security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added configuration for auditbeat, mapping to Elastic ECS

Browse Source
This commit is contained in:
Steven
2021-09-23 14:59:51 +02:00
parent 3107ede1c4
commit 35a710eec6
1 changed files with 252 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tools/config/auditbeat.yml
+252
View File
@@ -0,0 +1,252 @@
title: Elastic Auditbeat (from 7.x) index pattern and field mapping following Elastic enabled Modules
order: 20
backends:
- es-qs
- es-dsl
- es-rule
- es-rule-eql
- es-eql
- kibana
- kibana-ndjson
- xpack-watcher
- elastalert
- elastalert-dsl
- ee-outliers
logsources:
linux_auditd:
product: linux
service: auditd
conditions:
event.provider: auditd
defaultindex: auditbeat-*
fieldmappings:
# https://www.elastic.co/guide/en/beats/auditbeat/current/exported-fields-auditd.html
a0: auditd.data.a0
a1: auditd.data.a1
a2: auditd.data.a2
a3: auditd.data.a3
acct: auditd.data.acct
acl: auditd.data.acl
action: auditd.data.action
added: auditd.data.added
addr: auditd.data.socket.addr
apparmor: auditd.data.apparmor
arch: auditd.data.arch
argc: auditd.data.argc
audit_backlog_limit: auditd.data.audit_backlog_limit
audit_backlog_wait_time: auditd.data.audit_backlog_wait_time
audit_enabled: auditd.data.audit_enabled
audit_failure: auditd.data.audit_failure
auid: user.auid
banners: auditd.data.banners
bool: auditd.data.bool
bus: auditd.data.bus
capability: auditd.data.capability
cap_fe: auditd.data.cap_fe
cap_fi: auditd.data.cap_fi
cap_fp: auditd.data.cap_fp
cap_fver: auditd.data.cap_fver
cap_pa: auditd.data.cap_pa
cap_pe: auditd.data.cap_pe
cap_pi: auditd.data.cap_pi
cap_pp: auditd.data.cap_pp
category: user.selinux.category
cgroup: auditd.data.cgroup
changed: auditd.data.changed
cipher: auditd.data.cipher
class: auditd.data.class
cmd: auditd.data.cmd
code: auditd.data.code
comm: auditd.data.comm
compat: auditd.data.compat
cwd: process.cwd
daddr: auditd.data.daddr
data: auditd.data.data
default-context: auditd.data.default-context
dev: auditd.paths.dev
device: auditd.data.device
dir: auditd.data.dir
direction: auditd.data.direction
dmac: auditd.data.dmac
dport: auditd.data.dport
enforcing: auditd.data.enforcing
entries: auditd.data.entries
exe: process.executable
exit: auditd.data.exit
fam: auditd.data.fam
family: auditd.data.family
fd: auditd.data.fd
file: auditd.data.file
flags: auditd.data.flags
fe: auditd.data.fe
feature: auditd.data.feature
fi: auditd.data.fi
fp: auditd.data.fp
format: auditd.data.format
fsgid: user.fsgid
fsuid: user.fsuid
fver: auditd.data.fver
gid: user.gid
grantors: auditd.data.grantors
grp: auditd.data.grp
hook: auditd.data.hook
hostname: auditd.data.hostname
icmp_type: auditd.data.icmp_type
id: auditd.data.id
igid: auditd.data.igid
Image:
img-ctx: auditd.data.img-ctx
inif: auditd.data.inif
ip: auditd.data.ip
ipid: auditd.data.ipid
ino: auditd.data.ino
inode: auditd.paths.inode
inode_gid: auditd.data.inode_gid
inode_uid: auditd.data.inode_uid
invalid_context: auditd.data.invalid_context
ioctlcmd: auditd.data.ioctlcmd
ipx-net: auditd.data.ipx-net
item: auditd.paths.item
items: auditd.data.items
iuid: auditd.data.iuid
kernel: auditd.data.kernel
kind: auditd.data.kind
ksize: auditd.data.ksize
laddr: auditd.data.laddr
len: auditd.data.len
lport: auditd.data.lport
list: auditd.data.list
mac: auditd.data.mac
macproto: auditd.data.macproto
maj: auditd.data.maj
major: auditd.data.major
minor: auditd.data.minor
