diff --git a/tests/logsource.json b/tests/logsource.json
index 45761f7da..7f7ab8b7d 100644
--- a/tests/logsource.json
+++ b/tests/logsource.json
@@ -44,6 +44,7 @@
 "file_rename":["Irp","FileObject","FileKey","ExtraInformation","IssuingThreadId","InfoClass","FilePath"]
 },
 "service":{
+ "bitlocker": ["VolumeName", "VolumeMountPoint", "ProtectorGUID", "ProtectorType"],
 "bits-client":["RemoteName","LocalName","processPath","processId"],
 "codeintegrity-operational":["FileNameLength","FileNameBuffer","ProcessNameLength","ProcessNameBuffer",
 "RequestedPolicy","ValidatedPolicy","Status"],
diff --git a/tests/test_rules.py b/tests/test_rules.py
index 004b72032..f864f9975 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -857,6 +857,8 @@ class TestRules(unittest.TestCase):
 pattern_prefix = "win_applocker_"
 elif value == "dns-server-analytic":
 pattern_prefix = "win_dns_analytic_"
+ elif value == "bitlocker":
+ pattern_prefix = "win_bitlocker_"
 # This value is used to test if we should add the OS infix for certain categories
 if os_bool:
diff --git a/tools/config/elk-windows.yml b/tools/config/elk-windows.yml
index df881f41a..458f64607 100644
--- a/tools/config/elk-windows.yml
+++ b/tools/config/elk-windows.yml
@@ -109,4 +109,9 @@ logsources:
 service: ldap_debug
 conditions:
 EventLog: 'Microsoft-Windows-LDAP-Client/Debug'
+ windows-bitlocker:
+ product: windows
+ service: bitlocker
+ conditions:
+ EventLog: 'Microsoft-Windows-BitLocker/BitLocker Management'
 defaultindex: logstash-*
diff --git a/tools/config/elk-winlogbeat-sp.yml b/tools/config/elk-winlogbeat-sp.yml
index 5f3098e63..90f764db2 100644
--- a/tools/config/elk-winlogbeat-sp.yml
+++ b/tools/config/elk-winlogbeat-sp.yml
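Review bot: The new `elif value == "bitlocker": pattern_prefix = "win_bitlocker_"` is the third visible branch of an if/elif ladder that only translates a logsource service name into a rule-file prefix, and that mapping reads and extends more cleanly as data than as control flow. A module-level `SERVICE_PREFIX = {"applocker": "win_applocker_", "dns-server-analytic": "win_dns_analytic_", "bitlocker": "win_bitlocker_"}` with a single `pattern_prefix = SERVICE_PREFIX.get(value, pattern_prefix)` would replace the chain and make the next service a one-line addition. The enclosing test method starts and ends outside the hunk, so the default prefix and any earlier branches are not visible here and the lookup's fallback would need to be confirmed against them.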
@@ -109,6 +109,11 @@ logsources:
 service: ldap_debug
 conditions:
 log_name: 'Microsoft-Windows-LDAP-Client/Debug'
+ windows-bitlocker:
+ product: windows
+ service: bitlocker
+ conditions:
+ log_name: 'Microsoft-Windows-BitLocker/BitLocker Management'
 defaultindex:
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml
index 4e55a3e8c..cb0d4e24a 100644
--- a/tools/config/elk-winlogbeat.yml
+++ b/tools/config/elk-winlogbeat.yml
@@ -109,6 +109,11 @@ logsources:
 service: ldap_debug
 conditions:
 logname: 'Microsoft-Windows-LDAP-Client/Debug'
+ windows-bitlocker:
+ product: windows
+ service: bitlocker
+ conditions:
+ logname: 'Microsoft-Windows-BitLocker/BitLocker Management'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
diff --git a/tools/config/fireeye-helix.yml b/tools/config/fireeye-helix.yml
index 1eedbd76b..ff57115d1 100644
--- a/tools/config/fireeye-helix.yml
+++ b/tools/config/fireeye-helix.yml
@@ -137,6 +137,11 @@ logsources:
 service: ldap_debug
 conditions:
 channel: 'Microsoft-Windows-LDAP-Client/Debug'
+ windows-bitlocker:
+ product: windows
+ service: bitlocker
+ conditions:
+ channel: 'Microsoft-Windows-BitLocker/BitLocker Management'
 linux:
 product: linux
 index: posix
diff --git a/tools/config/logpoint-windows.yml b/tools/config/logpoint-windows.yml
index 879e1bc07..f7faa953f 100644
--- a/tools/config/logpoint-windows.yml
+++ b/tools/config/logpoint-windows.yml
@@ -109,6 +109,11 @@ logsources:
 service: ldap_debug
 conditions:
 event_source: 'Microsoft-Windows-LDAP-Client/Debug'
+ windows-bitlocker:
+ product: windows
+ service: bitlocker
+ conditions:
+ event_source: 'Microsoft-Windows-BitLocker/BitLocker Management'
 fieldmappings:
 EventID: event_id
 FailureCode: result_code
diff --git a/tools/config/logstash-windows.yml b/tools/config/logstash-windows.yml
index 637f099f8..48bcf02c0 100644
--- a/tools/config/logstash-windows.yml
+++ b/tools/config/logstash-windows.yml
@@ -130,4 +130,9 @@ logsources:
 service: ldap_debug
 conditions:
 Channel: 'Microsoft-Windows-LDAP-Client/Debug'
+ windows-bitlocker:
+ product: windows
+ service: bitlocker
+ conditions:
+ Channel: 'Microsoft-Windows-BitLocker/BitLocker Management'
 defaultindex: logstash-*
diff --git a/tools/config/powershell.yml b/tools/config/powershell.yml
index 6102e3d8c..556051e6c 100644
--- a/tools/config/powershell.yml
+++ b/tools/config/powershell.yml
@@ -150,4 +150,9 @@ logsources:
 product: windows
 service: ldap_debug
 conditions:
- LogName: 'Microsoft-Windows-LDAP-Client/Debug'
\ No newline at end of file
+ LogName: 'Microsoft-Windows-LDAP-Client/Debug'
+ windows-bitlocker:
+ product: windows
+ service: bitlocker
+ conditions:
+ LogName: 'Microsoft-Windows-BitLocker/BitLocker Management'
\ No newline at end of file
diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml
index f8c30dcca..1df7507d0 100644
--- a/tools/config/splunk-windows.yml
+++ b/tools/config/splunk-windows.yml
@@ -166,6 +166,11 @@ logsources:
 service: ldap_debug
 conditions:
 source: 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug'
+ windows-bitlocker:
+ product: windows
+ service: bitlocker
+ conditions:
+ source: 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management'
 windows-defender:
 product: windows
 service: windefend
diff --git a/tools/config/sumologic.yml b/tools/config/sumologic.yml
index aa0e9f75e..d23d40698 100644
--- a/tools/config/sumologic.yml
+++ b/tools/config/sumologic.yml
@@ -140,6 +140,11 @@ logsources:
 service: ldap_debug
 conditions:
 source: 'Microsoft-Windows-LDAP-Client/Debug'
+ windows-bitlocker:
+ product: windows
+ service: bitlocker
+ conditions:
+ source: 'Microsoft-Windows-BitLocker/BitLocker Management'
 apache:
 service: apache
 index: WEBSERVER
diff --git a/tools/config/thor.yml b/tools/config/thor.yml
index 86c46e545..5eb6437e4 100644
--- a/tools/config/thor.yml
+++ b/tools/config/thor.yml
@@ -414,6 +414,11 @@ logsources:
 service: ldap_debug
 sources:
 - 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug'
+ windows-bitlocker:
+ product: windows
+ service: bitlocker
+ sources:
+ - 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management'
 apache:
 category: webserver
 sources:
diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index cbc432525..ce55c210f 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@@ -154,6 +154,11 @@ logsources:
 service: ldap_debug
 conditions:
 winlog.channel: 'Microsoft-Windows-LDAP-Client/Debug'
+ windows-bitlocker:
+ product: windows
+ service: bitlocker
+ conditions:
+ winlog.channel: 'Microsoft-Windows-BitLocker/BitLocker Management'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml
index 564ecfee6..6234fc1ed 100644
--- a/tools/config/winlogbeat-old.yml
+++ b/tools/config/winlogbeat-old.yml
@@ -117,6 +117,11 @@ logsources:
 service: ldap_debug
 conditions:
 log_name: 'Microsoft-Windows-LDAP-Client/Debug'
+ windows-bitlocker:
+ product: windows
+ service: bitlocker
+ conditions:
+ log_name: 'Microsoft-Windows-BitLocker/BitLocker Management'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml
index 23eedcd78..7948fcf8c 100644
--- a/tools/config/winlogbeat.yml
+++ b/tools/config/winlogbeat.yml
@@ -143,6 +143,11 @@ logsources:
 service: ldap_debug
 conditions:
 winlog.channel: 'Microsoft-Windows-LDAP-Client/Debug'
+ windows-bitlocker:
+ product: windows
+ service: bitlocker
+ conditions:
+ winlog.channel: 'bitlocker'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
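Review bot: The new windows-bitlocker entry in winlogbeat.yml sets `winlog.channel: 'bitlocker'`, which is the Sigma service label rather than the event channel, and disagrees both with the `winlog.channel: 'Microsoft-Windows-LDAP-Client/Debug'` pattern of the ldap_debug entry directly above it and with the full channel name every other backend config in this commit uses for the same logsource. Every BitLocker rule converted with this config would presumably be turned into a query filtering on a channel value that no winlogbeat event carries, so the rules would match nothing without any conversion error to flag it; change it to `winlog.channel: 'Microsoft-Windows-BitLocker/BitLocker Management'`. Nothing in the tests touched here cross-checks backend configs against each other, so a test asserting that each config's windows-bitlocker condition value is the full channel name would keep this from recurring.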