config: add PrintService Operational

tools/config/elk-windows.yml

@@ -52,6 +52,11 @@ logsources:
     service: printservice-admin
     conditions:
       EventLog: 'Microsoft-Windows-PrintService/Admin'
+  windows-printservice-operational:
+    product: windows
+    service: printservice-operational
+    conditions:
+      EventLog: 'Microsoft-Windows-PrintService/Operational'
   windows-smbclient-security:
     product: windows
     service: smbclient-security

tools/config/elk-winlogbeat-sp.yml

@@ -52,6 +52,11 @@ logsources:
     service: printservice-admin
     conditions:
       log_name: 'Microsoft-Windows-PrintService/Admin'
+  windows-printservice-operational:
+    product: windows
+    service: printservice-operational
+    conditions:
+      log_name: 'Microsoft-Windows-PrintService/Operational'
   windows-smbclient-security:
     product: windows
     service: smbclient-security

tools/config/elk-winlogbeat.yml

@@ -52,6 +52,11 @@ logsources:
     service: printservice-admin
     conditions:
       log_name: 'Microsoft-Windows-PrintService/Admin'
+  windows-printservice-operational:
+    product: windows
+    service: printservice-operational
+    conditions:
+      log_name: 'Microsoft-Windows-PrintService/Operational'
   windows-smbclient-security:
     product: windows
     service: smbclient-security

tools/config/fireeye-helix.yml

@@ -76,6 +76,11 @@ logsources:
         service: printservice-admin
         conditions:
             channel: 'Microsoft-Windows-PrintService/Admin'
+    windows-printservice-operational:
+        product: windows
+        service: printservice-operational
+        conditions:
+            channel: 'Microsoft-Windows-PrintService/Operational'
     windows-smbclient-security:
         product: windows
         index: windows

tools/config/logpoint-windows.yml

@@ -52,6 +52,11 @@ logsources:
     service: printservice-admin
     conditions:
       event_source: 'Microsoft-Windows-PrintService/Admin'
+  windows-printservice-operational:
+    product: windows
+    service: printservice-operational
+    conditions:
+      event_source: 'Microsoft-Windows-PrintService/Operational'
   windows-smbclient-security:
     product: windows
     service: smbclient-security

tools/config/logstash-windows.yml

@@ -73,6 +73,11 @@ logsources:
     service: printservice-admin
     conditions:
       Channel: 'Microsoft-Windows-PrintService/Admin'
+  windows-printservice-operational:
+    product: windows
+    service: printservice-operational
+    conditions:
+      Channel: 'Microsoft-Windows-PrintService/Operational'
   windows-smbclient-security:
     product: windows
     service: smbclient-security

tools/config/powershell-windows-all.yml

@@ -79,6 +79,11 @@ logsources:
     service: printservice-admin
     conditions:
       LogName: 'Microsoft-Windows-PrintService/Admin'
+  windows-printservice-operational:
+    product: windows
+    service: printservice-operational
+    conditions:
+      LogName: 'Microsoft-Windows-PrintService/Operational'
   windows-smbclient-security:
     product: windows
     service: smbclient-security

tools/config/powershell.yml

@@ -93,6 +93,11 @@ logsources:
     service: printservice-admin
     conditions:
       LogName: 'Microsoft-Windows-PrintService/Admin'
+  windows-printservice-operational:
+    product: windows
+    service: printservice-operational
+    conditions:
+      LogName: 'Microsoft-Windows-PrintService/Operational'
   windows-smbclient-security:
     product: windows
     service: smbclient-security

tools/config/splunk-windows.yml

@@ -89,6 +89,11 @@ logsources:
     service: printservice-admin
     conditions:
       source: 'Microsoft-Windows-PrintService/Admin'
+  windows-printservice-operational:
+    product: windows
+    service: printservice-operational
+    conditions:
+      source: 'Microsoft-Windows-PrintService/Operational'
   windows-smbclient-security:
     product: windows
     service: smbclient-security

tools/config/sumologic.yml

@@ -76,6 +76,11 @@ logsources:
     service: printservice-admin
     conditions:
       EventChannel: 'Microsoft-Windows-PrintService/Admin'
+  windows-printservice-operational:
+    product: windows
+    service: printservice-operational
+    conditions:
+      EventChannel: 'Microsoft-Windows-PrintService/Operational'
   windows-smbclient-security:
     product: windows
     service: smbclient-security

tools/config/thor.yml

@@ -200,7 +200,12 @@ logsources:
     product: windows
     service: smbclient-security
     sources:
-      - "Microsoft-Windows-SmbClient/Security"
+      - "WinEventLog:Microsoft-Windows-SmbClient/Security"
+  windows-printservice-operational:
+    product: windows
+    service: printservice-operational
+    sources:
+      - "WinEventLog:Microsoft-Windows-PrintService/Operational"
   windows-applocker:
     product: windows
     service: applocker

tools/config/winlogbeat-modules-enabled.yml

@@ -60,6 +60,11 @@ logsources:
     service: printservice-admin
     conditions:
       winlog.channel: 'Microsoft-Windows-PrintService/Admin'
+  windows-printservice-operational:
+    product: windows
+    service: printservice-operational
+    conditions:
+      winlog.channel: 'Microsoft-Windows-PrintService/Operational'
   windows-smbclient-security:
     product: windows
     service: smbclient-security

tools/config/winlogbeat.yml

@@ -59,6 +59,11 @@ logsources:
     service: printservice-admin
     conditions:
       winlog.channel: 'Microsoft-Windows-PrintService/Admin'
+  windows-printservice-operational:
+    product: windows
+    service: printservice-operational
+    conditions:
+      winlog.channel: 'Microsoft-Windows-PrintService/Operational'
   windows-smbclient-security:
     product: windows
     service: smbclient-security