From 68f0cdf338bf1de12b2ca4fdd1111be98c8acd54 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 20 Jan 2022 09:44:36 +0100
Subject: [PATCH] feat: new log channel windows-codeintegrity-operational

https://twitter.com/SBousseaden/status/1483810148602814466

---
 tools/config/elk-windows.yml | 5 +++++
 tools/config/elk-winlogbeat-sp.yml | 5 +++++
 tools/config/elk-winlogbeat.yml | 5 +++++
 tools/config/fireeye-helix.yml | 5 +++++
 tools/config/hawk.yml | 5 +++++
 tools/config/logpoint-windows.yml | 5 +++++
 tools/config/logstash-windows.yml | 5 +++++
 tools/config/powershell.yml | 5 +++++
 tools/config/splunk-windows.yml | 5 +++++
 tools/config/sumologic.yml | 5 +++++
 tools/config/thor.yml | 5 +++++
 tools/config/winlogbeat-modules-enabled.yml | 5 +++++
 tools/config/winlogbeat.yml | 5 +++++
 tools/config/zircolite.yml | 5 +++++
 14 files changed, 70 insertions(+)

diff --git a/tools/config/elk-windows.yml b/tools/config/elk-windows.yml
index 9c532f66d..2543aac16 100644
--- a/tools/config/elk-windows.yml
+++ b/tools/config/elk-windows.yml
@@ -57,6 +57,11 @@ logsources:
 service: printservice-operational
 conditions:
 EventLog: 'Microsoft-Windows-PrintService/Operational'
+ windows-codeintegrity-operational:
+ product: windows
+ service: codeintegrity-operational
+ conditions:
+ EventLog: 'Microsoft-Windows-CodeIntegrity/Operational'
 windows-smbclient-security:
 product: windows
 service: smbclient-security
diff --git a/tools/config/elk-winlogbeat-sp.yml b/tools/config/elk-winlogbeat-sp.yml
index 80af860a9..7e30b7d13 100644
--- a/tools/config/elk-winlogbeat-sp.yml
+++ b/tools/config/elk-winlogbeat-sp.yml
@@ -57,6 +57,11 @@ logsources:
 service: printservice-operational
 conditions:
 log_name: 'Microsoft-Windows-PrintService/Operational'
+ windows-codeintegrity-operational:
+ product: windows
+ service: codeintegrity-operational
+ conditions:
+ log_name: 'Microsoft-Windows-CodeIntegrity/Operational'
 windows-smbclient-security:
 product: windows
 service: smbclient-security
diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml
index 97dfe3ec8..16ae8e6a3 100644
--- a/tools/config/elk-winlogbeat.yml
+++ b/tools/config/elk-winlogbeat.yml
@@ -57,6 +57,11 @@ logsources:
 service: printservice-operational
 conditions:
 log_name: 'Microsoft-Windows-PrintService/Operational'
+ windows-codeintegrity-operational:
+ product: windows
+ service: codeintegrity-operational
+ conditions:
+ log_name: 'Microsoft-Windows-CodeIntegrity/Operational'
 windows-smbclient-security:
 product: windows
 service: smbclient-security
diff --git a/tools/config/fireeye-helix.yml b/tools/config/fireeye-helix.yml
index 1467124cc..2a04e96ec 100644
--- a/tools/config/fireeye-helix.yml
+++ b/tools/config/fireeye-helix.yml
@@ -81,6 +81,11 @@ logsources:
 service: printservice-operational
 conditions:
 channel: 'Microsoft-Windows-PrintService/Operational'
+ windows-codeintegrity-operational:
+ product: windows
+ service: codeintegrity-operational
+ conditions:
+ channel: 'Microsoft-Windows-CodeIntegrity/Operational'
 windows-smbclient-security:
 product: windows
 index: windows
diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml
index fc464ce91..0fd1fb251 100644
--- a/tools/config/hawk.yml
+++ b/tools/config/hawk.yml
@@ -356,6 +356,11 @@ logsources:
 service: printservice-operational
 conditions:
 product_name: 'PrintService'
+ windows-codeintegrity-operational:
+ product: windows
+ service: codeintegrity-operational
+ conditions:
+ product_name: 'CodeIntegrity'
 windows-smbclient-security:
 product: windows
 service: smbclient-security
diff --git a/tools/config/logpoint-windows.yml b/tools/config/logpoint-windows.yml
index b821d23b8..7e7efbb02 100644
--- a/tools/config/logpoint-windows.yml
+++ b/tools/config/logpoint-windows.yml
@@ -57,6 +57,11 @@ logsources:
 service: printservice-operational
 conditions:
 event_source: 'Microsoft-Windows-PrintService/Operational'
+ windows-codeintegrity-operational:
+ product: windows
+ service: codeintegrity-operational
+ conditions:
+ event_source: 'Microsoft-Windows-CodeIntegrity/Operational'
 windows-smbclient-security:
 product: windows
 service: smbclient-security
diff --git a/tools/config/logstash-windows.yml b/tools/config/logstash-windows.yml
index f3387e076..555b3335d 100644
--- a/tools/config/logstash-windows.yml
+++ b/tools/config/logstash-windows.yml
@@ -78,6 +78,11 @@ logsources:
 service: printservice-operational
 conditions:
 Channel: 'Microsoft-Windows-PrintService/Operational'
+ windows-codeintegrity-operational:
+ product: windows
+ service: codeintegrity-operational
+ conditions:
+ Channel: 'Microsoft-Windows-CodeIntegrity/Operational'
 windows-smbclient-security:
 product: windows
 service: smbclient-security
diff --git a/tools/config/powershell.yml b/tools/config/powershell.yml
index 11db7be04..276ea9696 100644
--- a/tools/config/powershell.yml
+++ b/tools/config/powershell.yml
@@ -98,6 +98,11 @@ logsources:
 service: printservice-operational
 conditions:
 LogName: 'Microsoft-Windows-PrintService/Operational'
+ windows-codeintegrity-operational:
+ product: windows
+ service: codeintegrity-operational
+ conditions:
+ LogName: 'Microsoft-Windows-CodeIntegrity/Operational'
 windows-smbclient-security:
 product: windows
 service: smbclient-security
diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml
index 06b0c7306..948777a7c 100644
--- a/tools/config/splunk-windows.yml
+++ b/tools/config/splunk-windows.yml
@@ -107,6 +107,11 @@ logsources:
 service: printservice-operational
 conditions:
 source: 'WinEventLog:Microsoft-Windows-PrintService/Operational'
+ windows-codeintegrity-operational:
+ product: windows
+ service: codeintegrity-operational
+ conditions:
+ source: 'Microsoft-Windows-CodeIntegrity/Operational'
 windows-smbclient-security:
 product: windows
 service: smbclient-security
diff --git a/tools/config/sumologic.yml b/tools/config/sumologic.yml
index 7dea87df9..9998e8cdc 100644
--- a/tools/config/sumologic.yml
+++ b/tools/config/sumologic.yml
@@ -81,6 +81,11 @@ logsources:
 service: printservice-operational
 conditions:
 EventChannel: 'Microsoft-Windows-PrintService/Operational'
+ windows-codeintegrity-operational:
+ product: windows
+ service: codeintegrity-operational
+ conditions:
+ EventChannel: 'Microsoft-Windows-CodeIntegrity/Operational'
 windows-smbclient-security:
 product: windows
 service: smbclient-security
diff --git a/tools/config/thor.yml b/tools/config/thor.yml
index cbed042d5..6b01a4ec8 100644
--- a/tools/config/thor.yml
+++ b/tools/config/thor.yml
@@ -315,6 +315,11 @@ logsources:
 service: printservice-operational
 sources:
 - "WinEventLog:Microsoft-Windows-PrintService/Operational"
+ windows-codeintegrity-operational:
+ product: windows
+ service: codeintegrity-operational
+ sources:
+ - "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational"
 windows-applocker:
 product: windows
 service: applocker
diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index 07c3c4e09..41517c93f 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
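Review bot: The new splunk-windows.yml entry `source: 'Microsoft-Windows-CodeIntegrity/Operational'` drops the `WinEventLog:` prefix that the adjacent printservice-operational context line carries (and that the thor.yml entry in this same patch uses), so any rule mapped to `service: codeintegrity-operational` would compile to a `source=` filter that, as far as I can tell, never matches how the Splunk Windows add-on names classic event-log inputs. For a detection that is worse than a syntax error: the search deploys cleanly and silently returns nothing, so CodeIntegrity blocks (unsigned/revoked driver loads and the like) go unnoticed. Change the line to `source: 'WinEventLog:Microsoft-Windows-CodeIntegrity/Operational'` to match the file's convention. If a deployment ingests XML-rendered events instead, that is a file-wide prefix decision and not something this entry should diverge on alone.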
@@ -81,6 +81,11 @@ logsources:
 service: printservice-operational
 conditions:
 winlog.channel: 'Microsoft-Windows-PrintService/Operational'
+ windows-codeintegrity-operational:
+ product: windows
+ service: codeintegrity-operational
+ conditions:
+ winlog.channel: 'Microsoft-Windows-CodeIntegrity/Operational'
 windows-smbclient-security:
 product: windows
 service: smbclient-security
diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml
index 5e913928d..006585294 100644
--- a/tools/config/winlogbeat.yml
+++ b/tools/config/winlogbeat.yml
@@ -80,6 +80,11 @@ logsources:
 service: printservice-operational
 conditions:
 winlog.channel: 'Microsoft-Windows-PrintService/Operational'
+ windows-codeintegrity-operational:
+ product: windows
+ service: codeintegrity-operational
+ conditions:
+ winlog.channel: 'Microsoft-Windows-CodeIntegrity/Operational'
 windows-smbclient-security:
 product: windows
 service: smbclient-security
diff --git a/tools/config/zircolite.yml b/tools/config/zircolite.yml
index af73a56fb..26b41b8ab 100644
--- a/tools/config/zircolite.yml
+++ b/tools/config/zircolite.yml
@@ -68,6 +68,11 @@ logsources:
 service: printservice-operational
 conditions:
 Channel: 'Microsoft-Windows-PrintService/Operational'
+ windows-codeintegrity-operational:
+ product: windows
+ service: codeintegrity-operational
+ conditions:
+ Channel: 'Microsoft-Windows-CodeIntegrity/Operational'
 windows-smbclient-security:
 product: windows
 service: smbclient-security