From 1015d3fe68fa38e9f85025b6514b03522a020383 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 28 Oct 2021 16:05:40 +0100
Subject: [PATCH] Update winlogbeat-modules-enabled.yml

- Fixed typos in FileVersion, Description, Product, and Company fields for image_load category.
- Added separate OriginalFileName fields for process_creation, image_load categories.
---
 tools/config/winlogbeat-modules-enabled.yml | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index dfc0ca9e9..d7ec0f095 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@@ -155,22 +155,25 @@ fieldmappings:
 Image: process.executable
 FileVersion:
 category=process_creation: process.pe.file_version
- category=image_load: process.pe.file_version
+ category=image_load: file.pe.file_version
 default: winlog.event_data.FileVersion
 Description:
 category=process_creation: process.pe.description
- category=image_load: process.pe.description
+ category=image_load: file.pe.description
 category=sysmon_error: winlog.event_data.Description
 default: winlog.event_data.Description
 Product:
 category=process_creation: process.pe.product
- category=image_load: process.pe.product
+ category=image_load: file.pe.product
 default: winlog.event_data.Product
 Company:
 category=process_creation: process.pe.company
- category=image_load: process.pe.company
+ category=image_load: file.pe.company
 default: winlog.event_data.Company
- OriginalFileName: process.pe.original_file_name
+ OriginalFileName:
+ category=process_creation: process.pe.original_file_name
+ category=image_load: file.pe.original_file_name
+ default: winlog.event_data.OriginalFileName
 CommandLine:
 category=process_creation: process.command_line
 service=security: process.command_line
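Review bot: The new `category=image_load` targets under `file.pe.*` (FileVersion, Description, Product, Company, OriginalFileName) carry no comment saying why they diverge from the `process.pe.*` target on the line above, and the commit message calls the old values typos when they were a field-namespace mismatch: an image_load rule filtering on any of these fields was translated to a `process.pe.*` field that is presumably never populated for Sysmon image-load events, so the rule silently matched nothing. A one-line comment above `FileVersion:` such as `# image_load (Sysmon EID 7) PE metadata is indexed under file.pe.*, process_creation (EID 1) under process.pe.* -- confirm against the winlogbeat sysmon module` would let the next maintainer recognise a regression instead of "fixing" it back. A converter test that feeds an image_load rule referencing `Company` or `OriginalFileName` through this mapping and asserts the `file.pe.` prefix would guard the fix. The `fieldmappings:` mapping starts before the hunk and continues after it.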