mode: auditd.paths.mode
model: auditd.data.model
msg: auditd.data.msg
nargs: auditd.data.nargs
name: auditd.paths.name
nametype: auditd.paths.nametype
net: auditd.data.net
new: auditd.data.new
new-chardev: auditd.data.new-chardev
new-disk: auditd.data.new-disk
new-enabled: auditd.data.new-enabled
new-fs: auditd.data.new-fs
new_gid: auditd.data.new_gid
new-level: auditd.data.new-level
new_lock: auditd.data.new_lock
new-log_passwd: auditd.data.new-log_passwd
new-mem: auditd.data.new-mem
new-net: auditd.data.new-net
new_pe: auditd.data.new_pe
new_pi: auditd.data.new_pi
new_pp: auditd.data.new_pp
new-range: auditd.data.new-range
new-rng: auditd.data.new-rng
new-role: auditd.data.new-role
new-seuser: auditd.data.new-seuser
new-vcpu: auditd.data.new-vcpu
nlnk-fam: auditd.data.nlnk-fam
nlnk-grp: auditd.data.nlnk-grp
nlnk-pid: auditd.data.nlnk-pid
oauid: auditd.data.oauid
obj: auditd.data.obj
obj_gid: auditd.data.obj_gid
obj_uid: auditd.data.obj_uid
oflag: auditd.data.oflag
ogid: auditd.paths.ogid
ocomm: auditd.data.ocomm
old: auditd.data.old
old-auid: auditd.data.old-auid
old-chardev: auditd.data.old-chardev
old-disk: auditd.data.old-disk
old-enabled: auditd.data.old-enabled
old_enforcing: auditd.data.old_enforcing
old-fs: auditd.data.old-fs
old-level: auditd.data.old-level
old_lock: auditd.data.old_lock
old-log_passwd: auditd.data.old-log_passwd
old-mem: auditd.data.old-mem
old-net: auditd.data.old-net
old_pa: auditd.data.old_pa
old_pe: auditd.data.old_pe
old_pi: auditd.data.old_pi
old_pp: auditd.data.old_pp
old_prom: auditd.data.old_prom
old-range: auditd.data.old-range
old-rng: auditd.data.old-rng
old-role: auditd.data.old-role
old-ses: auditd.data.old-ses
old-seuser: auditd.data.old-seuser
old_val: auditd.data.old_val
old-vcpu: auditd.data.old-vcpu
op: auditd.data.op
opid: auditd.data.opid
oses: auditd.data.oses
ouid: auditd.paths.ouid
outif: auditd.data.outif
parent: auditd.data.parent
path: source.path
per: auditd.data.per
perm: auditd.data.perm
perm_mask: auditd.data.perm_mask
permissive: auditd.data.permissive
pfs: auditd.data.pfs
printer: auditd.data.printer
prom: auditd.data.prom
proctitle: proctitle
proto: auditd.data.proto
qbytes: auditd.data.qbytes
range: auditd.data.range
rdev: auditd.paths.rdev
reason: auditd.data.reason
removed: auditd.data.removed
res: auditd.data.res
resrc: auditd.data.resrc
result: auditd.result
role: user.selinux.role
rport: auditd.data.rport
saddr: auditd.data.socket.saddr
sauid: auditd.data.sauid
scontext: auditd.data.scontext
selected-context: auditd.data.selected-context
seperm: auditd.data.seperm
seqno: auditd.data.seqno
seperms: auditd.data.seperms
seresult: auditd.data.seresult
ses: auditd.data.ses
seuser: auditd.data.seuser
sgid: user.sgid
sig: auditd.data.sig
sigev_signo: auditd.data.sigev_signo
smac: auditd.data.smac
spid: auditd.data.spid
sport: auditd.data.sport
state: auditd.data.state
subj: auditd.data.subj
success: auditd.data.success
suid: user.suid
syscall: auditd.data.syscall
table: auditd.data.table
TargetFileName: auditd.data.file
tclass: auditd.data.tclass
tcontext: auditd.data.tcontext
terminal: auditd.data.terminal
tty: auditd.data.tty
type: user.selinux.domain
uid: user.uid
unit: auditd.data.unit
uri: auditd.data.uri
user: user.selinux.user
uuid: auditd.data.uuid
val: auditd.data.val
ver: auditd.data.ver
virt: auditd.data.virt
vm: auditd.data.vm
vm-ctx: auditd.data.vm-ctx
vm-pid: auditd.data.vm-pid
watch: auditd.data.watch