@@ -190,7 +190,9 @@ fieldmappings:
ClassId: winlog.event_data.ClassId
DeviceDescription: winlog.event_data.DeviceDescription
# ErrorCode => printservice-admin EventID: 4909 or 808
ErrorCode: winlog.event_data.ErrorCode
ErrorCode:
service=windefend: winlog.event_data.Error\ Code
default: winlog.event_data.ErrorCode
FilePath: winlog.event_data.FilePath
# Filename => category: antivirus
Filename: winlog.event_data.Filename
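Review bot: The comment above `ErrorCode` still describes only the printservice-admin case, while the mapping under it now also carries a `service=windefend` branch resolving to `winlog.event_data.Error\ Code`; extend it to `# ErrorCode => printservice-admin EventID: 4909 or 808; windefend writes it as "Error Code" (backslash escapes the space for the backend)`. The same conditional form is introduced for NewValue, OldValue and ProcessName in the later hunks (`@@ -446`, `@@ -459`, `@@ -472`), and none of them records why the Defender channel needs a space-separated event_data key, so a one-line comment at the first of those would stop the next maintainer from "fixing" the backslash. The plain `ErrorCode: winlog.event_data.ErrorCode` line is presumably the removed one here; if it were kept next to the conditional mapping, duplicate-key last-wins parsing would silently discard one of the two.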
@@ -337,6 +339,7 @@ fieldmappings:
CommandType: powershell.command.type
EngineVersion:
service=powershell-classic: powershell.engine.version
service=windefend: winlog.event_data.Engine\ Version
default: winlog.event_data.EngineVersion
HostApplication: process.command_line
HostId: process.entity_id
@@ -446,7 +449,9 @@ fieldmappings:
NewTargetUserName: winlog.event_data.NewTargetUserName
NewTime: winlog.event_data.NewTime
NewUacValue: winlog.event_data.NewUacValue
NewValue: winlog.event_data.NewValue
NewValue:
service=windefend: winlog.event_data.New\ Value
default: winlog.event_data.NewValue
NewValueType: winlog.event_data.NewValueType
ObjectClass: winlog.event_data.ObjectClass
ObjectDN: winlog.event_data.ObjectDN
@@ -459,7 +464,9 @@ fieldmappings:
OldSd: winlog.event_data.OldSd
OldTargetUserName: winlog.event_data.OldTargetUserName
OldUacValue: winlog.event_data.OldUacValue
OldValue: winlog.event_data.OldValue
OldValue:
service=windefend: winlog.event_data.Old\ Value
default: winlog.event_data.OldValue
OldValueType: winlog.event_data.OldValueType
OpCorrelationID: winlog.event_data.OpCorrelationID
OperationType: winlog.event_data.OperationType
@@ -472,7 +479,9 @@ fieldmappings:
PreviousTime: winlog.event_data.PreviousTime
PrimaryGroupId: winlog.event_data.PrimaryGroupId
PrivilegeList: winlog.event_data.PrivilegeList
ProcessName: process.executable
ProcessName:
service=windefend: winlog.event_data.Process\ Name
default: process.executable
ProfilePath: winlog.event_data.ProfilePath
Properties: winlog.event_data.Properties
PuaCount: winlog.event_data.PuaCount
@@ -563,43 +572,38 @@ fieldmappings:
#
# Microsoft-Windows-Windows Defender/Operational
#
Action_ID: winlog.event_data.Action\ ID
Action_Name: winlog.event_data.Action\ Name
Additional_Actions_ID: winlog.event_data.Additional\ Actions\ ID
Additional_Actions_String: winlog.event_data.Additional\ Actions\ String
Category_ID: winlog.event_data.Category\ ID
Category_Name: winlog.event_data.Category\ Name
Detection_ID: winlog.event_data.Detection\ ID
Detection_Time: winlog.event_data.Detection\ Time
Detection_User: winlog.event_data.Detection\ User
Engine_Version: winlog.event_data.Engine\ Version
Error_Code: winlog.event_data.Error\ Code
Error_Description: winlog.event_data.Error\ Description
Execution_ID: winlog.event_data.Execution\ ID
Execution_Name: winlog.event_data.Execution\ Name
ActionID: winlog.event_data.Action\ ID
ActionName: winlog.event_data.Action\ Name
AdditionalActionsID: winlog.event_data.Additional\ Actions\ ID
AdditionalActionsString: winlog.event_data.Additional\ Actions\ String
CategoryID: winlog.event_data.Category\ ID
CategoryName: winlog.event_data.Category\ Name
DetectionID: winlog.event_data.Detection\ ID
DetectionTime: winlog.event_data.Detection\ Time
DetectionUser: winlog.event_data.Detection\ User
ErrorDescription: winlog.event_data.Error\ Description
ExecutionID: winlog.event_data.Execution\ ID
ExecutionName: winlog.event_data.Execution\ Name
FWLink: winlog.event_data.FWLink
New_Value: winlog.event_data.New\ Value
Old_Value: winlog.event_data.Old\ Value
Origin_ID: winlog.event_data.Origin\ ID
Origin_Name: winlog.event_data.Origin\ Name
OriginID: winlog.event_data.Origin\ ID
OriginName: winlog.event_data.Origin\ Name
Path: winlog.event_data.Path
Post_Clean_Status: winlog.event_data.Post\ Clean\ Status
Pre_Execution_Status: winlog.event_data.Pre\ Execution\ Status
Process_Name: winlog.event_data.Process\ Name
Product_Name: winlog.event_data.Product\ Name
Product_Version: winlog.event_data.Product\ Version
Remediation_User: winlog.event_data.Remediation\ User
Security_intelligence_Version: winlog.event_data.Security\ intelligence\ Version
Severity_ID: winlog.event_data.Severity\ ID
Severity_Name: winlog.event_data.Severity\ Name
Source_ID: winlog.event_data.Source\ ID
Source_Name: winlog.event_data.Source\ Name
Status_Code: winlog.event_data.Status\ Code
Status_Description: winlog.event_data.Status\ Description
Threat_ID: winlog.event_data.Threat\ ID
Threat_Name: winlog.event_data.Threat\ Name
Type_ID: winlog.event_data.Type\ ID
Type_Name: winlog.event_data.Type\ Name
PostCleanStatus: winlog.event_data.Post\ Clean\ Status
PreExecutionStatus: winlog.event_data.Pre\ Execution\ Status
ProductName: winlog.event_data.Product\ Name
ProductVersion: winlog.event_data.Product\ Version
RemediationUser: winlog.event_data.Remediation\ User
SecurityintelligenceVersion: winlog.event_data.Security\ intelligence\ Version
SeverityID: winlog.event_data.Severity\ ID
SeverityName: winlog.event_data.Severity\ Name
SourceID: winlog.event_data.Source\ ID
SourceName: winlog.event_data.Source\ Name
StatusCode: winlog.event_data.Status\ Code
StatusDescription: winlog.event_data.Status\ Description
ThreatID: winlog.event_data.Threat\ ID
ThreatName: winlog.event_data.Threat\ Name
TypeID: winlog.event_data.Type\ ID
TypeName: winlog.event_data.Type\ Name
#
# Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
#
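Review bot: `SecurityintelligenceVersion` carries the lowercase `i` over from the old `Security_intelligence_Version` key, so it only matches a rule that spells the field exactly that way; if rules use `SecurityIntelligenceVersion`, the field stays unmapped and the generated query silently targets a non-existent index field, which means the detection never fires instead of erroring. Confirm the spelling against the rules that reference it and change the key to that form (or list both spellings). Dropping the underscore keys (`Threat_Name`, `Action_ID`, and the rest) without keeping them as aliases has the same silent-failure mode for any rule or custom mapping still using them; keeping the old keys alongside the new ones until those rules are migrated would avoid it. Only `FWLink` and `Path` are left unchanged, which is consistent since they had no underscores to drop.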