DHCP log source in sigmac configs

tools/config/arcsight.yml

@@ -46,6 +46,11 @@ logsources:
     service: powershell
     conditions:
       deviceVendor: Microsoft
+  windows-dhcp:
+    product: windows
+    service: dhcp
+    conditions: 
+      deviceVendor: Microsoft
   windows-system:
     product: windows
     service: system

tools/config/elk-windows.yml

@@ -27,4 +27,9 @@ logsources:
     service: driver-framework
     conditions:
       source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+  windows-dhcp:
+    product: windows
+    service: dhcp
+    conditions: 
+      source: 'Microsoft-Windows-DHCP-Server/Operational'
 defaultindex: logstash-*

tools/config/elk-winlogbeat.yml

@@ -27,6 +27,11 @@ logsources:
     service: driver-framework
     conditions:
       source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+  windows-dhcp:
+    product: windows
+    service: dhcp
+    conditions: 
+      source: 'Microsoft-Windows-DHCP-Server/Operational'
 defaultindex: winlogbeat-*
 # Extract all field names qith yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: event_data.\1/g'

tools/config/helk.yml

@@ -27,6 +27,7 @@ logsources:
     product: windows
     service: powershell-classic
     index: logs-endpoint-winevent-powershell-*
+
 defaultindex: logs-*
 fieldmappings:
     AccessMask: object_access_mask_requested

tools/config/logpoint-windows-all.yml

@@ -19,6 +19,12 @@ logsources:
     service: driver-framework
     conditions:
       source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+  windows-dhcp:
+    product: windows
+    service: dhcp
+    conditions: 
+      source: 'Microsoft-Windows-DHCP-Server/Operational'
+
 fieldmappings:
     EventID: event_id
     FailureCode: result_code

tools/config/netwitness.yml

@@ -30,6 +30,12 @@ logsources:
     service: powershell
     conditions:
       device.type: winevent_nic
+  windows-dhcp:
+    product: windows
+    service: dhcp
+    conditions: 
+      device.type: winevent_nic
+      event.source: microsoft-windows-dhcp-server
   windows-sec:
     product: windows
     service: security

tools/config/powershell-windows-all.yml

@@ -60,3 +60,8 @@ logsources:
     service: ntlm
     conditions:
       LogName: 'Microsoft-Windows-NTLM/Operational'
+  windows-dhcp:
+    product: windows
+    service: dhcp
+    conditions: 
+      LogName: 'Microsoft-Windows-DHCP-Server/Operational'

tools/config/spark.yml

@@ -34,6 +34,11 @@ logsources:
     service: wmi
     sources: 
       - 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational'
+  windows-dhcp:
+    product: windows
+    service: dhcp
+    sources: 
+      - 'Microsoft-Windows-DHCP-Server'
   apache:
     category: webserver
     sources:

tools/config/splunk-windows-all.yml

@@ -60,5 +60,10 @@ logsources:
     service: ntlm
     conditions:
       source: 'Microsoft-Windows-NTLM/Operational'
+  windows-dhcp:
+    product: windows
+    service: dhcp
+    conditions: 
+      source: 'Microsoft-Windows-DHCP-Server/Operational'
 fieldmappings:
     EventID: EventCode

tools/config/sumologic.yml

@@ -44,6 +44,12 @@ logsources:
     conditions:
       EventChannel: System
     index: WINDOWS
+  windows-dhcp:
+    product: windows
+    service: dhcp
+    conditions: 
+      EventChannel: Microsoft-Windows-DHCP-Server
+    index: WINDOWS
   apache:
     product: apache
     service: apache