From aacb5f767cdfd7f1fd2caa9a48ba95fc931ff1c7 Mon Sep 17 00:00:00 2001
From: G Y <35021368+leegengyu@users.noreply.github.com>
Date: Wed, 14 Jul 2021 11:01:45 +0800
Subject: [PATCH] Update winlogbeat-modules-enabled.yml

Update mapping for EventID and TargetObject.
---
 tools/config/winlogbeat-modules-enabled.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index 63494eee9..5cfb81d3a 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@@ -106,7 +106,7 @@ defaultindex: winlogbeat-*
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
 # Keep EventID! Clean up the list afterwards!
 fieldmappings:
- EventID: winlog.event_id
+ EventID: event.code
 AccessMask: winlog.event_data.AccessMask
 AccountName: winlog.event_data.AccountName
 AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo
@@ -189,7 +189,7 @@ fieldmappings:
 SubjectUserSid: user.id
 TargetFilename: file.path
 TargetImage: winlog.event_data.TargetImage
- TargetObject: winlog.event_data.TargetObject
+ TargetObject: registry.path
 TicketEncryptionType: winlog.event_data.TicketEncryptionType
 TicketOptions: winlog.event_data.TicketOptions
 TargetDomainName: user.domain
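Review bot: The new `EventID: event.code` line switches the field that every Windows rule's EventID selector is matched against, yet the hunk records nothing about why `winlog.event_id` was dropped or what the new field requires. In ECS `event.code` is defined as a keyword field while Sigma rules write EventID as a bare integer, so a backend that emits typed term queries rather than query_string text may need the value quoted — worth confirming against one converted rule. The generator comment two lines above still says `Keep EventID!` without saying what to keep it as; I would add `# EventID -> event.code (ECS); winlog.event_id is no longer consulted, so every rule depends on event.code being populated` directly above the mapping. The `fieldmappings:` block continues past the end of this hunk.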
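Review bot: `TargetObject: registry.path` points a raw Sysmon event_data key at an ECS field that is only present once the winlogbeat Sysmon module has enriched the event, while the neighbouring keys (`TargetImage`, `TicketOptions`) still map to `winlog.event_data.*`, and nothing in the hunk records that dependency. If the module normalises the hive prefix (`HKLM\`, `HKU\`) when it builds `registry.path`, rules anchored on the literal prefix Sysmon writes would silently stop matching — verify against a sample Sysmon EID 12/13/14 document before relying on this mapping. I would document the dependency inline: `TargetObject: registry.path  # populated by the winlogbeat sysmon module; raw value remains in winlog.event_data.TargetObject`. The `fieldmappings:` block begins before this hunk and continues after it.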