diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index b3b0a6b9f..cbc432525 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@@ -190,7 +190,9 @@ fieldmappings:
 ClassId: winlog.event_data.ClassId
 DeviceDescription: winlog.event_data.DeviceDescription
 # ErrorCode => printservice-admin EventID: 4909 or 808
- ErrorCode: winlog.event_data.ErrorCode
+ ErrorCode:
+ service=windefend: winlog.event_data.Error\ Code
+ default: winlog.event_data.ErrorCode
 FilePath: winlog.event_data.FilePath
 # Filename => category: antivirus
 Filename: winlog.event_data.Filename
@@ -337,6 +339,7 @@ fieldmappings:
 CommandType: powershell.command.type
 EngineVersion:
 service=powershell-classic: powershell.engine.version
+ service=windefend: winlog.event_data.Engine\ Version
 default: winlog.event_data.EngineVersion
 HostApplication: process.command_line
 HostId: process.entity_id
@@ -446,7 +449,9 @@ fieldmappings:
 NewTargetUserName: winlog.event_data.NewTargetUserName
 NewTime: winlog.event_data.NewTime
 NewUacValue: winlog.event_data.NewUacValue
- NewValue: winlog.event_data.NewValue
+ NewValue:
+ service=windefend: winlog.event_data.New\ Value
+ default: winlog.event_data.NewValue
 NewValueType: winlog.event_data.NewValueType
 ObjectClass: winlog.event_data.ObjectClass
 ObjectDN: winlog.event_data.ObjectDN
@@ -459,7 +464,9 @@ fieldmappings:
 OldSd: winlog.event_data.OldSd
 OldTargetUserName: winlog.event_data.OldTargetUserName
 OldUacValue: winlog.event_data.OldUacValue
- OldValue: winlog.event_data.OldValue
+ OldValue:
+ service=windefend: winlog.event_data.Old\ Value
+ default: winlog.event_data.OldValue
 OldValueType: winlog.event_data.OldValueType
 OpCorrelationID: winlog.event_data.OpCorrelationID
 OperationType: winlog.event_data.OperationType
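Review bot: The comment above `ErrorCode:` still reads `# ErrorCode => printservice-admin EventID: 4909 or 808`, but the key now also has a `service=windefend` branch that resolves to the space-separated Defender field, so the comment no longer describes the whole mapping. Suggest `# ErrorCode => printservice-admin EventID: 4909 or 808; service=windefend => "Error Code"` so a rule author sees at a glance that the Defender form lands on a different backend field. The `Error\ Code` backslash-escaped name matches the convention already used in the Defender section of this file, so nothing to change there. The enclosing `fieldmappings:` mapping starts and ends outside the hunk.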
@@ -472,7 +479,9 @@ fieldmappings:
 PreviousTime: winlog.event_data.PreviousTime
 PrimaryGroupId: winlog.event_data.PrimaryGroupId
 PrivilegeList: winlog.event_data.PrivilegeList
- ProcessName: process.executable
+ ProcessName:
+ service=windefend: winlog.event_data.Process\ Name
+ default: process.executable
 ProfilePath: winlog.event_data.ProfilePath
 Properties: winlog.event_data.Properties
 PuaCount: winlog.event_data.PuaCount
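Review bot: `ProcessName` now resolves to two semantically different targets — the ECS `process.executable` by default and the raw `winlog.event_data.Process\ Name` under `service=windefend` — and nothing in the hunk records why the ECS field is bypassed for Defender events, which invites a later "cleanup" back to the ECS field. Presumably the winlogbeat module does not populate `process.executable` from Defender's "Process Name", but that should be written down; following the file's existing `# Key => condition` convention, add above the key: `# ProcessName => windefend: raw "Process Name" of Defender Operational events (verify: not normalised to process.executable by the winlogbeat module)`. The enclosing `fieldmappings:` mapping starts and ends outside the hunk.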
@@ -563,43 +572,38 @@ fieldmappings:
 #
 # Microsoft-Windows-Windows Defender/Operational
 #
- Action_ID: winlog.event_data.Action\ ID
- Action_Name: winlog.event_data.Action\ Name
- Additional_Actions_ID: winlog.event_data.Additional\ Actions\ ID
- Additional_Actions_String: winlog.event_data.Additional\ Actions\ String
- Category_ID: winlog.event_data.Category\ ID
- Category_Name: winlog.event_data.Category\ Name
- Detection_ID: winlog.event_data.Detection\ ID
- Detection_Time: winlog.event_data.Detection\ Time
- Detection_User: winlog.event_data.Detection\ User
- Engine_Version: winlog.event_data.Engine\ Version
- Error_Code: winlog.event_data.Error\ Code
- Error_Description: winlog.event_data.Error\ Description
- Execution_ID: winlog.event_data.Execution\ ID
- Execution_Name: winlog.event_data.Execution\ Name
+ ActionID: winlog.event_data.Action\ ID
+ ActionName: winlog.event_data.Action\ Name
+ AdditionalActionsID: winlog.event_data.Additional\ Actions\ ID
+ AdditionalActionsString: winlog.event_data.Additional\ Actions\ String
+ CategoryID: winlog.event_data.Category\ ID
+ CategoryName: winlog.event_data.Category\ Name
+ DetectionID: winlog.event_data.Detection\ ID
+ DetectionTime: winlog.event_data.Detection\ Time
+ DetectionUser: winlog.event_data.Detection\ User
+ ErrorDescription: winlog.event_data.Error\ Description
+ ExecutionID: winlog.event_data.Execution\ ID
+ ExecutionName: winlog.event_data.Execution\ Name
 FWLink: winlog.event_data.FWLink
- New_Value: winlog.event_data.New\ Value
- Old_Value: winlog.event_data.Old\ Value
- Origin_ID: winlog.event_data.Origin\ ID
- Origin_Name: winlog.event_data.Origin\ Name
+ OriginID: winlog.event_data.Origin\ ID
+ OriginName: winlog.event_data.Origin\ Name
 Path: winlog.event_data.Path
- Post_Clean_Status: winlog.event_data.Post\ Clean\ Status
- Pre_Execution_Status: winlog.event_data.Pre\ Execution\ Status
- Process_Name: winlog.event_data.Process\ Name
- Product_Name: winlog.event_data.Product\ Name
- Product_Version: winlog.event_data.Product\ Version
- Remediation_User: winlog.event_data.Remediation\ User
- Security_intelligence_Version: winlog.event_data.Security\ intelligence\ Version
- Severity_ID: winlog.event_data.Severity\ ID
- Severity_Name: winlog.event_data.Severity\ Name
- Source_ID: winlog.event_data.Source\ ID
- Source_Name: winlog.event_data.Source\ Name
- Status_Code: winlog.event_data.Status\ Code
- Status_Description: winlog.event_data.Status\ Description
- Threat_ID: winlog.event_data.Threat\ ID
- Threat_Name: winlog.event_data.Threat\ Name
- Type_ID: winlog.event_data.Type\ ID
- Type_Name: winlog.event_data.Type\ Name
+ PostCleanStatus: winlog.event_data.Post\ Clean\ Status
+ PreExecutionStatus: winlog.event_data.Pre\ Execution\ Status
+ ProductName: winlog.event_data.Product\ Name
+ ProductVersion: winlog.event_data.Product\ Version
+ RemediationUser: winlog.event_data.Remediation\ User
+ SecurityintelligenceVersion: winlog.event_data.Security\ intelligence\ Version
+ SeverityID: winlog.event_data.Severity\ ID
+ SeverityName: winlog.event_data.Severity\ Name
+ SourceID: winlog.event_data.Source\ ID
+ SourceName: winlog.event_data.Source\ Name
+ StatusCode: winlog.event_data.Status\ Code
+ StatusDescription: winlog.event_data.Status\ Description
+ ThreatID: winlog.event_data.Threat\ ID
+ ThreatName: winlog.event_data.Threat\ Name
+ TypeID: winlog.event_data.Type\ ID
+ TypeName: winlog.event_data.Type\ Name
 #
 # Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
 #
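Review bot: Renaming every Defender key from the `Action_ID` spelling to `ActionID` is a breaking change for any Sigma rule that still uses the underscore form, and the failure mode is silent: as far as I know a field with no `fieldmappings` entry is passed through unchanged by the sigmac backends, so such a rule would compile into a query against a non-existent `Action_ID` field and simply never fire. This should be paired with a sweep of the rules tree, or the old keys kept temporarily as aliases pointing at the same `winlog.event_data.…` targets. Note also the gating asymmetry: `ErrorCode`, `EngineVersion`, `NewValue`, `OldValue` and `ProcessName` were moved out of this block into `service=windefend` conditionals, while the generic-sounding keys left here (`Path`, `ProductName`, `SourceName`, `StatusCode`, `TypeName`) stay unconditional, so a rule for any other service that happens to use one of those names would silently receive the Defender `X\ Y` target; if that cannot occur today, a comment stating that these keys are Defender-only would make the intent explicit. `SecurityintelligenceVersion` preserves the lower-case "intelligence" of the source event field but is easy to mistype as `SecurityIntelligenceVersion`, which hits the same silent no-mapping path. The enclosing `fieldmappings:` mapping starts outside the hunk.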