parent_image
+ ImageLoaded: image_loaded
+ Description: image_description
+ ScriptBlockText: value
+ Product: image_product
+ Company: image_company
+ CurrentDirectory: path
+ ShareName: path
+ RelativeTargetName: filename
+ TargetName: value
+ Initiated: value
+ Accesses: access_mask
+ LDAPDisplayName: distinguished_name
+ AttributeLDAPDisplayName: distinguished_name
+ AttributeValue: value
+ ParentProcessId: parent_pid
+ SourceProcessId: source_pid
+ TargetProcessId: target_pid
+ Signed: signature
+ Status: value
+ TargetFilename: filename
+ FileName: filename
+ TargetObject: object_target
+ ObjectClass: object_type
+ ObjectValueName: object_name
+ ObjectName: object_name
+ DeviceClassName: object_name
+ CallTrace: calltrace
+ IpAddress: ip_src
+ WorkstationName: ip_src_host
+ Workstation: ip_src_host
+ DestinationIp: ip_dst
+ DestinationHostname: ip_dst_host
+ DestinationPort: ip_dport
+ DestAddress: ip_dst
+ DestPort: ip_dport
+ SourceAddress: ip_src
+ SourcePort: ip_sport
+ GrantedAccess: access_mask
+ StartModule: target_process_name
+ TargetProcessAddress: process_address
+ TicketOptions: sys.ticket.options
+ TicketEncryptionType: sys.ticket.encryption.type
+ DetectionSource: value
+ Priority: event_priority
+ event_type_id: vendor_id
+ destination.port: ip_dport
+ user: correlation_username
+ User: correlation_username
+ # Provider_Name: channel
+ c-referer: http_referer
+ cs-referer: http_referer
+ cs-host: http_host
+ cs-method: http_method
+ c-uri: http_path
+ c-uri-stem: http_path
+ cs-uri: http_path
+ cs-uri-stem: http_path
+ c-agent: http_user_agent
+ cs-agent: http_user_agent
+ c-useragent: http_user_agent
+ cs-useragent: http_user_agent
+ cs-user-agent: http_user_agent
+ c-ip: ip_src
+ cs-ip: ip_src
+ s-ip: ip_dst
+ sc-ip: ip_dst
+ c-username: correlation_username
+ cs-username: correlation_username
+ s-computername: ip_dst_host
+ cs-uri-query: http_query
+ c-uri-query: http_query
+ sc-status: http_status_code
+ sc-bytes: http_content_length
+ user-agent: http_user_agent
+ cs-User-Agent: http_user_agent
+ r-dns: http_host
+ id.orig_h: ip_src
+ id.orig_p: ip_sport
+ id.resp_h: ip_dst
+ id.resp_p: ip_dport
+ host: ip_src
+ hostname: ip_src_host
+ port_num: ip_dport
+ dst_port: ip_dport
+ query: dns_query
+ orig_ip_bytes: net_if_out_bytes
+ resp_ip_bytes: net_if_in_bytes
+ QNAME: qname
+ Channel: event_channel
diff --git a/tools/config/logpoint-windows.yml b/tools/config/logpoint-windows.yml
index c595abfd9..f66b38872 100644
--- a/tools/config/logpoint-windows.yml
+++ b/tools/config/logpoint-windows.yml
@@ -1,134 +1,149 @@
 title: Logpoint
 order: 20
 backends:
- - logpoint
+ - logpoint
 logsources:
- windows-security:
- product: windows
- service: security
- conditions:
- event_source: 'Microsoft-Windows-Security-Auditing'
- windows-system:
- product: windows
- service: system
- conditions:
- event_source: 'Microsoft-Windows-Security-Auditing'
- windows-dns-server:
- product: windows
- service: dns-server
- conditions:
- event_source: 'DNS Server'
- windows-driver-framework:
- product: windows
- service: driver-framework
- conditions:
- event_source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
- windows-dhcp:
- product: windows
- service: dhcp
- conditions:
- event_source: 'Microsoft-Windows-DHCP-Server/Operational'
- windows-ntlm:
- product: windows
- service: ntlm
- conditions:
- event_source: 'Microsoft-Windows-NTLM/Operational'
- windows-applocker:
- product: windows
- service: applocker
- conditions:
- event_source:
- - 'Microsoft-Windows-AppLocker/MSI and Script'
- - 'Microsoft-Windows-AppLocker/EXE and DLL'
- - 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- - 'Microsoft-Windows-AppLocker/Packaged app-Execution'
- windows-msexchange-management:
- product: windows
- service: msexchange-management
- conditions:
- event_source: 'MSExchange Management'
- windows-printservice-admin:
- product: windows
- service: printservice-admin
- conditions:
- event_source: 'Microsoft-Windows-PrintService/Admin'
- windows-printservice-operational:
- product: windows
- service: printservice-operational
- conditions:
- event_source: 'Microsoft-Windows-PrintService/Operational'
- windows-terminalservices-localsessionmanager-operational:
- product: windows
- service: terminalservices-localsessionmanager
- conditions:
- event_source: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
- windows-codeintegrity-operational:
- product: windows
- service: codeintegrity-operational
- conditions:
- event_source: 'Microsoft-Windows-CodeIntegrity/Operational'
- windows-smbclient-security:
- product: windows
- service: smbclient-security
- conditions:
- event_source: 'Microsoft-Windows-SmbClient/Security'
- windows-firewall-advanced-security:
- product: windows
- service: firewall-as
- conditions:
- event_source: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
- windows-bits-client:
- product: windows
- service: bits-client
- conditions:
- event_source: 'Microsoft-Windows-Bits-Client/Operational'
- windows-security-mitigations:
- product: windows
- service: security-mitigations
- conditions:
- event_source:
- - 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- - 'Microsoft-Windows-Security-Mitigations/User Mode'
- windows-diagnosis:
- product: windows
- service: diagnosis-scripted
- conditions:
- event_source: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
- windows-shell-core:
- product: windows
- service: shell-core
- conditions:
- event_source: 'Microsoft-Windows-Shell-Core/Operational'
- windows-openssh:
- product: windows
- service: openssh
- conditions:
- event_source: 'OpenSSH/Operational'
- windows-ldap-debug:
- product: windows
- service: ldap_debug
- conditions:
- event_source: 'Microsoft-Windows-LDAP-Client/Debug'
- windows-bitlocker:
- product: windows
- service: bitlocker
- conditions:
- event_source: 'Microsoft-Windows-BitLocker/BitLocker Management'
- windows-vhdmp-operational:
- product: windows
- service: vhdmp
- conditions:
- event_source: 'Microsoft-Windows-VHDMP/Operational'
- windows-appxdeployment-server:
- product: windows
- service: appxdeployment-server
- conditions:
- event_source: 'Microsoft-Windows-AppXDeploymentServer/Operational'
- windows-lsa-server:
- product: windows
- service: lsa-server
- conditions:
- event_source: 'Microsoft-Windows-LSA/Operational'
+ windows-security:
+ product: windows
+ service: security
+ conditions:
+ event_source: 'Microsoft-Windows-Security-Auditing'
+ windows-system:
+ product: windows
+ service: system + conditions: + event_source: 'Microsoft-Windows-Security-Auditing' + windows-dns-server: + product: windows + service: dns-server + conditions: + event_source: 'DNS Server' + windows-driver-framework: + product: windows + service: driver-framework + conditions: + event_source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' + windows-dhcp: + product: windows + service: dhcp + conditions: + event_source: 'Microsoft-Windows-DHCP-Server/Operational' + windows-ntlm: + product: windows + service: ntlm + conditions: + event_source: 'Microsoft-Windows-NTLM/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + event_source: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' + windows-msexchange-management: + product: windows + service: msexchange-management + conditions: + event_source: 'MSExchange Management' + windows-printservice-admin: + product: windows + service: printservice-admin + conditions: + event_source: 'Microsoft-Windows-PrintService/Admin' + windows-printservice-operational: + product: windows + service: printservice-operational + conditions: + event_source: 'Microsoft-Windows-PrintService/Operational' + windows-terminalservices-localsessionmanager-operational: + product: windows + service: terminalservices-localsessionmanager + conditions: + event_source: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + event_source: 'Microsoft-Windows-CodeIntegrity/Operational' + windows-smbclient-security: + product: windows + service: smbclient-security + conditions: + event_source: 'Microsoft-Windows-SmbClient/Security' + windows-firewall-advanced-security: + product: windows + service: firewall-as + conditions: + 
event_source: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' + windows-bits-client: + product: windows + service: bits-client + conditions: + event_source: 'Microsoft-Windows-Bits-Client/Operational' + windows-security-mitigations: + product: windows + service: security-mitigations + conditions: + event_source: + - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' + - 'Microsoft-Windows-Security-Mitigations/User Mode' + windows-diagnosis: + product: windows + service: diagnosis-scripted + conditions: + event_source: 'Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + conditions: + event_source: 'Microsoft-Windows-Shell-Core/Operational' + windows-openssh: + product: windows + service: openssh + conditions: + event_source: 'OpenSSH/Operational' + windows-ldap-debug: + product: windows + service: ldap_debug + conditions: + event_source: 'Microsoft-Windows-LDAP-Client/Debug' + windows-bitlocker: + product: windows + service: bitlocker + conditions: + event_source: 'Microsoft-Windows-BitLocker/BitLocker Management' + windows-vhdmp-operational: + product: windows + service: vhdmp + conditions: + event_source: 'Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + event_source: 'Microsoft-Windows-AppXDeploymentServer/Operational' + windows-lsa-server: + product: windows + service: lsa-server + conditions: + event_source: 'Microsoft-Windows-LSA/Operational' + windows-appxpackaging-om: + product: windows + service: appxpackaging-om + conditions: + event_source: 'Microsoft-Windows-AppxPackaging/Operational' + windows-dns-client: + product: windows + service: dns-client + conditions: + event_source: 'Microsoft-Windows-DNS Client Events/Operational' + windows-appmodel-runtime: + product: windows + service: appmodel-runtime + conditions: + event_source: 'Microsoft-Windows-AppModel-Runtime/Admin' 
fieldmappings:
 EventID: event_id
 FailureCode: result_code
diff --git a/tools/config/logstash-windows.yml b/tools/config/logstash-windows.yml
index cdf8d65f1..db51c787e 100644
--- a/tools/config/logstash-windows.yml
+++ b/tools/config/logstash-windows.yml
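Review bot: On the new side `windows-system` keeps `event_source: 'Microsoft-Windows-Security-Auditing'`, the same condition `windows-security` uses a few lines above, so a rule with `service: system` is translated into the same Logpoint filter as a Security-log rule and cannot select System events. This is carried over from the old side by the re-indent rather than introduced here, but it is worth fixing while the file is being touched; I cannot tell from this hunk which Logpoint `event_source` value corresponds to the System log, so please confirm it against the taxonomy or mark the gap with `# TODO: System log shares the Security-Auditing condition; verify the intended event_source`. Separately, the hunk re-indents the whole file and appends three functional additions (`windows-appxpackaging-om`, `windows-dns-client`, `windows-appmodel-runtime`) at the end; the same pattern appears in the logstash-windows.yml, powershell.yml and splunk-windows.yml hunks, and splitting the whitespace change from the additions would make the new log sources reviewable at a glance.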
@@ -1,153 +1,168 @@ title: Logstash Windows common log sources order: 20 backends: - - es-qs - - es-dsl - - es-rule - - kibana - - kibana-ndjson - - xpack-watcher - - elastalert - - elastalert-dsl - - ee-outliers + - es-qs + - es-dsl + - es-rule + - kibana + - kibana-ndjson + - xpack-watcher + - elastalert + - elastalert-dsl + - ee-outliers logsources: - windows: - product: windows - index: logstash-windows-* - windows-application: - product: windows - service: application - conditions: - Channel: Application - windows-security: - product: windows - service: security - conditions: - Channel: Security - windows-sysmon: - product: windows - service: sysmon - conditions: - Channel: Microsoft-Windows-Sysmon - windows-dns-server: - product: windows - service: dns-server - conditions: - Channel: 'DNS Server' - windows-driver-framework: - product: windows - service: driver-framework - conditions: - Channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' - windows-dhcp: - product: windows - service: dhcp - conditions: - Channel: 'Microsoft-Windows-DHCP-Server/Operational' - windows-defender: - product: windows - service: windefend - conditions: - Channel: 'Microsoft-Windows-Windows Defender/Operational' - windows-ntlm: - product: windows - service: ntlm - conditions: - Channel: 'Microsoft-Windows-NTLM/Operational' - windows-applocker: - product: windows - service: applocker - conditions: - Channel: - - 'Microsoft-Windows-AppLocker/MSI and Script' - - 'Microsoft-Windows-AppLocker/EXE and DLL' - - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' - - 'Microsoft-Windows-AppLocker/Packaged app-Execution' - windows-msexchange-management: - product: windows - service: msexchange-management - conditions: - Channel: 'MSExchange Management' - windows-printservice-admin: - product: windows - service: printservice-admin - conditions: - Channel: 'Microsoft-Windows-PrintService/Admin' - windows-printservice-operational: - product: windows - service: 
printservice-operational - conditions: - Channel: 'Microsoft-Windows-PrintService/Operational' - windows-terminalservices-localsessionmanager-operational: - product: windows - service: terminalservices-localsessionmanager - conditions: - Channel: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' - windows-codeintegrity-operational: - product: windows - service: codeintegrity-operational - conditions: - Channel: 'Microsoft-Windows-CodeIntegrity/Operational' - windows-smbclient-security: - product: windows - service: smbclient-security - conditions: - Channel: 'Microsoft-Windows-SmbClient/Security' - windows-firewall-advanced-security: - product: windows - service: firewall-as - conditions: - Channel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' - windows-bits-client: - product: windows - service: bits-client - conditions: - Channel: 'Microsoft-Windows-Bits-Client/Operational' - windows-security-mitigations: - product: windows - service: security-mitigations - conditions: - Channel: - - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' - - 'Microsoft-Windows-Security-Mitigations/User Mode' - windows-diagnosis: - product: windows - service: diagnosis-scripted - conditions: - Channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational' - windows-shell-core: - product: windows - service: shell-core - conditions: - Channel: 'Microsoft-Windows-Shell-Core/Operational' - windows-openssh: - product: windows - service: openssh - conditions: - Channel: 'OpenSSH/Operational' - windows-ldap-debug: - product: windows - service: ldap_debug - conditions: - Channel: 'Microsoft-Windows-LDAP-Client/Debug' - windows-bitlocker: - product: windows - service: bitlocker - conditions: - Channel: 'Microsoft-Windows-BitLocker/BitLocker Management' - windows-vhdmp-operational: - product: windows - service: vhdmp - conditions: - Channel: 'Microsoft-Windows-VHDMP/Operational' - windows-appxdeployment-server: - product: windows - service: 
appxdeployment-server - conditions: - Channel: 'Microsoft-Windows-AppXDeploymentServer/Operational' - windows-lsa-server: - product: windows - service: lsa-server - conditions: - Channel: 'Microsoft-Windows-LSA/Operational' + windows: + product: windows + index: logstash-windows-* + windows-application: + product: windows + service: application + conditions: + Channel: Application + windows-security: + product: windows + service: security + conditions: + Channel: Security + windows-sysmon: + product: windows + service: sysmon + conditions: + Channel: Microsoft-Windows-Sysmon + windows-dns-server: + product: windows + service: dns-server + conditions: + Channel: 'DNS Server' + windows-driver-framework: + product: windows + service: driver-framework + conditions: + Channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' + windows-dhcp: + product: windows + service: dhcp + conditions: + Channel: 'Microsoft-Windows-DHCP-Server/Operational' + windows-defender: + product: windows + service: windefend + conditions: + Channel: 'Microsoft-Windows-Windows Defender/Operational' + windows-ntlm: + product: windows + service: ntlm + conditions: + Channel: 'Microsoft-Windows-NTLM/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + Channel: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' + windows-msexchange-management: + product: windows + service: msexchange-management + conditions: + Channel: 'MSExchange Management' + windows-printservice-admin: + product: windows + service: printservice-admin + conditions: + Channel: 'Microsoft-Windows-PrintService/Admin' + windows-printservice-operational: + product: windows + service: printservice-operational + conditions: + Channel: 'Microsoft-Windows-PrintService/Operational' + 
windows-terminalservices-localsessionmanager-operational: + product: windows + service: terminalservices-localsessionmanager + conditions: + Channel: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + Channel: 'Microsoft-Windows-CodeIntegrity/Operational' + windows-smbclient-security: + product: windows + service: smbclient-security + conditions: + Channel: 'Microsoft-Windows-SmbClient/Security' + windows-firewall-advanced-security: + product: windows + service: firewall-as + conditions: + Channel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' + windows-bits-client: + product: windows + service: bits-client + conditions: + Channel: 'Microsoft-Windows-Bits-Client/Operational' + windows-security-mitigations: + product: windows + service: security-mitigations + conditions: + Channel: + - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' + - 'Microsoft-Windows-Security-Mitigations/User Mode' + windows-diagnosis: + product: windows + service: diagnosis-scripted + conditions: + Channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + conditions: + Channel: 'Microsoft-Windows-Shell-Core/Operational' + windows-openssh: + product: windows + service: openssh + conditions: + Channel: 'OpenSSH/Operational' + windows-ldap-debug: + product: windows + service: ldap_debug + conditions: + Channel: 'Microsoft-Windows-LDAP-Client/Debug' + windows-bitlocker: + product: windows + service: bitlocker + conditions: + Channel: 'Microsoft-Windows-BitLocker/BitLocker Management' + windows-vhdmp-operational: + product: windows + service: vhdmp + conditions: + Channel: 'Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + Channel: 'Microsoft-Windows-AppXDeploymentServer/Operational' + 
windows-lsa-server:
+ product: windows
+ service: lsa-server
+ conditions:
+ Channel: 'Microsoft-Windows-LSA/Operational'
+ windows-appxpackaging-om:
+ product: windows
+ service: appxpackaging-om
+ conditions:
+ Channel: 'Microsoft-Windows-AppxPackaging/Operational'
+ windows-dns-client:
+ product: windows
+ service: dns-client
+ conditions:
+ Channel: 'Microsoft-Windows-DNS Client Events/Operational'
+ windows-appmodel-runtime:
+ product: windows
+ service: appmodel-runtime
+ conditions:
+ Channel: 'Microsoft-Windows-AppModel-Runtime/Admin'
 defaultindex: logstash-*
diff --git a/tools/config/powershell.yml b/tools/config/powershell.yml
index e26815896..9a912c3c2 100644
--- a/tools/config/powershell.yml
+++ b/tools/config/powershell.yml
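Review bot: On the new side `Channel: Application`, `Channel: Security` and `Channel: Microsoft-Windows-Sysmon` are plain scalars while every other `Channel` value in the file is single-quoted; they still parse as strings, but the mixed style invites the next unquoted channel name to hit YAML's implicit typing, so `Channel: 'Application'`, `Channel: 'Security'`, `Channel: 'Microsoft-Windows-Sysmon'` would keep the file uniform. The sysmon entry also lacks the `/Operational` suffix that powershell.yml uses for the same service; if the Logstash pipeline stores the full channel name, this condition would never match, so it is worth confirming against an indexed event before relying on it.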
@@ -1,173 +1,188 @@ title: Logsource to LogName mappings for PowerShell backend order: 20 backends: - - powershell + - powershell logsources: - windows-application: - product: windows - service: application - conditions: - LogName: 'Application' - windows-security: - product: windows - service: security - conditions: - LogName: 'Security' - windows-system: - product: windows - service: system - conditions: - LogName: 'System' - windows-sysmon: - product: windows - service: sysmon - conditions: - LogName: 'Microsoft-Windows-Sysmon/Operational' - windows-powershell: - product: windows - service: powershell - conditions: - LogName: - - 'Microsoft-Windows-PowerShell/Operational' - - 'PowerShellCore/Operational' - windows-classicpowershell: - product: windows - service: powershell-classic - conditions: - LogName: 'Windows PowerShell' - windows-taskscheduler: - product: windows - service: taskscheduler - conditions: - LogName: 'Microsoft-Windows-TaskScheduler/Operational' - windows-wmi: - product: windows - service: wmi - conditions: - LogName: 'Microsoft-Windows-WMI-Activity/Operational' - windows-dns-server: - product: windows - service: dns-server - conditions: - LogName: 'DNS Server' - windows-dns-server-audit: - product: windows - service: dns-server-audit - conditions: - LogName: 'Microsoft-Windows-DNS-Server/Audit' - windows-driver-framework: - product: windows - service: driver-framework - conditions: - LogName: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' - windows-ntlm: - product: windows - service: ntlm - conditions: - LogName: 'Microsoft-Windows-NTLM/Operational' - windows-dhcp: - product: windows - service: dhcp - conditions: - LogName: 'Microsoft-Windows-DHCP-Server/Operational' - windows-defender: - product: windows - service: windefend - conditions: - LogName: 'Microsoft-Windows-Windows Defender/Operational' - windows-applocker: - product: windows - service: applocker - conditions: - LogName: - - 'Microsoft-Windows-AppLocker/MSI and Script' - 
- 'Microsoft-Windows-AppLocker/EXE and DLL' - - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' - - 'Microsoft-Windows-AppLocker/Packaged app-Execution' - windows-msexchange-management: - product: windows - service: msexchange-management - conditions: - LogName: 'MSExchange Management' - windows-printservice-admin: - product: windows - service: printservice-admin - conditions: - LogName: 'Microsoft-Windows-PrintService/Admin' - windows-printservice-operational: - product: windows - service: printservice-operational - conditions: - LogName: 'Microsoft-Windows-PrintService/Operational' - windows-terminalservices-localsessionmanager-operational: - product: windows - service: terminalservices-localsessionmanager - conditions: - LogName: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' - windows-codeintegrity-operational: - product: windows - service: codeintegrity-operational - conditions: - LogName: 'Microsoft-Windows-CodeIntegrity/Operational' - windows-smbclient-security: - product: windows - service: smbclient-security - conditions: - LogName: 'Microsoft-Windows-SmbClient/Security' - windows-firewall-advanced-security: - product: windows - service: firewall-as - conditions: - LogName: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' - windows-bits-client: - product: windows - service: bits-client - conditions: - LogName: 'Microsoft-Windows-Bits-Client/Operational' - windows-security-mitigations: - product: windows - service: security-mitigations - conditions: - LogName: - - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' - - 'Microsoft-Windows-Security-Mitigations/User Mode' - windows-diagnosis: - product: windows - service: diagnosis-scripted - conditions: - LogName: 'Microsoft-Windows-Diagnosis-Scripted/Operational' - windows-shell-core: - product: windows - service: shell-core - conditions: - LogName: 'Microsoft-Windows-Shell-Core/Operational' - windows-openssh: - product: windows - service: openssh - 
conditions: - LogName: 'OpenSSH/Operational' - windows-ldap-debug: - product: windows - service: ldap_debug - conditions: - LogName: 'Microsoft-Windows-LDAP-Client/Debug' - windows-bitlocker: - product: windows - service: bitlocker - conditions: - LogName: 'Microsoft-Windows-BitLocker/BitLocker Management' - windows-vhdmp-operational: - product: windows - service: vhdmp - conditions: - LogName: 'Microsoft-Windows-VHDMP/Operational' - windows-appxdeployment-server: - product: windows - service: appxdeployment-server - conditions: - LogName: 'Microsoft-Windows-AppXDeploymentServer/Operational' - windows-lsa-server: - product: windows - service: lsa-server - conditions: - LogName: 'Microsoft-Windows-LSA/Operational' + windows-application: + product: windows + service: application + conditions: + LogName: 'Application' + windows-security: + product: windows + service: security + conditions: + LogName: 'Security' + windows-system: + product: windows + service: system + conditions: + LogName: 'System' + windows-sysmon: + product: windows + service: sysmon + conditions: + LogName: 'Microsoft-Windows-Sysmon/Operational' + windows-powershell: + product: windows + service: powershell + conditions: + LogName: + - 'Microsoft-Windows-PowerShell/Operational' + - 'PowerShellCore/Operational' + windows-classicpowershell: + product: windows + service: powershell-classic + conditions: + LogName: 'Windows PowerShell' + windows-taskscheduler: + product: windows + service: taskscheduler + conditions: + LogName: 'Microsoft-Windows-TaskScheduler/Operational' + windows-wmi: + product: windows + service: wmi + conditions: + LogName: 'Microsoft-Windows-WMI-Activity/Operational' + windows-dns-server: + product: windows + service: dns-server + conditions: + LogName: 'DNS Server' + windows-dns-server-audit: + product: windows + service: dns-server-audit + conditions: + LogName: 'Microsoft-Windows-DNS-Server/Audit' + windows-driver-framework: + product: windows + service: driver-framework + 
conditions: + LogName: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' + windows-ntlm: + product: windows + service: ntlm + conditions: + LogName: 'Microsoft-Windows-NTLM/Operational' + windows-dhcp: + product: windows + service: dhcp + conditions: + LogName: 'Microsoft-Windows-DHCP-Server/Operational' + windows-defender: + product: windows + service: windefend + conditions: + LogName: 'Microsoft-Windows-Windows Defender/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + LogName: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' + windows-msexchange-management: + product: windows + service: msexchange-management + conditions: + LogName: 'MSExchange Management' + windows-printservice-admin: + product: windows + service: printservice-admin + conditions: + LogName: 'Microsoft-Windows-PrintService/Admin' + windows-printservice-operational: + product: windows + service: printservice-operational + conditions: + LogName: 'Microsoft-Windows-PrintService/Operational' + windows-terminalservices-localsessionmanager-operational: + product: windows + service: terminalservices-localsessionmanager + conditions: + LogName: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + LogName: 'Microsoft-Windows-CodeIntegrity/Operational' + windows-smbclient-security: + product: windows + service: smbclient-security + conditions: + LogName: 'Microsoft-Windows-SmbClient/Security' + windows-firewall-advanced-security: + product: windows + service: firewall-as + conditions: + LogName: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' + windows-bits-client: + product: windows + service: bits-client + conditions: + LogName: 
'Microsoft-Windows-Bits-Client/Operational'
+ windows-security-mitigations:
+ product: windows
+ service: security-mitigations
+ conditions:
+ LogName:
+ - 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
+ - 'Microsoft-Windows-Security-Mitigations/User Mode'
+ windows-diagnosis:
+ product: windows
+ service: diagnosis-scripted
+ conditions:
+ LogName: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
+ windows-shell-core:
+ product: windows
+ service: shell-core
+ conditions:
+ LogName: 'Microsoft-Windows-Shell-Core/Operational'
+ windows-openssh:
+ product: windows
+ service: openssh
+ conditions:
+ LogName: 'OpenSSH/Operational'
+ windows-ldap-debug:
+ product: windows
+ service: ldap_debug
+ conditions:
+ LogName: 'Microsoft-Windows-LDAP-Client/Debug'
+ windows-bitlocker:
+ product: windows
+ service: bitlocker
+ conditions:
+ LogName: 'Microsoft-Windows-BitLocker/BitLocker Management'
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ LogName: 'Microsoft-Windows-VHDMP/Operational'
+ windows-appxdeployment-server:
+ product: windows
+ service: appxdeployment-server
+ conditions:
+ LogName: 'Microsoft-Windows-AppXDeploymentServer/Operational'
+ windows-lsa-server:
+ product: windows
+ service: lsa-server
+ conditions:
+ LogName: 'Microsoft-Windows-LSA/Operational'
+ windows-appxpackaging-om:
+ product: windows
+ service: appxpackaging-om
+ conditions:
+ LogName: 'Microsoft-Windows-AppxPackaging/Operational'
+ windows-dns-client:
+ product: windows
+ service: dns-client
+ conditions:
+ LogName: 'Microsoft-Windows-DNS Client Events/Operational'
+ windows-appmodel-runtime:
+ product: windows
+ service: appmodel-runtime
+ conditions:
+ LogName: 'Microsoft-Windows-AppModel-Runtime/Admin'
diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml
index a9f42d18d..bb5177e05 100644
--- a/tools/config/splunk-windows.yml
+++ b/tools/config/splunk-windows.yml
@@ -1,195 +1,210 @@ title: Splunk Windows log source conditions order: 20 backends: - - splunk - - splunkxml - - splunkdm + - splunk + - splunkxml + - splunkdm logsources: - windows-application: - product: windows - service: application - conditions: - source: 'WinEventLog:Application' - windows-security: - product: windows - service: security - conditions: - source: 'WinEventLog:Security' - windows-system: - product: windows - service: system - conditions: - source: 'WinEventLog:System' - windows-sysmon: - product: windows - service: sysmon - conditions: - source: 'WinEventLog:Microsoft-Windows-Sysmon/Operational' - windows-process-creation: - product: windows - service: sysmon - category: process_creation - # Optimized search for process creation, being dramatically faster in Lispy than just EventCode=1 search, as 'ParentProcessGuid' is more unique than '1' in the raw data. - # This also supports custom splunk macros, just like they are written in splunk (i.e. as `macro`), minding that it has to be written inside the string quotes here. 
- search: 'ParentProcessGuid EventCode=1' - windows-file-creation: - product: windows - service: sysmon - category: file_creation - search: 'TargetFilename EventCode=11' - windows-powershell: - product: windows - service: powershell - conditions: - source: - - 'WinEventLog:Microsoft-Windows-PowerShell/Operational' - - 'WinEventLog:PowerShellCore/Operational' - windows-classicpowershell: - product: windows - service: powershell-classic - conditions: - source: 'WinEventLog:Windows PowerShell' - windows-taskscheduler: - product: windows - service: taskscheduler - conditions: - source: 'WinEventLog:Microsoft-Windows-TaskScheduler/Operational' - windows-wmi: - product: windows - service: wmi - conditions: - source: 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational' - windows-dns-server: - product: windows - service: dns-server - category: dns - conditions: - source: 'WinEventLog:DNS Server' - windows-dns-server-audit: - product: windows - service: dns-server-audit - conditions: - source: 'WinEventLog:Microsoft-Windows-DNS-Server/Audit' - windows-driver-framework: - product: windows - service: driver-framework - conditions: - source: 'WinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational' - windows-ntlm: - product: windows - service: ntlm - conditions: - source: 'WinEventLog:Microsoft-Windows-NTLM/Operational' - windows-dhcp: - product: windows - service: dhcp - conditions: - source: 'WinEventLog:Microsoft-Windows-DHCP-Server/Operational' - windows-applocker: - product: windows - service: applocker - conditions: - source: - - 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script' - - 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL' - - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment' - - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution' - windows-msexchange-management: - product: windows - service: msexchange-management - conditions: - source: 'WinEventLog:MSExchange Management' - windows-printservice-admin: - 
product: windows - service: printservice-admin - conditions: - source: 'WinEventLog:Microsoft-Windows-PrintService/Admin' - windows-printservice-operational: - product: windows - service: printservice-operational - conditions: - source: 'WinEventLog:Microsoft-Windows-PrintService/Operational' - windows-terminalservices-localsessionmanager-operational: - product: windows - service: terminalservices-localsessionmanager - conditions: - source: 'WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' - windows-codeintegrity-operational: - product: windows - service: codeintegrity-operational - conditions: - source: 'WinEventLog:Microsoft-Windows-CodeIntegrity/Operational' - windows-smbclient-security: - product: windows - service: smbclient-security - conditions: - source: 'WinEventLog:Microsoft-Windows-SmbClient/Security' - windows-rpc-firewall: - product: rpc_firewall - category: application - conditions: - source: 'WinEventLog:RPCFW' - windows-firewall-advanced-security: - product: windows - service: firewall-as - conditions: - source: 'WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' - windows-bits-client: - product: windows - service: bits-client - conditions: - source: 'WinEventLog:Microsoft-Windows-Bits-Client/Operational' - windows-security-mitigations: - product: windows - service: security-mitigations - conditions: - source: - - 'WinEventLog:Microsoft-Windows-Security-Mitigations/Kernel Mode' - - 'WinEventLog:Microsoft-Windows-Security-Mitigations/User Mode' - windows-diagnosis: - product: windows - service: diagnosis-scripted - conditions: - source: 'WinEventLog:Microsoft-Windows-Diagnosis-Scripted/Operational' - windows-shell-core: - product: windows - service: shell-core - conditions: - source: 'WinEventLog:Microsoft-Windows-Shell-Core/Operational' - windows-openssh: - product: windows - service: openssh - conditions: - source: 'WinEventLog:OpenSSH/Operational' - windows-ldap-debug: - product: windows 
- service: ldap_debug - conditions: - source: 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug' - windows-bitlocker: - product: windows - service: bitlocker - conditions: - source: 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management' - windows-defender: - product: windows - service: windefend - conditions: - source: 'WinEventLog:Microsoft-Windows-Windows Defender/Operational' - windows-vhdmp-operational: - product: windows - service: vhdmp - conditions: - source: 'WinEventLog:Microsoft-Windows-VHDMP/Operational' - windows-appxdeployment-server: - product: windows - service: appxdeployment-server - conditions: - source: 'WinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational' - windows-lsa-server: - product: windows - service: lsa-server - conditions: - source: 'WinEventLog:Microsoft-Windows-LSA/Operational' + windows-application: + product: windows + service: application + conditions: + source: 'WinEventLog:Application' + windows-security: + product: windows + service: security + conditions: + source: 'WinEventLog:Security' + windows-system: + product: windows + service: system + conditions: + source: 'WinEventLog:System' + windows-sysmon: + product: windows + service: sysmon + conditions: + source: 'WinEventLog:Microsoft-Windows-Sysmon/Operational' + windows-process-creation: + product: windows + service: sysmon + category: process_creation + # Optimized search for process creation, being dramatically faster in Lispy than just EventCode=1 search, as 'ParentProcessGuid' is more unique than '1' in the raw data. + # This also supports custom splunk macros, just like they are written in splunk (i.e. as `macro`), minding that it has to be written inside the string quotes here. 
+ search: 'ParentProcessGuid EventCode=1' + windows-file-creation: + product: windows + service: sysmon + category: file_creation + search: 'TargetFilename EventCode=11' + windows-powershell: + product: windows + service: powershell + conditions: + source: + - 'WinEventLog:Microsoft-Windows-PowerShell/Operational' + - 'WinEventLog:PowerShellCore/Operational' + windows-classicpowershell: + product: windows + service: powershell-classic + conditions: + source: 'WinEventLog:Windows PowerShell' + windows-taskscheduler: + product: windows + service: taskscheduler + conditions: + source: 'WinEventLog:Microsoft-Windows-TaskScheduler/Operational' + windows-wmi: + product: windows + service: wmi + conditions: + source: 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational' + windows-dns-server: + product: windows + service: dns-server + category: dns + conditions: + source: 'WinEventLog:DNS Server' + windows-dns-server-audit: + product: windows + service: dns-server-audit + conditions: + source: 'WinEventLog:Microsoft-Windows-DNS-Server/Audit' + windows-driver-framework: + product: windows + service: driver-framework + conditions: + source: 'WinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational' + windows-ntlm: + product: windows + service: ntlm + conditions: + source: 'WinEventLog:Microsoft-Windows-NTLM/Operational' + windows-dhcp: + product: windows + service: dhcp + conditions: + source: 'WinEventLog:Microsoft-Windows-DHCP-Server/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + source: + - 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script' + - 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL' + - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution' + windows-msexchange-management: + product: windows + service: msexchange-management + conditions: + source: 'WinEventLog:MSExchange Management' + windows-printservice-admin: + 
product: windows + service: printservice-admin + conditions: + source: 'WinEventLog:Microsoft-Windows-PrintService/Admin' + windows-printservice-operational: + product: windows + service: printservice-operational + conditions: + source: 'WinEventLog:Microsoft-Windows-PrintService/Operational' + windows-terminalservices-localsessionmanager-operational: + product: windows + service: terminalservices-localsessionmanager + conditions: + source: 'WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + source: 'WinEventLog:Microsoft-Windows-CodeIntegrity/Operational' + windows-smbclient-security: + product: windows + service: smbclient-security + conditions: + source: 'WinEventLog:Microsoft-Windows-SmbClient/Security' + windows-rpc-firewall: + product: rpc_firewall + category: application + conditions: + source: 'WinEventLog:RPCFW' + windows-firewall-advanced-security: + product: windows + service: firewall-as + conditions: + source: 'WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' + windows-bits-client: + product: windows + service: bits-client + conditions: + source: 'WinEventLog:Microsoft-Windows-Bits-Client/Operational' + windows-security-mitigations: + product: windows + service: security-mitigations + conditions: + source: + - 'WinEventLog:Microsoft-Windows-Security-Mitigations/Kernel Mode' + - 'WinEventLog:Microsoft-Windows-Security-Mitigations/User Mode' + windows-diagnosis: + product: windows + service: diagnosis-scripted + conditions: + source: 'WinEventLog:Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + conditions: + source: 'WinEventLog:Microsoft-Windows-Shell-Core/Operational' + windows-openssh: + product: windows + service: openssh + conditions: + source: 'WinEventLog:OpenSSH/Operational' + windows-ldap-debug: + product: windows 
+ service: ldap_debug + conditions: + source: 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug' + windows-bitlocker: + product: windows + service: bitlocker + conditions: + source: 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management' + windows-defender: + product: windows + service: windefend + conditions: + source: 'WinEventLog:Microsoft-Windows-Windows Defender/Operational' + windows-vhdmp-operational: + product: windows + service: vhdmp + conditions: + source: 'WinEventLog:Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + source: 'WinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational' + windows-lsa-server: + product: windows + service: lsa-server + conditions: + source: 'WinEventLog:Microsoft-Windows-LSA/Operational' + windows-appxpackaging-om: + product: windows + service: appxpackaging-om + conditions: + source: 'WinEventLog:Microsoft-Windows-AppxPackaging/Operational' + windows-dns-client: + product: windows + service: dns-client + conditions: + source: 'WinEventLog:Microsoft-Windows-DNS Client Events/Operational' + windows-appmodel-runtime: + product: windows + service: appmodel-runtime + conditions: + source: 'WinEventLog:Microsoft-Windows-AppModel-Runtime/Admin' fieldmappings: EventID: EventCode diff --git a/tools/config/sumologic.yml b/tools/config/sumologic.yml index c6addce9d..e5e427726 100644 --- a/tools/config/sumologic.yml +++ b/tools/config/sumologic.yml 
@@ -1,200 +1,241 @@ title: SumoLogic order: 20 backends: - - sumologic + - sumologic afl_fields: - - _index - - EventID - - CommandLine - - NewProcessName - - Image - - ParentImage - - ParentCommandLine - - ParentProcessName + - _index + - EventID + - CommandLine + - NewProcessName + - Image + - ParentImage + - ParentCommandLine + - ParentProcessName # Sumulogic mapping depends on customer configuration. Adapt to your context! # typically rule on _sourceCategory, _index or Field Extraction Rules (FER) # supposing existing FER for service, EventChannel, EventID logsources: - unix: - product: unix - index: UNIX - linux: - product: linux - index: LINUX - linux-sshd: - product: linux - service: sshd - index: LINUX - linux-auth: - product: linux - service: auth - index: LINUX - linux-clamav: - product: linux - service: clamav - index: LINUX - windows: - product: windows - index: WINDOWS - windows-sysmon: - product: windows - service: sysmon - conditions: - EventChannel: Microsoft-Windows-Sysmon - index: WINDOWS - windows-security: - product: windows - service: security - conditions: - EventChannel: Security - index: WINDOWS - windows-powershell: - product: windows - service: powershell - conditions: - EventChannel: - - Microsoft-Windows-Powershell - - PowerShellCore - index: WINDOWS - windows-system: - product: windows - service: system - conditions: - EventChannel: System - index: WINDOWS - windows-dhcp: - product: windows - service: dhcp - conditions: - EventChannel: Microsoft-Windows-DHCP-Server - index: WINDOWS - windows-ntlm: - product: windows - service: ntlm - conditions: - EventChannel: 'Microsoft-Windows-NTLM/Operational' - windows-printservice-admin: - product: windows - service: printservice-admin - conditions: - EventChannel: 'Microsoft-Windows-PrintService/Admin' - windows-printservice-operational: - product: windows - service: printservice-operational - conditions: - EventChannel: 'Microsoft-Windows-PrintService/Operational' - 
windows-terminalservices-localsessionmanager-operational: - product: windows - service: terminalservices-localsessionmanager - conditions: - EventChannel: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' - windows-codeintegrity-operational: - product: windows - service: codeintegrity-operational - conditions: - EventChannel: 'Microsoft-Windows-CodeIntegrity/Operational' - windows-smbclient-security: - product: windows - service: smbclient-security - conditions: - EventChannel: 'Microsoft-Windows-SmbClient/Security' - windows-msexchange-management: - product: windows - service: msexchange-management - conditions: - EventChannel: 'MSExchange Management' - windows-firewall-advanced-security: - product: windows - service: firewall-as - conditions: - EventChannel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' - windows-bits-client: - product: windows - service: bits-client - conditions: - EventChannel: 'Microsoft-Windows-Bits-Client/Operational' - windows-security-mitigations: - product: windows - service: security-mitigations - conditions: - EventChannel: - - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' - - 'Microsoft-Windows-Security-Mitigations/User Mode' - windows-diagnosis: - product: windows - service: diagnosis-scripted - conditions: - EventChannel: 'Microsoft-Windows-Diagnosis-Scripted/Operational' - windows-shell-core: - product: windows - service: shell-core - conditions: - EventChannel: 'Microsoft-Windows-Shell-Core/Operational' - windows-openssh: - product: windows - service: openssh - conditions: - EventChannel: 'OpenSSH/Operational' - windows-ldap-debug: - product: windows - service: ldap_debug - conditions: - source: 'Microsoft-Windows-LDAP-Client/Debug' - windows-bitlocker: - product: windows - service: bitlocker - conditions: - source: 'Microsoft-Windows-BitLocker/BitLocker Management' - windows-vhdmp-operational: - product: windows - service: vhdmp - conditions: - source: 
'Microsoft-Windows-VHDMP/Operational' - windows-appxdeployment-server: - product: windows - service: appxdeployment-server - conditions: - source: 'Microsoft-Windows-AppXDeploymentServer/Operational' - apache: - service: apache - index: WEBSERVER - apache2: - service: apache - index: WEBSERVER - webserver: - category: webserver - index: WEBSERVER - firewall: - category: firewall - index: FIREWALL - firewall2: - product: firewall - index: FIREWALL - network-dns: - category: dns - index: DNS - network-dns2: - product: dns - index: DNS - proxy: - category: proxy - index: PROXY - antivirus: - category: antivirus - index: ANTIVIRUS - application-sql: - product: sql - index: DATABASE - application-python: - product: python - index: APPLICATIONS - application-django: - product: django - index: DJANGO - application-rails: - product: rails - index: RAILS - application-spring: - product: spring - index: SPRING + unix: + product: unix + index: UNIX + linux: + product: linux + index: LINUX + linux-sshd: + product: linux + service: sshd + index: LINUX + linux-auth: + product: linux + service: auth + index: LINUX + linux-clamav: + product: linux + service: clamav + index: LINUX + windows: + product: windows + index: WINDOWS + windows-sysmon: + product: windows + service: sysmon + conditions: + EventChannel: Microsoft-Windows-Sysmon + index: WINDOWS + windows-security: + product: windows + service: security + conditions: + EventChannel: Security + index: WINDOWS + windows-powershell: + product: windows + service: powershell + conditions: + EventChannel: + - Microsoft-Windows-Powershell + - PowerShellCore + index: WINDOWS + windows-system: + product: windows + service: system + conditions: + EventChannel: System + index: WINDOWS + windows-dhcp: + product: windows + service: dhcp + conditions: + EventChannel: Microsoft-Windows-DHCP-Server + index: WINDOWS + windows-ntlm: + product: windows + service: ntlm + conditions: + EventChannel: 'Microsoft-Windows-NTLM/Operational' + index: 
WINDOWS + windows-printservice-admin: + product: windows + service: printservice-admin + conditions: + EventChannel: 'Microsoft-Windows-PrintService/Admin' + index: WINDOWS + windows-printservice-operational: + product: windows + service: printservice-operational + conditions: + EventChannel: 'Microsoft-Windows-PrintService/Operational' + index: WINDOWS + windows-terminalservices-localsessionmanager-operational: + product: windows + service: terminalservices-localsessionmanager + conditions: + EventChannel: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' + index: WINDOWS + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + EventChannel: 'Microsoft-Windows-CodeIntegrity/Operational' + index: WINDOWS + windows-smbclient-security: + product: windows + service: smbclient-security + conditions: + EventChannel: 'Microsoft-Windows-SmbClient/Security' + index: WINDOWS + windows-msexchange-management: + product: windows + service: msexchange-management + conditions: + EventChannel: 'MSExchange Management' + index: WINDOWS + windows-firewall-advanced-security: + product: windows + service: firewall-as + conditions: + EventChannel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' + index: WINDOWS + windows-bits-client: + product: windows + service: bits-client + conditions: + EventChannel: 'Microsoft-Windows-Bits-Client/Operational' + index: WINDOWS + windows-security-mitigations: + product: windows + service: security-mitigations + conditions: + EventChannel: + - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' + - 'Microsoft-Windows-Security-Mitigations/User Mode' + index: WINDOWS + windows-diagnosis: + product: windows + service: diagnosis-scripted + conditions: + EventChannel: 'Microsoft-Windows-Diagnosis-Scripted/Operational' + index: WINDOWS + windows-shell-core: + product: windows + service: shell-core + conditions: + EventChannel: 
'Microsoft-Windows-Shell-Core/Operational' + index: WINDOWS + windows-openssh: + product: windows + service: openssh + conditions: + EventChannel: 'OpenSSH/Operational' + index: WINDOWS + windows-ldap-debug: + product: windows + service: ldap_debug + conditions: + EventChannel: 'Microsoft-Windows-LDAP-Client/Debug' + index: WINDOWS + windows-bitlocker: + product: windows + service: bitlocker + conditions: + EventChannel: 'Microsoft-Windows-BitLocker/BitLocker Management' + index: WINDOWS + windows-vhdmp-operational: + product: windows + service: vhdmp + conditions: + EventChannel: 'Microsoft-Windows-VHDMP/Operational' + index: WINDOWS + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + EventChannel: 'Microsoft-Windows-AppXDeploymentServer/Operational' + index: WINDOWS + windows-lsa-server: + product: windows + service: lsa-server + conditions: + EventChannel: 'Microsoft-Windows-LSA/Operational' + index: WINDOWS + windows-appxpackaging-om: + product: windows + service: appxpackaging-om + conditions: + EventChannel: 'Microsoft-Windows-AppxPackaging/Operational' + index: WINDOWS + windows-dns-client: + product: windows + service: dns-client + conditions: + EventChannel: 'Microsoft-Windows-DNS Client Events/Operational' + index: WINDOWS + windows-appmodel-runtime: + product: windows + service: appmodel-runtime + conditions: + EventChannel: 'Microsoft-Windows-AppModel-Runtime/Admin' + index: WINDOWS + apache: + service: apache + index: WEBSERVER + apache2: + service: apache + index: WEBSERVER + webserver: + category: webserver + index: WEBSERVER + firewall: + category: firewall + index: FIREWALL + firewall2: + product: firewall + index: FIREWALL + network-dns: + category: dns + index: DNS + network-dns2: + product: dns + index: DNS + proxy: + category: proxy + index: PROXY + antivirus: + category: antivirus + index: ANTIVIRUS + application-sql: + product: sql + index: DATABASE + application-python: + product: python + 
index: APPLICATIONS + application-django: + product: django + index: DJANGO + application-rails: + product: rails + index: RAILS + application-spring: + product: spring + index: SPRING # if no index, search in all indexes diff --git a/tools/config/thor.yml b/tools/config/thor.yml index f62d844c3..bdc8238a2 100644 --- a/tools/config/thor.yml +++ b/tools/config/thor.yml 
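Review bot: The added logsources use full channel paths (`EventChannel: 'Microsoft-Windows-AppModel-Runtime/Admin'`, `'Microsoft-Windows-DNS Client Events/Operational'`) while the retained `windows-sysmon` and `windows-powershell` entries still match on bare provider names (`Microsoft-Windows-Sysmon`, `Microsoft-Windows-Powershell`), so which of the two forms actually matches depends on whether the site's Field Extraction Rule yields the provider or the full `Provider/Channel` string; since the header comment already says the mapping depends on the customer's FER, a short comment on the new entries such as `# EventChannel values below expect the full Provider/Channel string from the FER` would save a reader from discovering the mismatch only when a search returns nothing. Separately, unlike the splunk and thor configurations touched in this same commit, the sumologic logsources still have no entry for the `windefend`, `applocker`, `taskscheduler` or `wmi` services, so rules for those services presumably fall through to the generic `windows` entry and are only narrowed to `index: WINDOWS` with no channel restriction, which silently widens those detections to every Windows event in the index. If that is intentional, a comment saying so would help; otherwise adding the missing services in the same shape as the new `windows-lsa-server` entry closes the gap, for example:

```yaml
# … unchanged: other windows-* logsource entries …
  windows-defender:
    product: windows
    service: windefend
    conditions:
      EventChannel: 'Microsoft-Windows-Windows Defender/Operational'
    index: WINDOWS
```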
@@ -1,458 +1,473 @@ title: THOR order: 20 backends: - - thor + - thor # this configuration differs from other configurations and can not be used # with the sigmac tool. This configuration is used by the ioc scanners THOR and SPARK. logsources: - # log source configurations for generic sigma rules - process_creation_1: - category: process_creation - product: windows - conditions: - EventID: 1 - rewrite: - product: windows - service: sysmon - process_creation_2: - category: process_creation - product: windows - conditions: - EventID: 4688 - rewrite: - product: windows - service: security - fieldmappings: - Image: NewProcessName - ParentImage: ParentProcessName - network_connection: - category: network_connection - product: windows - conditions: - EventID: 3 - rewrite: - product: windows - service: sysmon - sysmon_status1: - category: sysmon_status - product: windows - conditions: - EventID: 4 - rewrite: - product: windows - service: sysmon - sysmon_status2: - category: sysmon_status - product: windows - conditions: - EventID: 16 - rewrite: - product: windows - service: sysmon - process_terminated: - category: process_termination - product: windows - conditions: - EventID: 5 - rewrite: - product: windows - service: sysmon - driver_loaded: - category: driver_load - product: windows - conditions: - EventID: 6 - rewrite: - product: windows - service: sysmon - image_loaded: - category: image_load - product: windows - conditions: - EventID: 7 - rewrite: - product: windows - service: sysmon - create_remote_thread: - category: create_remote_thread - product: windows - conditions: - EventID: 8 - rewrite: - product: windows - service: sysmon - raw_access_thread: - category: raw_access_thread - product: windows - conditions: - EventID: 9 - rewrite: - product: windows - service: sysmon - process_access: - category: process_access - product: windows - conditions: - EventID: 10 - rewrite: - product: windows - service: sysmon - file_creation: - category: file_event - product: 
windows - conditions: - EventID: 11 - rewrite: - product: windows - service: sysmon - registry_event1: - category: registry_event - product: windows - conditions: - EventID: 12 - rewrite: - product: windows - service: sysmon - registry_event2: - category: registry_event - product: windows - conditions: - EventID: 13 - rewrite: - product: windows - service: sysmon - registry_event3: - category: registry_event - product: windows - conditions: - EventID: 14 - rewrite: - product: windows - service: sysmon - registry_add: - category: registry_add - product: windows - conditions: - EventID: 12 - rewrite: - product: windows - service: sysmon - registry_delete: - category: registry_delete - product: windows - conditions: - EventID: 12 - rewrite: - product: windows - service: sysmon - registry_set: - category: registry_set - product: windows - conditions: - EventID: 13 - rewrite: - product: windows - service: sysmon - registry_rename: - category: registry_rename - product: windows - conditions: - EventID: 14 - rewrite: - product: windows - service: sysmon - create_stream_hash: - category: create_stream_hash - product: windows - conditions: - EventID: 15 - rewrite: - product: windows - service: sysmon - pipe_created1: - category: pipe_created - product: windows - conditions: - EventID: 17 - rewrite: - product: windows - service: sysmon - pipe_created2: - category: pipe_created - product: windows - conditions: - EventID: 18 - rewrite: - product: windows - service: sysmon - wmi_event1: - category: wmi_event - product: windows - conditions: - EventID: 19 - rewrite: - product: windows - service: sysmon - wmi_event2: - category: wmi_event - product: windows - conditions: - EventID: 20 - rewrite: - product: windows - service: sysmon - wmi_event3: - category: wmi_event - product: windows - conditions: - EventID: 21 - rewrite: - product: windows - service: sysmon - dns_query: - category: dns_query - product: windows - conditions: - EventID: 22 - rewrite: - product: windows - 
service: sysmon - file_delete: - category: file_delete - product: windows - conditions: - EventID: 23 - rewrite: - product: windows - service: sysmon - file_block: - category: file_block - product: windows - conditions: - EventID: 27 - rewrite: - product: windows - service: sysmon - sysmon_error: - category: sysmon_error - product: windows - conditions: - EventID: 255 - rewrite: - product: windows - service: sysmon - #PowerShell Operational - ps_module: - category: ps_module - product: windows - conditions: - EventID: 4103 - rewrite: - product: windows - service: powershell - ps_script: - category: ps_script - product: windows - conditions: - EventID: 4104 - rewrite: - product: windows - service: powershell - #Powershell "classic" channel - ps_classic_start: - category: ps_classic_start - product: windows - conditions: - EventID: 400 - rewrite: - product: windows - service: powershell-classic - ps_classic_provider_start: - category: ps_classic_provider_start - product: windows - conditions: - EventID: 600 - rewrite: - product: windows - service: powershell-classic - ps_classic_script: - category: ps_classic_script - product: windows - conditions: - EventID: 800 - rewrite: - product: windows - service: powershell-classic - # target system configurations - windows-application: - product: windows - service: application - sources: - - "WinEventLog:Application" - windows-security: - product: windows - service: security - sources: - - "WinEventLog:Security" - windows-system: - product: windows - service: system - sources: - - "WinEventLog:System" - windows-ntlm: - product: windows - service: ntlm - sources: - - "WinEventLog:Microsoft-Windows-NTLM/Operational" - windows-sysmon: - product: windows - service: sysmon - sources: - - "WinEventLog:Microsoft-Windows-Sysmon/Operational" - windows-powershell: - product: windows - service: powershell - sources: - - "WinEventLog:Microsoft-Windows-PowerShell/Operational" - - "WinEventLog:PowerShellCore/Operational" - 
windows-classicpowershell: - product: windows - service: powershell-classic - sources: - - "WinEventLog:Windows PowerShell" - windows-taskscheduler: - product: windows - service: taskscheduler - sources: - - "WinEventLog:Microsoft-Windows-TaskScheduler/Operational" - windows-wmi: - product: windows - service: wmi - sources: - - "WinEventLog:Microsoft-Windows-WMI-Activity/Operational" - windows-dhcp: - product: windows - service: dhcp - sources: - - "WinEventLog:Microsoft-Windows-DHCP-Server/Operational" - windows-printservice-admin: - product: windows - service: printservice-admin - sources: - - "WinEventLog:Microsoft-Windows-PrintService/Admin" - windows-smbclient-security: - product: windows - service: smbclient-security - sources: - - "WinEventLog:Microsoft-Windows-SmbClient/Security" - windows-printservice-operational: - product: windows - service: printservice-operational - sources: - - "WinEventLog:Microsoft-Windows-PrintService/Operational" - windows-terminalservices-localsessionmanager-operational: - product: windows - service: terminalservices-localsessionmanager - sources: - - 'WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' - windows-codeintegrity-operational: - product: windows - service: codeintegrity-operational - sources: - - "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational" - windows-applocker: - product: windows - service: applocker - sources: - - 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script' - - 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL' - - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment' - - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution' - windows-msexchange-management: - product: windows - service: msexchange-management - sources: - - 'WinEventLog:MSExchange Management' - windows-defender: - product: windows - service: windefend - sources: - - 'WinEventLog:Microsoft-Windows-Windows Defender/Operational' - windows-firewall-advanced-security: - 
product: windows - service: firewall-as - sources: - - 'WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' - windows-bits-client: - product: windows - service: bits-client - sources: - - 'WinEventLog:Microsoft-Windows-Bits-Client/Operational' - windows-security-mitigations: - product: windows - service: security-mitigations - sources: - - 'WinEventLog:Microsoft-Windows-Security-Mitigations/Kernel Mode' - - 'WinEventLog:Microsoft-Windows-Security-Mitigations/User Mode' - windows-diagnosis: - product: windows - service: diagnosis-scripted - sources: - - 'WinEventLog:Microsoft-Windows-Diagnosis-Scripted/Operational' - windows-shell-core: - product: windows - service: shell-core - sources: - - 'WinEventLog:Microsoft-Windows-Shell-Core/Operational' - windows-openssh: - product: windows - service: openssh - sources: - - 'WinEventLog:OpenSSH/Operational' - windows-ldap-debug: - product: windows - service: ldap_debug - sources: - - 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug' - windows-bitlocker: - product: windows - service: bitlocker - sources: - - 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management' - windows-vhdmp: - product: windows - service: vhdmp - sources: - - 'WinEventLog:Microsoft-Windows-VHDMP/Operational' - windows-appxdeployment-server: - product: windows - service: appxdeployment-server - sources: - - 'WinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational' - windows-lsa-server: - product: windows - service: lsa-server - sources: - - 'WinEventLog:Microsoft-Windows-LSA/Operational' - apache: - category: webserver - sources: - - "File:/var/log/apache/*.log" - - "File:/var/log/apache2/*.log" - - "File:/var/log/httpd/*.log" - linux-auth: - product: linux - service: auth - sources: - - "File:/var/log/auth.log" - - "File:/var/log/auth.log.?" - linux-syslog: - product: linux - service: syslog - sources: - - "File:/var/log/syslog" - - "File:/var/log/syslog.?" 
- logfiles: - category: logfile - sources: - - "File:*.log" + # log source configurations for generic sigma rules + process_creation_1: + category: process_creation + product: windows + conditions: + EventID: 1 + rewrite: + product: windows + service: sysmon + process_creation_2: + category: process_creation + product: windows + conditions: + EventID: 4688 + rewrite: + product: windows + service: security + fieldmappings: + Image: NewProcessName + ParentImage: ParentProcessName + network_connection: + category: network_connection + product: windows + conditions: + EventID: 3 + rewrite: + product: windows + service: sysmon + sysmon_status1: + category: sysmon_status + product: windows + conditions: + EventID: 4 + rewrite: + product: windows + service: sysmon + sysmon_status2: + category: sysmon_status + product: windows + conditions: + EventID: 16 + rewrite: + product: windows + service: sysmon + process_terminated: + category: process_termination + product: windows + conditions: + EventID: 5 + rewrite: + product: windows + service: sysmon + driver_loaded: + category: driver_load + product: windows + conditions: + EventID: 6 + rewrite: + product: windows + service: sysmon + image_loaded: + category: image_load + product: windows + conditions: + EventID: 7 + rewrite: + product: windows + service: sysmon + create_remote_thread: + category: create_remote_thread + product: windows + conditions: + EventID: 8 + rewrite: + product: windows + service: sysmon + raw_access_thread: + category: raw_access_thread + product: windows + conditions: + EventID: 9 + rewrite: + product: windows + service: sysmon + process_access: + category: process_access + product: windows + conditions: + EventID: 10 + rewrite: + product: windows + service: sysmon + file_creation: + category: file_event + product: windows + conditions: + EventID: 11 + rewrite: + product: windows + service: sysmon + registry_event1: + category: registry_event + product: windows + conditions: + EventID: 12 + rewrite: + 
product: windows + service: sysmon + registry_event2: + category: registry_event + product: windows + conditions: + EventID: 13 + rewrite: + product: windows + service: sysmon + registry_event3: + category: registry_event + product: windows + conditions: + EventID: 14 + rewrite: + product: windows + service: sysmon + registry_add: + category: registry_add + product: windows + conditions: + EventID: 12 + rewrite: + product: windows + service: sysmon + registry_delete: + category: registry_delete + product: windows + conditions: + EventID: 12 + rewrite: + product: windows + service: sysmon + registry_set: + category: registry_set + product: windows + conditions: + EventID: 13 + rewrite: + product: windows + service: sysmon + registry_rename: + category: registry_rename + product: windows + conditions: + EventID: 14 + rewrite: + product: windows + service: sysmon + create_stream_hash: + category: create_stream_hash + product: windows + conditions: + EventID: 15 + rewrite: + product: windows + service: sysmon + pipe_created1: + category: pipe_created + product: windows + conditions: + EventID: 17 + rewrite: + product: windows + service: sysmon + pipe_created2: + category: pipe_created + product: windows + conditions: + EventID: 18 + rewrite: + product: windows + service: sysmon + wmi_event1: + category: wmi_event + product: windows + conditions: + EventID: 19 + rewrite: + product: windows + service: sysmon + wmi_event2: + category: wmi_event + product: windows + conditions: + EventID: 20 + rewrite: + product: windows + service: sysmon + wmi_event3: + category: wmi_event + product: windows + conditions: + EventID: 21 + rewrite: + product: windows + service: sysmon + dns_query: + category: dns_query + product: windows + conditions: + EventID: 22 + rewrite: + product: windows + service: sysmon + file_delete: + category: file_delete + product: windows + conditions: + EventID: 23 + rewrite: + product: windows + service: sysmon + file_block: + category: file_block + product: 
windows + conditions: + EventID: 27 + rewrite: + product: windows + service: sysmon + sysmon_error: + category: sysmon_error + product: windows + conditions: + EventID: 255 + rewrite: + product: windows + service: sysmon + #PowerShell Operational + ps_module: + category: ps_module + product: windows + conditions: + EventID: 4103 + rewrite: + product: windows + service: powershell + ps_script: + category: ps_script + product: windows + conditions: + EventID: 4104 + rewrite: + product: windows + service: powershell + #Powershell "classic" channel + ps_classic_start: + category: ps_classic_start + product: windows + conditions: + EventID: 400 + rewrite: + product: windows + service: powershell-classic + ps_classic_provider_start: + category: ps_classic_provider_start + product: windows + conditions: + EventID: 600 + rewrite: + product: windows + service: powershell-classic + ps_classic_script: + category: ps_classic_script + product: windows + conditions: + EventID: 800 + rewrite: + product: windows + service: powershell-classic + # target system configurations + windows-application: + product: windows + service: application + sources: + - "WinEventLog:Application" + windows-security: + product: windows + service: security + sources: + - "WinEventLog:Security" + windows-system: + product: windows + service: system + sources: + - "WinEventLog:System" + windows-ntlm: + product: windows + service: ntlm + sources: + - "WinEventLog:Microsoft-Windows-NTLM/Operational" + windows-sysmon: + product: windows + service: sysmon + sources: + - "WinEventLog:Microsoft-Windows-Sysmon/Operational" + windows-powershell: + product: windows + service: powershell + sources: + - "WinEventLog:Microsoft-Windows-PowerShell/Operational" + - "WinEventLog:PowerShellCore/Operational" + windows-classicpowershell: + product: windows + service: powershell-classic + sources: + - "WinEventLog:Windows PowerShell" + windows-taskscheduler: + product: windows + service: taskscheduler + sources: + - 
"WinEventLog:Microsoft-Windows-TaskScheduler/Operational" + windows-wmi: + product: windows + service: wmi + sources: + - "WinEventLog:Microsoft-Windows-WMI-Activity/Operational" + windows-dhcp: + product: windows + service: dhcp + sources: + - "WinEventLog:Microsoft-Windows-DHCP-Server/Operational" + windows-printservice-admin: + product: windows + service: printservice-admin + sources: + - "WinEventLog:Microsoft-Windows-PrintService/Admin" + windows-smbclient-security: + product: windows + service: smbclient-security + sources: + - "WinEventLog:Microsoft-Windows-SmbClient/Security" + windows-printservice-operational: + product: windows + service: printservice-operational + sources: + - "WinEventLog:Microsoft-Windows-PrintService/Operational" + windows-terminalservices-localsessionmanager-operational: + product: windows + service: terminalservices-localsessionmanager + sources: + - 'WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + sources: + - "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational" + windows-applocker: + product: windows + service: applocker + sources: + - 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script' + - 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL' + - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution' + windows-msexchange-management: + product: windows + service: msexchange-management + sources: + - 'WinEventLog:MSExchange Management' + windows-defender: + product: windows + service: windefend + sources: + - 'WinEventLog:Microsoft-Windows-Windows Defender/Operational' + windows-firewall-advanced-security: + product: windows + service: firewall-as + sources: + - 'WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' + windows-bits-client: + product: windows + service: bits-client + sources: + 
- 'WinEventLog:Microsoft-Windows-Bits-Client/Operational' + windows-security-mitigations: + product: windows + service: security-mitigations + sources: + - 'WinEventLog:Microsoft-Windows-Security-Mitigations/Kernel Mode' + - 'WinEventLog:Microsoft-Windows-Security-Mitigations/User Mode' + windows-diagnosis: + product: windows + service: diagnosis-scripted + sources: + - 'WinEventLog:Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + sources: + - 'WinEventLog:Microsoft-Windows-Shell-Core/Operational' + windows-openssh: + product: windows + service: openssh + sources: + - 'WinEventLog:OpenSSH/Operational' + windows-ldap-debug: + product: windows + service: ldap_debug + sources: + - 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug' + windows-bitlocker: + product: windows + service: bitlocker + sources: + - 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management' + windows-vhdmp: + product: windows + service: vhdmp + sources: + - 'WinEventLog:Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + sources: + - 'WinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational' + windows-lsa-server: + product: windows + service: lsa-server + sources: + - 'WinEventLog:Microsoft-Windows-LSA/Operational' + windows-appxpackaging-om: + product: windows + service: appxpackaging-om + sources: + - 'WinEventLog:Microsoft-Windows-AppxPackaging/Operational' + windows-dns-client: + product: windows + service: dns-client + sources: + - 'WinEventLog:Microsoft-Windows-DNS Client Events/Operational' + windows-appmodel-runtime: + product: windows + service: appmodel-runtime + sources: + - 'WinEventLog:Microsoft-Windows-AppModel-Runtime/Admin' + apache: + category: webserver + sources: + - "File:/var/log/apache/*.log" + - "File:/var/log/apache2/*.log" + - "File:/var/log/httpd/*.log" + linux-auth: + product: linux + service: auth + sources: + - 
"File:/var/log/auth.log" + - "File:/var/log/auth.log.?" + linux-syslog: + product: linux + service: syslog + sources: + - "File:/var/log/syslog" + - "File:/var/log/syslog.?" + logfiles: + category: logfile + sources: + - "File:*.log" diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index a9a6398a8..7ec1a3dee 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml 
@@ -1,179 +1,194 @@ title: Elastic Winlogbeat (from 7.x) index pattern and field mapping following Elastic enabled Modules order: 20 backends: - - es-qs - - es-dsl - - es-rule - - es-rule-eql - - es-eql - - kibana - - kibana-ndjson - - xpack-watcher - - elastalert - - elastalert-dsl - - ee-outliers + - es-qs + - es-dsl + - es-rule + - es-rule-eql + - es-eql + - kibana + - kibana-ndjson + - xpack-watcher + - elastalert + - elastalert-dsl + - ee-outliers logsources: - windows: - product: windows - index: winlogbeat-* - windows-application: - product: windows - service: application - conditions: - winlog.channel: Application - windows-security: - product: windows - service: security - conditions: - winlog.channel: Security - windows-system: - product: windows - service: system - conditions: - winlog.channel: System - windows-sysmon: - product: windows - service: sysmon - conditions: - winlog.channel: 'Microsoft-Windows-Sysmon/Operational' - windows-powershell: - product: windows - service: powershell - conditions: - winlog.channel: - - 'Microsoft-Windows-PowerShell/Operational' - - 'PowerShellCore/Operational' - windows-classicpowershell: - product: windows - service: powershell-classic - conditions: - winlog.channel: 'Windows PowerShell' - windows-dns-server: - product: windows - service: dns-server - conditions: - winlog.channel: 'DNS Server' - windows-driver-framework: - product: windows - service: driver-framework - conditions: - winlog.channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' - windows-dhcp: - product: windows - service: dhcp - conditions: - winlog.channel: 'Microsoft-Windows-DHCP-Server/Operational' - windows-ntlm: - product: windows - service: ntlm - conditions: - winlog.channel: 'Microsoft-Windows-NTLM/Operational' - windows-defender: - product: windows - service: windefend - conditions: - winlog.channel: 'Microsoft-Windows-Windows Defender/Operational' - windows-printservice-admin: - product: windows - service: printservice-admin - 
conditions: - winlog.channel: 'Microsoft-Windows-PrintService/Admin' - windows-printservice-operational: - product: windows - service: printservice-operational - conditions: - winlog.channel: 'Microsoft-Windows-PrintService/Operational' - windows-terminalservices-localsessionmanager-operational: - product: windows - service: terminalservices-localsessionmanager - conditions: - winlog.channel: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' - windows-codeintegrity-operational: - product: windows - service: codeintegrity-operational - conditions: - winlog.channel: 'Microsoft-Windows-CodeIntegrity/Operational' - windows-smbclient-security: - product: windows - service: smbclient-security - conditions: - winlog.channel: 'Microsoft-Windows-SmbClient/Security' - windows-applocker: - product: windows - service: applocker - conditions: - winlog.channel: - - 'Microsoft-Windows-AppLocker/MSI and Script' - - 'Microsoft-Windows-AppLocker/EXE and DLL' - - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' - - 'Microsoft-Windows-AppLocker/Packaged app-Execution' - windows-msexchange-management: - product: windows - service: msexchange-management - conditions: - winlog.channel: 'MSExchange Management' - microsoft-servicebus-client: - product: windows - service: microsoft-servicebus-client - conditions: - winlog.channel: 'Microsoft-ServiceBus-Client' - windows-firewall-advanced-security: - product: windows - service: firewall-as - conditions: - winlog.channel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' - windows-bits-client: - product: windows - service: bits-client - conditions: - winlog.channel: 'Microsoft-Windows-Bits-Client/Operational' - windows-security-mitigations: - product: windows - service: security-mitigations - conditions: - winlog.channel: - - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' - - 'Microsoft-Windows-Security-Mitigations/User Mode' - windows-diagnosis: - product: windows - service: diagnosis-scripted 
- conditions: - winlog.channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational' - windows-shell-core: - product: windows - service: shell-core - conditions: - winlog.channel: 'Microsoft-Windows-Shell-Core/Operational' - windows-openssh: - product: windows - service: openssh - conditions: - winlog.channel: 'OpenSSH/Operational' - windows-ldap-debug: - product: windows - service: ldap_debug - conditions: - winlog.channel: 'Microsoft-Windows-LDAP-Client/Debug' - windows-bitlocker: - product: windows - service: bitlocker - conditions: - winlog.channel: 'Microsoft-Windows-BitLocker/BitLocker Management' - windows-vhdmp-operational: - product: windows - service: vhdmp - conditions: - winlog_channel: 'Microsoft-Windows-VHDMP/Operational' - windows-appxdeployment-server: - product: windows - service: appxdeployment-server - conditions: - winlog_channel: 'Microsoft-Windows-AppXDeploymentServer/Operational' - windows-lsa-server: - product: windows - service: lsa-server - conditions: - winlog_channel: 'Microsoft-Windows-LSA/Operational' + windows: + product: windows + index: winlogbeat-* + windows-application: + product: windows + service: application + conditions: + winlog.channel: Application + windows-security: + product: windows + service: security + conditions: + winlog.channel: Security + windows-system: + product: windows + service: system + conditions: + winlog.channel: System + windows-sysmon: + product: windows + service: sysmon + conditions: + winlog.channel: 'Microsoft-Windows-Sysmon/Operational' + windows-powershell: + product: windows + service: powershell + conditions: + winlog.channel: + - 'Microsoft-Windows-PowerShell/Operational' + - 'PowerShellCore/Operational' + windows-classicpowershell: + product: windows + service: powershell-classic + conditions: + winlog.channel: 'Windows PowerShell' + windows-dns-server: + product: windows + service: dns-server + conditions: + winlog.channel: 'DNS Server' + windows-driver-framework: + product: windows + service: 
driver-framework + conditions: + winlog.channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' + windows-dhcp: + product: windows + service: dhcp + conditions: + winlog.channel: 'Microsoft-Windows-DHCP-Server/Operational' + windows-ntlm: + product: windows + service: ntlm + conditions: + winlog.channel: 'Microsoft-Windows-NTLM/Operational' + windows-defender: + product: windows + service: windefend + conditions: + winlog.channel: 'Microsoft-Windows-Windows Defender/Operational' + windows-printservice-admin: + product: windows + service: printservice-admin + conditions: + winlog.channel: 'Microsoft-Windows-PrintService/Admin' + windows-printservice-operational: + product: windows + service: printservice-operational + conditions: + winlog.channel: 'Microsoft-Windows-PrintService/Operational' + windows-terminalservices-localsessionmanager-operational: + product: windows + service: terminalservices-localsessionmanager + conditions: + winlog.channel: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + winlog.channel: 'Microsoft-Windows-CodeIntegrity/Operational' + windows-smbclient-security: + product: windows + service: smbclient-security + conditions: + winlog.channel: 'Microsoft-Windows-SmbClient/Security' + windows-applocker: + product: windows + service: applocker + conditions: + winlog.channel: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' + windows-msexchange-management: + product: windows + service: msexchange-management + conditions: + winlog.channel: 'MSExchange Management' + microsoft-servicebus-client: + product: windows + service: microsoft-servicebus-client + conditions: + winlog.channel: 'Microsoft-ServiceBus-Client' + windows-firewall-advanced-security: + 
product: windows + service: firewall-as + conditions: + winlog.channel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' + windows-bits-client: + product: windows + service: bits-client + conditions: + winlog.channel: 'Microsoft-Windows-Bits-Client/Operational' + windows-security-mitigations: + product: windows + service: security-mitigations + conditions: + winlog.channel: + - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' + - 'Microsoft-Windows-Security-Mitigations/User Mode' + windows-diagnosis: + product: windows + service: diagnosis-scripted + conditions: + winlog.channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + conditions: + winlog.channel: 'Microsoft-Windows-Shell-Core/Operational' + windows-openssh: + product: windows + service: openssh + conditions: + winlog.channel: 'OpenSSH/Operational' + windows-ldap-debug: + product: windows + service: ldap_debug + conditions: + winlog.channel: 'Microsoft-Windows-LDAP-Client/Debug' + windows-bitlocker: + product: windows + service: bitlocker + conditions: + winlog.channel: 'Microsoft-Windows-BitLocker/BitLocker Management' + windows-vhdmp-operational: + product: windows + service: vhdmp + conditions: + winlog_channel: 'Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + winlog_channel: 'Microsoft-Windows-AppXDeploymentServer/Operational' + windows-lsa-server: + product: windows + service: lsa-server + conditions: + winlog_channel: 'Microsoft-Windows-LSA/Operational' + windows-appxpackaging-om: + product: windows + service: appxpackaging-om + conditions: + winlog_channel: 'Microsoft-Windows-AppxPackaging/Operational' + windows-dns-client: + product: windows + service: dns-client + conditions: + winlog_channel: 'Microsoft-Windows-DNS Client Events/Operational' + windows-appmodel-runtime: + product: windows + service: appmodel-runtime + 
conditions: + winlog_channel: 'Microsoft-Windows-AppModel-Runtime/Admin' defaultindex: winlogbeat-* # Extract all field names with yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g' @@ -215,7 +230,7 @@ fieldmappings: default: winlog.event_data.ErrorCode FilePath: winlog.event_data.FilePath # Filename => category: antivirus - Filename: winlog.event_data.Filename + Filename: winlog.event_data.Filename LDAPDisplayName: winlog.event_data.LDAPDisplayName # Level => Source: MSExchange Control Panel EventID: 4 Level: winlog.event_data.Level @@ -229,7 +244,7 @@ fieldmappings: ProcessGuid: process.entity_id ProcessId: process.pid Image: process.executable - FileVersion: + FileVersion: category=process_creation: process.pe.file_version category=image_load: file.pe.file_version default: winlog.event_data.FileVersion @@ -242,15 +257,15 @@ fieldmappings: category=process_creation: process.pe.product category=image_load: file.pe.product default: winlog.event_data.Product - Company: + Company: category=process_creation: process.pe.company category=image_load: file.pe.company default: winlog.event_data.Company - OriginalFileName: + OriginalFileName: category=process_creation: process.pe.original_file_name category=image_load: file.pe.original_file_name default: winlog.event_data.OriginalFileName - CommandLine: + CommandLine: category=process_creation: process.command_line service=security: process.command_line service=powershell-classic: powershell.command.value 
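Review bot: The three logsources added at the end of the `logsources` stanza (`windows-appxpackaging-om`, `windows-dns-client`, `windows-appmodel-runtime`) key their condition on `winlog_channel`, while the rest of this file uses `winlog.channel`, which is the field Winlogbeat 7.x actually populates; a condition on a field that is never present cannot scope rules for these services to the intended channel, so each of those lines should read like `winlog.channel: 'Microsoft-Windows-AppxPackaging/Operational'`. The same `winlog_channel` key is copied into the `@@ -163,6 +163,21 @@` hunk of `tools/config/winlogbeat.yml` further down, and the pre-existing `windows-vhdmp-operational`, `windows-appxdeployment-server` and `windows-lsa-server` entries in both files carry it too, so one pass over all six entries would close the gap. As a point of style, re-indenting the whole file turns a 15-line addition into a hunk of several hundred lines; a formatting-only commit followed by the functional change would keep the part that needs review readable.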
@@ -270,10 +285,10 @@ fieldmappings: TargetFilename: file.path CreationUtcTime: winlog.event_data.CreationUtcTime PreviousCreationUtcTime: winlog.event_data.PreviousCreationUtcTime - Protocol: + Protocol: category=network_connection: network.transport default: winlog.event_data.Protocol - Initiated: + Initiated: category=network_connection: network.direction default: winlog.event_data.Initiated #SourceIsIpv6: winlog.event_data.SourceIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279 @@ -291,7 +306,7 @@ fieldmappings: SchemaVersion: winlog.event_data.SchemaVersion ImageLoaded: file.path Signed: file.code_signature.signed - Signature: + Signature: category=driver_loaded: file.code_signature.subject_name category=image_loaded: file.code_signature.subject_name default: winlog.event_data.Signature @@ -347,7 +362,7 @@ fieldmappings: category=driver_load: hash.sha256 category=image_load: file.hash.sha256 default: process.hash.sha256 - Imphash: + Imphash: category=driver_load: hash.imphash category=image_load: file.hash.imphash default: process.pe.imphash @@ -357,7 +372,7 @@ fieldmappings: CommandName: powershell.command.name CommandPath: powershell.command.path CommandType: powershell.command.type - EngineVersion: + EngineVersion: service=powershell-classic: powershell.engine.version service=windefend: winlog.event_data.Engine\ Version default: winlog.event_data.EngineVersion @@ -630,4 +645,3 @@ fieldmappings: ApplicationPath: winlog.event_data.ApplicationPath ModifyingApplication: winlog.event_data.ModifyingApplication Action: winlog.event_data.Action - diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml index 8154dea1b..8c0a81c60 100644 --- a/tools/config/winlogbeat-old.yml +++ b/tools/config/winlogbeat-old.yml 
@@ -1,214 +1,229 @@ title: Elastic Winlogbeat (<=6.x) index pattern and field mapping order: 20 backends: - - es-qs - - es-dsl - - es-rule - - kibana - - kibana-ndjson - - xpack-watcher - - elastalert - - elastalert-dsl - - ee-outliers + - es-qs + - es-dsl + - es-rule + - kibana + - kibana-ndjson + - xpack-watcher + - elastalert + - elastalert-dsl + - ee-outliers logsources: - windows: - product: windows - index: winlogbeat-* - windows-application: - product: windows - service: application - conditions: - log_name: Application - windows-security: - product: windows - service: security - conditions: - log_name: Security - windows-system: - product: windows - service: system - conditions: - winlog.channel: System - windows-sysmon: - product: windows - service: sysmon - conditions: - log_name: 'Microsoft-Windows-Sysmon/Operational' - windows-powershell: - product: windows - service: powershell - conditions: - winlog.channel: - - 'Microsoft-Windows-PowerShell/Operational' - - 'PowerShellCore/Operational' - windows-classicpowershell: - product: windows - service: powershell-classic - conditions: - winlog.channel: 'Windows PowerShell' - windows-dns-server: - product: windows - service: dns-server - conditions: - log_name: 'DNS Server' - windows-driver-framework: - product: windows - service: driver-framework - conditions: - log_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' - windows-dhcp: - product: windows - service: dhcp - conditions: - log_name: 'Microsoft-Windows-DHCP-Server/Operational' - windows-ntlm: - product: windows - service: ntlm - conditions: - log_name: 'Microsoft-Windows-NTLM/Operational' - windows-defender: - product: windows - service: windefend - conditions: - log_name: 'Microsoft-Windows-Windows Defender/Operational' - windows-applocker: - product: windows - service: applocker - conditions: - log_name: - - 'Microsoft-Windows-AppLocker/MSI and Script' - - 'Microsoft-Windows-AppLocker/EXE and DLL' - - 
'Microsoft-Windows-AppLocker/Packaged app-Deployment' - - 'Microsoft-Windows-AppLocker/Packaged app-Execution' - windows-firewall-advanced-security: - product: windows - service: firewall-as - conditions: - log_name: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' - windows-bits-client: - product: windows - service: bits-client - conditions: - log_name: 'Microsoft-Windows-Bits-Client/Operational' - windows-security-mitigations: - product: windows - service: security-mitigations - conditions: - log_name: - - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' - - 'Microsoft-Windows-Security-Mitigations/User Mode' - windows-diagnosis: - product: windows - service: diagnosis-scripted - conditions: - log_name: 'Microsoft-Windows-Diagnosis-Scripted/Operational' - windows-shell-core: - product: windows - service: shell-core - conditions: - log_name: 'Microsoft-Windows-Shell-Core/Operational' - windows-openssh: - product: windows - service: openssh - conditions: - log_name: 'OpenSSH/Operational' - windows-ldap-debug: - product: windows - service: ldap_debug - conditions: - log_name: 'Microsoft-Windows-LDAP-Client/Debug' - windows-bitlocker: - product: windows - service: bitlocker - conditions: - log_name: 'Microsoft-Windows-BitLocker/BitLocker Management' - windows-vhdmp-operational: - product: windows - service: vhdmp - conditions: - log_name: 'Microsoft-Windows-VHDMP/Operational' - windows-appxdeployment-server: - product: windows - service: appxdeployment-server - conditions: - log_name: 'Microsoft-Windows-AppXDeploymentServer/Operational' - windows-lsa-server: - product: windows - service: lsa-server - conditions: - log_name: 'Microsoft-Windows-LSA/Operational' + windows: + product: windows + index: winlogbeat-* + windows-application: + product: windows + service: application + conditions: + log_name: Application + windows-security: + product: windows + service: security + conditions: + log_name: Security + windows-system: + product: windows + 
service: system + conditions: + winlog.channel: System + windows-sysmon: + product: windows + service: sysmon + conditions: + log_name: 'Microsoft-Windows-Sysmon/Operational' + windows-powershell: + product: windows + service: powershell + conditions: + winlog.channel: + - 'Microsoft-Windows-PowerShell/Operational' + - 'PowerShellCore/Operational' + windows-classicpowershell: + product: windows + service: powershell-classic + conditions: + winlog.channel: 'Windows PowerShell' + windows-dns-server: + product: windows + service: dns-server + conditions: + log_name: 'DNS Server' + windows-driver-framework: + product: windows + service: driver-framework + conditions: + log_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' + windows-dhcp: + product: windows + service: dhcp + conditions: + log_name: 'Microsoft-Windows-DHCP-Server/Operational' + windows-ntlm: + product: windows + service: ntlm + conditions: + log_name: 'Microsoft-Windows-NTLM/Operational' + windows-defender: + product: windows + service: windefend + conditions: + log_name: 'Microsoft-Windows-Windows Defender/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + log_name: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' + windows-firewall-advanced-security: + product: windows + service: firewall-as + conditions: + log_name: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' + windows-bits-client: + product: windows + service: bits-client + conditions: + log_name: 'Microsoft-Windows-Bits-Client/Operational' + windows-security-mitigations: + product: windows + service: security-mitigations + conditions: + log_name: + - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' + - 'Microsoft-Windows-Security-Mitigations/User Mode' + windows-diagnosis: + product: windows + service: 
diagnosis-scripted + conditions: + log_name: 'Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + conditions: + log_name: 'Microsoft-Windows-Shell-Core/Operational' + windows-openssh: + product: windows + service: openssh + conditions: + log_name: 'OpenSSH/Operational' + windows-ldap-debug: + product: windows + service: ldap_debug + conditions: + log_name: 'Microsoft-Windows-LDAP-Client/Debug' + windows-bitlocker: + product: windows + service: bitlocker + conditions: + log_name: 'Microsoft-Windows-BitLocker/BitLocker Management' + windows-vhdmp-operational: + product: windows + service: vhdmp + conditions: + log_name: 'Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + log_name: 'Microsoft-Windows-AppXDeploymentServer/Operational' + windows-lsa-server: + product: windows + service: lsa-server + conditions: + log_name: 'Microsoft-Windows-LSA/Operational' + windows-appxpackaging-om: + product: windows + service: appxpackaging-om + conditions: + log_name: 'Microsoft-Windows-AppxPackaging/Operational' + windows-dns-client: + product: windows + service: dns-client + conditions: + log_name: 'Microsoft-Windows-DNS Client Events/Operational' + windows-appmodel-runtime: + product: windows + service: appmodel-runtime + conditions: + log_name: 'Microsoft-Windows-AppModel-Runtime/Admin' defaultindex: winlogbeat-* # Extract all field names with yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g' # Keep EventID! Clean up the list afterwards! 
fieldmappings: - EventID: event_id - AccessMask: event_data.AccessMask - AccountName: event_data.AccountName - AllowedToDelegateTo: event_data.AllowedToDelegateTo - AttributeLDAPDisplayName: event_data.AttributeLDAPDisplayName - AuditPolicyChanges: event_data.AuditPolicyChanges - AuthenticationPackageName: event_data.AuthenticationPackageName - CallingProcessName: event_data.CallingProcessName - CallTrace: event_data.CallTrace - Channel: winlog.channel - CommandLine: event_data.CommandLine - ComputerName: event_data.ComputerName - CurrentDirectory: event_data.CurrentDirectory - Description: event_data.Description - DestinationHostname: event_data.DestinationHostname - DestinationIp: event_data.DestinationIp - DestinationIsIpv6: event_data.DestinationIsIpv6 - DestinationPort: event_data.DestinationPort - Details: event_data.Details - EngineVersion: event_data.EngineVersion - EventType: event_data.EventType - FailureCode: event_data.FailureCode - FileName: event_data.FileName - GrantedAccess: event_data.GrantedAccess - GroupName: event_data.GroupName - GroupSid: event_data.GroupSid - Hashes: event_data.Hashes - HiveName: event_data.HiveName - HostVersion: event_data.HostVersion - Image: event_data.Image - ImageLoaded: event_data.ImageLoaded - ImagePath: event_data.ImagePath - Imphash: event_data.Imphash - IpAddress: event_data.IpAddress - KeyLength: event_data.KeyLength - LogonProcessName: event_data.LogonProcessName - LogonType: event_data.LogonType - NewProcessName: event_data.NewProcessName - ObjectClass: event_data.ObjectClass - ObjectName: event_data.ObjectName - ObjectType: event_data.ObjectType - ObjectValueName: event_data.ObjectValueName - ParentCommandLine: event_data.ParentCommandLine - ParentProcessName: event_data.ParentProcessName - ParentImage: event_data.ParentImage - Path: event_data.Path - PipeName: event_data.PipeName - ProcessCommandLine: event_data.ProcessCommandLine - ProcessName: event_data.ProcessName - Product: event_data.Product - 
Properties: event_data.Properties - ScriptBlockText: winlog.event_data.ScriptBlockText - SecurityID: event_data.SecurityID - ServiceFileName: event_data.ServiceFileName - ServiceName: event_data.ServiceName - ShareName: event_data.ShareName - Signature: event_data.Signature - Source: event_data.Source - SourceImage: event_data.SourceImage - StartModule: event_data.StartModule - Status: event_data.Status - SubjectUserName: event_data.SubjectUserName - SubjectUserSid: event_data.SubjectUserSid - TargetFilename: event_data.TargetFilename - TargetImage: event_data.TargetImage - TargetObject: event_data.TargetObject - TicketEncryptionType: event_data.TicketEncryptionType - TicketOptions: event_data.TicketOptions - User: event_data.User - WorkstationName: event_data.WorkstationName + EventID: event_id + AccessMask: event_data.AccessMask + AccountName: event_data.AccountName + AllowedToDelegateTo: event_data.AllowedToDelegateTo + AttributeLDAPDisplayName: event_data.AttributeLDAPDisplayName + AuditPolicyChanges: event_data.AuditPolicyChanges + AuthenticationPackageName: event_data.AuthenticationPackageName + CallingProcessName: event_data.CallingProcessName + CallTrace: event_data.CallTrace + Channel: winlog.channel + CommandLine: event_data.CommandLine + ComputerName: event_data.ComputerName + CurrentDirectory: event_data.CurrentDirectory + Description: event_data.Description + DestinationHostname: event_data.DestinationHostname + DestinationIp: event_data.DestinationIp + DestinationIsIpv6: event_data.DestinationIsIpv6 + DestinationPort: event_data.DestinationPort + Details: event_data.Details + EngineVersion: event_data.EngineVersion + EventType: event_data.EventType + FailureCode: event_data.FailureCode + FileName: event_data.FileName + GrantedAccess: event_data.GrantedAccess + GroupName: event_data.GroupName + GroupSid: event_data.GroupSid + Hashes: event_data.Hashes + HiveName: event_data.HiveName + HostVersion: event_data.HostVersion + Image: event_data.Image + 
ImageLoaded: event_data.ImageLoaded + ImagePath: event_data.ImagePath + Imphash: event_data.Imphash + IpAddress: event_data.IpAddress + KeyLength: event_data.KeyLength + LogonProcessName: event_data.LogonProcessName + LogonType: event_data.LogonType + NewProcessName: event_data.NewProcessName + ObjectClass: event_data.ObjectClass + ObjectName: event_data.ObjectName + ObjectType: event_data.ObjectType + ObjectValueName: event_data.ObjectValueName + ParentCommandLine: event_data.ParentCommandLine + ParentProcessName: event_data.ParentProcessName + ParentImage: event_data.ParentImage + Path: event_data.Path + PipeName: event_data.PipeName + ProcessCommandLine: event_data.ProcessCommandLine + ProcessName: event_data.ProcessName + Product: event_data.Product + Properties: event_data.Properties + ScriptBlockText: winlog.event_data.ScriptBlockText + SecurityID: event_data.SecurityID + ServiceFileName: event_data.ServiceFileName + ServiceName: event_data.ServiceName + ShareName: event_data.ShareName + Signature: event_data.Signature + Source: event_data.Source + SourceImage: event_data.SourceImage + StartModule: event_data.StartModule + Status: event_data.Status + SubjectUserName: event_data.SubjectUserName + SubjectUserSid: event_data.SubjectUserSid + TargetFilename: event_data.TargetFilename + TargetImage: event_data.TargetImage + TargetObject: event_data.TargetObject + TicketEncryptionType: event_data.TicketEncryptionType + TicketOptions: event_data.TicketOptions + User: event_data.User + WorkstationName: event_data.WorkstationName diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml index b7b9a5f5c..3ff08c4e1 100644 --- a/tools/config/winlogbeat.yml +++ b/tools/config/winlogbeat.yml 
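Review bot: The re-indented `logsources` stanza still conditions `windows-system`, `windows-powershell` and `windows-classicpowershell` on `winlog.channel`, while every other entry in this file, including the three added ones, uses `log_name`; since the file is titled for Winlogbeat <=6.x, where `log_name` is presumably the channel field, those three look like they should be `log_name: System` and the two PowerShell equivalents, otherwise rules for those services are not scoped to a channel at all. The `fieldmappings` block carries the same split (`Channel: winlog.channel` and `ScriptBlockText: winlog.event_data.ScriptBlockText` among `event_data.*` mappings). Because this commit already rewrites every line of both stanzas, it is the natural moment to settle the field naming rather than carry the mix forward.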
@@ -1,16 +1,16 @@
 title: Elastic Winlogbeat (from 7.x) index pattern and field mapping
 order: 20
 backends:
- - es-qs
- - es-dsl
- - es-rule
- - kibana
- - kibana-ndjson
- - xpack-watcher
- - elastalert
- - elastalert-dsl
- - ee-outliers
- - opensearch-monitor
+ - es-qs
+ - es-dsl
+ - es-rule
+ - kibana
+ - kibana-ndjson
+ - xpack-watcher
+ - elastalert
+ - elastalert-dsl
+ - ee-outliers
+ - opensearch-monitor
 logsources:
 windows:
 product: windows
@@ -147,7 +147,7 @@ logsources:
 product: windows
 service: bitlocker
 conditions:
- winlog.channel: 'bitlocker'
+ winlog.channel: 'Microsoft-Windows-BitLocker/BitLocker Management'
 windows-vhdmp-operational:
 product: windows
 service: vhdmp
@@ -163,6 +163,21 @@ logsources:
 service: lsa-server
 conditions:
 winlog_channel: 'Microsoft-Windows-LSA/Operational'
+ windows-appxpackaging-om:
+ product: windows
+ service: appxpackaging-om
+ conditions:
+ winlog_channel: 'Microsoft-Windows-AppxPackaging/Operational'
+ windows-dns-client:
+ product: windows
+ service: dns-client
+ conditions:
+ winlog_channel: 'Microsoft-Windows-DNS Client Events/Operational'
+ windows-appmodel-runtime:
+ product: windows
+ service: appmodel-runtime
+ conditions:
+ winlog_channel: 'Microsoft-Windows-AppModel-Runtime/Admin'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
diff --git a/tools/config/zircolite.yml b/tools/config/zircolite.yml
index b93527f5f..e1fa9f60d 100644
--- a/tools/config/zircolite.yml
+++ b/tools/config/zircolite.yml
@@ -128,4 +128,19 @@ logsources:
 product: windows
 service: lsa-server
 conditions:
- Channel: 'Microsoft-Windows-LSA/Operational'
\ No newline at end of file
+ Channel: 'Microsoft-Windows-LSA/Operational'
+ windows-appxpackaging-om:
+ product: windows
+ service: appxpackaging-om
+ conditions:
+ Channel: 'Microsoft-Windows-AppxPackaging/Operational'
+ windows-dns-client:
+ product: windows
+ service: dns-client
+ conditions:
+ Channel: 'Microsoft-Windows-DNS Client Events/Operational'
+ windows-appmodel-runtime:
+ product: windows
+ service: appmodel-runtime
+ conditions:
+ Channel: 'Microsoft-Windows-AppModel-Runtime/Admin'