From 544081f3c7974ce4b5a947a4ca0d024961bde4dd Mon Sep 17 00:00:00 2001
From: frack113
Date: Thu, 15 Dec 2022 12:55:18 +0100
Subject: [PATCH 1/2] Space remove
---
 tools/config/winlogbeat-modules-enabled.yml | 70 ++++++++++-----------
 1 file changed, 35 insertions(+), 35 deletions(-)
diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index b3b0a6b9f..2b1bb553a 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@@ -563,43 +563,43 @@ fieldmappings:
   #
   # Microsoft-Windows-Windows Defender/Operational
   #
-  Action_ID: winlog.event_data.Action\ ID
-  Action_Name: winlog.event_data.Action\ Name
-  Additional_Actions_ID: winlog.event_data.Additional\ Actions\ ID
-  Additional_Actions_String: winlog.event_data.Additional\ Actions\ String
-  Category_ID: winlog.event_data.Category\ ID
-  Category_Name: winlog.event_data.Category\ Name
-  Detection_ID: winlog.event_data.Detection\ ID
-  Detection_Time: winlog.event_data.Detection\ Time
-  Detection_User: winlog.event_data.Detection\ User
-  Engine_Version: winlog.event_data.Engine\ Version
-  Error_Code: winlog.event_data.Error\ Code
-  Error_Description: winlog.event_data.Error\ Description
-  Execution_ID: winlog.event_data.Execution\ ID
-  Execution_Name: winlog.event_data.Execution\ Name
+  ActionID: winlog.event_data.Action\ ID
+  ActionName: winlog.event_data.Action\ Name
+  AdditionalActionsID: winlog.event_data.Additional\ Actions\ ID
+  AdditionalActionsString: winlog.event_data.Additional\ Actions\ String
+  CategoryID: winlog.event_data.Category\ ID
+  CategoryName: winlog.event_data.Category\ Name
+  DetectionID: winlog.event_data.Detection\ ID
+  DetectionTime: winlog.event_data.Detection\ Time
+  DetectionUser: winlog.event_data.Detection\ User
+  EngineVersion: winlog.event_data.Engine\ Version
+  ErrorCode: winlog.event_data.Error\ Code
+  ErrorDescription: winlog.event_data.Error\ Description
+  ExecutionID: winlog.event_data.Execution\ ID
+  ExecutionName: winlog.event_data.Execution\ Name
   FWLink: winlog.event_data.FWLink
-  New_Value: winlog.event_data.New\ Value
-  Old_Value: winlog.event_data.Old\ Value
-  Origin_ID: winlog.event_data.Origin\ ID
-  Origin_Name: winlog.event_data.Origin\ Name
+  NewValue: winlog.event_data.New\ Value
+  OldValue: winlog.event_data.Old\ Value
+  OriginID: winlog.event_data.Origin\ ID
+  OriginName: winlog.event_data.Origin\ Name
   Path: winlog.event_data.Path
-  Post_Clean_Status: winlog.event_data.Post\ Clean\ Status
-  Pre_Execution_Status: winlog.event_data.Pre\ Execution\ Status
-  Process_Name: winlog.event_data.Process\ Name
-  Product_Name: winlog.event_data.Product\ Name
-  Product_Version: winlog.event_data.Product\ Version
-  Remediation_User: winlog.event_data.Remediation\ User
-  Security_intelligence_Version: winlog.event_data.Security\ intelligence\ Version
-  Severity_ID: winlog.event_data.Severity\ ID
-  Severity_Name: winlog.event_data.Severity\ Name
-  Source_ID: winlog.event_data.Source\ ID
-  Source_Name: winlog.event_data.Source\ Name
-  Status_Code: winlog.event_data.Status\ Code
-  Status_Description: winlog.event_data.Status\ Description
-  Threat_ID: winlog.event_data.Threat\ ID
-  Threat_Name: winlog.event_data.Threat\ Name
-  Type_ID: winlog.event_data.Type\ ID
-  Type_Name: winlog.event_data.Type\ Name
+  PostCleanStatus: winlog.event_data.Post\ Clean\ Status
+  PreExecutionStatus: winlog.event_data.Pre\ Execution\ Status
+  ProcessName: winlog.event_data.Process\ Name
+  ProductName: winlog.event_data.Product\ Name
+  ProductVersion: winlog.event_data.Product\ Version
+  RemediationUser: winlog.event_data.Remediation\ User
+  SecurityintelligenceVersion: winlog.event_data.Security\ intelligence\ Version
+  SeverityID: winlog.event_data.Severity\ ID
+  SeverityName: winlog.event_data.Severity\ Name
+  SourceID: winlog.event_data.Source\ ID
+  SourceName: winlog.event_data.Source\ Name
+  StatusCode: winlog.event_data.Status\ Code
+  StatusDescription: winlog.event_data.Status\ Description
+  ThreatID: winlog.event_data.Threat\ ID
+  ThreatName: winlog.event_data.Threat\ Name
+  TypeID: winlog.event_data.Type\ ID
+  TypeName: winlog.event_data.Type\ Name
   #
   # Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
   #
From 2f945478dc7e83c7b2e150e5deb8ad9b49d2c6c5 Mon Sep 17 00:00:00 2001
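Review bot: The renamed keys `EngineVersion`, `ErrorCode`, `NewValue`, `OldValue` and `ProcessName` in this hunk duplicate keys that already exist higher up in the same `fieldmappings` mapping, and a YAML loader keeps whichever occurrence comes last without any error, so either the Defender mapping or the generic one is silently dropped; the second patch of this series resolves those five with `service=windefend:`/`default:` conditionals. Whether any of the other renamed keys collide with entries outside this hunk cannot be seen from here, so a duplicate-key check over the whole file (yamllint's `key-duplicates` rule, or a loader configured to reject duplicates) before merging would confirm none remain. The rename also changes the Sigma-side field names that rules must use, so any rule written with the underscore spelling stops being mapped; the subject line 'Space remove' does not mention this. `SecurityintelligenceVersion` also breaks the PascalCase pattern of its neighbours by mirroring the lowercase 'i' of the source field, which is worth a deliberate decision rather than an accident of the search-and-replace.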
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Thu, 15 Dec 2022 17:54:34 +0100
Subject: [PATCH 2/2] Fix duplicate
---
 tools/config/winlogbeat-modules-enabled.yml | 22 ++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index 2b1bb553a..cbc432525 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@@ -190,7 +190,9 @@ fieldmappings:
   ClassId: winlog.event_data.ClassId
   DeviceDescription: winlog.event_data.DeviceDescription
   # ErrorCode => printservice-admin EventID: 4909 or 808
-  ErrorCode: winlog.event_data.ErrorCode
+  ErrorCode:
+    service=windefend: winlog.event_data.Error\ Code
+    default: winlog.event_data.ErrorCode
   FilePath: winlog.event_data.FilePath
   # Filename => category: antivirus
   Filename: winlog.event_data.Filename
@@ -337,6 +339,7 @@ fieldmappings:
   CommandType: powershell.command.type
   EngineVersion:
     service=powershell-classic: powershell.engine.version
+    service=windefend: winlog.event_data.Engine\ Version
     default: winlog.event_data.EngineVersion
   HostApplication: process.command_line
   HostId: process.entity_id
@@ -446,7 +449,9 @@ fieldmappings:
   NewTargetUserName: winlog.event_data.NewTargetUserName
   NewTime: winlog.event_data.NewTime
   NewUacValue: winlog.event_data.NewUacValue
-  NewValue: winlog.event_data.NewValue
+  NewValue:
+    service=windefend: winlog.event_data.New\ Value
+    default: winlog.event_data.NewValue
   NewValueType: winlog.event_data.NewValueType
   ObjectClass: winlog.event_data.ObjectClass
   ObjectDN: winlog.event_data.ObjectDN
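Review bot: The comment above the new `ErrorCode` entry, `# ErrorCode => printservice-admin EventID: 4909 or 808`, now describes only the `default` branch; the `service=windefend` branch that maps to the space-escaped `Error\ Code` field is undocumented, so a later reader may take the backslash for a typo and "fix" it. Extending the comment to `# ErrorCode => printservice-admin EventID: 4909 or 808; windefend emits "Error Code" (space escaped for the query)` explains both branches in one place. The same conditional pattern added in the `EngineVersion`, `NewValue` and `OldValue` hunks carries no comment at all, and a one-line note at the first of them would serve the others as well.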
@@ -459,7 +464,9 @@ fieldmappings:
   OldSd: winlog.event_data.OldSd
   OldTargetUserName: winlog.event_data.OldTargetUserName
   OldUacValue: winlog.event_data.OldUacValue
-  OldValue: winlog.event_data.OldValue
+  OldValue:
+    service=windefend: winlog.event_data.Old\ Value
+    default: winlog.event_data.OldValue
   OldValueType: winlog.event_data.OldValueType
   OpCorrelationID: winlog.event_data.OpCorrelationID
   OperationType: winlog.event_data.OperationType
@@ -472,7 +479,9 @@ fieldmappings:
   PreviousTime: winlog.event_data.PreviousTime
   PrimaryGroupId: winlog.event_data.PrimaryGroupId
   PrivilegeList: winlog.event_data.PrivilegeList
-  ProcessName: process.executable
+  ProcessName:
+    service=windefend: winlog.event_data.Process\ Name
+    default: process.executable
   ProfilePath: winlog.event_data.ProfilePath
   Properties: winlog.event_data.Properties
   PuaCount: winlog.event_data.PuaCount
@@ -572,20 +581,15 @@ fieldmappings:
   DetectionID: winlog.event_data.Detection\ ID
   DetectionTime: winlog.event_data.Detection\ Time
   DetectionUser: winlog.event_data.Detection\ User
-  EngineVersion: winlog.event_data.Engine\ Version
-  ErrorCode: winlog.event_data.Error\ Code
   ErrorDescription: winlog.event_data.Error\ Description
   ExecutionID: winlog.event_data.Execution\ ID
   ExecutionName: winlog.event_data.Execution\ Name
   FWLink: winlog.event_data.FWLink
-  NewValue: winlog.event_data.New\ Value
-  OldValue: winlog.event_data.Old\ Value
   OriginID: winlog.event_data.Origin\ ID
   OriginName: winlog.event_data.Origin\ Name
   Path: winlog.event_data.Path
   PostCleanStatus: winlog.event_data.Post\ Clean\ Status
   PreExecutionStatus: winlog.event_data.Pre\ Execution\ Status
-  ProcessName: winlog.event_data.Process\ Name
   ProductName: winlog.event_data.Product\ Name
   ProductVersion: winlog.event_data.Product\ Version
   RemediationUser: winlog.event_data.Remediation\ User
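Review bot: After the removals in the last hunk, the Defender block no longer lists `EngineVersion`, `ErrorCode`, `NewValue`, `OldValue` or `ProcessName`, yet those fields are still mapped for `service=windefend` through the conditionals added earlier in this patch, so someone reading only this section would conclude they are unmapped and re-add them, recreating the duplicate-key problem the patch fixes. A comment at the top of the block, `# EngineVersion, ErrorCode, NewValue, OldValue, ProcessName: see the service=windefend conditionals above`, records where they went. The block's `# Microsoft-Windows-Windows Defender/Operational` header lines are outside this hunk. In the `ProcessName` hunk the two branches also differ in kind (ECS `process.executable` versus raw `winlog.event_data.Process\ Name`), which is presumably intentional but deserves the same one-line comment.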