feat: add bitlocker channel

tests/logsource.json

@@ -44,6 +44,7 @@
                 "file_rename":["Irp","FileObject","FileKey","ExtraInformation","IssuingThreadId","InfoClass","FilePath"]
             },
             "service":{
+                "bitlocker": ["VolumeName", "VolumeMountPoint", "ProtectorGUID", "ProtectorType"],
                 "bits-client":["RemoteName","LocalName","processPath","processId"],
                 "codeintegrity-operational":["FileNameLength","FileNameBuffer","ProcessNameLength","ProcessNameBuffer",
                                             "RequestedPolicy","ValidatedPolicy","Status"],

tests/test_rules.py

@@ -857,6 +857,8 @@ class TestRules(unittest.TestCase):
                                     pattern_prefix = "win_applocker_"
                                 elif value == "dns-server-analytic":
                                     pattern_prefix = "win_dns_analytic_"
+                                elif value == "bitlocker":
+                                    pattern_prefix = "win_bitlocker_"
                         
                     # This value is used to test if we should add the OS infix for certain categories
                     if os_bool:

tools/config/elk-windows.yml

@@ -109,4 +109,9 @@ logsources:
     service: ldap_debug
     conditions:
       EventLog: 'Microsoft-Windows-LDAP-Client/Debug'
+  windows-bitlocker:
+    product: windows
+    service: bitlocker
+    conditions:
+      EventLog: 'Microsoft-Windows-BitLocker/BitLocker Management'
 defaultindex: logstash-*

tools/config/elk-winlogbeat-sp.yml

@@ -109,6 +109,11 @@ logsources:
     service: ldap_debug
     conditions:
       log_name: 'Microsoft-Windows-LDAP-Client/Debug'
+  windows-bitlocker:
+    product: windows
+    service: bitlocker
+    conditions:
+      log_name: 'Microsoft-Windows-BitLocker/BitLocker Management'
 defaultindex: <winlogbeat-{now/d}>
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: event_data.\1/g'

tools/config/elk-winlogbeat.yml

@@ -109,6 +109,11 @@ logsources:
     service: ldap_debug
     conditions:
       logname: 'Microsoft-Windows-LDAP-Client/Debug'
+  windows-bitlocker:
+    product: windows
+    service: bitlocker
+    conditions:
+      logname: 'Microsoft-Windows-BitLocker/BitLocker Management'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: event_data.\1/g'

tools/config/fireeye-helix.yml

@@ -137,6 +137,11 @@ logsources:
         service: ldap_debug
         conditions:
             channel: 'Microsoft-Windows-LDAP-Client/Debug'
+    windows-bitlocker:
+        product: windows
+        service: bitlocker
+        conditions:
+            channel: 'Microsoft-Windows-BitLocker/BitLocker Management'
     linux:
         product: linux
         index: posix

tools/config/logpoint-windows.yml

@@ -109,6 +109,11 @@ logsources:
     service: ldap_debug
     conditions:
       event_source: 'Microsoft-Windows-LDAP-Client/Debug'
+  windows-bitlocker:
+    product: windows
+    service: bitlocker
+    conditions:
+      event_source: 'Microsoft-Windows-BitLocker/BitLocker Management'
 fieldmappings:
     EventID: event_id
     FailureCode: result_code

tools/config/logstash-windows.yml

@@ -130,4 +130,9 @@ logsources:
     service: ldap_debug
     conditions:
       Channel: 'Microsoft-Windows-LDAP-Client/Debug'
+  windows-bitlocker:
+    product: windows
+    service: bitlocker
+    conditions:
+      Channel: 'Microsoft-Windows-BitLocker/BitLocker Management'
 defaultindex: logstash-*

tools/config/powershell.yml

@@ -150,4 +150,9 @@ logsources:
     product: windows
     service: ldap_debug
     conditions:
-      LogName: 'Microsoft-Windows-LDAP-Client/Debug'
+      LogName: 'Microsoft-Windows-LDAP-Client/Debug'
+  windows-bitlocker:
+    product: windows
+    service: bitlocker
+    conditions:
+      LogName: 'Microsoft-Windows-BitLocker/BitLocker Management'

tools/config/splunk-windows.yml

@@ -166,6 +166,11 @@ logsources:
     service: ldap_debug
     conditions:
       source: 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug'
+  windows-bitlocker:
+    product: windows
+    service: bitlocker
+    conditions:
+      source: 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management'
   windows-defender:
     product: windows
     service: windefend

tools/config/sumologic.yml

@@ -140,6 +140,11 @@ logsources:
     service: ldap_debug
     conditions:
       source: 'Microsoft-Windows-LDAP-Client/Debug'
+  windows-bitlocker:
+    product: windows
+    service: bitlocker
+    conditions:
+      source: 'Microsoft-Windows-BitLocker/BitLocker Management'
   apache:
     service: apache
     index: WEBSERVER

tools/config/thor.yml

@@ -414,6 +414,11 @@ logsources:
     service: ldap_debug
     sources:
       - 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug'
+  windows-bitlocker:
+    product: windows
+    service: bitlocker
+    sources:
+      - 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management'
   apache:
     category: webserver
     sources:

tools/config/winlogbeat-modules-enabled.yml

@@ -154,6 +154,11 @@ logsources:
     service: ldap_debug
     conditions:
       winlog.channel: 'Microsoft-Windows-LDAP-Client/Debug'
+  windows-bitlocker:
+    product: windows
+    service: bitlocker
+    conditions:
+      winlog.channel: 'Microsoft-Windows-BitLocker/BitLocker Management'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: winlog.event_data.\1/g'

tools/config/winlogbeat-old.yml

@@ -117,6 +117,11 @@ logsources:
     service: ldap_debug
     conditions:
       log_name: 'Microsoft-Windows-LDAP-Client/Debug'
+  windows-bitlocker:
+    product: windows
+    service: bitlocker
+    conditions:
+      log_name: 'Microsoft-Windows-BitLocker/BitLocker Management'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: event_data.\1/g'

tools/config/winlogbeat.yml

@@ -143,6 +143,11 @@ logsources:
     service: ldap_debug
     conditions:
       winlog.channel: 'Microsoft-Windows-LDAP-Client/Debug'
+  windows-bitlocker:
+    product: windows
+    service: bitlocker
+    conditions:
+      winlog.channel: 'bitlocker'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: winlog.event_data.\1/g'