diff --git a/tools/config/elk-windows.yml b/tools/config/elk-windows.yml
index ec23029dd..df881f41a 100644
--- a/tools/config/elk-windows.yml
+++ b/tools/config/elk-windows.yml
@@ -104,4 +104,9 @@ logsources:
     service: openssh
     conditions:
       EventLog: 'OpenSSH/Operational'
+  windows-ldap-debug:
+    product: windows
+    service: ldap_debug
+    conditions:
+      EventLog: 'Microsoft-Windows-LDAP-Client/Debug'
 defaultindex: logstash-*
diff --git a/tools/config/elk-winlogbeat-sp.yml b/tools/config/elk-winlogbeat-sp.yml
index b8ec6a7eb..5f3098e63 100644
--- a/tools/config/elk-winlogbeat-sp.yml
+++ b/tools/config/elk-winlogbeat-sp.yml
@@ -104,6 +104,11 @@ logsources:
     service: openssh
     conditions:
       log_name: 'OpenSSH/Operational'
+  windows-ldap-debug:
+    product: windows
+    service: ldap_debug
+    conditions:
+      log_name: 'Microsoft-Windows-LDAP-Client/Debug'
 defaultindex:
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml
index b01f6add2..4e55a3e8c 100644
--- a/tools/config/elk-winlogbeat.yml
+++ b/tools/config/elk-winlogbeat.yml
@@ -104,6 +104,11 @@ logsources:
     service: openssh
     conditions:
       logname: 'OpenSSH/Operational'
+  windows-ldap-debug:
+    product: windows
+    service: ldap_debug
+    conditions:
+      logname: 'Microsoft-Windows-LDAP-Client/Debug'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
diff --git a/tools/config/fireeye-helix.yml b/tools/config/fireeye-helix.yml
index b7292d3c1..7d52b4553 100644
--- a/tools/config/fireeye-helix.yml
+++ b/tools/config/fireeye-helix.yml
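Review bot: The new `windows-ldap-debug` entry points at `Microsoft-Windows-LDAP-Client/Debug`, which is an analytic/debug channel that Windows keeps disabled by default, so rules carrying `service: ldap_debug` will compile cleanly against this config yet match nothing on hosts where nobody has enabled the channel (for example with `wevtutil sl Microsoft-Windows-LDAP-Client/Debug /e:true`). It is also the client-side log, recording LDAP queries issued from the host being collected rather than what a domain controller receives, so it has to be gathered from the machines expected to perform the reconnaissance, and it can be verbose once switched on. A one-line comment above the entry would make the opt-in nature visible to whoever deploys the generated queries: `# Analytic/Debug channel, disabled by default: enable it on the querying hosts before relying on ldap_debug rules`. The `logsources:` mapping this hunk extends starts before the hunk.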
@@ -132,6 +132,11 @@ logsources:
     service: openssh
     conditions:
       channel: 'OpenSSH/Operational'
+  windows-ldap-debug:
+    product: windows
+    service: ldap_debug
+    conditions:
+      channel: 'Microsoft-Windows-LDAP-Client/Debug'
   linux:
     product: linux
     index: posix
diff --git a/tools/config/generic/windows-services.yml b/tools/config/generic/windows-services.yml
index 9cb84cd92..813e34ee4 100644
--- a/tools/config/generic/windows-services.yml
+++ b/tools/config/generic/windows-services.yml
@@ -187,4 +187,9 @@ logsources:
     product: windows
     service: openssh
     conditions:
-      Provider_Name: 'OpenSSH/Operational'
\ No newline at end of file
+      Provider_Name: 'OpenSSH/Operational'
+  windows-ldap-debug:
+    product: windows
+    service: ldap_debug
+    conditions:
+      Provider_Name: 'Microsoft-Windows-LDAP-Client/Debug'
\ No newline at end of file
diff --git a/tools/config/logpoint-windows.yml b/tools/config/logpoint-windows.yml
index cea879cea..879e1bc07 100644
--- a/tools/config/logpoint-windows.yml
+++ b/tools/config/logpoint-windows.yml
@@ -104,6 +104,11 @@ logsources:
     service: openssh
     conditions:
       event_source: 'OpenSSH/Operational'
+  windows-ldap-debug:
+    product: windows
+    service: ldap_debug
+    conditions:
+      event_source: 'Microsoft-Windows-LDAP-Client/Debug'
 fieldmappings:
   EventID: event_id
   FailureCode: result_code
diff --git a/tools/config/logstash-windows.yml b/tools/config/logstash-windows.yml
index bd8e90eac..637f099f8 100644
--- a/tools/config/logstash-windows.yml
+++ b/tools/config/logstash-windows.yml
@@ -125,4 +125,9 @@ logsources:
     service: openssh
     conditions:
       Channel: 'OpenSSH/Operational'
+  windows-ldap-debug:
+    product: windows
+    service: ldap_debug
+    conditions:
+      Channel: 'Microsoft-Windows-LDAP-Client/Debug'
 defaultindex: logstash-*
diff --git a/tools/config/powershell.yml b/tools/config/powershell.yml
index dc5fbb872..6102e3d8c 100644
--- a/tools/config/powershell.yml
+++ b/tools/config/powershell.yml
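Review bot: The added condition in `windows-services.yml` keys the channel name `Microsoft-Windows-LDAP-Client/Debug` on `Provider_Name`, but the ETW provider behind that channel is `Microsoft-Windows-LDAP-Client` (the `/Debug` suffix names the channel), so whether the generated query ever matches depends on what the consuming pipeline really stores in `Provider_Name`. The sibling `openssh` entry in the context lines follows the same channel-as-provider convention, so this is presumably a known quirk of this generic config; if so, a comment such as `# Provider_Name is matched against the channel name here, not the ETW provider - keep in sync with the collector's field mapping` would spare the next reader the same question, and if not, the value should be `Microsoft-Windows-LDAP-Client`. Separately, the file still ends without a trailing newline (`\ No newline at end of file` on both sides) even though the commit rewrites its last line, so it would be tidy to end it with one now. The enclosing `logsources:` mapping starts before the hunk.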
@@ -145,4 +145,9 @@ logsources:
     product: windows
     service: openssh
     conditions:
-      LogName: 'OpenSSH/Operational'
\ No newline at end of file
+      LogName: 'OpenSSH/Operational'
+  windows-ldap-debug:
+    product: windows
+    service: ldap_debug
+    conditions:
+      LogName: 'Microsoft-Windows-LDAP-Client/Debug'
\ No newline at end of file
diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml
index 704f1d367..f8c30dcca 100644
--- a/tools/config/splunk-windows.yml
+++ b/tools/config/splunk-windows.yml
@@ -161,6 +161,11 @@ logsources:
     service: openssh
     conditions:
       source: 'WinEventLog:OpenSSH/Operational'
+  windows-ldap-debug:
+    product: windows
+    service: ldap_debug
+    conditions:
+      source: 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug'
   windows-defender:
     product: windows
     service: windefend
diff --git a/tools/config/sumologic.yml b/tools/config/sumologic.yml
index 1d3d13c9c..aa0e9f75e 100644
--- a/tools/config/sumologic.yml
+++ b/tools/config/sumologic.yml
@@ -135,6 +135,11 @@ logsources:
     service: openssh
     conditions:
       EventChannel: 'OpenSSH/Operational'
+  windows-ldap-debug:
+    product: windows
+    service: ldap_debug
+    conditions:
+      source: 'Microsoft-Windows-LDAP-Client/Debug'
   apache:
     service: apache
     index: WEBSERVER
diff --git a/tools/config/thor.yml b/tools/config/thor.yml
index d261d14da..86c46e545 100644
--- a/tools/config/thor.yml
+++ b/tools/config/thor.yml
@@ -409,6 +409,11 @@ logsources:
     service: openssh
     sources:
       - 'WinEventLog:OpenSSH/Operational'
+  windows-ldap-debug:
+    product: windows
+    service: ldap_debug
+    sources:
+      - 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug'
   apache:
     category: webserver
     sources:
diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index 970605461..b3b0a6b9f 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
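Review bot: The `LogName: 'Microsoft-Windows-LDAP-Client/Debug'` mapping in the new `powershell.yml` entry names an analytic/debug channel, and `Get-WinEvent` refuses to read those unless the `-Oldest` switch is given, so if this backend turns `LogName` into a plain `Get-WinEvent -LogName ...` call (as it presumably does for the `openssh` entry above it), the queries generated for `ldap_debug` will fail at run time instead of returning events. Either a comment on the entry, e.g. `# Debug channel: Get-WinEvent needs -Oldest to read it, and the channel must be enabled on the host first`, or a backend-side check that appends `-Oldest` for debug/analytic channels would close that gap. The file also still ends without a trailing newline although the commit rewrites its last line. The enclosing `logsources:` mapping starts before the hunk.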
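Review bot: In the `sumologic.yml` hunk the new entry's condition uses the field `source`, while the sibling `openssh` entry three lines above keys the channel on `EventChannel`, so queries generated for `ldap_debug` would filter on a field that, by the look of the rest of this file, the Sumo Logic Windows events do not carry and would silently return nothing. Unless `source` is deliberately different here, the line should read `EventChannel: 'Microsoft-Windows-LDAP-Client/Debug'`. The enclosing `logsources:` mapping starts before the hunk.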
@@ -149,6 +149,11 @@ logsources:
     service: openssh
     conditions:
       winlog.channel: 'OpenSSH/Operational'
+  windows-ldap-debug:
+    product: windows
+    service: ldap_debug
+    conditions:
+      winlog.channel: 'Microsoft-Windows-LDAP-Client/Debug'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml
index 75167b4a0..564ecfee6 100644
--- a/tools/config/winlogbeat-old.yml
+++ b/tools/config/winlogbeat-old.yml
@@ -112,6 +112,11 @@ logsources:
     service: openssh
     conditions:
       log_name: 'OpenSSH/Operational'
+  windows-ldap-debug:
+    product: windows
+    service: ldap_debug
+    conditions:
+      log_name: 'Microsoft-Windows-LDAP-Client/Debug'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml
index 7ade1d521..23eedcd78 100644
--- a/tools/config/winlogbeat.yml
+++ b/tools/config/winlogbeat.yml
@@ -138,6 +138,11 @@ logsources:
     service: openssh
     conditions:
       winlog.channel: 'OpenSSH/Operational'
+  windows-ldap-debug:
+    product: windows
+    service: ldap_debug
+    conditions:
+      winlog.channel: 'Microsoft-Windows-LDAP-Client/Debug'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
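Review bot: Matching on `winlog.channel: 'Microsoft-Windows-LDAP-Client/Debug'` in the `winlogbeat.yml` hunk only works if Winlogbeat is actually subscribed to that channel, and it is neither in the default `winlogbeat.event_logs` list nor enabled on Windows out of the box, so an `ldap_debug` rule compiled with this config will be syntactically fine yet never fire on a stock deployment. A short comment on the entry would make the prerequisite explicit, e.g. `# Requires the channel to be enabled on the host and listed under winlogbeat.event_logs`. The same applies to the `winlogbeat-old.yml` and `winlogbeat-modules-enabled.yml` hunks above. The enclosing `logsources:` mapping starts before the hunk.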