From 5715413da99ee8db8440ea147a460d38f35bcd3f Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Tue, 11 Jun 2019 13:15:43 +0200
Subject: [PATCH] Usage of Channel field name in ELK Windows config

---
 .../sysmon_termserv_proc_spawn.yml | 0
 tools/config/elk-windows.yml | 12 ++++++------
 2 files changed, 6 insertions(+), 6 deletions(-)
 rename rules/windows/{sysmon => process_creation}/sysmon_termserv_proc_spawn.yml (100%)

diff --git a/rules/windows/sysmon/sysmon_termserv_proc_spawn.yml b/rules/windows/process_creation/sysmon_termserv_proc_spawn.yml
similarity index 100%
rename from rules/windows/sysmon/sysmon_termserv_proc_spawn.yml
rename to rules/windows/process_creation/sysmon_termserv_proc_spawn.yml
diff --git a/tools/config/elk-windows.yml b/tools/config/elk-windows.yml
index 24dd92fa9..ed94fc3d0 100644
--- a/tools/config/elk-windows.yml
+++ b/tools/config/elk-windows.yml
@@ -15,30 +15,30 @@ logsources:
     product: windows
     service: application
     conditions:
-      EventLog: Application
+      Channel: Application
   windows-security:
     product: windows
     service: security
     conditions:
-      EventLog: Security
+      Channel: Security
   windows-sysmon:
     product: windows
     service: sysmon
     conditions:
-      EventLog: Microsoft-Windows-Sysmon
+      Channel: Microsoft-Windows-Sysmon
   windows-dns-server:
     product: windows
     service: dns-server
     conditions:
-      EventLog: 'DNS Server'
+      Channel: 'DNS Server'
   windows-driver-framework:
     product: windows
     service: driver-framework
     conditions:
-      source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+      Channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
   windows-dhcp:
     product: windows
     service: dhcp
     conditions:
-      source: 'Microsoft-Windows-DHCP-Server/Operational'
+      Channel: 'Microsoft-Windows-DHCP-Server/Operational'
 defaultindex: logstash-*
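Review bot: The new `Channel` conditions in this hunk only select events for shippers that emit a field of that name (NXLog does; Winlogbeat exposes the channel as `log_name`, or `winlog.channel` in its ECS layout), and nothing in the file records which shipper this config assumes, so a mismatched pipeline would make every converted rule silently match nothing. A comment above the first logsource, e.g. `# Condition field names assume the NXLog event layout (Channel); Winlogbeat users should use the winlogbeat config instead`, would make the assumption explicit. The `logsources:` block begins before the hunk at line 15, so any Windows logsource defined in lines 1–14 should presumably be checked for a leftover `EventLog:` or `source:` condition, since the six renamed here are the only ones visible.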