feat: update config files

- Update indentation of config files to 4 spaces
- Add new event logs
Nasreddine Bencherchali
2023-01-17 01:00:24 +01:00
parent fd823045a9
commit e5fe4d5f46
17 changed files with 3367 additions and 3100 deletions
+118 -115
@@ -1,76 +1,76 @@
{
"title": "Field name by logsource",
"version": "20221231",
"version": "20230113",
"legit":{
"windows":{
"commun": ["EventID","Provider_Name"],
"commun": ["EventID", "Provider_Name"],
"empty": [],
"category":{
"process_creation": ["CommandLine","Company","CurrentDirectory","Description","FileVersion",
"Hashes","Image","IntegrityLevel","LogonGuid","LogonId","OriginalFileName",
"ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId",
"ParentUser","ProcessGuid","ProcessId","Product","TerminalSessionId","User"],
"file_change": ["CreationUtcTime","Image","PreviousCreationUtcTime","ProcessGuid","ProcessId","TargetFilename","User"],
"network_connection": ["DestinationHostname","DestinationIp","DestinationIsIpv6","DestinationPort",
"DestinationPortName","Image","Initiated","ProcessGuid","ProcessId","Protocol","SourceHostname",
"SourceIp","SourceIsIpv6","SourcePort","SourcePortName","User"],
"sysmon_status": ["Configuration","ConfigurationFileHash","SchemaVersion","State","Version"],
"process_termination":["Image","ProcessGuid","ProcessId","User"],
"driver_load":["Hashes","ImageLoaded","Signature","SignatureStatus","Signed"],
"image_load":["Company","Description","FileVersion","Hashes","Image","ImageLoaded","OriginalFileName","ProcessGuid",
"ProcessId","Product","Signature","SignatureStatus","Signed","User"],
"create_remote_thread":["NewThreadId","SourceImage","SourceProcessGuid","SourceProcessId","SourceUser","StartAddress",
"StartFunction","StartModule","TargetImage","TargetProcessGuid","TargetProcessId","TargetUser"],
"raw_access_thread":["Device","Image","ProcessGuid","ProcessId","User"],
"process_access":["CallTrace","GrantedAccess","SourceImage","SourceProcessGUID","SourceProcessId","SourceThreadId",
"SourceUser","TargetImage","TargetProcessGUID","TargetProcessId","TargetUser"],
"raw_access_read":["CreationUtcTime","Image","ProcessGuid","ProcessId","TargetFilename","User"],
"file_event":["ProcessGuid","ProcessId","Image","TargetFilename","CreationUtcTime","User"],
"registry_add":["EventType","ProcessGuid","ProcessId","Image","TargetObject","User"],
"registry_delete":["Details","EventType","Image","ProcessGuid","ProcessId","TargetObject"],
"registry_set":["Details","EventType","Image","ProcessGuid","ProcessId","TargetObject","User"],
"registry_rename":["EventType","Image","NewName","ProcessGuid","ProcessId","TargetObject","User"],
"registry_event":["Details","EventType","Image","NewName","ProcessGuid","ProcessId","TargetObject","User"],
"create_stream_hash":["Contents","CreationUtcTime","Hash","Image","ProcessGuid","ProcessId","TargetFilename","User"],
"pipe_created":["EventType","Image","PipeName","ProcessGuid","ProcessId","User"],
"wmi_event":["Consumer","Destination","EventNamespace","EventType","Filter","Name","Operation","Query","Type","User"],
"dns_query":["Image","ProcessGuid","ProcessId","QueryName","QueryResults","QueryStatus","User"],
"file_delete":["Archived","Hashes","Image","IsExecutable","ProcessGuid","ProcessId","TargetFilename","User"],
"clipboard_capture":["Archived","ClientInfo","Hashes","Image","ProcessGuid","ProcessId","Session","User"],
"process_tampering":["Image","ProcessGuid","ProcessId","Type","User"],
"file_block":["Hashes","Image","ProcessGuid","ProcessId","TargetFilename","User"],
"ps_module":["ContextInfo","UserData","Payload"],
"ps_script":["MessageNumber","MessageTotal","ScriptBlockText","ScriptBlockId","Path"],
"file_access":["Irp","FileObject","IssuingThreadId","CreateOptions","CreateAttributes","ShareAccess","FileName"],
"file_rename":["Irp","FileObject","FileKey","ExtraInformation","IssuingThreadId","InfoClass","FilePath"],
"process_creation": ["CommandLine", "Company", "CurrentDirectory", "Description", "FileVersion",
"Hashes", "Image", "IntegrityLevel", "LogonGuid", "LogonId", "OriginalFileName",
"ParentCommandLine", "ParentImage", "ParentProcessGuid", "ParentProcessId",
"ParentUser", "ProcessGuid", "ProcessId", "Product", "TerminalSessionId", "User"],
"file_change": ["CreationUtcTime", "Image", "PreviousCreationUtcTime", "ProcessGuid", "ProcessId", "TargetFilename", "User"],
"network_connection": ["DestinationHostname", "DestinationIp", "DestinationIsIpv6", "DestinationPort",
"DestinationPortName", "Image", "Initiated", "ProcessGuid", "ProcessId", "Protocol", "SourceHostname",
"SourceIp", "SourceIsIpv6", "SourcePort", "SourcePortName", "User"],
"sysmon_status": ["Configuration", "ConfigurationFileHash", "SchemaVersion", "State", "Version"],
"process_termination":["Image", "ProcessGuid", "ProcessId", "User"],
"driver_load":["Hashes", "ImageLoaded", "Signature", "SignatureStatus", "Signed"],
"image_load":["Company", "Description", "FileVersion", "Hashes", "Image", "ImageLoaded", "OriginalFileName", "ProcessGuid",
"ProcessId", "Product", "Signature", "SignatureStatus", "Signed", "User"],
"create_remote_thread":["NewThreadId", "SourceImage", "SourceProcessGuid", "SourceProcessId", "SourceUser", "StartAddress",
"StartFunction", "StartModule", "TargetImage", "TargetProcessGuid", "TargetProcessId", "TargetUser"],
"raw_access_thread":["Device", "Image", "ProcessGuid", "ProcessId", "User"],
"process_access":["CallTrace", "GrantedAccess", "SourceImage", "SourceProcessGUID", "SourceProcessId", "SourceThreadId",
"SourceUser", "TargetImage", "TargetProcessGUID", "TargetProcessId", "TargetUser"],
"raw_access_read":["CreationUtcTime", "Image", "ProcessGuid", "ProcessId", "TargetFilename", "User"],
"file_event":["ProcessGuid", "ProcessId", "Image", "TargetFilename", "CreationUtcTime", "User"],
"registry_add":["EventType", "ProcessGuid", "ProcessId", "Image", "TargetObject", "User"],
"registry_delete":["Details", "EventType", "Image", "ProcessGuid", "ProcessId", "TargetObject"],
"registry_set":["Details", "EventType", "Image", "ProcessGuid", "ProcessId", "TargetObject", "User"],
"registry_rename":["EventType", "Image", "NewName", "ProcessGuid", "ProcessId", "TargetObject", "User"],
"registry_event":["Details", "EventType", "Image", "NewName", "ProcessGuid", "ProcessId", "TargetObject", "User"],
"create_stream_hash":["Contents", "CreationUtcTime", "Hash", "Image", "ProcessGuid", "ProcessId", "TargetFilename", "User"],
"pipe_created":["EventType", "Image", "PipeName", "ProcessGuid", "ProcessId", "User"],
"wmi_event":["Consumer", "Destination", "EventNamespace", "EventType", "Filter", "Name", "Operation", "Query", "Type", "User"],
"dns_query":["Image", "ProcessGuid", "ProcessId", "QueryName", "QueryResults", "QueryStatus", "User"],
"file_delete":["Archived", "Hashes", "Image", "IsExecutable", "ProcessGuid", "ProcessId", "TargetFilename", "User"],
"clipboard_capture":["Archived", "ClientInfo", "Hashes", "Image", "ProcessGuid", "ProcessId", "Session", "User"],
"process_tampering":["Image", "ProcessGuid", "ProcessId", "Type", "User"],
"file_block":["Hashes", "Image", "ProcessGuid", "ProcessId", "TargetFilename", "User"],
"ps_module":["ContextInfo", "UserData", "Payload"],
"ps_script":["MessageNumber", "MessageTotal", "ScriptBlockText", "ScriptBlockId", "Path"],
"file_access":["Irp", "FileObject", "IssuingThreadId", "CreateOptions", "CreateAttributes", "ShareAccess", "FileName"],
"file_rename":["Irp", "FileObject", "FileKey", "ExtraInformation", "IssuingThreadId", "InfoClass", "FilePath"],
"ps_classic_start":[],
"ps_classic_provider_start":[],
"sysmon_error":[]
},
"service":{
"bitlocker": ["VolumeName", "VolumeMountPoint", "ProtectorGUID", "ProtectorType"],
"bits-client":["RemoteName","LocalName","processPath","processId"],
"codeintegrity-operational":["FileNameLength","FileNameBuffer","ProcessNameLength","ProcessNameBuffer",
"RequestedPolicy","ValidatedPolicy","Status"],
"diagnosis-scripted": ["PackagePath","PackageId"],
"firewall-as":["Action","ApplicationPath","ModifyingApplication"],
"ldap_debug":["ScopeOfSearch","SearchFilter","DistinguishedName","AttributeList","ProcessId"],
"ntlm":["CallerPID","ClientDomainName","ClientLUID","ClientUserName","DomainName","MechanismOID",
"ProcessName","SChannelName","SChannelType","TargetName","UserName","WorkstationName"],
"openssh":["process","payload"],
"security-mitigations":["ProcessPathLength","ProcessPath","ProcessCommandLineLength","ProcessCommandLine",
"ProcessId","ProcessCreateTime","ProcessStartKey","ProcessSignatureLevel",
"ProcessSectionSignatureLevel","ProcessProtection","TargetThreadId","TargetThreadCreateTime",
"RequiredSignatureLevel","SignatureLevel","ImageNameLength","ImageName"],
"shell-core":["Name","AppID","Flags"],
"smbclient-security":["Reason","Status","ShareNameLength","ShareName","ObjectNameLength","ObjectName",
"UserNameLength","UserName","ServerNameLength","ServerName"],
"taskscheduler":["TaskName","UserContext","Path","ProcessID","Priority","UserName"],
"terminalservices-localsessionmanager":["User","SessionID","Address"],
"iis":["date","time","c-ip","cs-username","s-sitename","s-computername","s-ip","cs-method",
"cs-uri-stem","cs-uri-query","s-port","cs-method","sc-status","sc-win32-status",
"sc-bytes","cs-bytes","time-taken","cs-version","cs-host","cs-user-agent",
"cs-referer","cs-cookie"],
"bits-client":["RemoteName", "LocalName", "processPath", "processId"],
"codeintegrity-operational":["FileNameLength", "FileNameBuffer", "ProcessNameLength", "ProcessNameBuffer",
"RequestedPolicy", "ValidatedPolicy", "Status"],
"diagnosis-scripted": ["PackagePath", "PackageId"],
"firewall-as":["Action", "ApplicationPath", "ModifyingApplication"],
"ldap_debug":["ScopeOfSearch", "SearchFilter", "DistinguishedName", "AttributeList", "ProcessId"],
"ntlm":["CallerPID", "ClientDomainName", "ClientLUID", "ClientUserName", "DomainName", "MechanismOID",
"ProcessName", "SChannelName", "SChannelType", "TargetName", "UserName", "WorkstationName"],
"openssh":["process", "payload"],
"security-mitigations":["ProcessPathLength", "ProcessPath", "ProcessCommandLineLength", "ProcessCommandLine",
"ProcessId", "ProcessCreateTime", "ProcessStartKey", "ProcessSignatureLevel",
"ProcessSectionSignatureLevel", "ProcessProtection", "TargetThreadId", "TargetThreadCreateTime",
"RequiredSignatureLevel", "SignatureLevel", "ImageNameLength", "ImageName"],
"shell-core":["Name", "AppID", "Flags"],
"smbclient-security":["Reason", "Status", "ShareNameLength", "ShareName", "ObjectNameLength", "ObjectName",
"UserNameLength", "UserName", "ServerNameLength", "ServerName"],
"taskscheduler":["TaskName", "UserContext", "Path", "ProcessID", "Priority", "UserName"],
"terminalservices-localsessionmanager":["User", "SessionID", "Address"],
"iis":["date", "time", "c-ip", "cs-username", "s-sitename", "s-computername", "s-ip", "cs-method",
"cs-uri-stem", "cs-uri-query", "s-port", "cs-method", "sc-status", "sc-win32-status",
"sc-bytes", "cs-bytes", "time-taken", "cs-version", "cs-host", "cs-user-agent",
"cs-referer", "cs-cookie"],
"application":[],
"sysmon":[],
"powershell":[],
@@ -89,44 +89,47 @@
"applocker":[],
"vhdmp":[],
"appxdeployment-server":["Path", "AppId", "FilePath", "ErrorCode", "DeploymentOperation", "PackageFullName", "PackageSourceUri", "PackageDisplayName", "CallingProcess"],
"lsa-server":["TargetUserSid", "TargetUserName", "TargetDomainName", "TargetLogonId", "TargetLogonGuid", "EventOrginal", "EventCountTotal", "SidList"]
"appxpackaging-om":["subjectName"],
"lsa-server":["TargetUserSid", "TargetUserName", "TargetDomainName", "TargetLogonId", "TargetLogonGuid", "EventOrginal", "EventCountTotal", "SidList"],
"dns-client":["QueryName", "QueryType", "QueryOptions", "QueryStatus", "QueryResults", "NetworkIndex", "InterfaceIndex", "Status", "ClientPID", "QueryBlob", "DnsServerIpAddress", "ResponseStatus", "SendBlob", "SendBlobContext", "AddressLength", "Address", ""],
"appmodel-runtime":["ProcessID", "PackageName", "ImageName", "ApplicationName", "Message"]
}
},
"linux":{
"commun": [],
"empty": [],
"category":{
"process_creation": ["ProcessGuid","ProcessId","Image","FileVersion","Description","Product","Company","OriginalFileName",
"CommandLine","CurrentDirectory","User","LogonGuid","LogonId","TerminalSessionId","IntegrityLevel","Hashes",
"ParentProcessGuid","ParentProcessId","ParentImage","ParentCommandLine","ParentUser"],
"network_connection": ["ProcessGuid","ProcessId","Image","User","Protocol","Initiated","SourceIsIpv6","SourceIp","SourceHostname",
"SourcePort","SourcePortName","DestinationIsIpv6","DestinationIp","DestinationHostname","DestinationPort",
"process_creation": ["ProcessGuid", "ProcessId", "Image", "FileVersion", "Description", "Product", "Company", "OriginalFileName",
"CommandLine", "CurrentDirectory", "User", "LogonGuid", "LogonId", "TerminalSessionId", "IntegrityLevel", "Hashes",
"ParentProcessGuid", "ParentProcessId", "ParentImage", "ParentCommandLine", "ParentUser"],
"network_connection": ["ProcessGuid", "ProcessId", "Image", "User", "Protocol", "Initiated", "SourceIsIpv6", "SourceIp", "SourceHostname",
"SourcePort", "SourcePortName", "DestinationIsIpv6", "DestinationIp", "DestinationHostname", "DestinationPort",
"DestinationPortName"],
"process_termination": ["ProcessGuid","ProcessId","Image","User"],
"raw_access_read": ["ProcessGuid","ProcessId","Image","Device","User"],
"file_event": ["ProcessGuid","ProcessId","Image","TargetFilename","CreationUtcTime","User"],
"sysmon_status": ["Configuration","ConfigurationFileHash"],
"file_delete": ["ProcessGuid","ProcessId","User","Image","TargetFilename","Hashes","IsExecutable","Archived"]
"process_termination": ["ProcessGuid", "ProcessId", "Image", "User"],
"raw_access_read": ["ProcessGuid", "ProcessId", "Image", "Device", "User"],
"file_event": ["ProcessGuid", "ProcessId", "Image", "TargetFilename", "CreationUtcTime", "User"],
"sysmon_status": ["Configuration", "ConfigurationFileHash"],
"file_delete": ["ProcessGuid", "ProcessId", "User", "Image", "TargetFilename", "Hashes", "IsExecutable", "Archived"]
},
"service":{
"auditd": ["a0","a1","a2","a3","a4","a5","a6","a7","a8","a9",
"acct","acl","action","added","addr","apparmor","arch","argc","audit_backlog_limit","audit_backlog_wait_time",
"audit_enabled","audit_failure","auid","banners","bool","bus","cap_fe,cap_fi","cap_fp","cap_fver","cap_pa","cap_pe","cap_pi",
"cap_pp","capability","category","cgroup","changed","cipher","class","cmd","code","comm","compat","cwd","daddr","data",
"default-context","dev","dev","device","dir","direction","dmac","dport","egid","enforcing","entries","errno","euid","exe",
"exit","fam","family","fd","fe","feature","fi","file","flags","format","fp","fsgid","fsuid","fver","gid","grantors","grp",
"hook","hostname","icmp_type","id","igid","img-ctx","inif","ino","inode","inode_gid","inode_uid","invalid_context","ioctlcmd",
"ip","ipid","ipx-net","item","items","iuid","kernel","key","kind","ksize","laddr","len","list","lport","mac","macproto","maj",
"major","minor","mode","model","msg","name","nametype","nargs","net","new","new_gid","new_lock","new_pe","new_pi","new_pp",
"new-chardev","new-disk","new-enabled","new-fs","new-level","new-log_passwd","new-mem","new-net","new-range","new-rng","new-role",
"new-seuser","new-vcpu","nlnk-fam","nlnk-grp","nlnk-pid","oauid","obj","obj_gid","obj_uid","ocomm","oflag","ogid","old","old_enforcing",
"old_lock","old_pa","old_pe","old_pi","old_pp","old_prom","old_val","old-auid","old-chardev","old-disk","old-enabled","old-fs",
"old-level","old-log_passwd","old-mem","old-net","old-range","old-rng","old-role","old-ses","old-seuser","old-vcpu","op","opid",
"oses","ouid","outif","pa","parent","path","pe","per","perm","perm_mask","permissive","pfs","pi","pid","pp","ppid","printer",
"proctitle","prom","proto","qbytes","range","rdev","reason","removed","res","resrc","result","role","rport","saddr","sauid",
"scontext","selected-context","seperm","seperms","seqno","seresult","ses","seuser","sgid","sig","sigev_signo","smac","spid",
"sport","state","subj","success","suid","syscall","table","tclass","tcontext","terminal","tty","type","uid","unit","uri","user",
"uuid","val","val","ver","virt","vm","vm-ctx","vm-pid","watch"],
"auditd": ["a0", "a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9",
"acct", "acl", "action", "added", "addr", "apparmor", "arch", "argc", "audit_backlog_limit", "audit_backlog_wait_time",
"audit_enabled", "audit_failure", "auid", "banners", "bool", "bus", "cap_fe,cap_fi", "cap_fp", "cap_fver", "cap_pa", "cap_pe", "cap_pi",
"cap_pp", "capability", "category", "cgroup", "changed", "cipher", "class", "cmd", "code", "comm", "compat", "cwd", "daddr", "data",
"default-context", "dev", "dev", "device", "dir", "direction", "dmac", "dport", "egid", "enforcing", "entries", "errno", "euid", "exe",
"exit", "fam", "family", "fd", "fe", "feature", "fi", "file", "flags", "format", "fp", "fsgid", "fsuid", "fver", "gid", "grantors", "grp",
"hook", "hostname", "icmp_type", "id", "igid", "img-ctx", "inif", "ino", "inode", "inode_gid", "inode_uid", "invalid_context", "ioctlcmd",
"ip", "ipid", "ipx-net", "item", "items", "iuid", "kernel", "key", "kind", "ksize", "laddr", "len", "list", "lport", "mac", "macproto", "maj",
"major", "minor", "mode", "model", "msg", "name", "nametype", "nargs", "net", "new", "new_gid", "new_lock", "new_pe", "new_pi", "new_pp",
"new-chardev", "new-disk", "new-enabled", "new-fs", "new-level", "new-log_passwd", "new-mem", "new-net", "new-range", "new-rng", "new-role",
"new-seuser", "new-vcpu", "nlnk-fam", "nlnk-grp", "nlnk-pid", "oauid", "obj", "obj_gid", "obj_uid", "ocomm", "oflag", "ogid", "old", "old_enforcing",
"old_lock", "old_pa", "old_pe", "old_pi", "old_pp", "old_prom", "old_val", "old-auid", "old-chardev", "old-disk", "old-enabled", "old-fs",
"old-level", "old-log_passwd", "old-mem", "old-net", "old-range", "old-rng", "old-role", "old-ses", "old-seuser", "old-vcpu", "op", "opid",
"oses", "ouid", "outif", "pa", "parent", "path", "pe", "per", "perm", "perm_mask", "permissive", "pfs", "pi", "pid", "pp", "ppid", "printer",
"proctitle", "prom", "proto", "qbytes", "range", "rdev", "reason", "removed", "res", "resrc", "result", "role", "rport", "saddr", "sauid",
"scontext", "selected-context", "seperm", "seperms", "seqno", "seresult", "ses", "seuser", "sgid", "sig", "sigev_signo", "smac", "spid",
"sport", "state", "subj", "success", "suid", "syscall", "table", "tclass", "tcontext", "terminal", "tty", "type", "uid", "unit", "uri", "user",
"uuid", "val", "val", "ver", "virt", "vm", "vm-ctx", "vm-pid", "watch"],
"vsftpd":[],
"sshd":[],
"syslog":[],
@@ -142,13 +145,13 @@
"commun": [],
"empty": ["not_found"],
"category":{
"proxy":["c-uri","c-uri-extension","c-uri-query","c-uri-stem","c-useragent","cs-bytes","cs-cookie",
"cs-host","cs-method","r-dns","cs-referrer","cs-version","sc-bytes","sc-status","src_ip","dst_ip",
"proxy":["c-uri", "c-uri-extension", "c-uri-query", "c-uri-stem", "c-useragent", "cs-bytes", "cs-cookie",
"cs-host", "cs-method", "r-dns", "cs-referrer", "cs-version", "sc-bytes", "sc-status", "src_ip", "dst_ip",
"cs-uri"],
"webserver":["date","time","c-ip","cs-username","s-sitename","s-computername","s-ip","cs-method",
"cs-uri-stem","cs-uri-query","s-port","cs-method","sc-status","sc-win32-status",
"sc-bytes","cs-bytes","time-taken","cs-version","cs-host","cs-user-agent",
"cs-referer","cs-cookie"],
"webserver":["date", "time", "c-ip", "cs-username", "s-sitename", "s-computername", "s-ip", "cs-method",
"cs-uri-stem", "cs-uri-query", "s-port", "cs-method", "sc-status", "sc-win32-status",
"sc-bytes", "cs-bytes", "time-taken", "cs-version", "cs-host", "cs-user-agent",
"cs-referer", "cs-cookie"],
"antivirus":[],
"database":[],
"dns":[],
@@ -330,17 +333,17 @@
"commun": [],
"empty": [],
"category":{
"process_creation": ["ProcessGuid","ProcessId","Image","FileVersion","Description","Product","Company","OriginalFileName",
"CommandLine","CurrentDirectory","User","LogonGuid","LogonId","TerminalSessionId","IntegrityLevel","Hashes",
"ParentProcessGuid","ParentProcessId","ParentImage","ParentCommandLine","ParentUser"],
"network_connection": ["ProcessGuid","ProcessId","Image","User","Protocol","Initiated","SourceIsIpv6","SourceIp","SourceHostname",
"SourcePort","SourcePortName","DestinationIsIpv6","DestinationIp","DestinationHostname","DestinationPort",
"process_creation": ["ProcessGuid", "ProcessId", "Image", "FileVersion", "Description", "Product", "Company", "OriginalFileName",
"CommandLine", "CurrentDirectory", "User", "LogonGuid", "LogonId", "TerminalSessionId", "IntegrityLevel", "Hashes",
"ParentProcessGuid", "ParentProcessId", "ParentImage", "ParentCommandLine", "ParentUser"],
"network_connection": ["ProcessGuid", "ProcessId", "Image", "User", "Protocol", "Initiated", "SourceIsIpv6", "SourceIp", "SourceHostname",
"SourcePort", "SourcePortName", "DestinationIsIpv6", "DestinationIp", "DestinationHostname", "DestinationPort",
"DestinationPortName"],
"process_termination": ["ProcessGuid","ProcessId","Image","User"],
"raw_access_read": ["ProcessGuid","ProcessId","Image","Device","User"],
"file_event": ["ProcessGuid","ProcessId","Image","TargetFilename","CreationUtcTime","User"],
"sysmon_status": ["Configuration","ConfigurationFileHash"],
"file_delete": ["ProcessGuid","ProcessId","User","Image","TargetFilename","Hashes","IsExecutable","Archived"]
"process_termination": ["ProcessGuid", "ProcessId", "Image", "User"],
"raw_access_read": ["ProcessGuid", "ProcessId", "Image", "Device", "User"],
"file_event": ["ProcessGuid", "ProcessId", "Image", "TargetFilename", "CreationUtcTime", "User"],
"sysmon_status": ["Configuration", "ConfigurationFileHash"],
"file_delete": ["ProcessGuid", "ProcessId", "User", "Image", "TargetFilename", "Hashes", "IsExecutable", "Archived"]
},
"service":{
}
@@ -350,16 +353,16 @@
"windows":{
"category":{
"process_creation": ["GrandparentCommandLine"],
"network_connection": ["CommandLine","ParentImage"],
"create_remote_thread": ["User","SourceCommandLine","SourceParentProcessId","SourceParentImage",
"SourceParentCommandLine","TargetCommandLine","TargetParentProcessId","TargetParentImage","TargetParentCommandLine",
"IsInitialThread","RemoteCreation"],
"file_delete": ["CommandLine","ParentImage","ParentCommandLine"],
"file_event": ["CommandLine","ParentImage","ParentCommandLine","MagicHeader"],
"network_connection": ["CommandLine", "ParentImage"],
"create_remote_thread": ["User", "SourceCommandLine", "SourceParentProcessId", "SourceParentImage",
"SourceParentCommandLine", "TargetCommandLine", "TargetParentProcessId", "TargetParentImage", "TargetParentCommandLine",
"IsInitialThread", "RemoteCreation"],
"file_delete": ["CommandLine", "ParentImage", "ParentCommandLine"],
"file_event": ["CommandLine", "ParentImage", "ParentCommandLine", "MagicHeader"],
"image_load": ["CommandLine"],
"process_access": ["SourceCommandLine","CallTraceExtended"],
"file_access":["Image","CommandLine","ParentImage","ParentCommandLine","User","TargetFilename"],
"file_rename":["Image","CommandLine","ParentImage","ParentCommandLine","User","OriginalFileName","SourceFilename","TargetFilename","MagicHeader"]
"process_access": ["SourceCommandLine", "CallTraceExtended"],
"file_access":["Image", "CommandLine", "ParentImage", "ParentCommandLine", "User", "TargetFilename"],
"file_rename":["Image", "CommandLine", "ParentImage", "ParentCommandLine", "User", "OriginalFileName", "SourceFilename", "TargetFilename", "MagicHeader"]
},
"service":{}
}
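Review bot: The `dns-client` entry added in the `@@ -89,44 +89,47 @@` hunk ends its field list with an empty string (`"AddressLength", "Address", ""`); if this file is consulted to decide which field names are legitimate for a logsource, an empty field name would be accepted, so the trailing `""` should be dropped. The reformatted `auditd` list in the same hunk still carries `"cap_fe,cap_fi"` as one string where two fields appear intended (`"cap_fe", "cap_fi"`), plus duplicate `"dev"` and `"val"` entries, and the `iis` and `webserver` lists (first and `@@ -142` hunks) each repeat `"cs-method"`. Since the commit rewrites every one of those lines for spacing, it is the natural place to clean them up. `EventOrginal` in the `lsa-server` list reads like a misspelling, but it should be checked against the provider's actual event schema before being renamed.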
+144 -129
@@ -1,132 +1,147 @@
title: ELK Windows Indices and Mappings
logsources:
windows:
product: windows
index: logstash-windows-*
windows-application:
product: windows
service: application
conditions:
EventLog: Application
windows-security:
product: windows
service: security
conditions:
EventLog: Security
windows-sysmon:
product: windows
service: sysmon
conditions:
EventLog: Microsoft-Windows-Sysmon
windows-dns-server:
product: windows
service: dns-server
conditions:
EventLog: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
EventLog: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
EventLog: 'Microsoft-Windows-NTLM/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
EventLog:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
EventLog: 'MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
EventLog: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
EventLog: 'Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
EventLog: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
EventLog: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
EventLog: 'Microsoft-Windows-SmbClient/Security'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
EventLog: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
EventLog: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
EventLog:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
EventLog: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
EventLog: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
EventLog: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
EventLog: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
EventLog: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
EventLog: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
EventLog: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
EventLog: 'Microsoft-Windows-LSA/Operational'
windows:
product: windows
index: logstash-windows-*
windows-application:
product: windows
service: application
conditions:
EventLog: Application
windows-security:
product: windows
service: security
conditions:
EventLog: Security
windows-sysmon:
product: windows
service: sysmon
conditions:
EventLog: Microsoft-Windows-Sysmon
windows-dns-server:
product: windows
service: dns-server
conditions:
EventLog: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
EventLog: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
EventLog: 'Microsoft-Windows-NTLM/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
EventLog:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
EventLog: 'MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
EventLog: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
EventLog: 'Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
EventLog: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
EventLog: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
EventLog: 'Microsoft-Windows-SmbClient/Security'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
EventLog: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
EventLog: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
EventLog:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
EventLog: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
EventLog: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
EventLog: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
EventLog: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
EventLog: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
EventLog: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
EventLog: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
EventLog: 'Microsoft-Windows-LSA/Operational'
windows-appxpackaging-om:
product: windows
service: appxpackaging-om
conditions:
EventLog: 'Microsoft-Windows-AppxPackaging/Operational'
windows-dns-client:
product: windows
service: dns-client
conditions:
EventLog: 'Microsoft-Windows-DNS Client Events/Operational'
windows-appmodel-runtime:
product: windows
service: appmodel-runtime
conditions:
EventLog: 'Microsoft-Windows-AppModel-Runtime/Admin'
defaultindex: logstash-*
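Review bot: The re-indented `windows-sysmon` entry still maps `EventLog: Microsoft-Windows-Sysmon`, whereas the Winlogbeat configuration touched by this same commit uses `log_name: 'Microsoft-Windows-Sysmon/Operational'`; if the backend compares the channel name exactly, Sysmon rules generated from this configuration would never match, so the value should be confirmed against what the ingested `EventLog` field actually contains. Quoting is also inconsistent: `Application`, `Security` and `Microsoft-Windows-Sysmon` are bare scalars while every other channel name is single-quoted, and since every line of the file is rewritten here anyway, quoting all of them uniformly would cost nothing. The three new entries (`windows-appxpackaging-om`, `windows-dns-client`, `windows-appmodel-runtime`) follow the existing pattern.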
+144 -129
@@ -1,134 +1,149 @@
title: ELK Ingested with Winlogbeat
logsources:
windows:
product: windows
index: <winlogbeat-{now/d}>
windows-application:
product: windows
service: application
conditions:
log_name: Application
windows-security:
product: windows
service: security
conditions:
log_name: Security
windows-sysmon:
product: windows
service: sysmon
conditions:
log_name: 'Microsoft-Windows-Sysmon/Operational'
windows-dns-server:
product: windows
service: dns-server
conditions:
log_name: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
log_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
log_name: 'Microsoft-Windows-NTLM/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
log_name:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
log_name: 'MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
log_name: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
log_name: 'Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
log_name: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
log_name: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
log_name: 'Microsoft-Windows-SmbClient/Security'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
log_name: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
log_name: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
log_name:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
log_name: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
log_name: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
log_name: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
log_name: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
log_name: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
log_name: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
log_name: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
log_name: 'Microsoft-Windows-LSA/Operational'
windows:
product: windows
index: <winlogbeat-{now/d}>
windows-application:
product: windows
service: application
conditions:
log_name: Application
windows-security:
product: windows
service: security
conditions:
log_name: Security
windows-sysmon:
product: windows
service: sysmon
conditions:
log_name: 'Microsoft-Windows-Sysmon/Operational'
windows-dns-server:
product: windows
service: dns-server
conditions:
log_name: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
log_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
log_name: 'Microsoft-Windows-NTLM/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
log_name:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
log_name: 'MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
log_name: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
log_name: 'Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
log_name: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
log_name: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
log_name: 'Microsoft-Windows-SmbClient/Security'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
log_name: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
log_name: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
log_name:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
log_name: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
log_name: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
log_name: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
log_name: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
log_name: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
log_name: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
log_name: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
log_name: 'Microsoft-Windows-LSA/Operational'
windows-appxpackaging-om:
product: windows
service: appxpackaging-om
conditions:
log_name: 'Microsoft-Windows-AppxPackaging/Operational'
windows-dns-client:
product: windows
service: dns-client
conditions:
log_name: 'Microsoft-Windows-DNS Client Events/Operational'
windows-appmodel-runtime:
product: windows
service: appmodel-runtime
conditions:
log_name: 'Microsoft-Windows-AppModel-Runtime/Admin'
defaultindex: <winlogbeat-{now/d}>
# Extract all field names with yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
+144 -129
@@ -1,134 +1,149 @@
title: ELK Ingested with Winlogbeat
logsources:
windows:
product: windows
index: winlogbeat-*
windows-application:
product: windows
service: application
conditions:
log_name: Application
windows-security:
product: windows
service: security
conditions:
log_name: Security
windows-sysmon:
product: windows
service: sysmon
conditions:
log_name: 'Microsoft-Windows-Sysmon/Operational'
windows-dns-server:
product: windows
service: dns-server
conditions:
log_name: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
log_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
log_name: 'Microsoft-Windows-NTLM/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
log_name:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
log_name: 'MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
log_name: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
log_name: 'Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
log_name: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
log_name: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
log_name: 'Microsoft-Windows-SmbClient/Security'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
log_name: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
logname: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
logname:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
logname: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
logname: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
logname: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
logname: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
logname: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
logname: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
logname: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
logname: 'Microsoft-Windows-LSA/Operational'
windows:
product: windows
index: winlogbeat-*
windows-application:
product: windows
service: application
conditions:
log_name: Application
windows-security:
product: windows
service: security
conditions:
log_name: Security
windows-sysmon:
product: windows
service: sysmon
conditions:
log_name: 'Microsoft-Windows-Sysmon/Operational'
windows-dns-server:
product: windows
service: dns-server
conditions:
log_name: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
log_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
log_name: 'Microsoft-Windows-NTLM/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
log_name:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
log_name: 'MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
log_name: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
log_name: 'Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
log_name: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
log_name: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
log_name: 'Microsoft-Windows-SmbClient/Security'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
log_name: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
logname: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
logname:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
logname: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
logname: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
logname: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
logname: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
logname: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
logname: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
logname: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
logname: 'Microsoft-Windows-LSA/Operational'
windows-appxpackaging-om:
product: windows
service: appxpackaging-om
conditions:
logname: 'Microsoft-Windows-AppxPackaging/Operational'
windows-dns-client:
product: windows
service: dns-client
conditions:
logname: 'Microsoft-Windows-DNS Client Events/Operational'
windows-appmodel-runtime:
product: windows
service: appmodel-runtime
conditions:
logname: 'Microsoft-Windows-AppModel-Runtime/Admin'
defaultindex: winlogbeat-*
# Extract all field names with yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
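Review bot: The three entries this change appends at the end of the file (`windows-appxpackaging-om`, `windows-dns-client`, `windows-appmodel-runtime`) key their condition as `logname:`, while the entries from `windows-application` through `windows-firewall-advanced-security` in the same file, and the sibling winlogbeat config in the previous section, use `log_name:`. Unless the backend maps `logname` to a real field, every rule targeting these services compiles into a query on a field that never exists and silently matches nothing, which is a detection gap no error will surface. The fix is a key rename in each new block, `log_name: 'Microsoft-Windows-AppxPackaging/Operational'`, `log_name: 'Microsoft-Windows-DNS Client Events/Operational'`, `log_name: 'Microsoft-Windows-AppModel-Runtime/Admin'`; the carried-over entries from `windows-bits-client` to `windows-lsa-server` carry the same `logname:` key and presumably want the same rename.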
+15
@@ -157,6 +157,21 @@ logsources:
service: lsa-server
conditions:
channel: 'Microsoft-Windows-LSA/Operational'
windows-appxpackaging-om:
product: windows
service: appxpackaging-om
conditions:
channel: 'Microsoft-Windows-AppxPackaging/Operational'
windows-dns-client:
product: windows
service: dns-client
conditions:
channel: 'Microsoft-Windows-DNS Client Events/Operational'
windows-appmodel-runtime:
product: windows
service: appmodel-runtime
conditions:
channel: 'Microsoft-Windows-AppModel-Runtime/Admin'
linux:
product: linux
index: posix
+15
@@ -208,3 +208,18 @@ logsources:
service: lsa-server
conditions:
Channel: 'Microsoft-Windows-LSA/Operational'
windows-appxpackaging-om:
product: windows
service: appxpackaging-om
conditions:
Channel: 'Microsoft-Windows-AppxPackaging/Operational'
windows-dns-client:
product: windows
service: dns-client
conditions:
Channel: 'Microsoft-Windows-DNS Client Events/Operational'
windows-appmodel-runtime:
product: windows
service: appmodel-runtime
conditions:
Channel: 'Microsoft-Windows-AppModel-Runtime/Admin'
+937 -923
@@ -1,928 +1,942 @@
title: HAWK
order: 20
backends:
- hawk
- hawk
logsources:
antivirus:
category: antivirus
conditions:
vendor_type: 'Antivirus'
apache:
service: apache
conditions:
product_name:
- 'apache*'
- 'httpd*'
webserver:
category: webserver
conditions:
vendor_type: 'Webserver'
cisco:
product: cisco
conditions:
vendor_name: 'Cisco'
django:
product: django
conditions:
vendor_name: 'Django'
okta:
service: okta
conditions:
vendor_name: "Okta"
product_name: "Identity and Access Management"
onedrive:
service: onedrive
conditions:
vendor_name: "Microsoft"
product_name: "Onedrive"
onelogin-events:
service: onelogin.events
conditions:
vendor_name: "Microsoft"
product_name: "Onelogin"
microsoft365:
product: m365
service: threat_management
conditions:
vendor_name: "Microsoft"
product_name: "365"
m365:
product: m365
service: threat_management
conditions:
vendor_name: "Microsoft"
product_name: "365"
google-workspace:
service: google_workspace.admin
conditions:
vendor_name: "Google"
product_name: "Workspace"
guacamole:
service: guacamole
product_name: "Guacamole"
conditions:
vendor_name: "Guacamole"
google-cloud:
service: gcp.audit
conditions:
vendor_name: "Google"
product_name: "Cloud"
sshd:
service: sshd
conditions:
process_name: "sshd*"
syslog:
service: syslog
conditions:
process_name: "syslog*"
spring:
category: application
product: spring
conditions:
vendor_name: "Spring"
linux-audit:
product: linux
service: auditd
conditions:
vendor_name: "Linux"
product_name: "Audit"
modsecurity:
service: modsecurity
conditions:
process_name: "modsec*"
msexchange-management:
service: msexchange-management
conditions:
product_name: "MSExchange Management"
windows:
product: windows
index: windows
conditions:
vendor_name: "Microsoft"
windows-stream-hash:
product: windows
category: create_stream_hash
conditions:
product_name: "Sysmon"
vendor_id: "15"
windows-create-remote-thread:
product: windows
category: create_remote_thread
conditions:
product_name: "Sysmon"
vendor_id: "8"
windows-process-access:
product: windows
category: process_access
conditions:
product_name: "Sysmon"
vendor_id: "10"
windows-process-creation:
product: windows
category: process_creation
conditions:
product_name: "Sysmon"
vendor_id: "1"
windows-bits-client:
product: windows
service: bits-client
conditions:
event_channel: "Microsoft-Windows-Bits-Client/Operational"
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
event_channel: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
event_channel: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
event_channel: 'Microsoft-Windows-LSA/Operational'
windows-network-connection:
product: windows
category: network_connection
conditions:
product_name: "Sysmon"
vendor_id: "3"
windows-sysmon-status:
product: windows
category: sysmon_status
conditions:
product_name: "Sysmon"
vendor_id:
- 4
- 5
windows-sysmon-error:
product: windows
category: sysmon_error
conditions:
product_name: "Sysmon"
vendor_id: "255"
windows-raw-access-thread:
product: windows
category: raw_access_thread
conditions:
product_name: "Sysmon"
vendor_id: 9
windows-file-create:
product: windows
category: file_create
conditions:
product_name: "Sysmon"
vendor_id: "11"
windows-file-event:
product: windows
category: file_event
conditions:
product_name: "Sysmon"
vendor_id: "11"
windows-file-change:
product: windows
category: file_change
conditions:
product_name: "Sysmon"
vendor_id: "2"
windows-pipe-created:
product: windows
category: pipe_created
conditions:
product_name: "Sysmon"
vendor_id:
- 17
- 18
windows-dns-query:
product: windows
category: dns_query
conditions:
product_name: "Sysmon"
vendor_id: "22"
windows-file-delete:
product: windows
category: file_delete
conditions:
product_name: "Sysmon"
vendor_id: "23"
windows-kernel-file-rename:
product: windows
category: file_rename
conditions:
product_name: "Kernel-File"
windows-kernel-file-access:
product: windows
category: file_access
conditions:
product_name: "Kernel-File"
windows-wmi-sysmon:
product: windows
category: wmi_event
conditions:
product_name: "Sysmon"
vendor_id:
- 19
- 20
- 21
windows-ldap-debug:
product: windows
category: ldap_debug
conditions:
event_channel: "Microsoft-Windows-LDAP-Client/Debug"
windows-driver-load:
product: windows
category: driver_load
conditions:
product_name: "Sysmon"
vendor_id: "6"
windows-image-load:
product: windows
category: image_load
conditions:
product_name: "Sysmon"
vendor_id: "7"
clamav:
service: clamav
conditions:
process_name: "clamav*"
aws-cloudtrail:
service: cloudtrail
conditions:
vendor_name: "AWS CloudTrail"
zeek:
product: zeek
conditions:
vendor_name: "Zeek"
vendor_type: "IDS"
firewall:
category: firewall
conditions:
vendor_type:
- "Firewall"
- "Router"
- "WAP"
zeek-category-dns:
category: dns
rewrite:
product: zeek
service: dns
zeek-category-proxy:
category: proxy
rewrite:
product: zeek
service: http
zeek-conn:
product: zeek
service: conn
conditions:
hawk_source: "conn.log"
zeek-conn_long:
product: zeek
service: conn_long
conditions:
hawk_source: "conn_long.log"
zeek-dce_rpc:
product: zeek
service: dce_rpc
conditions:
hawk_source: "dce_rpc.log"
zeek-dns:
product: zeek
service: dns
conditions:
hawk_source: "dns.log"
zeek-dnp3:
product: zeek
service: dnp3
conditions:
hawk_source: "dnp3.log"
zeek-dpd:
product: zeek
service: dpd
conditions:
hawk_source: "dpd.log"
zeek-files:
product: zeek
service: files
conditions:
hawk_source: "files.log"
zeek-ftp:
product: zeek
service: ftp
conditions:
hawk_source: "ftp.log"
zeek-gquic:
product: zeek
service: gquic
conditions:
hawk_source: "gquic.log"
zeek-http:
product: zeek
service: http
conditions:
hawk_source: "http.log"
zeek-http2:
product: zeek
service: http2
conditions:
hawk_source: "http2.log"
zeek-intel:
product: zeek
service: intel
conditions:
hawk_source: "intel.log"
zeek-irc:
product: zeek
service: irc
conditions:
hawk_source: "irc.log"
zeek-kerberos:
product: zeek
service: kerberos
conditions:
hawk_source: "kerberos.log"
zeek-known_certs:
product: zeek
service: known_certs
conditions:
hawk_source: "known_certs.log"
zeek-known_hosts:
product: zeek
service: known_hosts
conditions:
hawk_source: "known_hosts.log"
zeek-known_modbus:
product: zeek
service: known_modbus
conditions:
hawk_source: "known_modbus.log"
zeek-known_services:
product: zeek
service: known_services
conditions:
hawk_source: "known_services.log"
zeek-modbus:
product: zeek
service: modbus
conditions:
hawk_source: "modbus.log"
zeek-modbus_register_change:
product: zeek
service: modbus_register_change
conditions:
hawk_source: "modbus_register_change.log"
zeek-mqtt_connect:
product: zeek
service: mqtt_connect
conditions:
hawk_source: "mqtt_connect.log"
zeek-mqtt_publish:
product: zeek
service: mqtt_publish
conditions:
hawk_source: "mqtt_publish.log"
zeek-mqtt_subscribe:
product: zeek
service: mqtt_subscribe
conditions:
hawk_source: "mqtt_subscribe.log"
zeek-mysql:
product: zeek
service: mysql
conditions:
hawk_source: "mysql.log"
zeek-notice:
product: zeek
service: notice
conditions:
hawk_source: "notice.log"
zeek-ntlm:
product: zeek
service: ntlm
conditions:
hawk_source: "ntlm.log"
zeek-ntp:
product: zeek
service: ntp
conditions:
hawk_source: "ntp.log"
zeek-ocsp:
product: zeek
service: ntp
conditions:
hawk_source: "ocsp.log"
zeek-pe:
product: zeek
service: pe
conditions:
hawk_source: "pe.log"
zeek-pop3:
product: zeek
service: pop3
conditions:
hawk_source: "pop3.log"
zeek-radius:
product: zeek
service: radius
conditions:
hawk_source: "radius.log"
zeek-rdp:
product: zeek
service: rdp
conditions:
hawk_source: "rdp.log"
zeek-rfb:
product: zeek
service: rfb
conditions:
hawk_source: "rfb.log"
zeek-sip:
product: zeek
service: sip
conditions:
hawk_source: "sip.log"
zeek-smb_files:
product: zeek
service: smb_files
conditions:
hawk_source: "smb_files.log"
zeek-smb_mapping:
product: zeek
service: smb_mapping
conditions:
hawk_source: "smb_mapping.log"
zeek-smtp:
product: zeek
service: smtp
conditions:
hawk_source: "smtp.log"
zeek-smtp_links:
product: zeek
service: smtp_links
conditions:
hawk_source: "smtp_links.log"
zeek-snmp:
product: zeek
service: snmp
conditions:
hawk_source: "snmp.log"
zeek-socks:
product: zeek
service: socks
conditions:
hawk_source: "socks.log"
zeek-software:
product: zeek
service: software
conditions:
hawk_source: "software.log"
zeek-ssh:
product: zeek
service: ssh
conditions:
hawk_source: "ssh.log"
zeek-ssl:
product: zeek
service: ssl
conditions:
hawk_source: "tls.log"
zeek-tls: # In case people call it TLS even though orig log is called ssl, but dataset is tls so may cause confusion so cover that
product: zeek
service: tls
conditions:
hawk_source: "tls.log"
zeek-syslog:
product: zeek
service: syslog
conditions:
hawk_source: "syslog.log"
zeek-tunnel:
product: zeek
service: tunnel
conditions:
hawk_source: "tunnel.log"
zeek-traceroute:
product: zeek
service: traceroute
conditions:
hawk_source: "traceroute.log"
zeek-weird:
product: zeek
service: weird
conditions:
hawk_source: "weird.log"
zeek-x509:
product: zeek
service: x509
conditions:
hawk_source: "x509.log"
zeek-ip_search:
product: zeek
service: network
conditions:
hawk_source:
- "conn.log"
- "conn_long.log"
- "dce_rpc.log"
- "dhcp.log"
- "dnp3.log"
- "dns.log"
- "ftp.log"
- "gquic.log"
- "http.log"
- "irc.log"
- "kerberos.log"
- "modbus.log"
- "mqtt_connect.log"
- "mqtt_publish.log"
- "mqtt_subscribe.log"
- "mysql.log"
- "ntlm.log"
- "ntp.log"
- "radius.log"
- "rfb.log"
- "sip.log"
- "smb_files.log"
- "smb_mapping.log"
- "smtp.log"
- "smtp_links.log"
- "snmp.log"
- "socks.log"
- "ssh.log"
- "tls.log" #SSL
- "tunnel.log"
- "weird.log"
azure-signin:
product: azure
service: signinlogs
conditions:
vendor_name: "Microsoft"
product_name: "Azure"
product_source: "signInAudits"
azure-auditlogs:
product: azure
service: auditlogs
conditions:
vendor_name: "Microsoft"
product_name: "Azure"
product_source: "directoryAudits"
azure-activitylogs:
product: azure
service: activitylogs
conditions:
vendor_name: "Microsoft"
product_name: "Azure"
azure-activity:
product: azure
service: azureactivity
conditions:
vendor_name: "Microsoft"
product_name: "Azure"
microsoft-servicebus-client:
product: windows
service: microsoft-servicebus-client
conditions:
event_channel: 'Microsoft-ServiceBus-Client'
windows-application:
product: windows
service: application
conditions:
event_channel: 'Application'
windows-security:
product: windows
service: security
conditions:
event_channel: 'Security'
windows-system:
product: windows
service: system
conditions:
event_channel: 'System'
windows-sysmon:
product: windows
service: sysmon
conditions:
product_name: 'Sysmon'
windows-powershell:
product: windows
service: powershell
conditions:
product_name: 'PowerShell'
windows-classicpowershell:
product: windows
service: powershell-classic
conditions:
product_name: 'Windows PowerShell'
windows-taskscheduler:
product: windows
service: taskscheduler
conditions:
product_name: 'TaskScheduler'
windows-wmi:
product: windows
service: wmi
conditions:
product_name: 'WMI-Activity'
windows-dns-server:
product: windows
service: dns-server
conditions:
product_name: 'DNS Server'
windows-dns-server-audit:
product: windows
service: dns-server-audit
conditions:
product_name: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
product_name: 'DriverFrameworks-UserMode'
windows-ntlm:
product: windows
service: ntlm
conditions:
product_name: 'NTLM'
windows-dhcp:
product: windows
service: dhcp
conditions:
product_name: 'DHCP-Server'
windows-defender:
product: windows
service: windefend
conditions:
product_name: 'Windows Defender'
windows-applocker:
product: windows
service: applocker
conditions:
product_name:
- 'AppLocker'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
product_name: 'Windows Firewall With Advanced Security'
windows-ps-module:
product: windows
category: ps_module
conditions:
product_name: 'PowerShell'
vendor_id: 4103
windows-ps-script:
product: windows
category: ps_script
conditions:
product_name: 'PowerShell'
vendor_id: 4104
windows-ps-classic-start:
product: windows
category: ps_classic_start
conditions:
EventID: 400
product_name: 'Windows PowerShell'
windows-ps-classic-provider:
product: windows
category: ps_classic_provider_start
conditions:
vendor_id: 600
product_name: 'Windows PowerShell'
windows-ps-classic-script:
product: windows
category: ps_classic_script
conditions:
vendor_id: 800
product_name: 'Windows PowerShell'
windows-service-bus:
service: Microsoft-ServiceBus-Client
conditions:
product_name: "Microsoft-ServiceBus-Client"
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
product_name: 'MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
product_name: 'PrintService'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
product_name: 'PrintService'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
product_name: 'TerminalServices-LocalSessionManager'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
product_name: 'CodeIntegrity'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
product_name: 'SmbClient'
windows-registry:
product: windows
category: registry_event
conditions:
product_name: "Sysmon"
vendor_id:
- 12
- 13
- 14
windows-registry-add:
product: windows
category: registry_add
conditions:
product_name: "Sysmon"
vendor_id: 12
windows-registry-delete:
product: windows
category: registry_delete
conditions:
product_name: "Sysmon"
vendor_id: 12
windows-registry-set:
product: windows
category: registry_set
conditions:
product_name: "Sysmon"
vendor_id: 13
windows-registry-rename:
product: windows
category: registry_rename
conditions:
product_name: "Sysmon"
vendor_id: 14
windows-file-block-executable:
product: windows
category: file_block
conditions:
product_name: "Sysmon"
vendor_id: 27
#dns:
# category: dns
# conditions:
qflow:
product: qflow
netflow:
service: netflow
ipfix:
product: ipfix
flow:
product: flow
antivirus:
category: antivirus
conditions:
vendor_type: 'Antivirus'
apache:
service: apache
conditions:
product_name:
- 'apache*'
- 'httpd*'
webserver:
category: webserver
conditions:
vendor_type: 'Webserver'
cisco:
product: cisco
conditions:
vendor_name: 'Cisco'
django:
product: django
conditions:
vendor_name: 'Django'
okta:
service: okta
conditions:
vendor_name: "Okta"
product_name: "Identity and Access Management"
onedrive:
service: onedrive
conditions:
vendor_name: "Microsoft"
product_name: "Onedrive"
onelogin-events:
service: onelogin.events
conditions:
vendor_name: "Microsoft"
product_name: "Onelogin"
microsoft365:
product: m365
service: threat_management
conditions:
vendor_name: "Microsoft"
product_name: "365"
m365:
product: m365
service: threat_management
conditions:
vendor_name: "Microsoft"
product_name: "365"
google-workspace:
service: google_workspace.admin
conditions:
vendor_name: "Google"
product_name: "Workspace"
guacamole:
service: guacamole
product_name: "Guacamole"
conditions:
vendor_name: "Guacamole"
google-cloud:
service: gcp.audit
conditions:
vendor_name: "Google"
product_name: "Cloud"
sshd:
service: sshd
conditions:
process_name: "sshd*"
syslog:
service: syslog
conditions:
process_name: "syslog*"
spring:
category: application
product: spring
conditions:
vendor_name: "Spring"
linux-audit:
product: linux
service: auditd
conditions:
vendor_name: "Linux"
product_name: "Audit"
modsecurity:
service: modsecurity
conditions:
process_name: "modsec*"
msexchange-management:
service: msexchange-management
conditions:
product_name: "MSExchange Management"
windows:
product: windows
index: windows
conditions:
vendor_name: "Microsoft"
windows-stream-hash:
product: windows
category: create_stream_hash
conditions:
product_name: "Sysmon"
vendor_id: "15"
windows-create-remote-thread:
product: windows
category: create_remote_thread
conditions:
product_name: "Sysmon"
vendor_id: "8"
windows-process-access:
product: windows
category: process_access
conditions:
product_name: "Sysmon"
vendor_id: "10"
windows-process-creation:
product: windows
category: process_creation
conditions:
product_name: "Sysmon"
vendor_id: "1"
windows-bits-client:
product: windows
service: bits-client
conditions:
event_channel: "Microsoft-Windows-Bits-Client/Operational"
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
event_channel: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
event_channel: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
event_channel: 'Microsoft-Windows-LSA/Operational'
windows-appxpackaging-om:
product: windows
service: appxpackaging-om
conditions:
event_channel: 'Microsoft-Windows-AppxPackaging/Operational'
windows-dns-client:
product: windows
service: dns-client
conditions:
event_channel: 'Microsoft-Windows-DNS Client Events/Operational'
windows-appmodel-runtime:
product: windows
service: appmodel-runtime
conditions:
event_channel: 'Microsoft-Windows-AppModel-Runtime/Admin'
windows-network-connection:
product: windows
category: network_connection
conditions:
product_name: "Sysmon"
vendor_id: "3"
windows-sysmon-status:
product: windows
category: sysmon_status
conditions:
product_name: "Sysmon"
vendor_id:
- 4
- 5
windows-sysmon-error:
product: windows
category: sysmon_error
conditions:
product_name: "Sysmon"
vendor_id: "255"
windows-raw-access-thread:
product: windows
category: raw_access_thread
conditions:
product_name: "Sysmon"
vendor_id: 9
windows-file-create:
product: windows
category: file_create
conditions:
product_name: "Sysmon"
vendor_id: "11"
windows-file-event:
product: windows
category: file_event
conditions:
product_name: "Sysmon"
vendor_id: "11"
windows-file-change:
product: windows
category: file_change
conditions:
product_name: "Sysmon"
vendor_id: "2"
windows-pipe-created:
product: windows
category: pipe_created
conditions:
product_name: "Sysmon"
vendor_id:
- 17
- 18
windows-dns-query:
product: windows
category: dns_query
conditions:
product_name: "Sysmon"
vendor_id: "22"
windows-file-delete:
product: windows
category: file_delete
conditions:
product_name: "Sysmon"
vendor_id: "23"
windows-kernel-file-rename:
product: windows
category: file_rename
conditions:
product_name: "Kernel-File"
windows-kernel-file-access:
product: windows
category: file_access
conditions:
product_name: "Kernel-File"
windows-wmi-sysmon:
product: windows
category: wmi_event
conditions:
product_name: "Sysmon"
vendor_id:
- 19
- 20
- 21
windows-ldap-debug:
product: windows
category: ldap_debug
conditions:
event_channel: "Microsoft-Windows-LDAP-Client/Debug"
windows-driver-load:
product: windows
category: driver_load
conditions:
product_name: "Sysmon"
vendor_id: "6"
windows-image-load:
product: windows
category: image_load
conditions:
product_name: "Sysmon"
vendor_id: "7"
clamav:
service: clamav
conditions:
process_name: "clamav*"
aws-cloudtrail:
service: cloudtrail
conditions:
vendor_name: "AWS CloudTrail"
zeek:
product: zeek
conditions:
vendor_name: "Zeek"
vendor_type: "IDS"
firewall:
category: firewall
conditions:
vendor_type:
- "Firewall"
- "Router"
- "WAP"
zeek-category-dns:
category: dns
rewrite:
product: zeek
service: dns
zeek-category-proxy:
category: proxy
rewrite:
product: zeek
service: http
zeek-conn:
product: zeek
service: conn
conditions:
hawk_source: "conn.log"
zeek-conn_long:
product: zeek
service: conn_long
conditions:
hawk_source: "conn_long.log"
zeek-dce_rpc:
product: zeek
service: dce_rpc
conditions:
hawk_source: "dce_rpc.log"
zeek-dns:
product: zeek
service: dns
conditions:
hawk_source: "dns.log"
zeek-dnp3:
product: zeek
service: dnp3
conditions:
hawk_source: "dnp3.log"
zeek-dpd:
product: zeek
service: dpd
conditions:
hawk_source: "dpd.log"
zeek-files:
product: zeek
service: files
conditions:
hawk_source: "files.log"
zeek-ftp:
product: zeek
service: ftp
conditions:
hawk_source: "ftp.log"
zeek-gquic:
product: zeek
service: gquic
conditions:
hawk_source: "gquic.log"
zeek-http:
product: zeek
service: http
conditions:
hawk_source: "http.log"
zeek-http2:
product: zeek
service: http2
conditions:
hawk_source: "http2.log"
zeek-intel:
product: zeek
service: intel
conditions:
hawk_source: "intel.log"
zeek-irc:
product: zeek
service: irc
conditions:
hawk_source: "irc.log"
zeek-kerberos:
product: zeek
service: kerberos
conditions:
hawk_source: "kerberos.log"
zeek-known_certs:
product: zeek
service: known_certs
conditions:
hawk_source: "known_certs.log"
zeek-known_hosts:
product: zeek
service: known_hosts
conditions:
hawk_source: "known_hosts.log"
zeek-known_modbus:
product: zeek
service: known_modbus
conditions:
hawk_source: "known_modbus.log"
zeek-known_services:
product: zeek
service: known_services
conditions:
hawk_source: "known_services.log"
zeek-modbus:
product: zeek
service: modbus
conditions:
hawk_source: "modbus.log"
zeek-modbus_register_change:
product: zeek
service: modbus_register_change
conditions:
hawk_source: "modbus_register_change.log"
zeek-mqtt_connect:
product: zeek
service: mqtt_connect
conditions:
hawk_source: "mqtt_connect.log"
zeek-mqtt_publish:
product: zeek
service: mqtt_publish
conditions:
hawk_source: "mqtt_publish.log"
zeek-mqtt_subscribe:
product: zeek
service: mqtt_subscribe
conditions:
hawk_source: "mqtt_subscribe.log"
zeek-mysql:
product: zeek
service: mysql
conditions:
hawk_source: "mysql.log"
zeek-notice:
product: zeek
service: notice
conditions:
hawk_source: "notice.log"
zeek-ntlm:
product: zeek
service: ntlm
conditions:
hawk_source: "ntlm.log"
zeek-ntp:
product: zeek
service: ntp
conditions:
hawk_source: "ntp.log"
zeek-ocsp:
product: zeek
service: ntp
conditions:
hawk_source: "ocsp.log"
zeek-pe:
product: zeek
service: pe
conditions:
hawk_source: "pe.log"
zeek-pop3:
product: zeek
service: pop3
conditions:
hawk_source: "pop3.log"
zeek-radius:
product: zeek
service: radius
conditions:
hawk_source: "radius.log"
zeek-rdp:
product: zeek
service: rdp
conditions:
hawk_source: "rdp.log"
zeek-rfb:
product: zeek
service: rfb
conditions:
hawk_source: "rfb.log"
zeek-sip:
product: zeek
service: sip
conditions:
hawk_source: "sip.log"
zeek-smb_files:
product: zeek
service: smb_files
conditions:
hawk_source: "smb_files.log"
zeek-smb_mapping:
product: zeek
service: smb_mapping
conditions:
hawk_source: "smb_mapping.log"
zeek-smtp:
product: zeek
service: smtp
conditions:
hawk_source: "smtp.log"
zeek-smtp_links:
product: zeek
service: smtp_links
conditions:
hawk_source: "smtp_links.log"
zeek-snmp:
product: zeek
service: snmp
conditions:
hawk_source: "snmp.log"
zeek-socks:
product: zeek
service: socks
conditions:
hawk_source: "socks.log"
zeek-software:
product: zeek
service: software
conditions:
hawk_source: "software.log"
zeek-ssh:
product: zeek
service: ssh
conditions:
hawk_source: "ssh.log"
zeek-ssl:
product: zeek
service: ssl
conditions:
hawk_source: "tls.log"
zeek-tls: # In case people call it TLS even though orig log is called ssl, but dataset is tls so may cause confusion so cover that
product: zeek
service: tls
conditions:
hawk_source: "tls.log"
zeek-syslog:
product: zeek
service: syslog
conditions:
hawk_source: "syslog.log"
zeek-tunnel:
product: zeek
service: tunnel
conditions:
hawk_source: "tunnel.log"
zeek-traceroute:
product: zeek
service: traceroute
conditions:
hawk_source: "traceroute.log"
zeek-weird:
product: zeek
service: weird
conditions:
hawk_source: "weird.log"
zeek-x509:
product: zeek
service: x509
conditions:
hawk_source: "x509.log"
zeek-ip_search:
product: zeek
service: network
conditions:
hawk_source:
- "conn.log"
- "conn_long.log"
- "dce_rpc.log"
- "dhcp.log"
- "dnp3.log"
- "dns.log"
- "ftp.log"
- "gquic.log"
- "http.log"
- "irc.log"
- "kerberos.log"
- "modbus.log"
- "mqtt_connect.log"
- "mqtt_publish.log"
- "mqtt_subscribe.log"
- "mysql.log"
- "ntlm.log"
- "ntp.log"
- "radius.log"
- "rfb.log"
- "sip.log"
- "smb_files.log"
- "smb_mapping.log"
- "smtp.log"
- "smtp_links.log"
- "snmp.log"
- "socks.log"
- "ssh.log"
- "tls.log" #SSL
- "tunnel.log"
- "weird.log"
azure-signin:
product: azure
service: signinlogs
conditions:
vendor_name: "Microsoft"
product_name: "Azure"
product_source: "signInAudits"
azure-auditlogs:
product: azure
service: auditlogs
conditions:
vendor_name: "Microsoft"
product_name: "Azure"
product_source: "directoryAudits"
azure-activitylogs:
product: azure
service: activitylogs
conditions:
vendor_name: "Microsoft"
product_name: "Azure"
azure-activity:
product: azure
service: azureactivity
conditions:
vendor_name: "Microsoft"
product_name: "Azure"
microsoft-servicebus-client:
product: windows
service: microsoft-servicebus-client
conditions:
event_channel: 'Microsoft-ServiceBus-Client'
windows-application:
product: windows
service: application
conditions:
event_channel: 'Application'
windows-security:
product: windows
service: security
conditions:
event_channel: 'Security'
windows-system:
product: windows
service: system
conditions:
event_channel: 'System'
windows-sysmon:
product: windows
service: sysmon
conditions:
product_name: 'Sysmon'
windows-powershell:
product: windows
service: powershell
conditions:
product_name: 'PowerShell'
windows-classicpowershell:
product: windows
service: powershell-classic
conditions:
product_name: 'Windows PowerShell'
windows-taskscheduler:
product: windows
service: taskscheduler
conditions:
product_name: 'TaskScheduler'
windows-wmi:
product: windows
service: wmi
conditions:
product_name: 'WMI-Activity'
windows-dns-server:
product: windows
service: dns-server
conditions:
product_name: 'DNS Server'
windows-dns-server-audit:
product: windows
service: dns-server-audit
conditions:
product_name: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
product_name: 'DriverFrameworks-UserMode'
windows-ntlm:
product: windows
service: ntlm
conditions:
product_name: 'NTLM'
windows-dhcp:
product: windows
service: dhcp
conditions:
product_name: 'DHCP-Server'
windows-defender:
product: windows
service: windefend
conditions:
product_name: 'Windows Defender'
windows-applocker:
product: windows
service: applocker
conditions:
product_name: 'AppLocker'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
product_name: 'Windows Firewall With Advanced Security'
windows-ps-module:
product: windows
category: ps_module
conditions:
product_name: 'PowerShell'
vendor_id: 4103
windows-ps-script:
product: windows
category: ps_script
conditions:
product_name: 'PowerShell'
vendor_id: 4104
windows-ps-classic-start:
product: windows
category: ps_classic_start
conditions:
EventID: 400
product_name: 'Windows PowerShell'
windows-ps-classic-provider:
product: windows
category: ps_classic_provider_start
conditions:
vendor_id: 600
product_name: 'Windows PowerShell'
windows-ps-classic-script:
product: windows
category: ps_classic_script
conditions:
vendor_id: 800
product_name: 'Windows PowerShell'
windows-service-bus:
service: Microsoft-ServiceBus-Client
conditions:
product_name: "Microsoft-ServiceBus-Client"
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
product_name: 'MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
product_name: 'PrintService'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
product_name: 'PrintService'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
product_name: 'TerminalServices-LocalSessionManager'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
product_name: 'CodeIntegrity'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
product_name: 'SmbClient'
windows-registry:
product: windows
category: registry_event
conditions:
product_name: "Sysmon"
vendor_id:
- 12
- 13
- 14
windows-registry-add:
product: windows
category: registry_add
conditions:
product_name: "Sysmon"
vendor_id: 12
windows-registry-delete:
product: windows
category: registry_delete
conditions:
product_name: "Sysmon"
vendor_id: 12
windows-registry-set:
product: windows
category: registry_set
conditions:
product_name: "Sysmon"
vendor_id: 13
windows-registry-rename:
product: windows
category: registry_rename
conditions:
product_name: "Sysmon"
vendor_id: 14
windows-file-block-executable:
product: windows
category: file_block
conditions:
product_name: "Sysmon"
vendor_id: 27
#dns:
# category: dns
# conditions:
qflow:
product: qflow
netflow:
service: netflow
ipfix:
product: ipfix
flow:
product: flow
fieldmappings:
dst:
- ip_dst_host
dst_ip:
- ip_dst
src:
- ip_src_host
src_ip:
- ip_src
IPAddress: ip_src
DNSAddress: dns_address
DCIPAddress: ip_src
category: vendor_category
error: error_code
key: event_key
payload: event_payload
weight: event_weight
account type: account_type
PrivilegeList: process_privileges
pid_user: event_username
sid: correlation_session_id
UserSid: correlation_session_id
TargetSid: target_session_id
TargetUserName: target_username
SamAccountName: target_username
AccountName: target_username
TargetDomainName: target_domain
DnsServerIpAddress: dns_address
QueryName: dns_query
AuthenticationPackageName: package_name
HostProcess: image
Application: image
ProcessName: image
TargetImage: target_image
ParentImage: parent_image
CallerProcessName: parent_image
ParentProcessName: parent_image
CommandLine: command
ProcessCommandLine: command
ParentCommandLine: parent_command
Imphash: file_hash_imphash
sha256: file_hash_sha256
md5: file_hash_md5
sha1: file_hash_sha1
SubjectUserSid: correlation_session_id
SubjectSid: correlation_session_id
SubjectUserName: correlation_username
SubjectDomainName: correlation_domain
SubjectLogonId: correlation_logon_id
pid: event_pid
ProccessId: pid
NewProcessName: image
ServiceName: service_name
Service: service_name
ServiceFileName: filename
EventID: vendor_id
SourceImage: parent_image
ImageLoaded: image_loaded
Description: image_description
ScriptBlockText: value
Product: image_product
Company: image_company
CurrentDirectory: path
ShareName: path
RelativeTargetName: filename
TargetName: value
Initiated: value
Accesses: access_mask
LDAPDisplayName: distinguished_name
AttributeLDAPDisplayName: distinguished_name
AttributeValue: value
ParentProcessId: parent_pid
SourceProcessId: source_pid
TargetProcessId: target_pid
Signed: signature
Status: value
TargetFilename: filename
FileName: filename
TargetObject: object_target
ObjectClass: object_type
ObjectValueName: object_name
ObjectName: object_name
DeviceClassName: object_name
CallTrace: calltrace
IpAddress: ip_src
WorkstationName: ip_src_host
Workstation: ip_src_host
DestinationIp: ip_dst
DestinationHostname: ip_dst_host
DestinationPort: ip_dport
DestAddress: ip_dst
DestPort: ip_dport
SourceAddress: ip_src
SourcePort: ip_sport
GrantedAccess: access_mask
StartModule: target_process_name
TargetProcessAddress: process_address
TicketOptions: sys.ticket.options
TicketEncryptionType: sys.ticket.encryption.type
DetectionSource: value
Priority: event_priority
event_type_id: vendor_id
destination.port: ip_dport
user: correlation_username
User: correlation_username
# Provider_Name: channel
c-referer: http_referer
cs-referer: http_referer
cs-host: http_host
cs-method: http_method
c-uri: http_path
c-uri-stem: http_path
cs-uri: http_path
cs-uri-stem: http_path
c-agent: http_user_agent
cs-agent: http_user_agent
c-useragent: http_user_agent
cs-useragent: http_user_agent
cs-user-agent: http_user_agent
c-ip: ip_src
cs-ip: ip_src
s-ip: ip_dst
sc-ip: ip_dst
c-username: correlation_username
cs-username: correlation_username
s-computername: ip_dst_host
cs-uri-query: http_query
c-uri-query: http_query
sc-status: http_status_code
sc-bytes: http_content_length
user-agent: http_user_agent
cs-User-Agent: http_user_agent
r-dns: http_host
id.orig_h: ip_src
id.orig_p: ip_sport
id.resp_h: ip_dst
id.resp_p: ip_dport
host: ip_src
hostname: ip_src_host
port_num: ip_dport
dst_port: ip_dport
query: dns_query
orig_ip_bytes: net_if_out_bytes
resp_ip_bytes: net_if_in_bytes
QNAME: qname
Channel: event_channel
dst:
- ip_dst_host
dst_ip:
- ip_dst
src:
- ip_src_host
src_ip:
- ip_src
IPAddress: ip_src
DNSAddress: dns_address
DCIPAddress: ip_src
category: vendor_category
error: error_code
key: event_key
payload: event_payload
weight: event_weight
account type: account_type
PrivilegeList: process_privileges
pid_user: event_username
sid: correlation_session_id
UserSid: correlation_session_id
TargetSid: target_session_id
TargetUserName: target_username
SamAccountName: target_username
AccountName: target_username
TargetDomainName: target_domain
DnsServerIpAddress: dns_address
QueryName: dns_query
AuthenticationPackageName: package_name
HostProcess: image
Application: image
ProcessName: image
TargetImage: target_image
ParentImage: parent_image
CallerProcessName: parent_image
ParentProcessName: parent_image
CommandLine: command
ProcessCommandLine: command
ParentCommandLine: parent_command
Imphash: file_hash_imphash
sha256: file_hash_sha256
md5: file_hash_md5
sha1: file_hash_sha1
SubjectUserSid: correlation_session_id
SubjectSid: correlation_session_id
SubjectUserName: correlation_username
SubjectDomainName: correlation_domain
SubjectLogonId: correlation_logon_id
pid: event_pid
ProccessId: pid
NewProcessName: image
ServiceName: service_name
Service: service_name
ServiceFileName: filename
EventID: vendor_id
SourceImage: parent_image
ImageLoaded: image_loaded
Description: image_description
ScriptBlockText: value
Product: image_product
Company: image_company
CurrentDirectory: path
ShareName: path
RelativeTargetName: filename
TargetName: value
Initiated: value
Accesses: access_mask
LDAPDisplayName: distinguished_name
AttributeLDAPDisplayName: distinguished_name
AttributeValue: value
ParentProcessId: parent_pid
SourceProcessId: source_pid
TargetProcessId: target_pid
Signed: signature
Status: value
TargetFilename: filename
FileName: filename
TargetObject: object_target
ObjectClass: object_type
ObjectValueName: object_name
ObjectName: object_name
DeviceClassName: object_name
CallTrace: calltrace
IpAddress: ip_src
WorkstationName: ip_src_host
Workstation: ip_src_host
DestinationIp: ip_dst
DestinationHostname: ip_dst_host
DestinationPort: ip_dport
DestAddress: ip_dst
DestPort: ip_dport
SourceAddress: ip_src
SourcePort: ip_sport
GrantedAccess: access_mask
StartModule: target_process_name
TargetProcessAddress: process_address
TicketOptions: sys.ticket.options
TicketEncryptionType: sys.ticket.encryption.type
DetectionSource: value
Priority: event_priority
event_type_id: vendor_id
destination.port: ip_dport
user: correlation_username
User: correlation_username
# Provider_Name: channel
c-referer: http_referer
cs-referer: http_referer
cs-host: http_host
cs-method: http_method
c-uri: http_path
c-uri-stem: http_path
cs-uri: http_path
cs-uri-stem: http_path
c-agent: http_user_agent
cs-agent: http_user_agent
c-useragent: http_user_agent
cs-useragent: http_user_agent
cs-user-agent: http_user_agent
c-ip: ip_src
cs-ip: ip_src
s-ip: ip_dst
sc-ip: ip_dst
c-username: correlation_username
cs-username: correlation_username
s-computername: ip_dst_host
cs-uri-query: http_query
c-uri-query: http_query
sc-status: http_status_code
sc-bytes: http_content_length
user-agent: http_user_agent
cs-User-Agent: http_user_agent
r-dns: http_host
id.orig_h: ip_src
id.orig_p: ip_sport
id.resp_h: ip_dst
id.resp_p: ip_dport
host: ip_src
hostname: ip_src_host
port_num: ip_dport
dst_port: ip_dport
query: dns_query
orig_ip_bytes: net_if_out_bytes
resp_ip_bytes: net_if_in_bytes
QNAME: qname
Channel: event_channel
+142 -127
@@ -1,134 +1,149 @@
title: Logpoint
order: 20
backends:
- logpoint
- logpoint
logsources:
windows-security:
product: windows
service: security
conditions:
event_source: 'Microsoft-Windows-Security-Auditing'
windows-system:
product: windows
service: system
conditions:
event_source: 'Microsoft-Windows-Security-Auditing'
windows-dns-server:
product: windows
service: dns-server
conditions:
event_source: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
event_source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
event_source: 'Microsoft-Windows-DHCP-Server/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
event_source: 'Microsoft-Windows-NTLM/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
event_source:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
event_source: 'MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
event_source: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
event_source: 'Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
event_source: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
event_source: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
event_source: 'Microsoft-Windows-SmbClient/Security'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
event_source: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
event_source: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
event_source:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
event_source: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
event_source: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
event_source: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
event_source: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
event_source: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
event_source: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
event_source: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
event_source: 'Microsoft-Windows-LSA/Operational'
windows-security:
product: windows
service: security
conditions:
event_source: 'Microsoft-Windows-Security-Auditing'
windows-system:
product: windows
service: system
conditions:
event_source: 'Microsoft-Windows-Security-Auditing'
windows-dns-server:
product: windows
service: dns-server
conditions:
event_source: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
event_source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
event_source: 'Microsoft-Windows-DHCP-Server/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
event_source: 'Microsoft-Windows-NTLM/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
event_source:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
event_source: 'MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
event_source: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
event_source: 'Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
event_source: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
event_source: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
event_source: 'Microsoft-Windows-SmbClient/Security'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
event_source: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
event_source: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
event_source:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
event_source: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
event_source: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
event_source: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
event_source: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
event_source: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
event_source: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
event_source: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
event_source: 'Microsoft-Windows-LSA/Operational'
windows-appxpackaging-om:
product: windows
service: appxpackaging-om
conditions:
event_source: 'Microsoft-Windows-AppxPackaging/Operational'
windows-dns-client:
product: windows
service: dns-client
conditions:
event_source: 'Microsoft-Windows-DNS Client Events/Operational'
windows-appmodel-runtime:
product: windows
service: appmodel-runtime
conditions:
event_source: 'Microsoft-Windows-AppModel-Runtime/Admin'
fieldmappings:
EventID: event_id
FailureCode: result_code
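Review bot: The `windows-system` stanza on the new side still carries `event_source: 'Microsoft-Windows-Security-Auditing'`, the same provider the `windows-security` stanza matches on, so a rule scoped to `service: system` would be translated into a query over Security auditing events and never see System log records; the re-indent copies the value over without fixing it. Unless Logpoint genuinely normalizes the System channel under that source, the condition should name the System log's own source, e.g. `event_source: 'SYSTEM_LOG_SOURCE_PLACEHOLDER'` (placeholder, confirm against the Logpoint normalization before changing it). As written, the two stanzas are indistinguishable apart from the `service` key, which makes the over-match silent from the rule author's side.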
+163 -148
@@ -1,153 +1,168 @@
title: Logstash Windows common log sources
order: 20
backends:
- es-qs
- es-dsl
- es-rule
- kibana
- kibana-ndjson
- xpack-watcher
- elastalert
- elastalert-dsl
- ee-outliers
- es-qs
- es-dsl
- es-rule
- kibana
- kibana-ndjson
- xpack-watcher
- elastalert
- elastalert-dsl
- ee-outliers
logsources:
windows:
product: windows
index: logstash-windows-*
windows-application:
product: windows
service: application
conditions:
Channel: Application
windows-security:
product: windows
service: security
conditions:
Channel: Security
windows-sysmon:
product: windows
service: sysmon
conditions:
Channel: Microsoft-Windows-Sysmon
windows-dns-server:
product: windows
service: dns-server
conditions:
Channel: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
Channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
Channel: 'Microsoft-Windows-DHCP-Server/Operational'
windows-defender:
product: windows
service: windefend
conditions:
Channel: 'Microsoft-Windows-Windows Defender/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
Channel: 'Microsoft-Windows-NTLM/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
Channel:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
Channel: 'MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
Channel: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
Channel: 'Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
Channel: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
Channel: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
Channel: 'Microsoft-Windows-SmbClient/Security'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
Channel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
Channel: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
Channel:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
Channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
Channel: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
Channel: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
Channel: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
Channel: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
Channel: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
Channel: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
Channel: 'Microsoft-Windows-LSA/Operational'
windows:
product: windows
index: logstash-windows-*
windows-application:
product: windows
service: application
conditions:
Channel: Application
windows-security:
product: windows
service: security
conditions:
Channel: Security
windows-sysmon:
product: windows
service: sysmon
conditions:
Channel: Microsoft-Windows-Sysmon
windows-dns-server:
product: windows
service: dns-server
conditions:
Channel: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
Channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
Channel: 'Microsoft-Windows-DHCP-Server/Operational'
windows-defender:
product: windows
service: windefend
conditions:
Channel: 'Microsoft-Windows-Windows Defender/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
Channel: 'Microsoft-Windows-NTLM/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
Channel:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
Channel: 'MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
Channel: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
Channel: 'Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
Channel: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
Channel: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
Channel: 'Microsoft-Windows-SmbClient/Security'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
Channel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
Channel: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
Channel:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
Channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
Channel: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
Channel: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
Channel: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
Channel: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
Channel: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
Channel: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
Channel: 'Microsoft-Windows-LSA/Operational'
windows-appxpackaging-om:
product: windows
service: appxpackaging-om
conditions:
Channel: 'Microsoft-Windows-AppxPackaging/Operational'
windows-dns-client:
product: windows
service: dns-client
conditions:
Channel: 'Microsoft-Windows-DNS Client Events/Operational'
windows-appmodel-runtime:
product: windows
service: appmodel-runtime
conditions:
Channel: 'Microsoft-Windows-AppModel-Runtime/Admin'
defaultindex: logstash-*
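Review bot: The new `windows-dns-client` entry's `Channel: 'Microsoft-Windows-DNS Client Events/Operational'` looks like the Event Viewer folder label rather than the registered channel name; as far as I know the DNS client operational log is registered as `Microsoft-Windows-DNS-Client/Operational`, and an equality condition on the label would silently match no events. Please confirm the exact name with `wevtutil el` on a host that forwards this log and, if it differs, change the line to `Channel: 'Microsoft-Windows-DNS-Client/Operational'`. The same value is used for the `LogName` condition in the PowerShell section and the `source` condition in the Splunk section below, so all three should be kept in step with whatever is verified here. A one-line comment above the entry recording where the channel name was checked would save the next reader the same lookup.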
+184 -169
@@ -1,173 +1,188 @@
title: Logsource to LogName mappings for PowerShell backend
order: 20
backends:
- powershell
- powershell
logsources:
windows-application:
product: windows
service: application
conditions:
LogName: 'Application'
windows-security:
product: windows
service: security
conditions:
LogName: 'Security'
windows-system:
product: windows
service: system
conditions:
LogName: 'System'
windows-sysmon:
product: windows
service: sysmon
conditions:
LogName: 'Microsoft-Windows-Sysmon/Operational'
windows-powershell:
product: windows
service: powershell
conditions:
LogName:
- 'Microsoft-Windows-PowerShell/Operational'
- 'PowerShellCore/Operational'
windows-classicpowershell:
product: windows
service: powershell-classic
conditions:
LogName: 'Windows PowerShell'
windows-taskscheduler:
product: windows
service: taskscheduler
conditions:
LogName: 'Microsoft-Windows-TaskScheduler/Operational'
windows-wmi:
product: windows
service: wmi
conditions:
LogName: 'Microsoft-Windows-WMI-Activity/Operational'
windows-dns-server:
product: windows
service: dns-server
conditions:
LogName: 'DNS Server'
windows-dns-server-audit:
product: windows
service: dns-server-audit
conditions:
LogName: 'Microsoft-Windows-DNS-Server/Audit'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
LogName: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
LogName: 'Microsoft-Windows-NTLM/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
LogName: 'Microsoft-Windows-DHCP-Server/Operational'
windows-defender:
product: windows
service: windefend
conditions:
LogName: 'Microsoft-Windows-Windows Defender/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
LogName:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
LogName: 'MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
LogName: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
LogName: 'Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
LogName: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
LogName: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
LogName: 'Microsoft-Windows-SmbClient/Security'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
LogName: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
LogName: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
LogName:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
LogName: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
LogName: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
LogName: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
LogName: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
LogName: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
LogName: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
LogName: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
LogName: 'Microsoft-Windows-LSA/Operational'
windows-application:
product: windows
service: application
conditions:
LogName: 'Application'
windows-security:
product: windows
service: security
conditions:
LogName: 'Security'
windows-system:
product: windows
service: system
conditions:
LogName: 'System'
windows-sysmon:
product: windows
service: sysmon
conditions:
LogName: 'Microsoft-Windows-Sysmon/Operational'
windows-powershell:
product: windows
service: powershell
conditions:
LogName:
- 'Microsoft-Windows-PowerShell/Operational'
- 'PowerShellCore/Operational'
windows-classicpowershell:
product: windows
service: powershell-classic
conditions:
LogName: 'Windows PowerShell'
windows-taskscheduler:
product: windows
service: taskscheduler
conditions:
LogName: 'Microsoft-Windows-TaskScheduler/Operational'
windows-wmi:
product: windows
service: wmi
conditions:
LogName: 'Microsoft-Windows-WMI-Activity/Operational'
windows-dns-server:
product: windows
service: dns-server
conditions:
LogName: 'DNS Server'
windows-dns-server-audit:
product: windows
service: dns-server-audit
conditions:
LogName: 'Microsoft-Windows-DNS-Server/Audit'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
LogName: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
LogName: 'Microsoft-Windows-NTLM/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
LogName: 'Microsoft-Windows-DHCP-Server/Operational'
windows-defender:
product: windows
service: windefend
conditions:
LogName: 'Microsoft-Windows-Windows Defender/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
LogName:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
LogName: 'MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
LogName: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
LogName: 'Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
LogName: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
LogName: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
LogName: 'Microsoft-Windows-SmbClient/Security'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
LogName: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
LogName: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
LogName:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
LogName: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
LogName: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
LogName: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
LogName: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
LogName: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
LogName: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
LogName: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
LogName: 'Microsoft-Windows-LSA/Operational'
windows-appxpackaging-om:
product: windows
service: appxpackaging-om
conditions:
LogName: 'Microsoft-Windows-AppxPackaging/Operational'
windows-dns-client:
product: windows
service: dns-client
conditions:
LogName: 'Microsoft-Windows-DNS Client Events/Operational'
windows-appmodel-runtime:
product: windows
service: appmodel-runtime
conditions:
LogName: 'Microsoft-Windows-AppModel-Runtime/Admin'
+204 -189
@@ -1,195 +1,210 @@
title: Splunk Windows log source conditions
order: 20
backends:
- splunk
- splunkxml
- splunkdm
- splunk
- splunkxml
- splunkdm
logsources:
windows-application:
product: windows
service: application
conditions:
source: 'WinEventLog:Application'
windows-security:
product: windows
service: security
conditions:
source: 'WinEventLog:Security'
windows-system:
product: windows
service: system
conditions:
source: 'WinEventLog:System'
windows-sysmon:
product: windows
service: sysmon
conditions:
source: 'WinEventLog:Microsoft-Windows-Sysmon/Operational'
windows-process-creation:
product: windows
service: sysmon
category: process_creation
# Optimized search for process creation, being dramatically faster in Lispy than just EventCode=1 search, as 'ParentProcessGuid' is more unique than '1' in the raw data.
# This also supports custom splunk macros, just like they are written in splunk (i.e. as `macro`), minding that it has to be written inside the string quotes here.
search: 'ParentProcessGuid EventCode=1'
windows-file-creation:
product: windows
service: sysmon
category: file_creation
search: 'TargetFilename EventCode=11'
windows-powershell:
product: windows
service: powershell
conditions:
source:
- 'WinEventLog:Microsoft-Windows-PowerShell/Operational'
- 'WinEventLog:PowerShellCore/Operational'
windows-classicpowershell:
product: windows
service: powershell-classic
conditions:
source: 'WinEventLog:Windows PowerShell'
windows-taskscheduler:
product: windows
service: taskscheduler
conditions:
source: 'WinEventLog:Microsoft-Windows-TaskScheduler/Operational'
windows-wmi:
product: windows
service: wmi
conditions:
source: 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational'
windows-dns-server:
product: windows
service: dns-server
category: dns
conditions:
source: 'WinEventLog:DNS Server'
windows-dns-server-audit:
product: windows
service: dns-server-audit
conditions:
source: 'WinEventLog:Microsoft-Windows-DNS-Server/Audit'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
source: 'WinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
source: 'WinEventLog:Microsoft-Windows-NTLM/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
source: 'WinEventLog:Microsoft-Windows-DHCP-Server/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
source:
- 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script'
- 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL'
- 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
source: 'WinEventLog:MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
source: 'WinEventLog:Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
source: 'WinEventLog:Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
source: 'WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
source: 'WinEventLog:Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
source: 'WinEventLog:Microsoft-Windows-SmbClient/Security'
windows-rpc-firewall:
product: rpc_firewall
category: application
conditions:
source: 'WinEventLog:RPCFW'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
source: 'WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
source: 'WinEventLog:Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
source:
- 'WinEventLog:Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'WinEventLog:Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
source: 'WinEventLog:Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
source: 'WinEventLog:Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
source: 'WinEventLog:OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
source: 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
source: 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management'
windows-defender:
product: windows
service: windefend
conditions:
source: 'WinEventLog:Microsoft-Windows-Windows Defender/Operational'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
source: 'WinEventLog:Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
source: 'WinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
source: 'WinEventLog:Microsoft-Windows-LSA/Operational'
windows-application:
product: windows
service: application
conditions:
source: 'WinEventLog:Application'
windows-security:
product: windows
service: security
conditions:
source: 'WinEventLog:Security'
windows-system:
product: windows
service: system
conditions:
source: 'WinEventLog:System'
windows-sysmon:
product: windows
service: sysmon
conditions:
source: 'WinEventLog:Microsoft-Windows-Sysmon/Operational'
windows-process-creation:
product: windows
service: sysmon
category: process_creation
# Optimized search for process creation, being dramatically faster in Lispy than just EventCode=1 search, as 'ParentProcessGuid' is more unique than '1' in the raw data.
# This also supports custom splunk macros, just like they are written in splunk (i.e. as `macro`), minding that it has to be written inside the string quotes here.
search: 'ParentProcessGuid EventCode=1'
windows-file-creation:
product: windows
service: sysmon
category: file_creation
search: 'TargetFilename EventCode=11'
windows-powershell:
product: windows
service: powershell
conditions:
source:
- 'WinEventLog:Microsoft-Windows-PowerShell/Operational'
- 'WinEventLog:PowerShellCore/Operational'
windows-classicpowershell:
product: windows
service: powershell-classic
conditions:
source: 'WinEventLog:Windows PowerShell'
windows-taskscheduler:
product: windows
service: taskscheduler
conditions:
source: 'WinEventLog:Microsoft-Windows-TaskScheduler/Operational'
windows-wmi:
product: windows
service: wmi
conditions:
source: 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational'
windows-dns-server:
product: windows
service: dns-server
category: dns
conditions:
source: 'WinEventLog:DNS Server'
windows-dns-server-audit:
product: windows
service: dns-server-audit
conditions:
source: 'WinEventLog:Microsoft-Windows-DNS-Server/Audit'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
source: 'WinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
source: 'WinEventLog:Microsoft-Windows-NTLM/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
source: 'WinEventLog:Microsoft-Windows-DHCP-Server/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
source:
- 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script'
- 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL'
- 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
source: 'WinEventLog:MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
source: 'WinEventLog:Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
source: 'WinEventLog:Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
source: 'WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
source: 'WinEventLog:Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
source: 'WinEventLog:Microsoft-Windows-SmbClient/Security'
windows-rpc-firewall:
product: rpc_firewall
category: application
conditions:
source: 'WinEventLog:RPCFW'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
source: 'WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
source: 'WinEventLog:Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
source:
- 'WinEventLog:Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'WinEventLog:Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
source: 'WinEventLog:Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
source: 'WinEventLog:Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
source: 'WinEventLog:OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
source: 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
source: 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management'
windows-defender:
product: windows
service: windefend
conditions:
source: 'WinEventLog:Microsoft-Windows-Windows Defender/Operational'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
source: 'WinEventLog:Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
source: 'WinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
source: 'WinEventLog:Microsoft-Windows-LSA/Operational'
windows-appxpackaging-om:
product: windows
service: appxpackaging-om
conditions:
source: 'WinEventLog:Microsoft-Windows-AppxPackaging/Operational'
windows-dns-client:
product: windows
service: dns-client
conditions:
source: 'WinEventLog:Microsoft-Windows-DNS Client Events/Operational'
windows-appmodel-runtime:
product: windows
service: appmodel-runtime
conditions:
source: 'WinEventLog:Microsoft-Windows-AppModel-Runtime/Admin'
fieldmappings:
EventID: EventCode
+232 -191
@@ -1,200 +1,241 @@
title: SumoLogic
order: 20
backends:
- sumologic
- sumologic
afl_fields:
- _index
- EventID
- CommandLine
- NewProcessName
- Image
- ParentImage
- ParentCommandLine
- ParentProcessName
- _index
- EventID
- CommandLine
- NewProcessName
- Image
- ParentImage
- ParentCommandLine
- ParentProcessName
# Sumulogic mapping depends on customer configuration. Adapt to your context!
# typically rule on _sourceCategory, _index or Field Extraction Rules (FER)
# supposing existing FER for service, EventChannel, EventID
logsources:
unix:
product: unix
index: UNIX
linux:
product: linux
index: LINUX
linux-sshd:
product: linux
service: sshd
index: LINUX
linux-auth:
product: linux
service: auth
index: LINUX
linux-clamav:
product: linux
service: clamav
index: LINUX
windows:
product: windows
index: WINDOWS
windows-sysmon:
product: windows
service: sysmon
conditions:
EventChannel: Microsoft-Windows-Sysmon
index: WINDOWS
windows-security:
product: windows
service: security
conditions:
EventChannel: Security
index: WINDOWS
windows-powershell:
product: windows
service: powershell
conditions:
EventChannel:
- Microsoft-Windows-Powershell
- PowerShellCore
index: WINDOWS
windows-system:
product: windows
service: system
conditions:
EventChannel: System
index: WINDOWS
windows-dhcp:
product: windows
service: dhcp
conditions:
EventChannel: Microsoft-Windows-DHCP-Server
index: WINDOWS
windows-ntlm:
product: windows
service: ntlm
conditions:
EventChannel: 'Microsoft-Windows-NTLM/Operational'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
EventChannel: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
EventChannel: 'Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
EventChannel: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
EventChannel: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
EventChannel: 'Microsoft-Windows-SmbClient/Security'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
EventChannel: 'MSExchange Management'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
EventChannel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
EventChannel: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
EventChannel:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
EventChannel: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
EventChannel: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
EventChannel: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
source: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
source: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
source: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
source: 'Microsoft-Windows-AppXDeploymentServer/Operational'
apache:
service: apache
index: WEBSERVER
apache2:
service: apache
index: WEBSERVER
webserver:
category: webserver
index: WEBSERVER
firewall:
category: firewall
index: FIREWALL
firewall2:
product: firewall
index: FIREWALL
network-dns:
category: dns
index: DNS
network-dns2:
product: dns
index: DNS
proxy:
category: proxy
index: PROXY
antivirus:
category: antivirus
index: ANTIVIRUS
application-sql:
product: sql
index: DATABASE
application-python:
product: python
index: APPLICATIONS
application-django:
product: django
index: DJANGO
application-rails:
product: rails
index: RAILS
application-spring:
product: spring
index: SPRING
unix:
product: unix
index: UNIX
linux:
product: linux
index: LINUX
linux-sshd:
product: linux
service: sshd
index: LINUX
linux-auth:
product: linux
service: auth
index: LINUX
linux-clamav:
product: linux
service: clamav
index: LINUX
windows:
product: windows
index: WINDOWS
windows-sysmon:
product: windows
service: sysmon
conditions:
EventChannel: Microsoft-Windows-Sysmon
index: WINDOWS
windows-security:
product: windows
service: security
conditions:
EventChannel: Security
index: WINDOWS
windows-powershell:
product: windows
service: powershell
conditions:
EventChannel:
- Microsoft-Windows-Powershell
- PowerShellCore
index: WINDOWS
windows-system:
product: windows
service: system
conditions:
EventChannel: System
index: WINDOWS
windows-dhcp:
product: windows
service: dhcp
conditions:
EventChannel: Microsoft-Windows-DHCP-Server
index: WINDOWS
windows-ntlm:
product: windows
service: ntlm
conditions:
EventChannel: 'Microsoft-Windows-NTLM/Operational'
index: WINDOWS
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
EventChannel: 'Microsoft-Windows-PrintService/Admin'
index: WINDOWS
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
EventChannel: 'Microsoft-Windows-PrintService/Operational'
index: WINDOWS
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
EventChannel: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
index: WINDOWS
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
EventChannel: 'Microsoft-Windows-CodeIntegrity/Operational'
index: WINDOWS
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
EventChannel: 'Microsoft-Windows-SmbClient/Security'
index: WINDOWS
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
EventChannel: 'MSExchange Management'
index: WINDOWS
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
EventChannel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
index: WINDOWS
windows-bits-client:
product: windows
service: bits-client
conditions:
EventChannel: 'Microsoft-Windows-Bits-Client/Operational'
index: WINDOWS
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
EventChannel:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
index: WINDOWS
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
EventChannel: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
index: WINDOWS
windows-shell-core:
product: windows
service: shell-core
conditions:
EventChannel: 'Microsoft-Windows-Shell-Core/Operational'
index: WINDOWS
windows-openssh:
product: windows
service: openssh
conditions:
EventChannel: 'OpenSSH/Operational'
index: WINDOWS
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
EventChannel: 'Microsoft-Windows-LDAP-Client/Debug'
index: WINDOWS
windows-bitlocker:
product: windows
service: bitlocker
conditions:
EventChannel: 'Microsoft-Windows-BitLocker/BitLocker Management'
index: WINDOWS
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
EventChannel: 'Microsoft-Windows-VHDMP/Operational'
index: WINDOWS
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
EventChannel: 'Microsoft-Windows-AppXDeploymentServer/Operational'
index: WINDOWS
windows-lsa-server:
product: windows
service: lsa-server
conditions:
EventChannel: 'Microsoft-Windows-LSA/Operational'
index: WINDOWS
windows-appxpackaging-om:
product: windows
service: appxpackaging-om
conditions:
EventChannel: 'Microsoft-Windows-AppxPackaging/Operational'
index: WINDOWS
windows-dns-client:
product: windows
service: dns-client
conditions:
EventChannel: 'Microsoft-Windows-DNS Client Events/Operational'
index: WINDOWS
windows-appmodel-runtime:
product: windows
service: appmodel-runtime
conditions:
EventChannel: 'Microsoft-Windows-AppModel-Runtime/Admin'
index: WINDOWS
apache:
service: apache
index: WEBSERVER
apache2:
service: apache
index: WEBSERVER
webserver:
category: webserver
index: WEBSERVER
firewall:
category: firewall
index: FIREWALL
firewall2:
product: firewall
index: FIREWALL
network-dns:
category: dns
index: DNS
network-dns2:
product: dns
index: DNS
proxy:
category: proxy
index: PROXY
antivirus:
category: antivirus
index: ANTIVIRUS
application-sql:
product: sql
index: DATABASE
application-python:
product: python
index: APPLICATIONS
application-django:
product: django
index: DJANGO
application-rails:
product: rails
index: RAILS
application-spring:
product: spring
index: SPRING
# if no index, search in all indexes
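Review bot: The rebuilt `logsources` block has no `windows-defender` entry, even though the Splunk config earlier in this commit and the THOR config below both map `service: windefend` to the Windows Defender/Operational channel. As far as the file shows, a rule with `service: windefend` would then only match the generic `windows` entry and be searched over the whole WINDOWS index with no `EventChannel` condition, which makes the generated query far broader than the rule intends. The same gap applies to `service: application`, which the THOR and Winlogbeat configs define and this file never has. A Defender entry in the file's own form is below; the channel name is the one the sibling configs use and, as the header comment says, must be checked against the customer's FER.
```yaml
    # … unchanged: other windows logsources …
    windows-defender:
        product: windows
        service: windefend
        conditions:
            EventChannel: 'Microsoft-Windows-Windows Defender/Operational'
        index: WINDOWS
```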
+467 -452
@@ -1,458 +1,473 @@
title: THOR
order: 20
backends:
- thor
- thor
# this configuration differs from other configurations and can not be used
# with the sigmac tool. This configuration is used by the ioc scanners THOR and SPARK.
logsources:
# log source configurations for generic sigma rules
process_creation_1:
category: process_creation
product: windows
conditions:
EventID: 1
rewrite:
product: windows
service: sysmon
process_creation_2:
category: process_creation
product: windows
conditions:
EventID: 4688
rewrite:
product: windows
service: security
fieldmappings:
Image: NewProcessName
ParentImage: ParentProcessName
network_connection:
category: network_connection
product: windows
conditions:
EventID: 3
rewrite:
product: windows
service: sysmon
sysmon_status1:
category: sysmon_status
product: windows
conditions:
EventID: 4
rewrite:
product: windows
service: sysmon
sysmon_status2:
category: sysmon_status
product: windows
conditions:
EventID: 16
rewrite:
product: windows
service: sysmon
process_terminated:
category: process_termination
product: windows
conditions:
EventID: 5
rewrite:
product: windows
service: sysmon
driver_loaded:
category: driver_load
product: windows
conditions:
EventID: 6
rewrite:
product: windows
service: sysmon
image_loaded:
category: image_load
product: windows
conditions:
EventID: 7
rewrite:
product: windows
service: sysmon
create_remote_thread:
category: create_remote_thread
product: windows
conditions:
EventID: 8
rewrite:
product: windows
service: sysmon
raw_access_thread:
category: raw_access_thread
product: windows
conditions:
EventID: 9
rewrite:
product: windows
service: sysmon
process_access:
category: process_access
product: windows
conditions:
EventID: 10
rewrite:
product: windows
service: sysmon
file_creation:
category: file_event
product: windows
conditions:
EventID: 11
rewrite:
product: windows
service: sysmon
registry_event1:
category: registry_event
product: windows
conditions:
EventID: 12
rewrite:
product: windows
service: sysmon
registry_event2:
category: registry_event
product: windows
conditions:
EventID: 13
rewrite:
product: windows
service: sysmon
registry_event3:
category: registry_event
product: windows
conditions:
EventID: 14
rewrite:
product: windows
service: sysmon
registry_add:
category: registry_add
product: windows
conditions:
EventID: 12
rewrite:
product: windows
service: sysmon
registry_delete:
category: registry_delete
product: windows
conditions:
EventID: 12
rewrite:
product: windows
service: sysmon
registry_set:
category: registry_set
product: windows
conditions:
EventID: 13
rewrite:
product: windows
service: sysmon
registry_rename:
category: registry_rename
product: windows
conditions:
EventID: 14
rewrite:
product: windows
service: sysmon
create_stream_hash:
category: create_stream_hash
product: windows
conditions:
EventID: 15
rewrite:
product: windows
service: sysmon
pipe_created1:
category: pipe_created
product: windows
conditions:
EventID: 17
rewrite:
product: windows
service: sysmon
pipe_created2:
category: pipe_created
product: windows
conditions:
EventID: 18
rewrite:
product: windows
service: sysmon
wmi_event1:
category: wmi_event
product: windows
conditions:
EventID: 19
rewrite:
product: windows
service: sysmon
wmi_event2:
category: wmi_event
product: windows
conditions:
EventID: 20
rewrite:
product: windows
service: sysmon
wmi_event3:
category: wmi_event
product: windows
conditions:
EventID: 21
rewrite:
product: windows
service: sysmon
dns_query:
category: dns_query
product: windows
conditions:
EventID: 22
rewrite:
product: windows
service: sysmon
file_delete:
category: file_delete
product: windows
conditions:
EventID: 23
rewrite:
product: windows
service: sysmon
file_block:
category: file_block
product: windows
conditions:
EventID: 27
rewrite:
product: windows
service: sysmon
sysmon_error:
category: sysmon_error
product: windows
conditions:
EventID: 255
rewrite:
product: windows
service: sysmon
#PowerShell Operational
ps_module:
category: ps_module
product: windows
conditions:
EventID: 4103
rewrite:
product: windows
service: powershell
ps_script:
category: ps_script
product: windows
conditions:
EventID: 4104
rewrite:
product: windows
service: powershell
#Powershell "classic" channel
ps_classic_start:
category: ps_classic_start
product: windows
conditions:
EventID: 400
rewrite:
product: windows
service: powershell-classic
ps_classic_provider_start:
category: ps_classic_provider_start
product: windows
conditions:
EventID: 600
rewrite:
product: windows
service: powershell-classic
ps_classic_script:
category: ps_classic_script
product: windows
conditions:
EventID: 800
rewrite:
product: windows
service: powershell-classic
# target system configurations
windows-application:
product: windows
service: application
sources:
- "WinEventLog:Application"
windows-security:
product: windows
service: security
sources:
- "WinEventLog:Security"
windows-system:
product: windows
service: system
sources:
- "WinEventLog:System"
windows-ntlm:
product: windows
service: ntlm
sources:
- "WinEventLog:Microsoft-Windows-NTLM/Operational"
windows-sysmon:
product: windows
service: sysmon
sources:
- "WinEventLog:Microsoft-Windows-Sysmon/Operational"
windows-powershell:
product: windows
service: powershell
sources:
- "WinEventLog:Microsoft-Windows-PowerShell/Operational"
- "WinEventLog:PowerShellCore/Operational"
windows-classicpowershell:
product: windows
service: powershell-classic
sources:
- "WinEventLog:Windows PowerShell"
windows-taskscheduler:
product: windows
service: taskscheduler
sources:
- "WinEventLog:Microsoft-Windows-TaskScheduler/Operational"
windows-wmi:
product: windows
service: wmi
sources:
- "WinEventLog:Microsoft-Windows-WMI-Activity/Operational"
windows-dhcp:
product: windows
service: dhcp
sources:
- "WinEventLog:Microsoft-Windows-DHCP-Server/Operational"
windows-printservice-admin:
product: windows
service: printservice-admin
sources:
- "WinEventLog:Microsoft-Windows-PrintService/Admin"
windows-smbclient-security:
product: windows
service: smbclient-security
sources:
- "WinEventLog:Microsoft-Windows-SmbClient/Security"
windows-printservice-operational:
product: windows
service: printservice-operational
sources:
- "WinEventLog:Microsoft-Windows-PrintService/Operational"
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
sources:
- 'WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
sources:
- "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational"
windows-applocker:
product: windows
service: applocker
sources:
- 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script'
- 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL'
- 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
sources:
- 'WinEventLog:MSExchange Management'
windows-defender:
product: windows
service: windefend
sources:
- 'WinEventLog:Microsoft-Windows-Windows Defender/Operational'
windows-firewall-advanced-security:
product: windows
service: firewall-as
sources:
- 'WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
sources:
- 'WinEventLog:Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
sources:
- 'WinEventLog:Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'WinEventLog:Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
sources:
- 'WinEventLog:Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
sources:
- 'WinEventLog:Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
sources:
- 'WinEventLog:OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
sources:
- 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
sources:
- 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp:
product: windows
service: vhdmp
sources:
- 'WinEventLog:Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
sources:
- 'WinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
sources:
- 'WinEventLog:Microsoft-Windows-LSA/Operational'
apache:
category: webserver
sources:
- "File:/var/log/apache/*.log"
- "File:/var/log/apache2/*.log"
- "File:/var/log/httpd/*.log"
linux-auth:
product: linux
service: auth
sources:
- "File:/var/log/auth.log"
- "File:/var/log/auth.log.?"
linux-syslog:
product: linux
service: syslog
sources:
- "File:/var/log/syslog"
- "File:/var/log/syslog.?"
logfiles:
category: logfile
sources:
- "File:*.log"
# log source configurations for generic sigma rules
process_creation_1:
category: process_creation
product: windows
conditions:
EventID: 1
rewrite:
product: windows
service: sysmon
process_creation_2:
category: process_creation
product: windows
conditions:
EventID: 4688
rewrite:
product: windows
service: security
fieldmappings:
Image: NewProcessName
ParentImage: ParentProcessName
network_connection:
category: network_connection
product: windows
conditions:
EventID: 3
rewrite:
product: windows
service: sysmon
sysmon_status1:
category: sysmon_status
product: windows
conditions:
EventID: 4
rewrite:
product: windows
service: sysmon
sysmon_status2:
category: sysmon_status
product: windows
conditions:
EventID: 16
rewrite:
product: windows
service: sysmon
process_terminated:
category: process_termination
product: windows
conditions:
EventID: 5
rewrite:
product: windows
service: sysmon
driver_loaded:
category: driver_load
product: windows
conditions:
EventID: 6
rewrite:
product: windows
service: sysmon
image_loaded:
category: image_load
product: windows
conditions:
EventID: 7
rewrite:
product: windows
service: sysmon
create_remote_thread:
category: create_remote_thread
product: windows
conditions:
EventID: 8
rewrite:
product: windows
service: sysmon
raw_access_thread:
category: raw_access_thread
product: windows
conditions:
EventID: 9
rewrite:
product: windows
service: sysmon
process_access:
category: process_access
product: windows
conditions:
EventID: 10
rewrite:
product: windows
service: sysmon
file_creation:
category: file_event
product: windows
conditions:
EventID: 11
rewrite:
product: windows
service: sysmon
registry_event1:
category: registry_event
product: windows
conditions:
EventID: 12
rewrite:
product: windows
service: sysmon
registry_event2:
category: registry_event
product: windows
conditions:
EventID: 13
rewrite:
product: windows
service: sysmon
registry_event3:
category: registry_event
product: windows
conditions:
EventID: 14
rewrite:
product: windows
service: sysmon
registry_add:
category: registry_add
product: windows
conditions:
EventID: 12
rewrite:
product: windows
service: sysmon
registry_delete:
category: registry_delete
product: windows
conditions:
EventID: 12
rewrite:
product: windows
service: sysmon
registry_set:
category: registry_set
product: windows
conditions:
EventID: 13
rewrite:
product: windows
service: sysmon
registry_rename:
category: registry_rename
product: windows
conditions:
EventID: 14
rewrite:
product: windows
service: sysmon
create_stream_hash:
category: create_stream_hash
product: windows
conditions:
EventID: 15
rewrite:
product: windows
service: sysmon
pipe_created1:
category: pipe_created
product: windows
conditions:
EventID: 17
rewrite:
product: windows
service: sysmon
pipe_created2:
category: pipe_created
product: windows
conditions:
EventID: 18
rewrite:
product: windows
service: sysmon
wmi_event1:
category: wmi_event
product: windows
conditions:
EventID: 19
rewrite:
product: windows
service: sysmon
wmi_event2:
category: wmi_event
product: windows
conditions:
EventID: 20
rewrite:
product: windows
service: sysmon
wmi_event3:
category: wmi_event
product: windows
conditions:
EventID: 21
rewrite:
product: windows
service: sysmon
dns_query:
category: dns_query
product: windows
conditions:
EventID: 22
rewrite:
product: windows
service: sysmon
file_delete:
category: file_delete
product: windows
conditions:
EventID: 23
rewrite:
product: windows
service: sysmon
file_block:
category: file_block
product: windows
conditions:
EventID: 27
rewrite:
product: windows
service: sysmon
sysmon_error:
category: sysmon_error
product: windows
conditions:
EventID: 255
rewrite:
product: windows
service: sysmon
#PowerShell Operational
ps_module:
category: ps_module
product: windows
conditions:
EventID: 4103
rewrite:
product: windows
service: powershell
ps_script:
category: ps_script
product: windows
conditions:
EventID: 4104
rewrite:
product: windows
service: powershell
#Powershell "classic" channel
ps_classic_start:
category: ps_classic_start
product: windows
conditions:
EventID: 400
rewrite:
product: windows
service: powershell-classic
ps_classic_provider_start:
category: ps_classic_provider_start
product: windows
conditions:
EventID: 600
rewrite:
product: windows
service: powershell-classic
ps_classic_script:
category: ps_classic_script
product: windows
conditions:
EventID: 800
rewrite:
product: windows
service: powershell-classic
# target system configurations
windows-application:
product: windows
service: application
sources:
- "WinEventLog:Application"
windows-security:
product: windows
service: security
sources:
- "WinEventLog:Security"
windows-system:
product: windows
service: system
sources:
- "WinEventLog:System"
windows-ntlm:
product: windows
service: ntlm
sources:
- "WinEventLog:Microsoft-Windows-NTLM/Operational"
windows-sysmon:
product: windows
service: sysmon
sources:
- "WinEventLog:Microsoft-Windows-Sysmon/Operational"
windows-powershell:
product: windows
service: powershell
sources:
- "WinEventLog:Microsoft-Windows-PowerShell/Operational"
- "WinEventLog:PowerShellCore/Operational"
windows-classicpowershell:
product: windows
service: powershell-classic
sources:
- "WinEventLog:Windows PowerShell"
windows-taskscheduler:
product: windows
service: taskscheduler
sources:
- "WinEventLog:Microsoft-Windows-TaskScheduler/Operational"
windows-wmi:
product: windows
service: wmi
sources:
- "WinEventLog:Microsoft-Windows-WMI-Activity/Operational"
windows-dhcp:
product: windows
service: dhcp
sources:
- "WinEventLog:Microsoft-Windows-DHCP-Server/Operational"
windows-printservice-admin:
product: windows
service: printservice-admin
sources:
- "WinEventLog:Microsoft-Windows-PrintService/Admin"
windows-smbclient-security:
product: windows
service: smbclient-security
sources:
- "WinEventLog:Microsoft-Windows-SmbClient/Security"
windows-printservice-operational:
product: windows
service: printservice-operational
sources:
- "WinEventLog:Microsoft-Windows-PrintService/Operational"
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
sources:
- 'WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
sources:
- "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational"
windows-applocker:
product: windows
service: applocker
sources:
- 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script'
- 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL'
- 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
sources:
- 'WinEventLog:MSExchange Management'
windows-defender:
product: windows
service: windefend
sources:
- 'WinEventLog:Microsoft-Windows-Windows Defender/Operational'
windows-firewall-advanced-security:
product: windows
service: firewall-as
sources:
- 'WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
sources:
- 'WinEventLog:Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
sources:
- 'WinEventLog:Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'WinEventLog:Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
sources:
- 'WinEventLog:Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
sources:
- 'WinEventLog:Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
sources:
- 'WinEventLog:OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
sources:
- 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
sources:
- 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp:
product: windows
service: vhdmp
sources:
- 'WinEventLog:Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
sources:
- 'WinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
sources:
- 'WinEventLog:Microsoft-Windows-LSA/Operational'
windows-appxpackaging-om:
product: windows
service: appxpackaging-om
sources:
- 'WinEventLog:Microsoft-Windows-AppxPackaging/Operational'
windows-dns-client:
product: windows
service: dns-client
sources:
- 'WinEventLog:Microsoft-Windows-DNS Client Events/Operational'
windows-appmodel-runtime:
product: windows
service: appmodel-runtime
sources:
- 'WinEventLog:Microsoft-Windows-AppModel-Runtime/Admin'
apache:
category: webserver
sources:
- "File:/var/log/apache/*.log"
- "File:/var/log/apache2/*.log"
- "File:/var/log/httpd/*.log"
linux-auth:
product: linux
service: auth
sources:
- "File:/var/log/auth.log"
- "File:/var/log/auth.log.?"
linux-syslog:
product: linux
service: syslog
sources:
- "File:/var/log/syslog"
- "File:/var/log/syslog.?"
logfiles:
category: logfile
sources:
- "File:*.log"
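Review bot: `file_delete` (the block after `dns_query` on the new side) still maps only Sysmon `EventID: 23`, while Sysmon also reports deletions as EventID 26 (FileDeleteDetected); if the scanner follows the generic Sigma sysmon mapping, which lists both IDs for this category, rules in the `file_delete` category silently miss those events. The file's convention for one category with several IDs is a numbered sibling block (`sysmon_status1`/`sysmon_status2`, `registry_event1`…`3`), so a `file_delete2` block as below keeps that style. Separately, the `sources` values mix single and double quotes (`"WinEventLog:Application"` vs `'WinEventLog:OpenSSH/Operational'`); neither needs escapes, so one style — single quotes, as in the newly added entries at the end — would read more consistently.
```yaml
    # … unchanged: file_delete (EventID 23) …
    file_delete2:
        category: file_delete
        product: windows
        conditions:
            EventID: 26
        rewrite:
            product: windows
            service: sysmon
```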
+197 -183
@@ -1,179 +1,194 @@
title: Elastic Winlogbeat (from 7.x) index pattern and field mapping following Elastic enabled Modules
order: 20
backends:
- es-qs
- es-dsl
- es-rule
- es-rule-eql
- es-eql
- kibana
- kibana-ndjson
- xpack-watcher
- elastalert
- elastalert-dsl
- ee-outliers
- es-qs
- es-dsl
- es-rule
- es-rule-eql
- es-eql
- kibana
- kibana-ndjson
- xpack-watcher
- elastalert
- elastalert-dsl
- ee-outliers
logsources:
windows:
product: windows
index: winlogbeat-*
windows-application:
product: windows
service: application
conditions:
winlog.channel: Application
windows-security:
product: windows
service: security
conditions:
winlog.channel: Security
windows-system:
product: windows
service: system
conditions:
winlog.channel: System
windows-sysmon:
product: windows
service: sysmon
conditions:
winlog.channel: 'Microsoft-Windows-Sysmon/Operational'
windows-powershell:
product: windows
service: powershell
conditions:
winlog.channel:
- 'Microsoft-Windows-PowerShell/Operational'
- 'PowerShellCore/Operational'
windows-classicpowershell:
product: windows
service: powershell-classic
conditions:
winlog.channel: 'Windows PowerShell'
windows-dns-server:
product: windows
service: dns-server
conditions:
winlog.channel: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
winlog.channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
winlog.channel: 'Microsoft-Windows-DHCP-Server/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
winlog.channel: 'Microsoft-Windows-NTLM/Operational'
windows-defender:
product: windows
service: windefend
conditions:
winlog.channel: 'Microsoft-Windows-Windows Defender/Operational'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
winlog.channel: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
winlog.channel: 'Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
winlog.channel: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
winlog.channel: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
winlog.channel: 'Microsoft-Windows-SmbClient/Security'
windows-applocker:
product: windows
service: applocker
conditions:
winlog.channel:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
winlog.channel: 'MSExchange Management'
microsoft-servicebus-client:
product: windows
service: microsoft-servicebus-client
conditions:
winlog.channel: 'Microsoft-ServiceBus-Client'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
winlog.channel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
winlog.channel: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
winlog.channel:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
winlog.channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
winlog.channel: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
winlog.channel: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
winlog.channel: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
winlog.channel: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
winlog_channel: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
winlog_channel: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
winlog_channel: 'Microsoft-Windows-LSA/Operational'
windows:
product: windows
index: winlogbeat-*
windows-application:
product: windows
service: application
conditions:
winlog.channel: Application
windows-security:
product: windows
service: security
conditions:
winlog.channel: Security
windows-system:
product: windows
service: system
conditions:
winlog.channel: System
windows-sysmon:
product: windows
service: sysmon
conditions:
winlog.channel: 'Microsoft-Windows-Sysmon/Operational'
windows-powershell:
product: windows
service: powershell
conditions:
winlog.channel:
- 'Microsoft-Windows-PowerShell/Operational'
- 'PowerShellCore/Operational'
windows-classicpowershell:
product: windows
service: powershell-classic
conditions:
winlog.channel: 'Windows PowerShell'
windows-dns-server:
product: windows
service: dns-server
conditions:
winlog.channel: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
winlog.channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
winlog.channel: 'Microsoft-Windows-DHCP-Server/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
winlog.channel: 'Microsoft-Windows-NTLM/Operational'
windows-defender:
product: windows
service: windefend
conditions:
winlog.channel: 'Microsoft-Windows-Windows Defender/Operational'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
winlog.channel: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
winlog.channel: 'Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
winlog.channel: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
winlog.channel: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
winlog.channel: 'Microsoft-Windows-SmbClient/Security'
windows-applocker:
product: windows
service: applocker
conditions:
winlog.channel:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
winlog.channel: 'MSExchange Management'
microsoft-servicebus-client:
product: windows
service: microsoft-servicebus-client
conditions:
winlog.channel: 'Microsoft-ServiceBus-Client'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
winlog.channel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
winlog.channel: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
winlog.channel:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
winlog.channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
winlog.channel: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
winlog.channel: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
winlog.channel: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
winlog.channel: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
winlog_channel: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
winlog_channel: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
winlog_channel: 'Microsoft-Windows-LSA/Operational'
windows-appxpackaging-om:
product: windows
service: appxpackaging-om
conditions:
winlog_channel: 'Microsoft-Windows-AppxPackaging/Operational'
windows-dns-client:
product: windows
service: dns-client
conditions:
winlog_channel: 'Microsoft-Windows-DNS Client Events/Operational'
windows-appmodel-runtime:
product: windows
service: appmodel-runtime
conditions:
winlog_channel: 'Microsoft-Windows-AppModel-Runtime/Admin'
defaultindex: winlogbeat-*
# Extract all field names with yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
@@ -215,7 +230,7 @@ fieldmappings:
default: winlog.event_data.ErrorCode
FilePath: winlog.event_data.FilePath
# Filename => category: antivirus
Filename: winlog.event_data.Filename
Filename: winlog.event_data.Filename
LDAPDisplayName: winlog.event_data.LDAPDisplayName
# Level => Source: MSExchange Control Panel EventID: 4
Level: winlog.event_data.Level
@@ -229,7 +244,7 @@ fieldmappings:
ProcessGuid: process.entity_id
ProcessId: process.pid
Image: process.executable
FileVersion:
FileVersion:
category=process_creation: process.pe.file_version
category=image_load: file.pe.file_version
default: winlog.event_data.FileVersion
@@ -242,15 +257,15 @@ fieldmappings:
category=process_creation: process.pe.product
category=image_load: file.pe.product
default: winlog.event_data.Product
Company:
Company:
category=process_creation: process.pe.company
category=image_load: file.pe.company
default: winlog.event_data.Company
OriginalFileName:
OriginalFileName:
category=process_creation: process.pe.original_file_name
category=image_load: file.pe.original_file_name
default: winlog.event_data.OriginalFileName
CommandLine:
CommandLine:
category=process_creation: process.command_line
service=security: process.command_line
service=powershell-classic: powershell.command.value
@@ -270,10 +285,10 @@ fieldmappings:
TargetFilename: file.path
CreationUtcTime: winlog.event_data.CreationUtcTime
PreviousCreationUtcTime: winlog.event_data.PreviousCreationUtcTime
Protocol:
Protocol:
category=network_connection: network.transport
default: winlog.event_data.Protocol
Initiated:
Initiated:
category=network_connection: network.direction
default: winlog.event_data.Initiated
#SourceIsIpv6: winlog.event_data.SourceIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279
@@ -291,7 +306,7 @@ fieldmappings:
SchemaVersion: winlog.event_data.SchemaVersion
ImageLoaded: file.path
Signed: file.code_signature.signed
Signature:
Signature:
category=driver_loaded: file.code_signature.subject_name
category=image_loaded: file.code_signature.subject_name
default: winlog.event_data.Signature
@@ -347,7 +362,7 @@ fieldmappings:
category=driver_load: hash.sha256
category=image_load: file.hash.sha256
default: process.hash.sha256
Imphash:
Imphash:
category=driver_load: hash.imphash
category=image_load: file.hash.imphash
default: process.pe.imphash
@@ -357,7 +372,7 @@ fieldmappings:
CommandName: powershell.command.name
CommandPath: powershell.command.path
CommandType: powershell.command.type
EngineVersion:
EngineVersion:
service=powershell-classic: powershell.engine.version
service=windefend: winlog.event_data.Engine\ Version
default: winlog.event_data.EngineVersion
@@ -630,4 +645,3 @@ fieldmappings:
ApplicationPath: winlog.event_data.ApplicationPath
ModifyingApplication: winlog.event_data.ModifyingApplication
Action: winlog.event_data.Action
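Review bot: The three log sources added at the end of the logsources block (windows-appxpackaging-om, windows-dns-client, windows-appmodel-runtime) condition on `winlog_channel`, while every other entry in this file conditions on `winlog.channel`, the field Winlogbeat 7.x actually emits; the same typo is already present on the vhdmp, appxdeployment-server and lsa-server entries this commit re-indents. A condition on a field that does not exist in the index makes every rule for those services compile into a query that can never match, so the coverage these entries are meant to add is silently lost rather than flagged. Change each to `winlog.channel: 'Microsoft-Windows-AppxPackaging/Operational'`, `winlog.channel: 'Microsoft-Windows-DNS Client Events/Operational'` and `winlog.channel: 'Microsoft-Windows-AppModel-Runtime/Admin'`, and fix the three earlier entries the same way. Separately, in the fieldmappings hunk the `Signature` entry keys on `category=driver_loaded` / `category=image_loaded` while the neighbouring hash mappings key on `driver_load` / `image_load`; if those are meant to be Sigma's category names, the Signature mapping never resolves to `file.code_signature.subject_name` and always falls through to the default.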
+220 -205
@@ -1,214 +1,229 @@
title: Elastic Winlogbeat (<=6.x) index pattern and field mapping
order: 20
backends:
- es-qs
- es-dsl
- es-rule
- kibana
- kibana-ndjson
- xpack-watcher
- elastalert
- elastalert-dsl
- ee-outliers
- es-qs
- es-dsl
- es-rule
- kibana
- kibana-ndjson
- xpack-watcher
- elastalert
- elastalert-dsl
- ee-outliers
logsources:
windows:
product: windows
index: winlogbeat-*
windows-application:
product: windows
service: application
conditions:
log_name: Application
windows-security:
product: windows
service: security
conditions:
log_name: Security
windows-system:
product: windows
service: system
conditions:
winlog.channel: System
windows-sysmon:
product: windows
service: sysmon
conditions:
log_name: 'Microsoft-Windows-Sysmon/Operational'
windows-powershell:
product: windows
service: powershell
conditions:
winlog.channel:
- 'Microsoft-Windows-PowerShell/Operational'
- 'PowerShellCore/Operational'
windows-classicpowershell:
product: windows
service: powershell-classic
conditions:
winlog.channel: 'Windows PowerShell'
windows-dns-server:
product: windows
service: dns-server
conditions:
log_name: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
log_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
log_name: 'Microsoft-Windows-DHCP-Server/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
log_name: 'Microsoft-Windows-NTLM/Operational'
windows-defender:
product: windows
service: windefend
conditions:
log_name: 'Microsoft-Windows-Windows Defender/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
log_name:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
log_name: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
log_name: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
log_name:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
log_name: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
log_name: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
log_name: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
log_name: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
log_name: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
log_name: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
log_name: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
log_name: 'Microsoft-Windows-LSA/Operational'
windows:
product: windows
index: winlogbeat-*
windows-application:
product: windows
service: application
conditions:
log_name: Application
windows-security:
product: windows
service: security
conditions:
log_name: Security
windows-system:
product: windows
service: system
conditions:
winlog.channel: System
windows-sysmon:
product: windows
service: sysmon
conditions:
log_name: 'Microsoft-Windows-Sysmon/Operational'
windows-powershell:
product: windows
service: powershell
conditions:
winlog.channel:
- 'Microsoft-Windows-PowerShell/Operational'
- 'PowerShellCore/Operational'
windows-classicpowershell:
product: windows
service: powershell-classic
conditions:
winlog.channel: 'Windows PowerShell'
windows-dns-server:
product: windows
service: dns-server
conditions:
log_name: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
log_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
log_name: 'Microsoft-Windows-DHCP-Server/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
log_name: 'Microsoft-Windows-NTLM/Operational'
windows-defender:
product: windows
service: windefend
conditions:
log_name: 'Microsoft-Windows-Windows Defender/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
log_name:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
log_name: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
log_name: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
log_name:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
log_name: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
log_name: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
log_name: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
log_name: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
log_name: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
log_name: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
log_name: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
log_name: 'Microsoft-Windows-LSA/Operational'
windows-appxpackaging-om:
product: windows
service: appxpackaging-om
conditions:
log_name: 'Microsoft-Windows-AppxPackaging/Operational'
windows-dns-client:
product: windows
service: dns-client
conditions:
log_name: 'Microsoft-Windows-DNS Client Events/Operational'
windows-appmodel-runtime:
product: windows
service: appmodel-runtime
conditions:
log_name: 'Microsoft-Windows-AppModel-Runtime/Admin'
defaultindex: winlogbeat-*
# Extract all field names with yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
# Keep EventID! Clean up the list afterwards!
fieldmappings:
EventID: event_id
AccessMask: event_data.AccessMask
AccountName: event_data.AccountName
AllowedToDelegateTo: event_data.AllowedToDelegateTo
AttributeLDAPDisplayName: event_data.AttributeLDAPDisplayName
AuditPolicyChanges: event_data.AuditPolicyChanges
AuthenticationPackageName: event_data.AuthenticationPackageName
CallingProcessName: event_data.CallingProcessName
CallTrace: event_data.CallTrace
Channel: winlog.channel
CommandLine: event_data.CommandLine
ComputerName: event_data.ComputerName
CurrentDirectory: event_data.CurrentDirectory
Description: event_data.Description
DestinationHostname: event_data.DestinationHostname
DestinationIp: event_data.DestinationIp
DestinationIsIpv6: event_data.DestinationIsIpv6
DestinationPort: event_data.DestinationPort
Details: event_data.Details
EngineVersion: event_data.EngineVersion
EventType: event_data.EventType
FailureCode: event_data.FailureCode
FileName: event_data.FileName
GrantedAccess: event_data.GrantedAccess
GroupName: event_data.GroupName
GroupSid: event_data.GroupSid
Hashes: event_data.Hashes
HiveName: event_data.HiveName
HostVersion: event_data.HostVersion
Image: event_data.Image
ImageLoaded: event_data.ImageLoaded
ImagePath: event_data.ImagePath
Imphash: event_data.Imphash
IpAddress: event_data.IpAddress
KeyLength: event_data.KeyLength
LogonProcessName: event_data.LogonProcessName
LogonType: event_data.LogonType
NewProcessName: event_data.NewProcessName
ObjectClass: event_data.ObjectClass
ObjectName: event_data.ObjectName
ObjectType: event_data.ObjectType
ObjectValueName: event_data.ObjectValueName
ParentCommandLine: event_data.ParentCommandLine
ParentProcessName: event_data.ParentProcessName
ParentImage: event_data.ParentImage
Path: event_data.Path
PipeName: event_data.PipeName
ProcessCommandLine: event_data.ProcessCommandLine
ProcessName: event_data.ProcessName
Product: event_data.Product
Properties: event_data.Properties
ScriptBlockText: winlog.event_data.ScriptBlockText
SecurityID: event_data.SecurityID
ServiceFileName: event_data.ServiceFileName
ServiceName: event_data.ServiceName
ShareName: event_data.ShareName
Signature: event_data.Signature
Source: event_data.Source
SourceImage: event_data.SourceImage
StartModule: event_data.StartModule
Status: event_data.Status
SubjectUserName: event_data.SubjectUserName
SubjectUserSid: event_data.SubjectUserSid
TargetFilename: event_data.TargetFilename
TargetImage: event_data.TargetImage
TargetObject: event_data.TargetObject
TicketEncryptionType: event_data.TicketEncryptionType
TicketOptions: event_data.TicketOptions
User: event_data.User
WorkstationName: event_data.WorkstationName
EventID: event_id
AccessMask: event_data.AccessMask
AccountName: event_data.AccountName
AllowedToDelegateTo: event_data.AllowedToDelegateTo
AttributeLDAPDisplayName: event_data.AttributeLDAPDisplayName
AuditPolicyChanges: event_data.AuditPolicyChanges
AuthenticationPackageName: event_data.AuthenticationPackageName
CallingProcessName: event_data.CallingProcessName
CallTrace: event_data.CallTrace
Channel: winlog.channel
CommandLine: event_data.CommandLine
ComputerName: event_data.ComputerName
CurrentDirectory: event_data.CurrentDirectory
Description: event_data.Description
DestinationHostname: event_data.DestinationHostname
DestinationIp: event_data.DestinationIp
DestinationIsIpv6: event_data.DestinationIsIpv6
DestinationPort: event_data.DestinationPort
Details: event_data.Details
EngineVersion: event_data.EngineVersion
EventType: event_data.EventType
FailureCode: event_data.FailureCode
FileName: event_data.FileName
GrantedAccess: event_data.GrantedAccess
GroupName: event_data.GroupName
GroupSid: event_data.GroupSid
Hashes: event_data.Hashes
HiveName: event_data.HiveName
HostVersion: event_data.HostVersion
Image: event_data.Image
ImageLoaded: event_data.ImageLoaded
ImagePath: event_data.ImagePath
Imphash: event_data.Imphash
IpAddress: event_data.IpAddress
KeyLength: event_data.KeyLength
LogonProcessName: event_data.LogonProcessName
LogonType: event_data.LogonType
NewProcessName: event_data.NewProcessName
ObjectClass: event_data.ObjectClass
ObjectName: event_data.ObjectName
ObjectType: event_data.ObjectType
ObjectValueName: event_data.ObjectValueName
ParentCommandLine: event_data.ParentCommandLine
ParentProcessName: event_data.ParentProcessName
ParentImage: event_data.ParentImage
Path: event_data.Path
PipeName: event_data.PipeName
ProcessCommandLine: event_data.ProcessCommandLine
ProcessName: event_data.ProcessName
Product: event_data.Product
Properties: event_data.Properties
ScriptBlockText: winlog.event_data.ScriptBlockText
SecurityID: event_data.SecurityID
ServiceFileName: event_data.ServiceFileName
ServiceName: event_data.ServiceName
ShareName: event_data.ShareName
Signature: event_data.Signature
Source: event_data.Source
SourceImage: event_data.SourceImage
StartModule: event_data.StartModule
Status: event_data.Status
SubjectUserName: event_data.SubjectUserName
SubjectUserSid: event_data.SubjectUserSid
TargetFilename: event_data.TargetFilename
TargetImage: event_data.TargetImage
TargetObject: event_data.TargetObject
TicketEncryptionType: event_data.TicketEncryptionType
TicketOptions: event_data.TicketOptions
User: event_data.User
WorkstationName: event_data.WorkstationName
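Review bot: In this <=6.x mapping the windows-system, windows-powershell and windows-classicpowershell entries condition on `winlog.channel`, while every other log source uses `log_name` and the field mappings use `event_data.*`; the `Channel: winlog.channel` and `ScriptBlockText: winlog.event_data.ScriptBlockText` mappings have the same shape. If this file targets Winlogbeat releases that index the channel as `log_name` (as its title and the other entries suggest), rules for those three services and those two fields are translated into filters on a field that is not present and never fire. I would align them with the rest of the file, e.g. `log_name: System`, `log_name: 'Windows PowerShell'` and `ScriptBlockText: event_data.ScriptBlockText`, or add a comment explaining why those entries deliberately use the 7.x field names. The inconsistency predates this commit, but the re-indentation touches every one of these lines, so it is worth settling here.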
+25 -10
@@ -1,16 +1,16 @@
title: Elastic Winlogbeat (from 7.x) index pattern and field mapping
order: 20
backends:
- es-qs
- es-dsl
- es-rule
- kibana
- kibana-ndjson
- xpack-watcher
- elastalert
- elastalert-dsl
- ee-outliers
- opensearch-monitor
- es-qs
- es-dsl
- es-rule
- kibana
- kibana-ndjson
- xpack-watcher
- elastalert
- elastalert-dsl
- ee-outliers
- opensearch-monitor
logsources:
windows:
product: windows
@@ -163,6 +163,21 @@ logsources:
service: lsa-server
conditions:
winlog_channel: 'Microsoft-Windows-LSA/Operational'
windows-appxpackaging-om:
product: windows
service: appxpackaging-om
conditions:
winlog_channel: 'Microsoft-Windows-AppxPackaging/Operational'
windows-dns-client:
product: windows
service: dns-client
conditions:
winlog_channel: 'Microsoft-Windows-DNS Client Events/Operational'
windows-appmodel-runtime:
product: windows
service: appmodel-runtime
conditions:
winlog_channel: 'Microsoft-Windows-AppModel-Runtime/Admin'
defaultindex: winlogbeat-*
# Extract all field names with yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
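Review bot: The three entries added after windows-lsa-server (appxpackaging-om, dns-client, appmodel-runtime) condition on `winlog_channel`, but the file's title names Winlogbeat 7.x, whose channel field is `winlog.channel`; the lsa-server context line they were copied from carries the same typo. Rules for these services will be translated into a filter on a field that does not exist in the index and can never match, so the new coverage is silently dead. Change them to `winlog.channel: 'Microsoft-Windows-AppxPackaging/Operational'`, `winlog.channel: 'Microsoft-Windows-DNS Client Events/Operational'` and `winlog.channel: 'Microsoft-Windows-AppModel-Runtime/Admin'`, and fix the lsa-server entry alongside. The logsources block starts outside this hunk, so I cannot tell from here whether other entries in this file carry the same field name.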
+16 -1
@@ -128,4 +128,19 @@ logsources:
product: windows
service: lsa-server
conditions:
Channel: 'Microsoft-Windows-LSA/Operational'
Channel: 'Microsoft-Windows-LSA/Operational'
windows-appxpackaging-om:
product: windows
service: appxpackaging-om
conditions:
Channel: 'Microsoft-Windows-AppxPackaging/Operational'
windows-dns-client:
product: windows
service: dns-client
conditions:
Channel: 'Microsoft-Windows-DNS Client Events/Operational'
windows-appmodel-runtime:
product: windows
service: appmodel-runtime
conditions:
Channel: 'Microsoft-Windows-AppModel-Runtime/Admin'