From e5fe4d5f4686f9cd8693a95932e231f092372f2d Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 17 Jan 2023 01:00:24 +0100 Subject: [PATCH] feat: update config files - Update indentation of config files to 4 - Add new event logs --- tests/logsource.json | 233 +-- tools/config/elk-windows.yml | 273 +-- tools/config/elk-winlogbeat-sp.yml | 273 +-- tools/config/elk-winlogbeat.yml | 273 +-- tools/config/fireeye-helix.yml | 15 + tools/config/generic/windows-services.yml | 15 + tools/config/hawk.yml | 1860 ++++++++++--------- tools/config/logpoint-windows.yml | 269 +-- tools/config/logstash-windows.yml | 311 ++-- tools/config/powershell.yml | 353 ++-- tools/config/splunk-windows.yml | 393 ++-- tools/config/sumologic.yml | 423 +++-- tools/config/thor.yml | 919 ++++----- tools/config/winlogbeat-modules-enabled.yml | 380 ++-- tools/config/winlogbeat-old.yml | 425 +++-- tools/config/winlogbeat.yml | 35 +- tools/config/zircolite.yml | 17 +- 17 files changed, 3367 insertions(+), 3100 deletions(-)
diff --git a/tests/logsource.json b/tests/logsource.json
index ade003d67..47ff26a8d 100644
--- a/tests/logsource.json
+++ b/tests/logsource.json
@@ -1,76 +1,76 @@ { "title": "Field name by logsource", - "version": "20221231", + "version": "20230113", "legit":{ "windows":{ - "commun": ["EventID","Provider_Name"], + "commun": ["EventID", "Provider_Name"], "empty": [], "category":{ - "process_creation": ["CommandLine","Company","CurrentDirectory","Description","FileVersion", - "Hashes","Image","IntegrityLevel","LogonGuid","LogonId","OriginalFileName", - "ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId", - "ParentUser","ProcessGuid","ProcessId","Product","TerminalSessionId","User"], - "file_change": ["CreationUtcTime","Image","PreviousCreationUtcTime","ProcessGuid","ProcessId","TargetFilename","User"], - "network_connection": ["DestinationHostname","DestinationIp","DestinationIsIpv6","DestinationPort", - "DestinationPortName","Image","Initiated","ProcessGuid","ProcessId","Protocol","SourceHostname", - "SourceIp","SourceIsIpv6","SourcePort","SourcePortName","User"], - "sysmon_status": ["Configuration","ConfigurationFileHash","SchemaVersion","State","Version"], - "process_termination":["Image","ProcessGuid","ProcessId","User"], - "driver_load":["Hashes","ImageLoaded","Signature","SignatureStatus","Signed"], - "image_load":["Company","Description","FileVersion","Hashes","Image","ImageLoaded","OriginalFileName","ProcessGuid", - "ProcessId","Product","Signature","SignatureStatus","Signed","User"], - "create_remote_thread":["NewThreadId","SourceImage","SourceProcessGuid","SourceProcessId","SourceUser","StartAddress", - "StartFunction","StartModule","TargetImage","TargetProcessGuid","TargetProcessId","TargetUser"], - "raw_access_thread":["Device","Image","ProcessGuid","ProcessId","User"], - "process_access":["CallTrace","GrantedAccess","SourceImage","SourceProcessGUID","SourceProcessId","SourceThreadId", - "SourceUser","TargetImage","TargetProcessGUID","TargetProcessId","TargetUser"], - "raw_access_read":["CreationUtcTime","Image","ProcessGuid","ProcessId","TargetFilename","User"], - 
"file_event":["ProcessGuid","ProcessId","Image","TargetFilename","CreationUtcTime","User"], - "registry_add":["EventType","ProcessGuid","ProcessId","Image","TargetObject","User"], - "registry_delete":["Details","EventType","Image","ProcessGuid","ProcessId","TargetObject"], - "registry_set":["Details","EventType","Image","ProcessGuid","ProcessId","TargetObject","User"], - "registry_rename":["EventType","Image","NewName","ProcessGuid","ProcessId","TargetObject","User"], - "registry_event":["Details","EventType","Image","NewName","ProcessGuid","ProcessId","TargetObject","User"], - "create_stream_hash":["Contents","CreationUtcTime","Hash","Image","ProcessGuid","ProcessId","TargetFilename","User"], - "pipe_created":["EventType","Image","PipeName","ProcessGuid","ProcessId","User"], - "wmi_event":["Consumer","Destination","EventNamespace","EventType","Filter","Name","Operation","Query","Type","User"], - "dns_query":["Image","ProcessGuid","ProcessId","QueryName","QueryResults","QueryStatus","User"], - "file_delete":["Archived","Hashes","Image","IsExecutable","ProcessGuid","ProcessId","TargetFilename","User"], - "clipboard_capture":["Archived","ClientInfo","Hashes","Image","ProcessGuid","ProcessId","Session","User"], - "process_tampering":["Image","ProcessGuid","ProcessId","Type","User"], - "file_block":["Hashes","Image","ProcessGuid","ProcessId","TargetFilename","User"], - "ps_module":["ContextInfo","UserData","Payload"], - "ps_script":["MessageNumber","MessageTotal","ScriptBlockText","ScriptBlockId","Path"], - "file_access":["Irp","FileObject","IssuingThreadId","CreateOptions","CreateAttributes","ShareAccess","FileName"], - "file_rename":["Irp","FileObject","FileKey","ExtraInformation","IssuingThreadId","InfoClass","FilePath"], + "process_creation": ["CommandLine", "Company", "CurrentDirectory", "Description", "FileVersion", + "Hashes", "Image", "IntegrityLevel", "LogonGuid", "LogonId", "OriginalFileName", + "ParentCommandLine", "ParentImage", "ParentProcessGuid", 
"ParentProcessId", + "ParentUser", "ProcessGuid", "ProcessId", "Product", "TerminalSessionId", "User"], + "file_change": ["CreationUtcTime", "Image", "PreviousCreationUtcTime", "ProcessGuid", "ProcessId", "TargetFilename", "User"], + "network_connection": ["DestinationHostname", "DestinationIp", "DestinationIsIpv6", "DestinationPort", + "DestinationPortName", "Image", "Initiated", "ProcessGuid", "ProcessId", "Protocol", "SourceHostname", + "SourceIp", "SourceIsIpv6", "SourcePort", "SourcePortName", "User"], + "sysmon_status": ["Configuration", "ConfigurationFileHash", "SchemaVersion", "State", "Version"], + "process_termination":["Image", "ProcessGuid", "ProcessId", "User"], + "driver_load":["Hashes", "ImageLoaded", "Signature", "SignatureStatus", "Signed"], + "image_load":["Company", "Description", "FileVersion", "Hashes", "Image", "ImageLoaded", "OriginalFileName", "ProcessGuid", + "ProcessId", "Product", "Signature", "SignatureStatus", "Signed", "User"], + "create_remote_thread":["NewThreadId", "SourceImage", "SourceProcessGuid", "SourceProcessId", "SourceUser", "StartAddress", + "StartFunction", "StartModule", "TargetImage", "TargetProcessGuid", "TargetProcessId", "TargetUser"], + "raw_access_thread":["Device", "Image", "ProcessGuid", "ProcessId", "User"], + "process_access":["CallTrace", "GrantedAccess", "SourceImage", "SourceProcessGUID", "SourceProcessId", "SourceThreadId", + "SourceUser", "TargetImage", "TargetProcessGUID", "TargetProcessId", "TargetUser"], + "raw_access_read":["CreationUtcTime", "Image", "ProcessGuid", "ProcessId", "TargetFilename", "User"], + "file_event":["ProcessGuid", "ProcessId", "Image", "TargetFilename", "CreationUtcTime", "User"], + "registry_add":["EventType", "ProcessGuid", "ProcessId", "Image", "TargetObject", "User"], + "registry_delete":["Details", "EventType", "Image", "ProcessGuid", "ProcessId", "TargetObject"], + "registry_set":["Details", "EventType", "Image", "ProcessGuid", "ProcessId", "TargetObject", "User"], + 
"registry_rename":["EventType", "Image", "NewName", "ProcessGuid", "ProcessId", "TargetObject", "User"], + "registry_event":["Details", "EventType", "Image", "NewName", "ProcessGuid", "ProcessId", "TargetObject", "User"], + "create_stream_hash":["Contents", "CreationUtcTime", "Hash", "Image", "ProcessGuid", "ProcessId", "TargetFilename", "User"], + "pipe_created":["EventType", "Image", "PipeName", "ProcessGuid", "ProcessId", "User"], + "wmi_event":["Consumer", "Destination", "EventNamespace", "EventType", "Filter", "Name", "Operation", "Query", "Type", "User"], + "dns_query":["Image", "ProcessGuid", "ProcessId", "QueryName", "QueryResults", "QueryStatus", "User"], + "file_delete":["Archived", "Hashes", "Image", "IsExecutable", "ProcessGuid", "ProcessId", "TargetFilename", "User"], + "clipboard_capture":["Archived", "ClientInfo", "Hashes", "Image", "ProcessGuid", "ProcessId", "Session", "User"], + "process_tampering":["Image", "ProcessGuid", "ProcessId", "Type", "User"], + "file_block":["Hashes", "Image", "ProcessGuid", "ProcessId", "TargetFilename", "User"], + "ps_module":["ContextInfo", "UserData", "Payload"], + "ps_script":["MessageNumber", "MessageTotal", "ScriptBlockText", "ScriptBlockId", "Path"], + "file_access":["Irp", "FileObject", "IssuingThreadId", "CreateOptions", "CreateAttributes", "ShareAccess", "FileName"], + "file_rename":["Irp", "FileObject", "FileKey", "ExtraInformation", "IssuingThreadId", "InfoClass", "FilePath"], "ps_classic_start":[], "ps_classic_provider_start":[], "sysmon_error":[] }, "service":{ "bitlocker": ["VolumeName", "VolumeMountPoint", "ProtectorGUID", "ProtectorType"], - "bits-client":["RemoteName","LocalName","processPath","processId"], - "codeintegrity-operational":["FileNameLength","FileNameBuffer","ProcessNameLength","ProcessNameBuffer", - "RequestedPolicy","ValidatedPolicy","Status"], - "diagnosis-scripted": ["PackagePath","PackageId"], - "firewall-as":["Action","ApplicationPath","ModifyingApplication"], - 
"ldap_debug":["ScopeOfSearch","SearchFilter","DistinguishedName","AttributeList","ProcessId"], - "ntlm":["CallerPID","ClientDomainName","ClientLUID","ClientUserName","DomainName","MechanismOID", - "ProcessName","SChannelName","SChannelType","TargetName","UserName","WorkstationName"], - "openssh":["process","payload"], - "security-mitigations":["ProcessPathLength","ProcessPath","ProcessCommandLineLength","ProcessCommandLine", - "ProcessId","ProcessCreateTime","ProcessStartKey","ProcessSignatureLevel", - "ProcessSectionSignatureLevel","ProcessProtection","TargetThreadId","TargetThreadCreateTime", - "RequiredSignatureLevel","SignatureLevel","ImageNameLength","ImageName"], - "shell-core":["Name","AppID","Flags"], - "smbclient-security":["Reason","Status","ShareNameLength","ShareName","ObjectNameLength","ObjectName", - "UserNameLength","UserName","ServerNameLength","ServerName"], - "taskscheduler":["TaskName","UserContext","Path","ProcessID","Priority","UserName"], - "terminalservices-localsessionmanager":["User","SessionID","Address"], - "iis":["date","time","c-ip","cs-username","s-sitename","s-computername","s-ip","cs-method", - "cs-uri-stem","cs-uri-query","s-port","cs-method","sc-status","sc-win32-status", - "sc-bytes","cs-bytes","time-taken","cs-version","cs-host","cs-user-agent", - "cs-referer","cs-cookie"], + "bits-client":["RemoteName", "LocalName", "processPath", "processId"], + "codeintegrity-operational":["FileNameLength", "FileNameBuffer", "ProcessNameLength", "ProcessNameBuffer", + "RequestedPolicy", "ValidatedPolicy", "Status"], + "diagnosis-scripted": ["PackagePath", "PackageId"], + "firewall-as":["Action", "ApplicationPath", "ModifyingApplication"], + "ldap_debug":["ScopeOfSearch", "SearchFilter", "DistinguishedName", "AttributeList", "ProcessId"], + "ntlm":["CallerPID", "ClientDomainName", "ClientLUID", "ClientUserName", "DomainName", "MechanismOID", + "ProcessName", "SChannelName", "SChannelType", "TargetName", "UserName", "WorkstationName"], + 
"openssh":["process", "payload"], + "security-mitigations":["ProcessPathLength", "ProcessPath", "ProcessCommandLineLength", "ProcessCommandLine", + "ProcessId", "ProcessCreateTime", "ProcessStartKey", "ProcessSignatureLevel", + "ProcessSectionSignatureLevel", "ProcessProtection", "TargetThreadId", "TargetThreadCreateTime", + "RequiredSignatureLevel", "SignatureLevel", "ImageNameLength", "ImageName"], + "shell-core":["Name", "AppID", "Flags"], + "smbclient-security":["Reason", "Status", "ShareNameLength", "ShareName", "ObjectNameLength", "ObjectName", + "UserNameLength", "UserName", "ServerNameLength", "ServerName"], + "taskscheduler":["TaskName", "UserContext", "Path", "ProcessID", "Priority", "UserName"], + "terminalservices-localsessionmanager":["User", "SessionID", "Address"], + "iis":["date", "time", "c-ip", "cs-username", "s-sitename", "s-computername", "s-ip", "cs-method", + "cs-uri-stem", "cs-uri-query", "s-port", "cs-method", "sc-status", "sc-win32-status", + "sc-bytes", "cs-bytes", "time-taken", "cs-version", "cs-host", "cs-user-agent", + "cs-referer", "cs-cookie"], "application":[], "sysmon":[], "powershell":[], 
@@ -89,44 +89,47 @@ "applocker":[], "vhdmp":[], "appxdeployment-server":["Path", "AppId", "FilePath", "ErrorCode", "DeploymentOperation", "PackageFullName", "PackageSourceUri", "PackageDisplayName", "CallingProcess"], - "lsa-server":["TargetUserSid", "TargetUserName", "TargetDomainName", "TargetLogonId", "TargetLogonGuid", "EventOrginal", "EventCountTotal", "SidList"] + "appxpackaging-om":["subjectName"], + "lsa-server":["TargetUserSid", "TargetUserName", "TargetDomainName", "TargetLogonId", "TargetLogonGuid", "EventOrginal", "EventCountTotal", "SidList"], + "dns-client":["QueryName", "QueryType", "QueryOptions", "QueryStatus", "QueryResults", "NetworkIndex", "InterfaceIndex", "Status", "ClientPID", "QueryBlob", "DnsServerIpAddress", "ResponseStatus", "SendBlob", "SendBlobContext", "AddressLength", "Address", ""], + "appmodel-runtime":["ProcessID", "PackageName", "ImageName", "ApplicationName", "Message"] } }, "linux":{ "commun": [], "empty": [], "category":{ - "process_creation": ["ProcessGuid","ProcessId","Image","FileVersion","Description","Product","Company","OriginalFileName", - "CommandLine","CurrentDirectory","User","LogonGuid","LogonId","TerminalSessionId","IntegrityLevel","Hashes", - "ParentProcessGuid","ParentProcessId","ParentImage","ParentCommandLine","ParentUser"], - "network_connection": ["ProcessGuid","ProcessId","Image","User","Protocol","Initiated","SourceIsIpv6","SourceIp","SourceHostname", - "SourcePort","SourcePortName","DestinationIsIpv6","DestinationIp","DestinationHostname","DestinationPort", + "process_creation": ["ProcessGuid", "ProcessId", "Image", "FileVersion", "Description", "Product", "Company", "OriginalFileName", + "CommandLine", "CurrentDirectory", "User", "LogonGuid", "LogonId", "TerminalSessionId", "IntegrityLevel", "Hashes", + "ParentProcessGuid", "ParentProcessId", "ParentImage", "ParentCommandLine", "ParentUser"], + "network_connection": ["ProcessGuid", "ProcessId", "Image", "User", "Protocol", "Initiated", "SourceIsIpv6", 
"SourceIp", "SourceHostname", + "SourcePort", "SourcePortName", "DestinationIsIpv6", "DestinationIp", "DestinationHostname", "DestinationPort", "DestinationPortName"], - "process_termination": ["ProcessGuid","ProcessId","Image","User"], - "raw_access_read": ["ProcessGuid","ProcessId","Image","Device","User"], - "file_event": ["ProcessGuid","ProcessId","Image","TargetFilename","CreationUtcTime","User"], - "sysmon_status": ["Configuration","ConfigurationFileHash"], - "file_delete": ["ProcessGuid","ProcessId","User","Image","TargetFilename","Hashes","IsExecutable","Archived"] + "process_termination": ["ProcessGuid", "ProcessId", "Image", "User"], + "raw_access_read": ["ProcessGuid", "ProcessId", "Image", "Device", "User"], + "file_event": ["ProcessGuid", "ProcessId", "Image", "TargetFilename", "CreationUtcTime", "User"], + "sysmon_status": ["Configuration", "ConfigurationFileHash"], + "file_delete": ["ProcessGuid", "ProcessId", "User", "Image", "TargetFilename", "Hashes", "IsExecutable", "Archived"] }, "service":{ - "auditd": ["a0","a1","a2","a3","a4","a5","a6","a7","a8","a9", - "acct","acl","action","added","addr","apparmor","arch","argc","audit_backlog_limit","audit_backlog_wait_time", - "audit_enabled","audit_failure","auid","banners","bool","bus","cap_fe,cap_fi","cap_fp","cap_fver","cap_pa","cap_pe","cap_pi", - "cap_pp","capability","category","cgroup","changed","cipher","class","cmd","code","comm","compat","cwd","daddr","data", - "default-context","dev","dev","device","dir","direction","dmac","dport","egid","enforcing","entries","errno","euid","exe", - "exit","fam","family","fd","fe","feature","fi","file","flags","format","fp","fsgid","fsuid","fver","gid","grantors","grp", - "hook","hostname","icmp_type","id","igid","img-ctx","inif","ino","inode","inode_gid","inode_uid","invalid_context","ioctlcmd", - "ip","ipid","ipx-net","item","items","iuid","kernel","key","kind","ksize","laddr","len","list","lport","mac","macproto","maj", - 
"major","minor","mode","model","msg","name","nametype","nargs","net","new","new_gid","new_lock","new_pe","new_pi","new_pp", - "new-chardev","new-disk","new-enabled","new-fs","new-level","new-log_passwd","new-mem","new-net","new-range","new-rng","new-role", - "new-seuser","new-vcpu","nlnk-fam","nlnk-grp","nlnk-pid","oauid","obj","obj_gid","obj_uid","ocomm","oflag","ogid","old","old_enforcing", - "old_lock","old_pa","old_pe","old_pi","old_pp","old_prom","old_val","old-auid","old-chardev","old-disk","old-enabled","old-fs", - "old-level","old-log_passwd","old-mem","old-net","old-range","old-rng","old-role","old-ses","old-seuser","old-vcpu","op","opid", - "oses","ouid","outif","pa","parent","path","pe","per","perm","perm_mask","permissive","pfs","pi","pid","pp","ppid","printer", - "proctitle","prom","proto","qbytes","range","rdev","reason","removed","res","resrc","result","role","rport","saddr","sauid", - "scontext","selected-context","seperm","seperms","seqno","seresult","ses","seuser","sgid","sig","sigev_signo","smac","spid", - "sport","state","subj","success","suid","syscall","table","tclass","tcontext","terminal","tty","type","uid","unit","uri","user", - "uuid","val","val","ver","virt","vm","vm-ctx","vm-pid","watch"], + "auditd": ["a0", "a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9", + "acct", "acl", "action", "added", "addr", "apparmor", "arch", "argc", "audit_backlog_limit", "audit_backlog_wait_time", + "audit_enabled", "audit_failure", "auid", "banners", "bool", "bus", "cap_fe,cap_fi", "cap_fp", "cap_fver", "cap_pa", "cap_pe", "cap_pi", + "cap_pp", "capability", "category", "cgroup", "changed", "cipher", "class", "cmd", "code", "comm", "compat", "cwd", "daddr", "data", + "default-context", "dev", "dev", "device", "dir", "direction", "dmac", "dport", "egid", "enforcing", "entries", "errno", "euid", "exe", + "exit", "fam", "family", "fd", "fe", "feature", "fi", "file", "flags", "format", "fp", "fsgid", "fsuid", "fver", "gid", "grantors", "grp", + "hook", 
"hostname", "icmp_type", "id", "igid", "img-ctx", "inif", "ino", "inode", "inode_gid", "inode_uid", "invalid_context", "ioctlcmd", + "ip", "ipid", "ipx-net", "item", "items", "iuid", "kernel", "key", "kind", "ksize", "laddr", "len", "list", "lport", "mac", "macproto", "maj", + "major", "minor", "mode", "model", "msg", "name", "nametype", "nargs", "net", "new", "new_gid", "new_lock", "new_pe", "new_pi", "new_pp", + "new-chardev", "new-disk", "new-enabled", "new-fs", "new-level", "new-log_passwd", "new-mem", "new-net", "new-range", "new-rng", "new-role", + "new-seuser", "new-vcpu", "nlnk-fam", "nlnk-grp", "nlnk-pid", "oauid", "obj", "obj_gid", "obj_uid", "ocomm", "oflag", "ogid", "old", "old_enforcing", + "old_lock", "old_pa", "old_pe", "old_pi", "old_pp", "old_prom", "old_val", "old-auid", "old-chardev", "old-disk", "old-enabled", "old-fs", + "old-level", "old-log_passwd", "old-mem", "old-net", "old-range", "old-rng", "old-role", "old-ses", "old-seuser", "old-vcpu", "op", "opid", + "oses", "ouid", "outif", "pa", "parent", "path", "pe", "per", "perm", "perm_mask", "permissive", "pfs", "pi", "pid", "pp", "ppid", "printer", + "proctitle", "prom", "proto", "qbytes", "range", "rdev", "reason", "removed", "res", "resrc", "result", "role", "rport", "saddr", "sauid", + "scontext", "selected-context", "seperm", "seperms", "seqno", "seresult", "ses", "seuser", "sgid", "sig", "sigev_signo", "smac", "spid", + "sport", "state", "subj", "success", "suid", "syscall", "table", "tclass", "tcontext", "terminal", "tty", "type", "uid", "unit", "uri", "user", + "uuid", "val", "val", "ver", "virt", "vm", "vm-ctx", "vm-pid", "watch"], "vsftpd":[], "sshd":[], "syslog":[], 
@@ -142,13 +145,13 @@ "commun": [], "empty": ["not_found"], "category":{ - "proxy":["c-uri","c-uri-extension","c-uri-query","c-uri-stem","c-useragent","cs-bytes","cs-cookie", - "cs-host","cs-method","r-dns","cs-referrer","cs-version","sc-bytes","sc-status","src_ip","dst_ip", + "proxy":["c-uri", "c-uri-extension", "c-uri-query", "c-uri-stem", "c-useragent", "cs-bytes", "cs-cookie", + "cs-host", "cs-method", "r-dns", "cs-referrer", "cs-version", "sc-bytes", "sc-status", "src_ip", "dst_ip", "cs-uri"], - "webserver":["date","time","c-ip","cs-username","s-sitename","s-computername","s-ip","cs-method", - "cs-uri-stem","cs-uri-query","s-port","cs-method","sc-status","sc-win32-status", - "sc-bytes","cs-bytes","time-taken","cs-version","cs-host","cs-user-agent", - "cs-referer","cs-cookie"], + "webserver":["date", "time", "c-ip", "cs-username", "s-sitename", "s-computername", "s-ip", "cs-method", + "cs-uri-stem", "cs-uri-query", "s-port", "cs-method", "sc-status", "sc-win32-status", + "sc-bytes", "cs-bytes", "time-taken", "cs-version", "cs-host", "cs-user-agent", + "cs-referer", "cs-cookie"], "antivirus":[], "database":[], "dns":[], 
@@ -330,17 +333,17 @@ "commun": [], "empty": [], "category":{ - "process_creation": ["ProcessGuid","ProcessId","Image","FileVersion","Description","Product","Company","OriginalFileName", - "CommandLine","CurrentDirectory","User","LogonGuid","LogonId","TerminalSessionId","IntegrityLevel","Hashes", - "ParentProcessGuid","ParentProcessId","ParentImage","ParentCommandLine","ParentUser"], - "network_connection": ["ProcessGuid","ProcessId","Image","User","Protocol","Initiated","SourceIsIpv6","SourceIp","SourceHostname", - "SourcePort","SourcePortName","DestinationIsIpv6","DestinationIp","DestinationHostname","DestinationPort", + "process_creation": ["ProcessGuid", "ProcessId", "Image", "FileVersion", "Description", "Product", "Company", "OriginalFileName", + "CommandLine", "CurrentDirectory", "User", "LogonGuid", "LogonId", "TerminalSessionId", "IntegrityLevel", "Hashes", + "ParentProcessGuid", "ParentProcessId", "ParentImage", "ParentCommandLine", "ParentUser"], + "network_connection": ["ProcessGuid", "ProcessId", "Image", "User", "Protocol", "Initiated", "SourceIsIpv6", "SourceIp", "SourceHostname", + "SourcePort", "SourcePortName", "DestinationIsIpv6", "DestinationIp", "DestinationHostname", "DestinationPort", "DestinationPortName"], - "process_termination": ["ProcessGuid","ProcessId","Image","User"], - "raw_access_read": ["ProcessGuid","ProcessId","Image","Device","User"], - "file_event": ["ProcessGuid","ProcessId","Image","TargetFilename","CreationUtcTime","User"], - "sysmon_status": ["Configuration","ConfigurationFileHash"], - "file_delete": ["ProcessGuid","ProcessId","User","Image","TargetFilename","Hashes","IsExecutable","Archived"] + "process_termination": ["ProcessGuid", "ProcessId", "Image", "User"], + "raw_access_read": ["ProcessGuid", "ProcessId", "Image", "Device", "User"], + "file_event": ["ProcessGuid", "ProcessId", "Image", "TargetFilename", "CreationUtcTime", "User"], + "sysmon_status": ["Configuration", "ConfigurationFileHash"], + "file_delete": 
["ProcessGuid", "ProcessId", "User", "Image", "TargetFilename", "Hashes", "IsExecutable", "Archived"] }, "service":{ } @@ -350,16 +353,16 @@ "windows":{ "category":{ "process_creation": ["GrandparentCommandLine"], - "network_connection": ["CommandLine","ParentImage"], - "create_remote_thread": ["User","SourceCommandLine","SourceParentProcessId","SourceParentImage", - "SourceParentCommandLine","TargetCommandLine","TargetParentProcessId","TargetParentImage","TargetParentCommandLine", - "IsInitialThread","RemoteCreation"], - "file_delete": ["CommandLine","ParentImage","ParentCommandLine"], - "file_event": ["CommandLine","ParentImage","ParentCommandLine","MagicHeader"], + "network_connection": ["CommandLine", "ParentImage"], + "create_remote_thread": ["User", "SourceCommandLine", "SourceParentProcessId", "SourceParentImage", + "SourceParentCommandLine", "TargetCommandLine", "TargetParentProcessId", "TargetParentImage", "TargetParentCommandLine", + "IsInitialThread", "RemoteCreation"], + "file_delete": ["CommandLine", "ParentImage", "ParentCommandLine"], + "file_event": ["CommandLine", "ParentImage", "ParentCommandLine", "MagicHeader"], "image_load": ["CommandLine"], - "process_access": ["SourceCommandLine","CallTraceExtended"], - "file_access":["Image","CommandLine","ParentImage","ParentCommandLine","User","TargetFilename"], - "file_rename":["Image","CommandLine","ParentImage","ParentCommandLine","User","OriginalFileName","SourceFilename","TargetFilename","MagicHeader"] + "process_access": ["SourceCommandLine", "CallTraceExtended"], + "file_access":["Image", "CommandLine", "ParentImage", "ParentCommandLine", "User", "TargetFilename"], + "file_rename":["Image", "CommandLine", "ParentImage", "ParentCommandLine", "User", "OriginalFileName", "SourceFilename", "TargetFilename", "MagicHeader"] }, "service":{} } diff --git a/tools/config/elk-windows.yml b/tools/config/elk-windows.yml index f087a54a4..e178e5baa 100644 --- a/tools/config/elk-windows.yml 
+++ b/tools/config/elk-windows.yml 
@@ -1,132 +1,147 @@ title: ELK Windows Indices and Mappings logsources: - windows: - product: windows - index: logstash-windows-* - windows-application: - product: windows - service: application - conditions: - EventLog: Application - windows-security: - product: windows - service: security - conditions: - EventLog: Security - windows-sysmon: - product: windows - service: sysmon - conditions: - EventLog: Microsoft-Windows-Sysmon - windows-dns-server: - product: windows - service: dns-server - conditions: - EventLog: 'DNS Server' - windows-driver-framework: - product: windows - service: driver-framework - conditions: - EventLog: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' - windows-ntlm: - product: windows - service: ntlm - conditions: - EventLog: 'Microsoft-Windows-NTLM/Operational' - windows-applocker: - product: windows - service: applocker - conditions: - EventLog: - - 'Microsoft-Windows-AppLocker/MSI and Script' - - 'Microsoft-Windows-AppLocker/EXE and DLL' - - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' - - 'Microsoft-Windows-AppLocker/Packaged app-Execution' - windows-msexchange-management: - product: windows - service: msexchange-management - conditions: - EventLog: 'MSExchange Management' - windows-printservice-admin: - product: windows - service: printservice-admin - conditions: - EventLog: 'Microsoft-Windows-PrintService/Admin' - windows-printservice-operational: - product: windows - service: printservice-operational - conditions: - EventLog: 'Microsoft-Windows-PrintService/Operational' - windows-terminalservices-localsessionmanager-operational: - product: windows - service: terminalservices-localsessionmanager - conditions: - EventLog: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' - windows-codeintegrity-operational: - product: windows - service: codeintegrity-operational - conditions: - EventLog: 'Microsoft-Windows-CodeIntegrity/Operational' - windows-smbclient-security: - product: windows - service: 
smbclient-security - conditions: - EventLog: 'Microsoft-Windows-SmbClient/Security' - windows-firewall-advanced-security: - product: windows - service: firewall-as - conditions: - EventLog: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' - windows-bits-client: - product: windows - service: bits-client - conditions: - EventLog: 'Microsoft-Windows-Bits-Client/Operational' - windows-security-mitigations: - product: windows - service: security-mitigations - conditions: - EventLog: - - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' - - 'Microsoft-Windows-Security-Mitigations/User Mode' - windows-diagnosis: - product: windows - service: diagnosis-scripted - conditions: - EventLog: 'Microsoft-Windows-Diagnosis-Scripted/Operational' - windows-shell-core: - product: windows - service: shell-core - conditions: - EventLog: 'Microsoft-Windows-Shell-Core/Operational' - windows-openssh: - product: windows - service: openssh - conditions: - EventLog: 'OpenSSH/Operational' - windows-ldap-debug: - product: windows - service: ldap_debug - conditions: - EventLog: 'Microsoft-Windows-LDAP-Client/Debug' - windows-bitlocker: - product: windows - service: bitlocker - conditions: - EventLog: 'Microsoft-Windows-BitLocker/BitLocker Management' - windows-vhdmp-operational: - product: windows - service: vhdmp - conditions: - EventLog: 'Microsoft-Windows-VHDMP/Operational' - windows-appxdeployment-server: - product: windows - service: appxdeployment-server - conditions: - EventLog: 'Microsoft-Windows-AppXDeploymentServer/Operational' - windows-lsa-server: - product: windows - service: lsa-server - conditions: - EventLog: 'Microsoft-Windows-LSA/Operational' + windows: + product: windows + index: logstash-windows-* + windows-application: + product: windows + service: application + conditions: + EventLog: Application + windows-security: + product: windows + service: security + conditions: + EventLog: Security + windows-sysmon: + product: windows + service: sysmon + 
conditions: + EventLog: Microsoft-Windows-Sysmon + windows-dns-server: + product: windows + service: dns-server + conditions: + EventLog: 'DNS Server' + windows-driver-framework: + product: windows + service: driver-framework + conditions: + EventLog: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' + windows-ntlm: + product: windows + service: ntlm + conditions: + EventLog: 'Microsoft-Windows-NTLM/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + EventLog: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' + windows-msexchange-management: + product: windows + service: msexchange-management + conditions: + EventLog: 'MSExchange Management' + windows-printservice-admin: + product: windows + service: printservice-admin + conditions: + EventLog: 'Microsoft-Windows-PrintService/Admin' + windows-printservice-operational: + product: windows + service: printservice-operational + conditions: + EventLog: 'Microsoft-Windows-PrintService/Operational' + windows-terminalservices-localsessionmanager-operational: + product: windows + service: terminalservices-localsessionmanager + conditions: + EventLog: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + EventLog: 'Microsoft-Windows-CodeIntegrity/Operational' + windows-smbclient-security: + product: windows + service: smbclient-security + conditions: + EventLog: 'Microsoft-Windows-SmbClient/Security' + windows-firewall-advanced-security: + product: windows + service: firewall-as + conditions: + EventLog: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' + windows-bits-client: + product: windows + service: bits-client + conditions: + EventLog: 
'Microsoft-Windows-Bits-Client/Operational' + windows-security-mitigations: + product: windows + service: security-mitigations + conditions: + EventLog: + - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' + - 'Microsoft-Windows-Security-Mitigations/User Mode' + windows-diagnosis: + product: windows + service: diagnosis-scripted + conditions: + EventLog: 'Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + conditions: + EventLog: 'Microsoft-Windows-Shell-Core/Operational' + windows-openssh: + product: windows + service: openssh + conditions: + EventLog: 'OpenSSH/Operational' + windows-ldap-debug: + product: windows + service: ldap_debug + conditions: + EventLog: 'Microsoft-Windows-LDAP-Client/Debug' + windows-bitlocker: + product: windows + service: bitlocker + conditions: + EventLog: 'Microsoft-Windows-BitLocker/BitLocker Management' + windows-vhdmp-operational: + product: windows + service: vhdmp + conditions: + EventLog: 'Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + EventLog: 'Microsoft-Windows-AppXDeploymentServer/Operational' + windows-lsa-server: + product: windows + service: lsa-server + conditions: + EventLog: 'Microsoft-Windows-LSA/Operational' + windows-appxpackaging-om: + product: windows + service: appxpackaging-om + conditions: + EventLog: 'Microsoft-Windows-AppxPackaging/Operational' + windows-dns-client: + product: windows + service: dns-client + conditions: + EventLog: 'Microsoft-Windows-DNS Client Events/Operational' + windows-appmodel-runtime: + product: windows + service: appmodel-runtime + conditions: + EventLog: 'Microsoft-Windows-AppModel-Runtime/Admin' defaultindex: logstash-* diff --git a/tools/config/elk-winlogbeat-sp.yml b/tools/config/elk-winlogbeat-sp.yml index 422fbd79b..c5adcb9b0 100644 --- a/tools/config/elk-winlogbeat-sp.yml +++ b/tools/config/elk-winlogbeat-sp.yml 
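Review bot: The three new entries (`windows-appxpackaging-om`, `windows-dns-client`, `windows-appmodel-runtime`) are the only behavioural change in this hunk, but they sit at the end of a block that re-indents every existing line, so they are easy to miss when checking the channel names against the matching services added to `tests/logsource.json` in the same commit. A separate whitespace-only commit for the re-indent (here and in the following config files) would leave a reviewable diff of roughly fifteen lines. Like the existing entries, the new ones carry no `index:` and so presumably fall back to `defaultindex: logstash-*`; confirm that is intended, since the `windows` entry above still pins `logstash-windows-*`.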
@@ -1,134 +1,149 @@
 title: ELK Ingested with Winlogbeat
 logsources:
- windows:
- product: windows
- index:
- windows-application:
- product: windows
- service: application
- conditions:
- log_name: Application
- windows-security:
- product: windows
- service: security
- conditions:
- log_name: Security
- windows-sysmon:
- product: windows
- service: sysmon
- conditions:
- log_name: 'Microsoft-Windows-Sysmon/Operational'
- windows-dns-server:
- product: windows
- service: dns-server
- conditions:
- log_name: 'DNS Server'
- windows-driver-framework:
- product: windows
- service: driver-framework
- conditions:
- log_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
- windows-ntlm:
- product: windows
- service: ntlm
- conditions:
- log_name: 'Microsoft-Windows-NTLM/Operational'
- windows-applocker:
- product: windows
- service: applocker
- conditions:
- log_name:
- - 'Microsoft-Windows-AppLocker/MSI and Script'
- - 'Microsoft-Windows-AppLocker/EXE and DLL'
- - 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- - 'Microsoft-Windows-AppLocker/Packaged app-Execution'
- windows-msexchange-management:
- product: windows
- service: msexchange-management
- conditions:
- log_name: 'MSExchange Management'
- windows-printservice-admin:
- product: windows
- service: printservice-admin
- conditions:
- log_name: 'Microsoft-Windows-PrintService/Admin'
- windows-printservice-operational:
- product: windows
- service: printservice-operational
- conditions:
- log_name: 'Microsoft-Windows-PrintService/Operational'
- windows-terminalservices-localsessionmanager-operational:
- product: windows
- service: terminalservices-localsessionmanager
- conditions:
- log_name: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
- windows-codeintegrity-operational:
- product: windows
- service: codeintegrity-operational
- conditions:
- log_name: 'Microsoft-Windows-CodeIntegrity/Operational'
- windows-smbclient-security:
- product: windows
- service: smbclient-security
- conditions:
- log_name: 'Microsoft-Windows-SmbClient/Security'
- windows-firewall-advanced-security:
- product: windows
- service: firewall-as
- conditions:
- log_name: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
- windows-bits-client:
- product: windows
- service: bits-client
- conditions:
- log_name: 'Microsoft-Windows-Bits-Client/Operational'
- windows-security-mitigations:
- product: windows
- service: security-mitigations
- conditions:
- log_name:
- - 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- - 'Microsoft-Windows-Security-Mitigations/User Mode'
- windows-diagnosis:
- product: windows
- service: diagnosis-scripted
- conditions:
- log_name: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
- windows-shell-core:
- product: windows
- service: shell-core
- conditions:
- log_name: 'Microsoft-Windows-Shell-Core/Operational'
- windows-openssh:
- product: windows
- service: openssh
- conditions:
- log_name: 'OpenSSH/Operational'
- windows-ldap-debug:
- product: windows
- service: ldap_debug
- conditions:
- log_name: 'Microsoft-Windows-LDAP-Client/Debug'
- windows-bitlocker:
- product: windows
- service: bitlocker
- conditions:
- log_name: 'Microsoft-Windows-BitLocker/BitLocker Management'
- windows-vhdmp-operational:
- product: windows
- service: vhdmp
- conditions:
- log_name: 'Microsoft-Windows-VHDMP/Operational'
- windows-appxdeployment-server:
- product: windows
- service: appxdeployment-server
- conditions:
- log_name: 'Microsoft-Windows-AppXDeploymentServer/Operational'
- windows-lsa-server:
- product: windows
- service: lsa-server
- conditions:
- log_name: 'Microsoft-Windows-LSA/Operational'
+ windows:
+ product: windows
+ index:
+ windows-application:
+ product: windows
+ service: application
+ conditions:
+ log_name: Application
+ windows-security:
+ product: windows
+ service: security
+ conditions:
+ log_name: Security
+ windows-sysmon:
+ product: windows
+ service: sysmon
+ conditions:
+ log_name: 'Microsoft-Windows-Sysmon/Operational'
+ windows-dns-server:
+ product: windows
+ service: dns-server
+ conditions:
+ log_name: 'DNS Server'
+ windows-driver-framework:
+ product: windows
+ service: driver-framework
+ conditions:
+ log_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+ windows-ntlm:
+ product: windows
+ service: ntlm
+ conditions:
+ log_name: 'Microsoft-Windows-NTLM/Operational'
+ windows-applocker:
+ product: windows
+ service: applocker
+ conditions:
+ log_name:
+ - 'Microsoft-Windows-AppLocker/MSI and Script'
+ - 'Microsoft-Windows-AppLocker/EXE and DLL'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Execution'
+ windows-msexchange-management:
+ product: windows
+ service: msexchange-management
+ conditions:
+ log_name: 'MSExchange Management'
+ windows-printservice-admin:
+ product: windows
+ service: printservice-admin
+ conditions:
+ log_name: 'Microsoft-Windows-PrintService/Admin'
+ windows-printservice-operational:
+ product: windows
+ service: printservice-operational
+ conditions:
+ log_name: 'Microsoft-Windows-PrintService/Operational'
+ windows-terminalservices-localsessionmanager-operational:
+ product: windows
+ service: terminalservices-localsessionmanager
+ conditions:
+ log_name: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
+ windows-codeintegrity-operational:
+ product: windows
+ service: codeintegrity-operational
+ conditions:
+ log_name: 'Microsoft-Windows-CodeIntegrity/Operational'
+ windows-smbclient-security:
+ product: windows
+ service: smbclient-security
+ conditions:
+ log_name: 'Microsoft-Windows-SmbClient/Security'
+ windows-firewall-advanced-security:
+ product: windows
+ service: firewall-as
+ conditions:
+ log_name: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
+ windows-bits-client:
+ product: windows
+ service: bits-client
+ conditions:
+ log_name: 'Microsoft-Windows-Bits-Client/Operational'
+ windows-security-mitigations:
+ product: windows
+ service: security-mitigations
+ conditions:
+ log_name:
+ - 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
+ - 'Microsoft-Windows-Security-Mitigations/User Mode'
+ windows-diagnosis:
+ product: windows
+ service: diagnosis-scripted
+ conditions:
+ log_name: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
+ windows-shell-core:
+ product: windows
+ service: shell-core
+ conditions:
+ log_name: 'Microsoft-Windows-Shell-Core/Operational'
+ windows-openssh:
+ product: windows
+ service: openssh
+ conditions:
+ log_name: 'OpenSSH/Operational'
+ windows-ldap-debug:
+ product: windows
+ service: ldap_debug
+ conditions:
+ log_name: 'Microsoft-Windows-LDAP-Client/Debug'
+ windows-bitlocker:
+ product: windows
+ service: bitlocker
+ conditions:
+ log_name: 'Microsoft-Windows-BitLocker/BitLocker Management'
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ log_name: 'Microsoft-Windows-VHDMP/Operational'
+ windows-appxdeployment-server:
+ product: windows
+ service: appxdeployment-server
+ conditions:
+ log_name: 'Microsoft-Windows-AppXDeploymentServer/Operational'
+ windows-lsa-server:
+ product: windows
+ service: lsa-server
+ conditions:
+ log_name: 'Microsoft-Windows-LSA/Operational'
+ windows-appxpackaging-om:
+ product: windows
+ service: appxpackaging-om
+ conditions:
+ log_name: 'Microsoft-Windows-AppxPackaging/Operational'
+ windows-dns-client:
+ product: windows
+ service: dns-client
+ conditions:
+ log_name: 'Microsoft-Windows-DNS Client Events/Operational'
+ windows-appmodel-runtime:
+ product: windows
+ service: appmodel-runtime
+ conditions:
+ log_name: 'Microsoft-Windows-AppModel-Runtime/Admin'
 defaultindex:
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
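Review bot: Re-indenting the whole file in the same hunk as the content change turns all 134 old lines into `-`/`+` pairs, so the three entries that are actually new (`windows-appxpackaging-om`, `windows-dns-client`, `windows-appmodel-runtime`) can only be found by reading the entire new side; the elk-winlogbeat.yml and hawk.yml hunks have the same shape. Comparing the old and new sides of this hunk with whitespace ignored shows no other content difference. Splitting whitespace-only reformatting from content changes, or at least stating in the description that the diff reduces to the three additions when whitespace is ignored, would make the review checkable.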
diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml
index de0288a21..c7ece3026 100644
--- a/tools/config/elk-winlogbeat.yml
+++ b/tools/config/elk-winlogbeat.yml
@@ -1,134 +1,149 @@
 title: ELK Ingested with Winlogbeat
 logsources:
- windows:
- product: windows
- index: winlogbeat-*
- windows-application:
- product: windows
- service: application
- conditions:
- log_name: Application
- windows-security:
- product: windows
- service: security
- conditions:
- log_name: Security
- windows-sysmon:
- product: windows
- service: sysmon
- conditions:
- log_name: 'Microsoft-Windows-Sysmon/Operational'
- windows-dns-server:
- product: windows
- service: dns-server
- conditions:
- log_name: 'DNS Server'
- windows-driver-framework:
- product: windows
- service: driver-framework
- conditions:
- log_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
- windows-ntlm:
- product: windows
- service: ntlm
- conditions:
- log_name: 'Microsoft-Windows-NTLM/Operational'
- windows-applocker:
- product: windows
- service: applocker
- conditions:
- log_name:
- - 'Microsoft-Windows-AppLocker/MSI and Script'
- - 'Microsoft-Windows-AppLocker/EXE and DLL'
- - 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- - 'Microsoft-Windows-AppLocker/Packaged app-Execution'
- windows-msexchange-management:
- product: windows
- service: msexchange-management
- conditions:
- log_name: 'MSExchange Management'
- windows-printservice-admin:
- product: windows
- service: printservice-admin
- conditions:
- log_name: 'Microsoft-Windows-PrintService/Admin'
- windows-printservice-operational:
- product: windows
- service: printservice-operational
- conditions:
- log_name: 'Microsoft-Windows-PrintService/Operational'
- windows-terminalservices-localsessionmanager-operational:
- product: windows
- service: terminalservices-localsessionmanager
- conditions:
- log_name: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
- windows-codeintegrity-operational:
- product: windows
- service: codeintegrity-operational
- conditions:
- log_name: 'Microsoft-Windows-CodeIntegrity/Operational'
- windows-smbclient-security:
- product: windows
- service: smbclient-security
- conditions:
- log_name: 'Microsoft-Windows-SmbClient/Security'
- windows-firewall-advanced-security:
- product: windows
- service: firewall-as
- conditions:
- log_name: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
- windows-bits-client:
- product: windows
- service: bits-client
- conditions:
- logname: 'Microsoft-Windows-Bits-Client/Operational'
- windows-security-mitigations:
- product: windows
- service: security-mitigations
- conditions:
- logname:
- - 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- - 'Microsoft-Windows-Security-Mitigations/User Mode'
- windows-diagnosis:
- product: windows
- service: diagnosis-scripted
- conditions:
- logname: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
- windows-shell-core:
- product: windows
- service: shell-core
- conditions:
- logname: 'Microsoft-Windows-Shell-Core/Operational'
- windows-openssh:
- product: windows
- service: openssh
- conditions:
- logname: 'OpenSSH/Operational'
- windows-ldap-debug:
- product: windows
- service: ldap_debug
- conditions:
- logname: 'Microsoft-Windows-LDAP-Client/Debug'
- windows-bitlocker:
- product: windows
- service: bitlocker
- conditions:
- logname: 'Microsoft-Windows-BitLocker/BitLocker Management'
- windows-vhdmp-operational:
- product: windows
- service: vhdmp
- conditions:
- logname: 'Microsoft-Windows-VHDMP/Operational'
- windows-appxdeployment-server:
- product: windows
- service: appxdeployment-server
- conditions:
- logname: 'Microsoft-Windows-AppXDeploymentServer/Operational'
- windows-lsa-server:
- product: windows
- service: lsa-server
- conditions:
- logname: 'Microsoft-Windows-LSA/Operational'
+ windows:
+ product: windows
+ index: winlogbeat-*
+ windows-application:
+ product: windows
+ service: application
+ conditions:
+ log_name: Application
+ windows-security:
+ product: windows
+ service: security
+ conditions:
+ log_name: Security
+ windows-sysmon:
+ product: windows
+ service: sysmon
+ conditions:
+ log_name: 'Microsoft-Windows-Sysmon/Operational'
+ windows-dns-server:
+ product: windows
+ service: dns-server
+ conditions:
+ log_name: 'DNS Server'
+ windows-driver-framework:
+ product: windows
+ service: driver-framework
+ conditions:
+ log_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+ windows-ntlm:
+ product: windows
+ service: ntlm
+ conditions:
+ log_name: 'Microsoft-Windows-NTLM/Operational'
+ windows-applocker:
+ product: windows
+ service: applocker
+ conditions:
+ log_name:
+ - 'Microsoft-Windows-AppLocker/MSI and Script'
+ - 'Microsoft-Windows-AppLocker/EXE and DLL'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Execution'
+ windows-msexchange-management:
+ product: windows
+ service: msexchange-management
+ conditions:
+ log_name: 'MSExchange Management'
+ windows-printservice-admin:
+ product: windows
+ service: printservice-admin
+ conditions:
+ log_name: 'Microsoft-Windows-PrintService/Admin'
+ windows-printservice-operational:
+ product: windows
+ service: printservice-operational
+ conditions:
+ log_name: 'Microsoft-Windows-PrintService/Operational'
+ windows-terminalservices-localsessionmanager-operational:
+ product: windows
+ service: terminalservices-localsessionmanager
+ conditions:
+ log_name: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
+ windows-codeintegrity-operational:
+ product: windows
+ service: codeintegrity-operational
+ conditions:
+ log_name: 'Microsoft-Windows-CodeIntegrity/Operational'
+ windows-smbclient-security:
+ product: windows
+ service: smbclient-security
+ conditions:
+ log_name: 'Microsoft-Windows-SmbClient/Security'
+ windows-firewall-advanced-security:
+ product: windows
+ service: firewall-as
+ conditions:
+ log_name: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
+ windows-bits-client:
+ product: windows
+ service: bits-client
+ conditions:
+ logname: 'Microsoft-Windows-Bits-Client/Operational'
+ windows-security-mitigations:
+ product: windows
+ service: security-mitigations
+ conditions:
+ logname:
+ - 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
+ - 'Microsoft-Windows-Security-Mitigations/User Mode'
+ windows-diagnosis:
+ product: windows
+ service: diagnosis-scripted
+ conditions:
+ logname: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
+ windows-shell-core:
+ product: windows
+ service: shell-core
+ conditions:
+ logname: 'Microsoft-Windows-Shell-Core/Operational'
+ windows-openssh:
+ product: windows
+ service: openssh
+ conditions:
+ logname: 'OpenSSH/Operational'
+ windows-ldap-debug:
+ product: windows
+ service: ldap_debug
+ conditions:
+ logname: 'Microsoft-Windows-LDAP-Client/Debug'
+ windows-bitlocker:
+ product: windows
+ service: bitlocker
+ conditions:
+ logname: 'Microsoft-Windows-BitLocker/BitLocker Management'
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ logname: 'Microsoft-Windows-VHDMP/Operational'
+ windows-appxdeployment-server:
+ product: windows
+ service: appxdeployment-server
+ conditions:
+ logname: 'Microsoft-Windows-AppXDeploymentServer/Operational'
+ windows-lsa-server:
+ product: windows
+ service: lsa-server
+ conditions:
+ logname: 'Microsoft-Windows-LSA/Operational'
+ windows-appxpackaging-om:
+ product: windows
+ service: appxpackaging-om
+ conditions:
+ logname: 'Microsoft-Windows-AppxPackaging/Operational'
+ windows-dns-client:
+ product: windows
+ service: dns-client
+ conditions:
+ logname: 'Microsoft-Windows-DNS Client Events/Operational'
+ windows-appmodel-runtime:
+ product: windows
+ service: appmodel-runtime
+ conditions:
+ logname: 'Microsoft-Windows-AppModel-Runtime/Admin'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
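Review bot: From `windows-bits-client` down to the three new entries (`windows-appxpackaging-om`, `windows-dns-client`, `windows-appmodel-runtime`) the condition key is `logname:`, while the fourteen entries above them and the whole of the sibling elk-winlogbeat-sp.yml hunk use `log_name:`. The commit carries that spelling over from the old side and extends it to the new entries, so it reads as an inherited typo rather than a deliberate second field name; if `logname` is not a field in the Winlogbeat index, every rule for these twelve services is converted into a query that can never match, which is a silent detection gap rather than a conversion error. Suggested change for each of the twelve entries: `logname:` → `log_name:`, matching elk-winlogbeat-sp.yml. A small test asserting that all `conditions` keys in a config file use one field name would keep the two files from drifting again.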
diff --git a/tools/config/fireeye-helix.yml b/tools/config/fireeye-helix.yml
index 452a8cb1e..fbb3b0f5c 100644
--- a/tools/config/fireeye-helix.yml
+++ b/tools/config/fireeye-helix.yml
@@ -157,6 +157,21 @@ logsources:
 service: lsa-server
 conditions:
 channel: 'Microsoft-Windows-LSA/Operational'
+ windows-appxpackaging-om:
+ product: windows
+ service: appxpackaging-om
+ conditions:
+ channel: 'Microsoft-Windows-AppxPackaging/Operational'
+ windows-dns-client:
+ product: windows
+ service: dns-client
+ conditions:
+ channel: 'Microsoft-Windows-DNS Client Events/Operational'
+ windows-appmodel-runtime:
+ product: windows
+ service: appmodel-runtime
+ conditions:
+ channel: 'Microsoft-Windows-AppModel-Runtime/Admin'
 linux:
 product: linux
 index: posix
diff --git a/tools/config/generic/windows-services.yml b/tools/config/generic/windows-services.yml
index 19f3d92f7..b8c2b13b7 100644
--- a/tools/config/generic/windows-services.yml
+++ b/tools/config/generic/windows-services.yml
@@ -208,3 +208,18 @@ logsources:
 service: lsa-server
 conditions:
 Channel: 'Microsoft-Windows-LSA/Operational'
+ windows-appxpackaging-om:
+ product: windows
+ service: appxpackaging-om
+ conditions:
+ Channel: 'Microsoft-Windows-AppxPackaging/Operational'
+ windows-dns-client:
+ product: windows
+ service: dns-client
+ conditions:
+ Channel: 'Microsoft-Windows-DNS Client Events/Operational'
+ windows-appmodel-runtime:
+ product: windows
+ service: appmodel-runtime
+ conditions:
+ Channel: 'Microsoft-Windows-AppModel-Runtime/Admin'
diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml
index a33ae0ed6..441ac65d7 100644
--- a/tools/config/hawk.yml
+++ b/tools/config/hawk.yml
@@ -1,928 +1,942 @@ title: HAWK order: 20 backends: - - hawk + - hawk logsources: - antivirus: - category: antivirus - conditions: - vendor_type: 'Antivirus' - apache: - service: apache - conditions: - product_name: - - 'apache*' - - 'httpd*' - webserver: - category: webserver - conditions: - vendor_type: 'Webserver' - cisco: - product: cisco - conditions: - vendor_name: 'Cisco' - django: - product: django - conditions: - vendor_name: 'Django' - okta: - service: okta - conditions: - vendor_name: "Okta" - product_name: "Identity and Access Management" - onedrive: - service: onedrive - conditions: - vendor_name: "Microsoft" - product_name: "Onedrive" - onelogin-events: - service: onelogin.events - conditions: - vendor_name: "Microsoft" - product_name: "Onelogin" - microsoft365: - product: m365 - service: threat_management - conditions: - vendor_name: "Microsoft" - product_name: "365" - m365: - product: m365 - service: threat_management - conditions: - vendor_name: "Microsoft" - product_name: "365" - google-workspace: - service: google_workspace.admin - conditions: - vendor_name: "Google" - product_name: "Workspace" - guacamole: - service: guacamole - product_name: "Guacamole" - conditions: - vendor_name: "Guacamole" - google-cloud: - service: gcp.audit - conditions: - vendor_name: "Google" - product_name: "Cloud" - sshd: - service: sshd - conditions: - process_name: "sshd*" - syslog: - service: syslog - conditions: - process_name: "syslog*" - spring: - category: application - product: spring - conditions: - vendor_name: "Spring" - linux-audit: - product: linux - service: auditd - conditions: - vendor_name: "Linux" - product_name: "Audit" - modsecurity: - service: modsecurity - conditions: - process_name: "modsec*" - msexchange-management: - service: msexchange-management - conditions: - product_name: "MSExchange Management" - windows: - product: windows - index: windows - conditions: - vendor_name: "Microsoft" - windows-stream-hash: - product: windows - category: 
create_stream_hash - conditions: - product_name: "Sysmon" - vendor_id: "15" - windows-create-remote-thread: - product: windows - category: create_remote_thread - conditions: - product_name: "Sysmon" - vendor_id: "8" - windows-process-access: - product: windows - category: process_access - conditions: - product_name: "Sysmon" - vendor_id: "10" - windows-process-creation: - product: windows - category: process_creation - conditions: - product_name: "Sysmon" - vendor_id: "1" - windows-bits-client: - product: windows - service: bits-client - conditions: - event_channel: "Microsoft-Windows-Bits-Client/Operational" - windows-vhdmp-operational: - product: windows - service: vhdmp - conditions: - event_channel: 'Microsoft-Windows-VHDMP/Operational' - windows-appxdeployment-server: - product: windows - service: appxdeployment-server - conditions: - event_channel: 'Microsoft-Windows-AppXDeploymentServer/Operational' - windows-lsa-server: - product: windows - service: lsa-server - conditions: - event_channel: 'Microsoft-Windows-LSA/Operational' - windows-network-connection: - product: windows - category: network_connection - conditions: - product_name: "Sysmon" - vendor_id: "3" - windows-sysmon-status: - product: windows - category: sysmon_status - conditions: - product_name: "Sysmon" - vendor_id: - - 4 - - 5 - windows-sysmon-error: - product: windows - category: sysmon_error - conditions: - product_name: "Sysmon" - vendor_id: "255" - windows-raw-access-thread: - product: windows - category: raw_access_thread - conditions: - product_name: "Sysmon" - vendor_id: 9 - windows-file-create: - product: windows - category: file_create - conditions: - product_name: "Sysmon" - vendor_id: "11" - windows-file-event: - product: windows - category: file_event - conditions: - product_name: "Sysmon" - vendor_id: "11" - windows-file-change: - product: windows - category: file_change - conditions: - product_name: "Sysmon" - vendor_id: "2" - windows-pipe-created: - product: windows - category: 
pipe_created - conditions: - product_name: "Sysmon" - vendor_id: - - 17 - - 18 - windows-dns-query: - product: windows - category: dns_query - conditions: - product_name: "Sysmon" - vendor_id: "22" - windows-file-delete: - product: windows - category: file_delete - conditions: - product_name: "Sysmon" - vendor_id: "23" - windows-kernel-file-rename: - product: windows - category: file_rename - conditions: - product_name: "Kernel-File" - windows-kernel-file-access: - product: windows - category: file_access - conditions: - product_name: "Kernel-File" - windows-wmi-sysmon: - product: windows - category: wmi_event - conditions: - product_name: "Sysmon" - vendor_id: - - 19 - - 20 - - 21 - windows-ldap-debug: - product: windows - category: ldap_debug - conditions: - event_channel: "Microsoft-Windows-LDAP-Client/Debug" - windows-driver-load: - product: windows - category: driver_load - conditions: - product_name: "Sysmon" - vendor_id: "6" - windows-image-load: - product: windows - category: image_load - conditions: - product_name: "Sysmon" - vendor_id: "7" - clamav: - service: clamav - conditions: - process_name: "clamav*" - aws-cloudtrail: - service: cloudtrail - conditions: - vendor_name: "AWS CloudTrail" - zeek: - product: zeek - conditions: - vendor_name: "Zeek" - vendor_type: "IDS" - firewall: - category: firewall - conditions: - vendor_type: - - "Firewall" - - "Router" - - "WAP" - zeek-category-dns: - category: dns - rewrite: - product: zeek - service: dns - zeek-category-proxy: - category: proxy - rewrite: - product: zeek - service: http - zeek-conn: - product: zeek - service: conn - conditions: - hawk_source: "conn.log" - zeek-conn_long: - product: zeek - service: conn_long - conditions: - hawk_source: "conn_long.log" - zeek-dce_rpc: - product: zeek - service: dce_rpc - conditions: - hawk_source: "dce_rpc.log" - zeek-dns: - product: zeek - service: dns - conditions: - hawk_source: "dns.log" - zeek-dnp3: - product: zeek - service: dnp3 - conditions: - hawk_source: 
"dnp3.log" - zeek-dpd: - product: zeek - service: dpd - conditions: - hawk_source: "dpd.log" - zeek-files: - product: zeek - service: files - conditions: - hawk_source: "files.log" - zeek-ftp: - product: zeek - service: ftp - conditions: - hawk_source: "ftp.log" - zeek-gquic: - product: zeek - service: gquic - conditions: - hawk_source: "gquic.log" - zeek-http: - product: zeek - service: http - conditions: - hawk_source: "http.log" - zeek-http2: - product: zeek - service: http2 - conditions: - hawk_source: "http2.log" - zeek-intel: - product: zeek - service: intel - conditions: - hawk_source: "intel.log" - zeek-irc: - product: zeek - service: irc - conditions: - hawk_source: "irc.log" - zeek-kerberos: - product: zeek - service: kerberos - conditions: - hawk_source: "kerberos.log" - zeek-known_certs: - product: zeek - service: known_certs - conditions: - hawk_source: "known_certs.log" - zeek-known_hosts: - product: zeek - service: known_hosts - conditions: - hawk_source: "known_hosts.log" - zeek-known_modbus: - product: zeek - service: known_modbus - conditions: - hawk_source: "known_modbus.log" - zeek-known_services: - product: zeek - service: known_services - conditions: - hawk_source: "known_services.log" - zeek-modbus: - product: zeek - service: modbus - conditions: - hawk_source: "modbus.log" - zeek-modbus_register_change: - product: zeek - service: modbus_register_change - conditions: - hawk_source: "modbus_register_change.log" - zeek-mqtt_connect: - product: zeek - service: mqtt_connect - conditions: - hawk_source: "mqtt_connect.log" - zeek-mqtt_publish: - product: zeek - service: mqtt_publish - conditions: - hawk_source: "mqtt_publish.log" - zeek-mqtt_subscribe: - product: zeek - service: mqtt_subscribe - conditions: - hawk_source: "mqtt_subscribe.log" - zeek-mysql: - product: zeek - service: mysql - conditions: - hawk_source: "mysql.log" - zeek-notice: - product: zeek - service: notice - conditions: - hawk_source: "notice.log" - zeek-ntlm: - product: zeek - 
service: ntlm - conditions: - hawk_source: "ntlm.log" - zeek-ntp: - product: zeek - service: ntp - conditions: - hawk_source: "ntp.log" - zeek-ocsp: - product: zeek - service: ntp - conditions: - hawk_source: "ocsp.log" - zeek-pe: - product: zeek - service: pe - conditions: - hawk_source: "pe.log" - zeek-pop3: - product: zeek - service: pop3 - conditions: - hawk_source: "pop3.log" - zeek-radius: - product: zeek - service: radius - conditions: - hawk_source: "radius.log" - zeek-rdp: - product: zeek - service: rdp - conditions: - hawk_source: "rdp.log" - zeek-rfb: - product: zeek - service: rfb - conditions: - hawk_source: "rfb.log" - zeek-sip: - product: zeek - service: sip - conditions: - hawk_source: "sip.log" - zeek-smb_files: - product: zeek - service: smb_files - conditions: - hawk_source: "smb_files.log" - zeek-smb_mapping: - product: zeek - service: smb_mapping - conditions: - hawk_source: "smb_mapping.log" - zeek-smtp: - product: zeek - service: smtp - conditions: - hawk_source: "smtp.log" - zeek-smtp_links: - product: zeek - service: smtp_links - conditions: - hawk_source: "smtp_links.log" - zeek-snmp: - product: zeek - service: snmp - conditions: - hawk_source: "snmp.log" - zeek-socks: - product: zeek - service: socks - conditions: - hawk_source: "socks.log" - zeek-software: - product: zeek - service: software - conditions: - hawk_source: "software.log" - zeek-ssh: - product: zeek - service: ssh - conditions: - hawk_source: "ssh.log" - zeek-ssl: - product: zeek - service: ssl - conditions: - hawk_source: "tls.log" - zeek-tls: # In case people call it TLS even though orig log is called ssl, but dataset is tls so may cause confusion so cover that - product: zeek - service: tls - conditions: - hawk_source: "tls.log" - zeek-syslog: - product: zeek - service: syslog - conditions: - hawk_source: "syslog.log" - zeek-tunnel: - product: zeek - service: tunnel - conditions: - hawk_source: "tunnel.log" - zeek-traceroute: - product: zeek - service: traceroute - 
conditions: - hawk_source: "traceroute.log" - zeek-weird: - product: zeek - service: weird - conditions: - hawk_source: "weird.log" - zeek-x509: - product: zeek - service: x509 - conditions: - hawk_source: "x509.log" - zeek-ip_search: - product: zeek - service: network - conditions: - hawk_source: - - "conn.log" - - "conn_long.log" - - "dce_rpc.log" - - "dhcp.log" - - "dnp3.log" - - "dns.log" - - "ftp.log" - - "gquic.log" - - "http.log" - - "irc.log" - - "kerberos.log" - - "modbus.log" - - "mqtt_connect.log" - - "mqtt_publish.log" - - "mqtt_subscribe.log" - - "mysql.log" - - "ntlm.log" - - "ntp.log" - - "radius.log" - - "rfb.log" - - "sip.log" - - "smb_files.log" - - "smb_mapping.log" - - "smtp.log" - - "smtp_links.log" - - "snmp.log" - - "socks.log" - - "ssh.log" - - "tls.log" #SSL - - "tunnel.log" - - "weird.log" - azure-signin: - product: azure - service: signinlogs - conditions: - vendor_name: "Microsoft" - product_name: "Azure" - product_source: "signInAudits" - azure-auditlogs: - product: azure - service: auditlogs - conditions: - vendor_name: "Microsoft" - product_name: "Azure" - product_source: "directoryAudits" - azure-activitylogs: - product: azure - service: activitylogs - conditions: - vendor_name: "Microsoft" - product_name: "Azure" - azure-activity: - product: azure - service: azureactivity - conditions: - vendor_name: "Microsoft" - product_name: "Azure" - microsoft-servicebus-client: - product: windows - service: microsoft-servicebus-client - conditions: - event_channel: 'Microsoft-ServiceBus-Client' - windows-application: - product: windows - service: application - conditions: - event_channel: 'Application' - windows-security: - product: windows - service: security - conditions: - event_channel: 'Security' - windows-system: - product: windows - service: system - conditions: - event_channel: 'System' - windows-sysmon: - product: windows - service: sysmon - conditions: - product_name: 'Sysmon' - windows-powershell: - product: windows - service: 
powershell - conditions: - product_name: 'PowerShell' - windows-classicpowershell: - product: windows - service: powershell-classic - conditions: - product_name: 'Windows PowerShell' - windows-taskscheduler: - product: windows - service: taskscheduler - conditions: - product_name: 'TaskScheduler' - windows-wmi: - product: windows - service: wmi - conditions: - product_name: 'WMI-Activity' - windows-dns-server: - product: windows - service: dns-server - conditions: - product_name: 'DNS Server' - windows-dns-server-audit: - product: windows - service: dns-server-audit - conditions: - product_name: 'DNS Server' - windows-driver-framework: - product: windows - service: driver-framework - conditions: - product_name: 'DriverFrameworks-UserMode' - windows-ntlm: - product: windows - service: ntlm - conditions: - product_name: 'NTLM' - windows-dhcp: - product: windows - service: dhcp - conditions: - product_name: 'DHCP-Server' - windows-defender: - product: windows - service: windefend - conditions: - product_name: 'Windows Defender' - windows-applocker: - product: windows - service: applocker - conditions: - product_name: - - 'AppLocker' - windows-firewall-advanced-security: - product: windows - service: firewall-as - conditions: - product_name: 'Windows Firewall With Advanced Security' - windows-ps-module: - product: windows - category: ps_module - conditions: - product_name: 'PowerShell' - vendor_id: 4103 - windows-ps-script: - product: windows - category: ps_script - conditions: - product_name: 'PowerShell' - vendor_id: 4104 - windows-ps-classic-start: - product: windows - category: ps_classic_start - conditions: - EventID: 400 - product_name: 'Windows PowerShell' - windows-ps-classic-provider: - product: windows - category: ps_classic_provider_start - conditions: - vendor_id: 600 - product_name: 'Windows PowerShell' - windows-ps-classic-script: - product: windows - category: ps_classic_script - conditions: - vendor_id: 800 - product_name: 'Windows PowerShell' - 
windows-service-bus: - service: Microsoft-ServiceBus-Client - conditions: - product_name: "Microsoft-ServiceBus-Client" - windows-msexchange-management: - product: windows - service: msexchange-management - conditions: - product_name: 'MSExchange Management' - windows-printservice-admin: - product: windows - service: printservice-admin - conditions: - product_name: 'PrintService' - windows-printservice-operational: - product: windows - service: printservice-operational - conditions: - product_name: 'PrintService' - windows-terminalservices-localsessionmanager-operational: - product: windows - service: terminalservices-localsessionmanager - conditions: - product_name: 'TerminalServices-LocalSessionManager' - windows-codeintegrity-operational: - product: windows - service: codeintegrity-operational - conditions: - product_name: 'CodeIntegrity' - windows-smbclient-security: - product: windows - service: smbclient-security - conditions: - product_name: 'SmbClient' - windows-registry: - product: windows - category: registry_event - conditions: - product_name: "Sysmon" - vendor_id: - - 12 - - 13 - - 14 - windows-registry-add: - product: windows - category: registry_add - conditions: - product_name: "Sysmon" - vendor_id: 12 - windows-registry-delete: - product: windows - category: registry_delete - conditions: - product_name: "Sysmon" - vendor_id: 12 - windows-registry-set: - product: windows - category: registry_set - conditions: - product_name: "Sysmon" - vendor_id: 13 - windows-registry-rename: - product: windows - category: registry_rename - conditions: - product_name: "Sysmon" - vendor_id: 14 - windows-file-block-executable: - product: windows - category: file_block - conditions: - product_name: "Sysmon" - vendor_id: 27 - #dns: - # category: dns - # conditions: - qflow: - product: qflow - netflow: - service: netflow - ipfix: - product: ipfix - flow: - product: flow + antivirus: + category: antivirus + conditions: + vendor_type: 'Antivirus' + apache: + service: apache 
+ conditions: + product_name: + - 'apache*' + - 'httpd*' + webserver: + category: webserver + conditions: + vendor_type: 'Webserver' + cisco: + product: cisco + conditions: + vendor_name: 'Cisco' + django: + product: django + conditions: + vendor_name: 'Django' + okta: + service: okta + conditions: + vendor_name: "Okta" + product_name: "Identity and Access Management" + onedrive: + service: onedrive + conditions: + vendor_name: "Microsoft" + product_name: "Onedrive" + onelogin-events: + service: onelogin.events + conditions: + vendor_name: "Microsoft" + product_name: "Onelogin" + microsoft365: + product: m365 + service: threat_management + conditions: + vendor_name: "Microsoft" + product_name: "365" + m365: + product: m365 + service: threat_management + conditions: + vendor_name: "Microsoft" + product_name: "365" + google-workspace: + service: google_workspace.admin + conditions: + vendor_name: "Google" + product_name: "Workspace" + guacamole: + service: guacamole + product_name: "Guacamole" + conditions: + vendor_name: "Guacamole" + google-cloud: + service: gcp.audit + conditions: + vendor_name: "Google" + product_name: "Cloud" + sshd: + service: sshd + conditions: + process_name: "sshd*" + syslog: + service: syslog + conditions: + process_name: "syslog*" + spring: + category: application + product: spring + conditions: + vendor_name: "Spring" + linux-audit: + product: linux + service: auditd + conditions: + vendor_name: "Linux" + product_name: "Audit" + modsecurity: + service: modsecurity + conditions: + process_name: "modsec*" + msexchange-management: + service: msexchange-management + conditions: + product_name: "MSExchange Management" + windows: + product: windows + index: windows + conditions: + vendor_name: "Microsoft" + windows-stream-hash: + product: windows + category: create_stream_hash + conditions: + product_name: "Sysmon" + vendor_id: "15" + windows-create-remote-thread: + product: windows + category: create_remote_thread + conditions: + product_name: 
"Sysmon" + vendor_id: "8" + windows-process-access: + product: windows + category: process_access + conditions: + product_name: "Sysmon" + vendor_id: "10" + windows-process-creation: + product: windows + category: process_creation + conditions: + product_name: "Sysmon" + vendor_id: "1" + windows-bits-client: + product: windows + service: bits-client + conditions: + event_channel: "Microsoft-Windows-Bits-Client/Operational" + windows-vhdmp-operational: + product: windows + service: vhdmp + conditions: + event_channel: 'Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + event_channel: 'Microsoft-Windows-AppXDeploymentServer/Operational' + windows-lsa-server: + product: windows + service: lsa-server + conditions: + event_channel: 'Microsoft-Windows-LSA/Operational' + windows-appxpackaging-om: + product: windows + service: appxpackaging-om + conditions: + event_channel: 'Microsoft-Windows-AppxPackaging/Operational' + windows-dns-client: + product: windows + service: dns-client + conditions: + event_channel: 'Microsoft-Windows-DNS Client Events/Operational' + windows-appmodel-runtime: + product: windows + service: appmodel-runtime + conditions: + event_channel: 'Microsoft-Windows-AppModel-Runtime/Admin' + windows-network-connection: + product: windows + category: network_connection + conditions: + product_name: "Sysmon" + vendor_id: "3" + windows-sysmon-status: + product: windows + category: sysmon_status + conditions: + product_name: "Sysmon" + vendor_id: + - 4 + - 5 + windows-sysmon-error: + product: windows + category: sysmon_error + conditions: + product_name: "Sysmon" + vendor_id: "255" + windows-raw-access-thread: + product: windows + category: raw_access_thread + conditions: + product_name: "Sysmon" + vendor_id: 9 + windows-file-create: + product: windows + category: file_create + conditions: + product_name: "Sysmon" + vendor_id: "11" + windows-file-event: + product: windows + 
category: file_event + conditions: + product_name: "Sysmon" + vendor_id: "11" + windows-file-change: + product: windows + category: file_change + conditions: + product_name: "Sysmon" + vendor_id: "2" + windows-pipe-created: + product: windows + category: pipe_created + conditions: + product_name: "Sysmon" + vendor_id: + - 17 + - 18 + windows-dns-query: + product: windows + category: dns_query + conditions: + product_name: "Sysmon" + vendor_id: "22" + windows-file-delete: + product: windows + category: file_delete + conditions: + product_name: "Sysmon" + vendor_id: "23" + windows-kernel-file-rename: + product: windows + category: file_rename + conditions: + product_name: "Kernel-File" + windows-kernel-file-access: + product: windows + category: file_access + conditions: + product_name: "Kernel-File" + windows-wmi-sysmon: + product: windows + category: wmi_event + conditions: + product_name: "Sysmon" + vendor_id: + - 19 + - 20 + - 21 + windows-ldap-debug: + product: windows + category: ldap_debug + conditions: + event_channel: "Microsoft-Windows-LDAP-Client/Debug" + windows-driver-load: + product: windows + category: driver_load + conditions: + product_name: "Sysmon" + vendor_id: "6" + windows-image-load: + product: windows + category: image_load + conditions: + product_name: "Sysmon" + vendor_id: "7" + clamav: + service: clamav + conditions: + process_name: "clamav*" + aws-cloudtrail: + service: cloudtrail + conditions: + vendor_name: "AWS CloudTrail" + zeek: + product: zeek + conditions: + vendor_name: "Zeek" + vendor_type: "IDS" + firewall: + category: firewall + conditions: + vendor_type: + - "Firewall" + - "Router" + - "WAP" + zeek-category-dns: + category: dns + rewrite: + product: zeek + service: dns + zeek-category-proxy: + category: proxy + rewrite: + product: zeek + service: http + zeek-conn: + product: zeek + service: conn + conditions: + hawk_source: "conn.log" + zeek-conn_long: + product: zeek + service: conn_long + conditions: + hawk_source: 
"conn_long.log" + zeek-dce_rpc: + product: zeek + service: dce_rpc + conditions: + hawk_source: "dce_rpc.log" + zeek-dns: + product: zeek + service: dns + conditions: + hawk_source: "dns.log" + zeek-dnp3: + product: zeek + service: dnp3 + conditions: + hawk_source: "dnp3.log" + zeek-dpd: + product: zeek + service: dpd + conditions: + hawk_source: "dpd.log" + zeek-files: + product: zeek + service: files + conditions: + hawk_source: "files.log" + zeek-ftp: + product: zeek + service: ftp + conditions: + hawk_source: "ftp.log" + zeek-gquic: + product: zeek + service: gquic + conditions: + hawk_source: "gquic.log" + zeek-http: + product: zeek + service: http + conditions: + hawk_source: "http.log" + zeek-http2: + product: zeek + service: http2 + conditions: + hawk_source: "http2.log" + zeek-intel: + product: zeek + service: intel + conditions: + hawk_source: "intel.log" + zeek-irc: + product: zeek + service: irc + conditions: + hawk_source: "irc.log" + zeek-kerberos: + product: zeek + service: kerberos + conditions: + hawk_source: "kerberos.log" + zeek-known_certs: + product: zeek + service: known_certs + conditions: + hawk_source: "known_certs.log" + zeek-known_hosts: + product: zeek + service: known_hosts + conditions: + hawk_source: "known_hosts.log" + zeek-known_modbus: + product: zeek + service: known_modbus + conditions: + hawk_source: "known_modbus.log" + zeek-known_services: + product: zeek + service: known_services + conditions: + hawk_source: "known_services.log" + zeek-modbus: + product: zeek + service: modbus + conditions: + hawk_source: "modbus.log" + zeek-modbus_register_change: + product: zeek + service: modbus_register_change + conditions: + hawk_source: "modbus_register_change.log" + zeek-mqtt_connect: + product: zeek + service: mqtt_connect + conditions: + hawk_source: "mqtt_connect.log" + zeek-mqtt_publish: + product: zeek + service: mqtt_publish + conditions: + hawk_source: "mqtt_publish.log" + zeek-mqtt_subscribe: + product: zeek + service: 
mqtt_subscribe + conditions: + hawk_source: "mqtt_subscribe.log" + zeek-mysql: + product: zeek + service: mysql + conditions: + hawk_source: "mysql.log" + zeek-notice: + product: zeek + service: notice + conditions: + hawk_source: "notice.log" + zeek-ntlm: + product: zeek + service: ntlm + conditions: + hawk_source: "ntlm.log" + zeek-ntp: + product: zeek + service: ntp + conditions: + hawk_source: "ntp.log" + zeek-ocsp: + product: zeek + service: ntp + conditions: + hawk_source: "ocsp.log" + zeek-pe: + product: zeek + service: pe + conditions: + hawk_source: "pe.log" + zeek-pop3: + product: zeek + service: pop3 + conditions: + hawk_source: "pop3.log" + zeek-radius: + product: zeek + service: radius + conditions: + hawk_source: "radius.log" + zeek-rdp: + product: zeek + service: rdp + conditions: + hawk_source: "rdp.log" + zeek-rfb: + product: zeek + service: rfb + conditions: + hawk_source: "rfb.log" + zeek-sip: + product: zeek + service: sip + conditions: + hawk_source: "sip.log" + zeek-smb_files: + product: zeek + service: smb_files + conditions: + hawk_source: "smb_files.log" + zeek-smb_mapping: + product: zeek + service: smb_mapping + conditions: + hawk_source: "smb_mapping.log" + zeek-smtp: + product: zeek + service: smtp + conditions: + hawk_source: "smtp.log" + zeek-smtp_links: + product: zeek + service: smtp_links + conditions: + hawk_source: "smtp_links.log" + zeek-snmp: + product: zeek + service: snmp + conditions: + hawk_source: "snmp.log" + zeek-socks: + product: zeek + service: socks + conditions: + hawk_source: "socks.log" + zeek-software: + product: zeek + service: software + conditions: + hawk_source: "software.log" + zeek-ssh: + product: zeek + service: ssh + conditions: + hawk_source: "ssh.log" + zeek-ssl: + product: zeek + service: ssl + conditions: + hawk_source: "tls.log" + zeek-tls: # In case people call it TLS even though orig log is called ssl, but dataset is tls so may cause confusion so cover that + product: zeek + service: tls + 
conditions: + hawk_source: "tls.log" + zeek-syslog: + product: zeek + service: syslog + conditions: + hawk_source: "syslog.log" + zeek-tunnel: + product: zeek + service: tunnel + conditions: + hawk_source: "tunnel.log" + zeek-traceroute: + product: zeek + service: traceroute + conditions: + hawk_source: "traceroute.log" + zeek-weird: + product: zeek + service: weird + conditions: + hawk_source: "weird.log" + zeek-x509: + product: zeek + service: x509 + conditions: + hawk_source: "x509.log" + zeek-ip_search: + product: zeek + service: network + conditions: + hawk_source: + - "conn.log" + - "conn_long.log" + - "dce_rpc.log" + - "dhcp.log" + - "dnp3.log" + - "dns.log" + - "ftp.log" + - "gquic.log" + - "http.log" + - "irc.log" + - "kerberos.log" + - "modbus.log" + - "mqtt_connect.log" + - "mqtt_publish.log" + - "mqtt_subscribe.log" + - "mysql.log" + - "ntlm.log" + - "ntp.log" + - "radius.log" + - "rfb.log" + - "sip.log" + - "smb_files.log" + - "smb_mapping.log" + - "smtp.log" + - "smtp_links.log" + - "snmp.log" + - "socks.log" + - "ssh.log" + - "tls.log" #SSL + - "tunnel.log" + - "weird.log" + azure-signin: + product: azure + service: signinlogs + conditions: + vendor_name: "Microsoft" + product_name: "Azure" + product_source: "signInAudits" + azure-auditlogs: + product: azure + service: auditlogs + conditions: + vendor_name: "Microsoft" + product_name: "Azure" + product_source: "directoryAudits" + azure-activitylogs: + product: azure + service: activitylogs + conditions: + vendor_name: "Microsoft" + product_name: "Azure" + azure-activity: + product: azure + service: azureactivity + conditions: + vendor_name: "Microsoft" + product_name: "Azure" + microsoft-servicebus-client: + product: windows + service: microsoft-servicebus-client + conditions: + event_channel: 'Microsoft-ServiceBus-Client' + windows-application: + product: windows + service: application + conditions: + event_channel: 'Application' + windows-security: + product: windows + service: security + 
conditions: + event_channel: 'Security' + windows-system: + product: windows + service: system + conditions: + event_channel: 'System' + windows-sysmon: + product: windows + service: sysmon + conditions: + product_name: 'Sysmon' + windows-powershell: + product: windows + service: powershell + conditions: + product_name: 'PowerShell' + windows-classicpowershell: + product: windows + service: powershell-classic + conditions: + product_name: 'Windows PowerShell' + windows-taskscheduler: + product: windows + service: taskscheduler + conditions: + product_name: 'TaskScheduler' + windows-wmi: + product: windows + service: wmi + conditions: + product_name: 'WMI-Activity' + windows-dns-server: + product: windows + service: dns-server + conditions: + product_name: 'DNS Server' + windows-dns-server-audit: + product: windows + service: dns-server-audit + conditions: + product_name: 'DNS Server' + windows-driver-framework: + product: windows + service: driver-framework + conditions: + product_name: 'DriverFrameworks-UserMode' + windows-ntlm: + product: windows + service: ntlm + conditions: + product_name: 'NTLM' + windows-dhcp: + product: windows + service: dhcp + conditions: + product_name: 'DHCP-Server' + windows-defender: + product: windows + service: windefend + conditions: + product_name: 'Windows Defender' + windows-applocker: + product: windows + service: applocker + conditions: + product_name: 'AppLocker' + windows-firewall-advanced-security: + product: windows + service: firewall-as + conditions: + product_name: 'Windows Firewall With Advanced Security' + windows-ps-module: + product: windows + category: ps_module + conditions: + product_name: 'PowerShell' + vendor_id: 4103 + windows-ps-script: + product: windows + category: ps_script + conditions: + product_name: 'PowerShell' + vendor_id: 4104 + windows-ps-classic-start: + product: windows + category: ps_classic_start + conditions: + EventID: 400 + product_name: 'Windows PowerShell' + windows-ps-classic-provider: + 
product: windows + category: ps_classic_provider_start + conditions: + vendor_id: 600 + product_name: 'Windows PowerShell' + windows-ps-classic-script: + product: windows + category: ps_classic_script + conditions: + vendor_id: 800 + product_name: 'Windows PowerShell' + windows-service-bus: + service: Microsoft-ServiceBus-Client + conditions: + product_name: "Microsoft-ServiceBus-Client" + windows-msexchange-management: + product: windows + service: msexchange-management + conditions: + product_name: 'MSExchange Management' + windows-printservice-admin: + product: windows + service: printservice-admin + conditions: + product_name: 'PrintService' + windows-printservice-operational: + product: windows + service: printservice-operational + conditions: + product_name: 'PrintService' + windows-terminalservices-localsessionmanager-operational: + product: windows + service: terminalservices-localsessionmanager + conditions: + product_name: 'TerminalServices-LocalSessionManager' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + product_name: 'CodeIntegrity' + windows-smbclient-security: + product: windows + service: smbclient-security + conditions: + product_name: 'SmbClient' + windows-registry: + product: windows + category: registry_event + conditions: + product_name: "Sysmon" + vendor_id: + - 12 + - 13 + - 14 + windows-registry-add: + product: windows + category: registry_add + conditions: + product_name: "Sysmon" + vendor_id: 12 + windows-registry-delete: + product: windows + category: registry_delete + conditions: + product_name: "Sysmon" + vendor_id: 12 + windows-registry-set: + product: windows + category: registry_set + conditions: + product_name: "Sysmon" + vendor_id: 13 + windows-registry-rename: + product: windows + category: registry_rename + conditions: + product_name: "Sysmon" + vendor_id: 14 + windows-file-block-executable: + product: windows + category: file_block + conditions: + product_name: 
"Sysmon" + vendor_id: 27 + #dns: + # category: dns + # conditions: + qflow: + product: qflow + netflow: + service: netflow + ipfix: + product: ipfix + flow: + product: flow fieldmappings: - dst: - - ip_dst_host - dst_ip: - - ip_dst - src: - - ip_src_host - src_ip: - - ip_src - IPAddress: ip_src - DNSAddress: dns_address - DCIPAddress: ip_src - category: vendor_category - error: error_code - key: event_key - payload: event_payload - weight: event_weight - account type: account_type - PrivilegeList: process_privileges - pid_user: event_username - sid: correlation_session_id - UserSid: correlation_session_id - TargetSid: target_session_id - TargetUserName: target_username - SamAccountName: target_username - AccountName: target_username - TargetDomainName: target_domain - DnsServerIpAddress: dns_address - QueryName: dns_query - AuthenticationPackageName: package_name - HostProcess: image - Application: image - ProcessName: image - TargetImage: target_image - ParentImage: parent_image - CallerProcessName: parent_image - ParentProcessName: parent_image - CommandLine: command - ProcessCommandLine: command - ParentCommandLine: parent_command - Imphash: file_hash_imphash - sha256: file_hash_sha256 - md5: file_hash_md5 - sha1: file_hash_sha1 - SubjectUserSid: correlation_session_id - SubjectSid: correlation_session_id - SubjectUserName: correlation_username - SubjectDomainName: correlation_domain - SubjectLogonId: correlation_logon_id - pid: event_pid - ProccessId: pid - NewProcessName: image - ServiceName: service_name - Service: service_name - ServiceFileName: filename - EventID: vendor_id - SourceImage: parent_image - ImageLoaded: image_loaded - Description: image_description - ScriptBlockText: value - Product: image_product - Company: image_company - CurrentDirectory: path - ShareName: path - RelativeTargetName: filename - TargetName: value - Initiated: value - Accesses: access_mask - LDAPDisplayName: distinguished_name - AttributeLDAPDisplayName: distinguished_name - 
AttributeValue: value - ParentProcessId: parent_pid - SourceProcessId: source_pid - TargetProcessId: target_pid - Signed: signature - Status: value - TargetFilename: filename - FileName: filename - TargetObject: object_target - ObjectClass: object_type - ObjectValueName: object_name - ObjectName: object_name - DeviceClassName: object_name - CallTrace: calltrace - IpAddress: ip_src - WorkstationName: ip_src_host - Workstation: ip_src_host - DestinationIp: ip_dst - DestinationHostname: ip_dst_host - DestinationPort: ip_dport - DestAddress: ip_dst - DestPort: ip_dport - SourceAddress: ip_src - SourcePort: ip_sport - GrantedAccess: access_mask - StartModule: target_process_name - TargetProcessAddress: process_address - TicketOptions: sys.ticket.options - TicketEncryptionType: sys.ticket.encryption.type - DetectionSource: value - Priority: event_priority - event_type_id: vendor_id - destination.port: ip_dport - user: correlation_username - User: correlation_username - # Provider_Name: channel - c-referer: http_referer - cs-referer: http_referer - cs-host: http_host - cs-method: http_method - c-uri: http_path - c-uri-stem: http_path - cs-uri: http_path - cs-uri-stem: http_path - c-agent: http_user_agent - cs-agent: http_user_agent - c-useragent: http_user_agent - cs-useragent: http_user_agent - cs-user-agent: http_user_agent - c-ip: ip_src - cs-ip: ip_src - s-ip: ip_dst - sc-ip: ip_dst - c-username: correlation_username - cs-username: correlation_username - s-computername: ip_dst_host - cs-uri-query: http_query - c-uri-query: http_query - sc-status: http_status_code - sc-bytes: http_content_length - user-agent: http_user_agent - cs-User-Agent: http_user_agent - r-dns: http_host - id.orig_h: ip_src - id.orig_p: ip_sport - id.resp_h: ip_dst - id.resp_p: ip_dport - host: ip_src - hostname: ip_src_host - port_num: ip_dport - dst_port: ip_dport - query: dns_query - orig_ip_bytes: net_if_out_bytes - resp_ip_bytes: net_if_in_bytes - QNAME: qname - Channel: event_channel + dst: 
+ - ip_dst_host + dst_ip: + - ip_dst + src: + - ip_src_host + src_ip: + - ip_src + IPAddress: ip_src + DNSAddress: dns_address + DCIPAddress: ip_src + category: vendor_category + error: error_code + key: event_key + payload: event_payload + weight: event_weight + account type: account_type + PrivilegeList: process_privileges + pid_user: event_username + sid: correlation_session_id + UserSid: correlation_session_id + TargetSid: target_session_id + TargetUserName: target_username + SamAccountName: target_username + AccountName: target_username + TargetDomainName: target_domain + DnsServerIpAddress: dns_address + QueryName: dns_query + AuthenticationPackageName: package_name + HostProcess: image + Application: image + ProcessName: image + TargetImage: target_image + ParentImage: parent_image + CallerProcessName: parent_image + ParentProcessName: parent_image + CommandLine: command + ProcessCommandLine: command + ParentCommandLine: parent_command + Imphash: file_hash_imphash + sha256: file_hash_sha256 + md5: file_hash_md5 + sha1: file_hash_sha1 + SubjectUserSid: correlation_session_id + SubjectSid: correlation_session_id + SubjectUserName: correlation_username + SubjectDomainName: correlation_domain + SubjectLogonId: correlation_logon_id + pid: event_pid + ProccessId: pid + NewProcessName: image + ServiceName: service_name + Service: service_name + ServiceFileName: filename + EventID: vendor_id + SourceImage: parent_image + ImageLoaded: image_loaded + Description: image_description + ScriptBlockText: value + Product: image_product + Company: image_company + CurrentDirectory: path + ShareName: path + RelativeTargetName: filename + TargetName: value + Initiated: value + Accesses: access_mask + LDAPDisplayName: distinguished_name + AttributeLDAPDisplayName: distinguished_name + AttributeValue: value + ParentProcessId: parent_pid + SourceProcessId: source_pid + TargetProcessId: target_pid + Signed: signature + Status: value + TargetFilename: filename + FileName: filename + 
TargetObject: object_target + ObjectClass: object_type + ObjectValueName: object_name + ObjectName: object_name + DeviceClassName: object_name + CallTrace: calltrace + IpAddress: ip_src + WorkstationName: ip_src_host + Workstation: ip_src_host + DestinationIp: ip_dst + DestinationHostname: ip_dst_host + DestinationPort: ip_dport + DestAddress: ip_dst + DestPort: ip_dport + SourceAddress: ip_src + SourcePort: ip_sport + GrantedAccess: access_mask + StartModule: target_process_name + TargetProcessAddress: process_address + TicketOptions: sys.ticket.options + TicketEncryptionType: sys.ticket.encryption.type + DetectionSource: value + Priority: event_priority + event_type_id: vendor_id + destination.port: ip_dport + user: correlation_username + User: correlation_username + # Provider_Name: channel + c-referer: http_referer + cs-referer: http_referer + cs-host: http_host + cs-method: http_method + c-uri: http_path + c-uri-stem: http_path + cs-uri: http_path + cs-uri-stem: http_path + c-agent: http_user_agent + cs-agent: http_user_agent + c-useragent: http_user_agent + cs-useragent: http_user_agent + cs-user-agent: http_user_agent + c-ip: ip_src + cs-ip: ip_src + s-ip: ip_dst + sc-ip: ip_dst + c-username: correlation_username + cs-username: correlation_username + s-computername: ip_dst_host + cs-uri-query: http_query + c-uri-query: http_query + sc-status: http_status_code + sc-bytes: http_content_length + user-agent: http_user_agent + cs-User-Agent: http_user_agent + r-dns: http_host + id.orig_h: ip_src + id.orig_p: ip_sport + id.resp_h: ip_dst + id.resp_p: ip_dport + host: ip_src + hostname: ip_src_host + port_num: ip_dport + dst_port: ip_dport + query: dns_query + orig_ip_bytes: net_if_out_bytes + resp_ip_bytes: net_if_in_bytes + QNAME: qname + Channel: event_channel diff --git a/tools/config/logpoint-windows.yml b/tools/config/logpoint-windows.yml index c595abfd9..f66b38872 100644 --- a/tools/config/logpoint-windows.yml +++ b/tools/config/logpoint-windows.yml 
@@ -1,134 +1,149 @@ title: Logpoint order: 20 backends: - - logpoint + - logpoint logsources: - windows-security: - product: windows - service: security - conditions: - event_source: 'Microsoft-Windows-Security-Auditing' - windows-system: - product: windows - service: system - conditions: - event_source: 'Microsoft-Windows-Security-Auditing' - windows-dns-server: - product: windows - service: dns-server - conditions: - event_source: 'DNS Server' - windows-driver-framework: - product: windows - service: driver-framework - conditions: - event_source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' - windows-dhcp: - product: windows - service: dhcp - conditions: - event_source: 'Microsoft-Windows-DHCP-Server/Operational' - windows-ntlm: - product: windows - service: ntlm - conditions: - event_source: 'Microsoft-Windows-NTLM/Operational' - windows-applocker: - product: windows - service: applocker - conditions: - event_source: - - 'Microsoft-Windows-AppLocker/MSI and Script' - - 'Microsoft-Windows-AppLocker/EXE and DLL' - - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' - - 'Microsoft-Windows-AppLocker/Packaged app-Execution' - windows-msexchange-management: - product: windows - service: msexchange-management - conditions: - event_source: 'MSExchange Management' - windows-printservice-admin: - product: windows - service: printservice-admin - conditions: - event_source: 'Microsoft-Windows-PrintService/Admin' - windows-printservice-operational: - product: windows - service: printservice-operational - conditions: - event_source: 'Microsoft-Windows-PrintService/Operational' - windows-terminalservices-localsessionmanager-operational: - product: windows - service: terminalservices-localsessionmanager - conditions: - event_source: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' - windows-codeintegrity-operational: - product: windows - service: codeintegrity-operational - conditions: - event_source: 
'Microsoft-Windows-CodeIntegrity/Operational' - windows-smbclient-security: - product: windows - service: smbclient-security - conditions: - event_source: 'Microsoft-Windows-SmbClient/Security' - windows-firewall-advanced-security: - product: windows - service: firewall-as - conditions: - event_source: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' - windows-bits-client: - product: windows - service: bits-client - conditions: - event_source: 'Microsoft-Windows-Bits-Client/Operational' - windows-security-mitigations: - product: windows - service: security-mitigations - conditions: - event_source: - - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' - - 'Microsoft-Windows-Security-Mitigations/User Mode' - windows-diagnosis: - product: windows - service: diagnosis-scripted - conditions: - event_source: 'Microsoft-Windows-Diagnosis-Scripted/Operational' - windows-shell-core: - product: windows - service: shell-core - conditions: - event_source: 'Microsoft-Windows-Shell-Core/Operational' - windows-openssh: - product: windows - service: openssh - conditions: - event_source: 'OpenSSH/Operational' - windows-ldap-debug: - product: windows - service: ldap_debug - conditions: - event_source: 'Microsoft-Windows-LDAP-Client/Debug' - windows-bitlocker: - product: windows - service: bitlocker - conditions: - event_source: 'Microsoft-Windows-BitLocker/BitLocker Management' - windows-vhdmp-operational: - product: windows - service: vhdmp - conditions: - event_source: 'Microsoft-Windows-VHDMP/Operational' - windows-appxdeployment-server: - product: windows - service: appxdeployment-server - conditions: - event_source: 'Microsoft-Windows-AppXDeploymentServer/Operational' - windows-lsa-server: - product: windows - service: lsa-server - conditions: - event_source: 'Microsoft-Windows-LSA/Operational' + windows-security: + product: windows + service: security + conditions: + event_source: 'Microsoft-Windows-Security-Auditing' + windows-system: + product: windows 
+ service: system + conditions: + event_source: 'Microsoft-Windows-Security-Auditing' + windows-dns-server: + product: windows + service: dns-server + conditions: + event_source: 'DNS Server' + windows-driver-framework: + product: windows + service: driver-framework + conditions: + event_source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' + windows-dhcp: + product: windows + service: dhcp + conditions: + event_source: 'Microsoft-Windows-DHCP-Server/Operational' + windows-ntlm: + product: windows + service: ntlm + conditions: + event_source: 'Microsoft-Windows-NTLM/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + event_source: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' + windows-msexchange-management: + product: windows + service: msexchange-management + conditions: + event_source: 'MSExchange Management' + windows-printservice-admin: + product: windows + service: printservice-admin + conditions: + event_source: 'Microsoft-Windows-PrintService/Admin' + windows-printservice-operational: + product: windows + service: printservice-operational + conditions: + event_source: 'Microsoft-Windows-PrintService/Operational' + windows-terminalservices-localsessionmanager-operational: + product: windows + service: terminalservices-localsessionmanager + conditions: + event_source: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + event_source: 'Microsoft-Windows-CodeIntegrity/Operational' + windows-smbclient-security: + product: windows + service: smbclient-security + conditions: + event_source: 'Microsoft-Windows-SmbClient/Security' + windows-firewall-advanced-security: + product: windows + service: firewall-as + conditions: + 
event_source: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' + windows-bits-client: + product: windows + service: bits-client + conditions: + event_source: 'Microsoft-Windows-Bits-Client/Operational' + windows-security-mitigations: + product: windows + service: security-mitigations + conditions: + event_source: + - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' + - 'Microsoft-Windows-Security-Mitigations/User Mode' + windows-diagnosis: + product: windows + service: diagnosis-scripted + conditions: + event_source: 'Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + conditions: + event_source: 'Microsoft-Windows-Shell-Core/Operational' + windows-openssh: + product: windows + service: openssh + conditions: + event_source: 'OpenSSH/Operational' + windows-ldap-debug: + product: windows + service: ldap_debug + conditions: + event_source: 'Microsoft-Windows-LDAP-Client/Debug' + windows-bitlocker: + product: windows + service: bitlocker + conditions: + event_source: 'Microsoft-Windows-BitLocker/BitLocker Management' + windows-vhdmp-operational: + product: windows + service: vhdmp + conditions: + event_source: 'Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + event_source: 'Microsoft-Windows-AppXDeploymentServer/Operational' + windows-lsa-server: + product: windows + service: lsa-server + conditions: + event_source: 'Microsoft-Windows-LSA/Operational' + windows-appxpackaging-om: + product: windows + service: appxpackaging-om + conditions: + event_source: 'Microsoft-Windows-AppxPackaging/Operational' + windows-dns-client: + product: windows + service: dns-client + conditions: + event_source: 'Microsoft-Windows-DNS Client Events/Operational' + windows-appmodel-runtime: + product: windows + service: appmodel-runtime + conditions: + event_source: 'Microsoft-Windows-AppModel-Runtime/Admin' 
fieldmappings: EventID: event_id FailureCode: result_code diff --git a/tools/config/logstash-windows.yml b/tools/config/logstash-windows.yml index cdf8d65f1..db51c787e 100644 --- a/tools/config/logstash-windows.yml +++ b/tools/config/logstash-windows.yml 
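Review bot: The `windows-system` logsource in this hunk is conditioned on `event_source: 'Microsoft-Windows-Security-Auditing'`, the same value as `windows-security` directly above it, so any rule with `service: system` converts into a query scoped to Security-Auditing events and can never match System-log events; this is a silent detection gap rather than a conversion error, and the reindentation carries it over unchanged. The System channel is written by many providers (Service Control Manager and others), so a single provider name is unlikely to be the right condition; if Logpoint's normalization exposes a channel field, condition on that the way the hawk config in this same commit does with `event_channel: 'System'`, otherwise list the providers the System-log rules actually target. At minimum the line `event_source: 'Microsoft-Windows-Security-Auditing'` under `windows-system:` should not stay as-is, and a short comment noting which Logpoint field distinguishes the Security and System channels would help the next maintainer. The hunk's trailing `fieldmappings:` block continues outside this hunk.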
@@ -1,153 +1,168 @@
title: Logstash Windows common log sources
order: 20
backends:
- - es-qs
- - es-dsl
- - es-rule
- - kibana
- - kibana-ndjson
- - xpack-watcher
- - elastalert
- - elastalert-dsl
- - ee-outliers
+ - es-qs
+ - es-dsl
+ - es-rule
+ - kibana
+ - kibana-ndjson
+ - xpack-watcher
+ - elastalert
+ - elastalert-dsl
+ - ee-outliers
logsources:
- windows:
- product: windows
- index: logstash-windows-*
- windows-application:
- product: windows
- service: application
- conditions:
- Channel: Application
- windows-security:
- product: windows
- service: security
- conditions:
- Channel: Security
- windows-sysmon:
- product: windows
- service: sysmon
- conditions:
- Channel: Microsoft-Windows-Sysmon
- windows-dns-server:
- product: windows
- service: dns-server
- conditions:
- Channel: 'DNS Server'
- windows-driver-framework:
- product: windows
- service: driver-framework
- conditions:
- Channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
- windows-dhcp:
- product: windows
- service: dhcp
- conditions:
- Channel: 'Microsoft-Windows-DHCP-Server/Operational'
- windows-defender:
- product: windows
- service: windefend
- conditions:
- Channel: 'Microsoft-Windows-Windows Defender/Operational'
- windows-ntlm:
- product: windows
- service: ntlm
- conditions:
- Channel: 'Microsoft-Windows-NTLM/Operational'
- windows-applocker:
- product: windows
- service: applocker
- conditions:
- Channel:
- - 'Microsoft-Windows-AppLocker/MSI and Script'
- - 'Microsoft-Windows-AppLocker/EXE and DLL'
- - 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- - 'Microsoft-Windows-AppLocker/Packaged app-Execution'
- windows-msexchange-management:
- product: windows
- service: msexchange-management
- conditions:
- Channel: 'MSExchange Management'
- windows-printservice-admin:
- product: windows
- service: printservice-admin
- conditions:
- Channel: 'Microsoft-Windows-PrintService/Admin'
- windows-printservice-operational:
- product: windows
- service: printservice-operational
- conditions:
- Channel: 'Microsoft-Windows-PrintService/Operational'
- windows-terminalservices-localsessionmanager-operational:
- product: windows
- service: terminalservices-localsessionmanager
- conditions:
- Channel: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
- windows-codeintegrity-operational:
- product: windows
- service: codeintegrity-operational
- conditions:
- Channel: 'Microsoft-Windows-CodeIntegrity/Operational'
- windows-smbclient-security:
- product: windows
- service: smbclient-security
- conditions:
- Channel: 'Microsoft-Windows-SmbClient/Security'
- windows-firewall-advanced-security:
- product: windows
- service: firewall-as
- conditions:
- Channel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
- windows-bits-client:
- product: windows
- service: bits-client
- conditions:
- Channel: 'Microsoft-Windows-Bits-Client/Operational'
- windows-security-mitigations:
- product: windows
- service: security-mitigations
- conditions:
- Channel:
- - 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- - 'Microsoft-Windows-Security-Mitigations/User Mode'
- windows-diagnosis:
- product: windows
- service: diagnosis-scripted
- conditions:
- Channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
- windows-shell-core:
- product: windows
- service: shell-core
- conditions:
- Channel: 'Microsoft-Windows-Shell-Core/Operational'
- windows-openssh:
- product: windows
- service: openssh
- conditions:
- Channel: 'OpenSSH/Operational'
- windows-ldap-debug:
- product: windows
- service: ldap_debug
- conditions:
- Channel: 'Microsoft-Windows-LDAP-Client/Debug'
- windows-bitlocker:
- product: windows
- service: bitlocker
- conditions:
- Channel: 'Microsoft-Windows-BitLocker/BitLocker Management'
- windows-vhdmp-operational:
- product: windows
- service: vhdmp
- conditions:
- Channel: 'Microsoft-Windows-VHDMP/Operational'
- windows-appxdeployment-server:
- product: windows
- service: appxdeployment-server
- conditions:
- Channel: 'Microsoft-Windows-AppXDeploymentServer/Operational'
- windows-lsa-server:
- product: windows
- service: lsa-server
- conditions:
- Channel: 'Microsoft-Windows-LSA/Operational'
+ windows:
+ product: windows
+ index: logstash-windows-*
+ windows-application:
+ product: windows
+ service: application
+ conditions:
+ Channel: Application
+ windows-security:
+ product: windows
+ service: security
+ conditions:
+ Channel: Security
+ windows-sysmon:
+ product: windows
+ service: sysmon
+ conditions:
+ Channel: Microsoft-Windows-Sysmon
+ windows-dns-server:
+ product: windows
+ service: dns-server
+ conditions:
+ Channel: 'DNS Server'
+ windows-driver-framework:
+ product: windows
+ service: driver-framework
+ conditions:
+ Channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+ windows-dhcp:
+ product: windows
+ service: dhcp
+ conditions:
+ Channel: 'Microsoft-Windows-DHCP-Server/Operational'
+ windows-defender:
+ product: windows
+ service: windefend
+ conditions:
+ Channel: 'Microsoft-Windows-Windows Defender/Operational'
+ windows-ntlm:
+ product: windows
+ service: ntlm
+ conditions:
+ Channel: 'Microsoft-Windows-NTLM/Operational'
+ windows-applocker:
+ product: windows
+ service: applocker
+ conditions:
+ Channel:
+ - 'Microsoft-Windows-AppLocker/MSI and Script'
+ - 'Microsoft-Windows-AppLocker/EXE and DLL'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Execution'
+ windows-msexchange-management:
+ product: windows
+ service: msexchange-management
+ conditions:
+ Channel: 'MSExchange Management'
+ windows-printservice-admin:
+ product: windows
+ service: printservice-admin
+ conditions:
+ Channel: 'Microsoft-Windows-PrintService/Admin'
+ windows-printservice-operational:
+ product: windows
+ service: printservice-operational
+ conditions:
+ Channel: 'Microsoft-Windows-PrintService/Operational'
+ windows-terminalservices-localsessionmanager-operational:
+ product: windows
+ service: terminalservices-localsessionmanager
+ conditions:
+ Channel: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
+ windows-codeintegrity-operational:
+ product: windows
+ service: codeintegrity-operational
+ conditions:
+ Channel: 'Microsoft-Windows-CodeIntegrity/Operational'
+ windows-smbclient-security:
+ product: windows
+ service: smbclient-security
+ conditions:
+ Channel: 'Microsoft-Windows-SmbClient/Security'
+ windows-firewall-advanced-security:
+ product: windows
+ service: firewall-as
+ conditions:
+ Channel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
+ windows-bits-client:
+ product: windows
+ service: bits-client
+ conditions:
+ Channel: 'Microsoft-Windows-Bits-Client/Operational'
+ windows-security-mitigations:
+ product: windows
+ service: security-mitigations
+ conditions:
+ Channel:
+ - 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
+ - 'Microsoft-Windows-Security-Mitigations/User Mode'
+ windows-diagnosis:
+ product: windows
+ service: diagnosis-scripted
+ conditions:
+ Channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
+ windows-shell-core:
+ product: windows
+ service: shell-core
+ conditions:
+ Channel: 'Microsoft-Windows-Shell-Core/Operational'
+ windows-openssh:
+ product: windows
+ service: openssh
+ conditions:
+ Channel: 'OpenSSH/Operational'
+ windows-ldap-debug:
+ product: windows
+ service: ldap_debug
+ conditions:
+ Channel: 'Microsoft-Windows-LDAP-Client/Debug'
+ windows-bitlocker:
+ product: windows
+ service: bitlocker
+ conditions:
+ Channel: 'Microsoft-Windows-BitLocker/BitLocker Management'
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ Channel: 'Microsoft-Windows-VHDMP/Operational'
+ windows-appxdeployment-server:
+ product: windows
+ service: appxdeployment-server
+ conditions:
+ Channel: 'Microsoft-Windows-AppXDeploymentServer/Operational'
+ windows-lsa-server:
+ product: windows
+ service: lsa-server
+ conditions:
+ Channel: 'Microsoft-Windows-LSA/Operational'
+ windows-appxpackaging-om:
+ product: windows
+ service: appxpackaging-om
+ conditions:
+ Channel: 'Microsoft-Windows-AppxPackaging/Operational'
+ windows-dns-client:
+ product: windows
+ service: dns-client
+ conditions:
+ Channel: 'Microsoft-Windows-DNS Client Events/Operational'
+ windows-appmodel-runtime:
+ product: windows
+ service: appmodel-runtime
+ conditions:
+ Channel: 'Microsoft-Windows-AppModel-Runtime/Admin'
defaultindex: logstash-*
diff --git a/tools/config/powershell.yml b/tools/config/powershell.yml
index e26815896..9a912c3c2 100644
--- a/tools/config/powershell.yml
+++ b/tools/config/powershell.yml
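Review bot: The new `windows-dns-client` entry at the end of the hunk maps to `Channel: 'Microsoft-Windows-DNS Client Events/Operational'`, which as far as I know is disabled by default on Windows, so rules translated against it match nothing until the channel is enabled on the endpoint and forwarded by the collector; the re-indented `windows-ldap-debug` entry (`Microsoft-Windows-LDAP-Client/Debug`) appears to have the same property. A comment above the entry, e.g. `# Channel is off by default on Windows; enable it on the endpoint and ship it before relying on rules mapped here`, would make that blind spot visible to whoever deploys this config. The same three additions (`windows-appxpackaging-om`, `windows-dns-client`, `windows-appmodel-runtime`) land in tools/config/powershell.yml and tools/config/splunk-windows.yml in this commit, so the comment belongs there too. The only functional change is those three entries at the end of roughly 170 re-indented lines; landing the 2-to-4-space indentation pass as its own commit would keep the additions reviewable and `git blame` meaningful.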
@@ -1,173 +1,188 @@
title: Logsource to LogName mappings for PowerShell backend
order: 20
backends:
- - powershell
+ - powershell
logsources:
- windows-application:
- product: windows
- service: application
- conditions:
- LogName: 'Application'
- windows-security:
- product: windows
- service: security
- conditions:
- LogName: 'Security'
- windows-system:
- product: windows
- service: system
- conditions:
- LogName: 'System'
- windows-sysmon:
- product: windows
- service: sysmon
- conditions:
- LogName: 'Microsoft-Windows-Sysmon/Operational'
- windows-powershell:
- product: windows
- service: powershell
- conditions:
- LogName:
- - 'Microsoft-Windows-PowerShell/Operational'
- - 'PowerShellCore/Operational'
- windows-classicpowershell:
- product: windows
- service: powershell-classic
- conditions:
- LogName: 'Windows PowerShell'
- windows-taskscheduler:
- product: windows
- service: taskscheduler
- conditions:
- LogName: 'Microsoft-Windows-TaskScheduler/Operational'
- windows-wmi:
- product: windows
- service: wmi
- conditions:
- LogName: 'Microsoft-Windows-WMI-Activity/Operational'
- windows-dns-server:
- product: windows
- service: dns-server
- conditions:
- LogName: 'DNS Server'
- windows-dns-server-audit:
- product: windows
- service: dns-server-audit
- conditions:
- LogName: 'Microsoft-Windows-DNS-Server/Audit'
- windows-driver-framework:
- product: windows
- service: driver-framework
- conditions:
- LogName: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
- windows-ntlm:
- product: windows
- service: ntlm
- conditions:
- LogName: 'Microsoft-Windows-NTLM/Operational'
- windows-dhcp:
- product: windows
- service: dhcp
- conditions:
- LogName: 'Microsoft-Windows-DHCP-Server/Operational'
- windows-defender:
- product: windows
- service: windefend
- conditions:
- LogName: 'Microsoft-Windows-Windows Defender/Operational'
- windows-applocker:
- product: windows
- service: applocker
- conditions:
- LogName:
- - 'Microsoft-Windows-AppLocker/MSI and Script'
- - 'Microsoft-Windows-AppLocker/EXE and DLL'
- - 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- - 'Microsoft-Windows-AppLocker/Packaged app-Execution'
- windows-msexchange-management:
- product: windows
- service: msexchange-management
- conditions:
- LogName: 'MSExchange Management'
- windows-printservice-admin:
- product: windows
- service: printservice-admin
- conditions:
- LogName: 'Microsoft-Windows-PrintService/Admin'
- windows-printservice-operational:
- product: windows
- service: printservice-operational
- conditions:
- LogName: 'Microsoft-Windows-PrintService/Operational'
- windows-terminalservices-localsessionmanager-operational:
- product: windows
- service: terminalservices-localsessionmanager
- conditions:
- LogName: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
- windows-codeintegrity-operational:
- product: windows
- service: codeintegrity-operational
- conditions:
- LogName: 'Microsoft-Windows-CodeIntegrity/Operational'
- windows-smbclient-security:
- product: windows
- service: smbclient-security
- conditions:
- LogName: 'Microsoft-Windows-SmbClient/Security'
- windows-firewall-advanced-security:
- product: windows
- service: firewall-as
- conditions:
- LogName: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
- windows-bits-client:
- product: windows
- service: bits-client
- conditions:
- LogName: 'Microsoft-Windows-Bits-Client/Operational'
- windows-security-mitigations:
- product: windows
- service: security-mitigations
- conditions:
- LogName:
- - 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- - 'Microsoft-Windows-Security-Mitigations/User Mode'
- windows-diagnosis:
- product: windows
- service: diagnosis-scripted
- conditions:
- LogName: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
- windows-shell-core:
- product: windows
- service: shell-core
- conditions:
- LogName: 'Microsoft-Windows-Shell-Core/Operational'
- windows-openssh:
- product: windows
- service: openssh
- conditions:
- LogName: 'OpenSSH/Operational'
- windows-ldap-debug:
- product: windows
- service: ldap_debug
- conditions:
- LogName: 'Microsoft-Windows-LDAP-Client/Debug'
- windows-bitlocker:
- product: windows
- service: bitlocker
- conditions:
- LogName: 'Microsoft-Windows-BitLocker/BitLocker Management'
- windows-vhdmp-operational:
- product: windows
- service: vhdmp
- conditions:
- LogName: 'Microsoft-Windows-VHDMP/Operational'
- windows-appxdeployment-server:
- product: windows
- service: appxdeployment-server
- conditions:
- LogName: 'Microsoft-Windows-AppXDeploymentServer/Operational'
- windows-lsa-server:
- product: windows
- service: lsa-server
- conditions:
- LogName: 'Microsoft-Windows-LSA/Operational'
+ windows-application:
+ product: windows
+ service: application
+ conditions:
+ LogName: 'Application'
+ windows-security:
+ product: windows
+ service: security
+ conditions:
+ LogName: 'Security'
+ windows-system:
+ product: windows
+ service: system
+ conditions:
+ LogName: 'System'
+ windows-sysmon:
+ product: windows
+ service: sysmon
+ conditions:
+ LogName: 'Microsoft-Windows-Sysmon/Operational'
+ windows-powershell:
+ product: windows
+ service: powershell
+ conditions:
+ LogName:
+ - 'Microsoft-Windows-PowerShell/Operational'
+ - 'PowerShellCore/Operational'
+ windows-classicpowershell:
+ product: windows
+ service: powershell-classic
+ conditions:
+ LogName: 'Windows PowerShell'
+ windows-taskscheduler:
+ product: windows
+ service: taskscheduler
+ conditions:
+ LogName: 'Microsoft-Windows-TaskScheduler/Operational'
+ windows-wmi:
+ product: windows
+ service: wmi
+ conditions:
+ LogName: 'Microsoft-Windows-WMI-Activity/Operational'
+ windows-dns-server:
+ product: windows
+ service: dns-server
+ conditions:
+ LogName: 'DNS Server'
+ windows-dns-server-audit:
+ product: windows
+ service: dns-server-audit
+ conditions:
+ LogName: 'Microsoft-Windows-DNS-Server/Audit'
+ windows-driver-framework:
+ product: windows
+ service: driver-framework
+ conditions:
+ LogName: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+ windows-ntlm:
+ product: windows
+ service: ntlm
+ conditions:
+ LogName: 'Microsoft-Windows-NTLM/Operational'
+ windows-dhcp:
+ product: windows
+ service: dhcp
+ conditions:
+ LogName: 'Microsoft-Windows-DHCP-Server/Operational'
+ windows-defender:
+ product: windows
+ service: windefend
+ conditions:
+ LogName: 'Microsoft-Windows-Windows Defender/Operational'
+ windows-applocker:
+ product: windows
+ service: applocker
+ conditions:
+ LogName:
+ - 'Microsoft-Windows-AppLocker/MSI and Script'
+ - 'Microsoft-Windows-AppLocker/EXE and DLL'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Execution'
+ windows-msexchange-management:
+ product: windows
+ service: msexchange-management
+ conditions:
+ LogName: 'MSExchange Management'
+ windows-printservice-admin:
+ product: windows
+ service: printservice-admin
+ conditions:
+ LogName: 'Microsoft-Windows-PrintService/Admin'
+ windows-printservice-operational:
+ product: windows
+ service: printservice-operational
+ conditions:
+ LogName: 'Microsoft-Windows-PrintService/Operational'
+ windows-terminalservices-localsessionmanager-operational:
+ product: windows
+ service: terminalservices-localsessionmanager
+ conditions:
+ LogName: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
+ windows-codeintegrity-operational:
+ product: windows
+ service: codeintegrity-operational
+ conditions:
+ LogName: 'Microsoft-Windows-CodeIntegrity/Operational'
+ windows-smbclient-security:
+ product: windows
+ service: smbclient-security
+ conditions:
+ LogName: 'Microsoft-Windows-SmbClient/Security'
+ windows-firewall-advanced-security:
+ product: windows
+ service: firewall-as
+ conditions:
+ LogName: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
+ windows-bits-client:
+ product: windows
+ service: bits-client
+ conditions:
+ LogName: 'Microsoft-Windows-Bits-Client/Operational'
+ windows-security-mitigations:
+ product: windows
+ service: security-mitigations
+ conditions:
+ LogName:
+ - 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
+ - 'Microsoft-Windows-Security-Mitigations/User Mode'
+ windows-diagnosis:
+ product: windows
+ service: diagnosis-scripted
+ conditions:
+ LogName: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
+ windows-shell-core:
+ product: windows
+ service: shell-core
+ conditions:
+ LogName: 'Microsoft-Windows-Shell-Core/Operational'
+ windows-openssh:
+ product: windows
+ service: openssh
+ conditions:
+ LogName: 'OpenSSH/Operational'
+ windows-ldap-debug:
+ product: windows
+ service: ldap_debug
+ conditions:
+ LogName: 'Microsoft-Windows-LDAP-Client/Debug'
+ windows-bitlocker:
+ product: windows
+ service: bitlocker
+ conditions:
+ LogName: 'Microsoft-Windows-BitLocker/BitLocker Management'
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ LogName: 'Microsoft-Windows-VHDMP/Operational'
+ windows-appxdeployment-server:
+ product: windows
+ service: appxdeployment-server
+ conditions:
+ LogName: 'Microsoft-Windows-AppXDeploymentServer/Operational'
+ windows-lsa-server:
+ product: windows
+ service: lsa-server
+ conditions:
+ LogName: 'Microsoft-Windows-LSA/Operational'
+ windows-appxpackaging-om:
+ product: windows
+ service: appxpackaging-om
+ conditions:
+ LogName: 'Microsoft-Windows-AppxPackaging/Operational'
+ windows-dns-client:
+ product: windows
+ service: dns-client
+ conditions:
+ LogName: 'Microsoft-Windows-DNS Client Events/Operational'
+ windows-appmodel-runtime:
+ product: windows
+ service: appmodel-runtime
+ conditions:
+ LogName: 'Microsoft-Windows-AppModel-Runtime/Admin'
diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml
index a9f42d18d..bb5177e05 100644
--- a/tools/config/splunk-windows.yml
+++ b/tools/config/splunk-windows.yml
@@ -1,195 +1,210 @@
title: Splunk Windows log source conditions
order: 20
backends:
- - splunk
- - splunkxml
- - splunkdm
+ - splunk
+ - splunkxml
+ - splunkdm
logsources:
- windows-application:
- product: windows
- service: application
- conditions:
- source: 'WinEventLog:Application'
- windows-security:
- product: windows
- service: security
- conditions:
- source: 'WinEventLog:Security'
- windows-system:
- product: windows
- service: system
- conditions:
- source: 'WinEventLog:System'
- windows-sysmon:
- product: windows
- service: sysmon
- conditions:
- source: 'WinEventLog:Microsoft-Windows-Sysmon/Operational'
- windows-process-creation:
- product: windows
- service: sysmon
- category: process_creation
- # Optimized search for process creation, being dramatically faster in Lispy than just EventCode=1 search, as 'ParentProcessGuid' is more unique than '1' in the raw data.
- # This also supports custom splunk macros, just like they are written in splunk (i.e. as `macro`), minding that it has to be written inside the string quotes here.
- search: 'ParentProcessGuid EventCode=1'
- windows-file-creation:
- product: windows
- service: sysmon
- category: file_creation
- search: 'TargetFilename EventCode=11'
- windows-powershell:
- product: windows
- service: powershell
- conditions:
- source:
- - 'WinEventLog:Microsoft-Windows-PowerShell/Operational'
- - 'WinEventLog:PowerShellCore/Operational'
- windows-classicpowershell:
- product: windows
- service: powershell-classic
- conditions:
- source: 'WinEventLog:Windows PowerShell'
- windows-taskscheduler:
- product: windows
- service: taskscheduler
- conditions:
- source: 'WinEventLog:Microsoft-Windows-TaskScheduler/Operational'
- windows-wmi:
- product: windows
- service: wmi
- conditions:
- source: 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational'
- windows-dns-server:
- product: windows
- service: dns-server
- category: dns
- conditions:
- source: 'WinEventLog:DNS Server'
- windows-dns-server-audit:
- product: windows
- service: dns-server-audit
- conditions:
- source: 'WinEventLog:Microsoft-Windows-DNS-Server/Audit'
- windows-driver-framework:
- product: windows
- service: driver-framework
- conditions:
- source: 'WinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational'
- windows-ntlm:
- product: windows
- service: ntlm
- conditions:
- source: 'WinEventLog:Microsoft-Windows-NTLM/Operational'
- windows-dhcp:
- product: windows
- service: dhcp
- conditions:
- source: 'WinEventLog:Microsoft-Windows-DHCP-Server/Operational'
- windows-applocker:
- product: windows
- service: applocker
- conditions:
- source:
- - 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script'
- - 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL'
- - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment'
- - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution'
- windows-msexchange-management:
- product: windows
- service: msexchange-management
- conditions:
- source: 'WinEventLog:MSExchange Management'
- windows-printservice-admin:
- product: windows
- service: printservice-admin
- conditions:
- source: 'WinEventLog:Microsoft-Windows-PrintService/Admin'
- windows-printservice-operational:
- product: windows
- service: printservice-operational
- conditions:
- source: 'WinEventLog:Microsoft-Windows-PrintService/Operational'
- windows-terminalservices-localsessionmanager-operational:
- product: windows
- service: terminalservices-localsessionmanager
- conditions:
- source: 'WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
- windows-codeintegrity-operational:
- product: windows
- service: codeintegrity-operational
- conditions:
- source: 'WinEventLog:Microsoft-Windows-CodeIntegrity/Operational'
- windows-smbclient-security:
- product: windows
- service: smbclient-security
- conditions:
- source: 'WinEventLog:Microsoft-Windows-SmbClient/Security'
- windows-rpc-firewall:
- product: rpc_firewall
- category: application
- conditions:
- source: 'WinEventLog:RPCFW'
- windows-firewall-advanced-security:
- product: windows
- service: firewall-as
- conditions:
- source: 'WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
- windows-bits-client:
- product: windows
- service: bits-client
- conditions:
- source: 'WinEventLog:Microsoft-Windows-Bits-Client/Operational'
- windows-security-mitigations:
- product: windows
- service: security-mitigations
- conditions:
- source:
- - 'WinEventLog:Microsoft-Windows-Security-Mitigations/Kernel Mode'
- - 'WinEventLog:Microsoft-Windows-Security-Mitigations/User Mode'
- windows-diagnosis:
- product: windows
- service: diagnosis-scripted
- conditions:
- source: 'WinEventLog:Microsoft-Windows-Diagnosis-Scripted/Operational'
- windows-shell-core:
- product: windows
- service: shell-core
- conditions:
- source: 'WinEventLog:Microsoft-Windows-Shell-Core/Operational'
- windows-openssh:
- product: windows
- service: openssh
- conditions:
- source: 'WinEventLog:OpenSSH/Operational'
- windows-ldap-debug:
- product: windows
- service: ldap_debug
- conditions:
- source: 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug'
- windows-bitlocker:
- product: windows
- service: bitlocker
- conditions:
- source: 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management'
- windows-defender:
- product: windows
- service: windefend
- conditions:
- source: 'WinEventLog:Microsoft-Windows-Windows Defender/Operational'
- windows-vhdmp-operational:
- product: windows
- service: vhdmp
- conditions:
- source: 'WinEventLog:Microsoft-Windows-VHDMP/Operational'
- windows-appxdeployment-server:
- product: windows
- service: appxdeployment-server
- conditions:
- source: 'WinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational'
- windows-lsa-server:
- product: windows
- service: lsa-server
- conditions:
- source: 'WinEventLog:Microsoft-Windows-LSA/Operational'
+ windows-application:
+ product: windows
+ service: application
+ conditions:
+ source: 'WinEventLog:Application'
+ windows-security:
+ product: windows
+ service: security
+ conditions:
+ source: 'WinEventLog:Security'
+ windows-system:
+ product: windows
+ service: system
+ conditions:
+ source: 'WinEventLog:System'
+ windows-sysmon:
+ product: windows
+ service: sysmon
+ conditions:
+ source: 'WinEventLog:Microsoft-Windows-Sysmon/Operational'
+ windows-process-creation:
+ product: windows
+ service: sysmon
+ category: process_creation
+ # Optimized search for process creation, being dramatically faster in Lispy than just EventCode=1 search, as 'ParentProcessGuid' is more unique than '1' in the raw data.
+ # This also supports custom splunk macros, just like they are written in splunk (i.e. as `macro`), minding that it has to be written inside the string quotes here.
+ search: 'ParentProcessGuid EventCode=1'
+ windows-file-creation:
+ product: windows
+ service: sysmon
+ category: file_creation
+ search: 'TargetFilename EventCode=11'
+ windows-powershell:
+ product: windows
+ service: powershell
+ conditions:
+ source:
+ - 'WinEventLog:Microsoft-Windows-PowerShell/Operational'
+ - 'WinEventLog:PowerShellCore/Operational'
+ windows-classicpowershell:
+ product: windows
+ service: powershell-classic
+ conditions:
+ source: 'WinEventLog:Windows PowerShell'
+ windows-taskscheduler:
+ product: windows
+ service: taskscheduler
+ conditions:
+ source: 'WinEventLog:Microsoft-Windows-TaskScheduler/Operational'
+ windows-wmi:
+ product: windows
+ service: wmi
+ conditions:
+ source: 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational'
+ windows-dns-server:
+ product: windows
+ service: dns-server
+ category: dns
+ conditions:
+ source: 'WinEventLog:DNS Server'
+ windows-dns-server-audit:
+ product: windows
+ service: dns-server-audit
+ conditions:
+ source: 'WinEventLog:Microsoft-Windows-DNS-Server/Audit'
+ windows-driver-framework:
+ product: windows
+ service: driver-framework
+ conditions:
+ source: 'WinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+ windows-ntlm:
+ product: windows
+ service: ntlm
+ conditions:
+ source: 'WinEventLog:Microsoft-Windows-NTLM/Operational'
+ windows-dhcp:
+ product: windows
+ service: dhcp
+ conditions:
+ source: 'WinEventLog:Microsoft-Windows-DHCP-Server/Operational'
+ windows-applocker:
+ product: windows
+ service: applocker
+ conditions:
+ source:
+ - 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script'
+ - 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL'
+ - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment'
+ - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution'
+ windows-msexchange-management:
+ product: windows
+ service: msexchange-management
+ conditions:
+ source: 'WinEventLog:MSExchange Management'
+ windows-printservice-admin:
+ product: windows
+ service: printservice-admin
+ conditions:
+ source: 'WinEventLog:Microsoft-Windows-PrintService/Admin'
+ windows-printservice-operational:
+ product: windows
+ service: printservice-operational
+ conditions:
+ source: 'WinEventLog:Microsoft-Windows-PrintService/Operational'
+ windows-terminalservices-localsessionmanager-operational:
+ product: windows
+ service: terminalservices-localsessionmanager
+ conditions:
+ source: 'WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
+ windows-codeintegrity-operational:
+ product: windows
+ service: codeintegrity-operational
+ conditions:
+ source: 'WinEventLog:Microsoft-Windows-CodeIntegrity/Operational'
+ windows-smbclient-security:
+ product: windows
+ service: smbclient-security
+ conditions:
+ source: 'WinEventLog:Microsoft-Windows-SmbClient/Security'
+ windows-rpc-firewall:
+ product: rpc_firewall
+ category: application
+ conditions:
+ source: 'WinEventLog:RPCFW'
+ windows-firewall-advanced-security:
+ product: windows
+ service: firewall-as
+ conditions:
+ source: 'WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
+ windows-bits-client:
+ product: windows
+ service: bits-client
+ conditions:
+ source: 'WinEventLog:Microsoft-Windows-Bits-Client/Operational'
+ windows-security-mitigations:
+ product: windows
+ service: security-mitigations
+ conditions:
+ source:
+ - 'WinEventLog:Microsoft-Windows-Security-Mitigations/Kernel Mode'
+ - 'WinEventLog:Microsoft-Windows-Security-Mitigations/User Mode'
+ windows-diagnosis:
+ product: windows
+ service: diagnosis-scripted
+ conditions:
+ source: 'WinEventLog:Microsoft-Windows-Diagnosis-Scripted/Operational'
+ windows-shell-core:
+ product: windows
+ service: shell-core
+ conditions:
+ source: 'WinEventLog:Microsoft-Windows-Shell-Core/Operational'
+ windows-openssh:
+ product: windows
+ service: openssh
+ conditions:
+ source: 'WinEventLog:OpenSSH/Operational'
+ windows-ldap-debug:
+ product: windows
+ service: ldap_debug
+ conditions:
+ source: 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug'
+ windows-bitlocker:
+ product: windows
+ service: bitlocker
+ conditions:
+ source: 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management'
+ windows-defender:
+ product: windows
+ service: windefend
+ conditions:
+ source: 'WinEventLog:Microsoft-Windows-Windows Defender/Operational'
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ source: 'WinEventLog:Microsoft-Windows-VHDMP/Operational'
+ windows-appxdeployment-server:
+ product: windows
+ service: appxdeployment-server
+ conditions:
+ source: 'WinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational'
+ windows-lsa-server:
+ product: windows
+ service: lsa-server
+ conditions:
+ source: 'WinEventLog:Microsoft-Windows-LSA/Operational'
+ windows-appxpackaging-om:
+ product: windows
+ service: appxpackaging-om
+ conditions:
+ source: 'WinEventLog:Microsoft-Windows-AppxPackaging/Operational'
+ windows-dns-client:
+ product: windows
+ service: dns-client
+ conditions:
+ source: 'WinEventLog:Microsoft-Windows-DNS Client Events/Operational'
+ windows-appmodel-runtime:
+ product: windows
+ service: appmodel-runtime
+ conditions:
+ source: 'WinEventLog:Microsoft-Windows-AppModel-Runtime/Admin'
fieldmappings:
EventID: EventCode
diff --git a/tools/config/sumologic.yml b/tools/config/sumologic.yml
index c6addce9d..e5e427726 100644
--- a/tools/config/sumologic.yml
+++ b/tools/config/sumologic.yml
@@ -1,200 +1,241 @@ title: SumoLogic order: 20 backends: - - sumologic + - sumologic afl_fields: - - _index - - EventID - - CommandLine - - NewProcessName - - Image - - ParentImage - - ParentCommandLine - - ParentProcessName + - _index + - EventID + - CommandLine + - NewProcessName + - Image + - ParentImage + - ParentCommandLine + - ParentProcessName # Sumulogic mapping depends on customer configuration. Adapt to your context! # typically rule on _sourceCategory, _index or Field Extraction Rules (FER) # supposing existing FER for service, EventChannel, EventID logsources: - unix: - product: unix - index: UNIX - linux: - product: linux - index: LINUX - linux-sshd: - product: linux - service: sshd - index: LINUX - linux-auth: - product: linux - service: auth - index: LINUX - linux-clamav: - product: linux - service: clamav - index: LINUX - windows: - product: windows - index: WINDOWS - windows-sysmon: - product: windows - service: sysmon - conditions: - EventChannel: Microsoft-Windows-Sysmon - index: WINDOWS - windows-security: - product: windows - service: security - conditions: - EventChannel: Security - index: WINDOWS - windows-powershell: - product: windows - service: powershell - conditions: - EventChannel: - - Microsoft-Windows-Powershell - - PowerShellCore - index: WINDOWS - windows-system: - product: windows - service: system - conditions: - EventChannel: System - index: WINDOWS - windows-dhcp: - product: windows - service: dhcp - conditions: - EventChannel: Microsoft-Windows-DHCP-Server - index: WINDOWS - windows-ntlm: - product: windows - service: ntlm - conditions: - EventChannel: 'Microsoft-Windows-NTLM/Operational' - windows-printservice-admin: - product: windows - service: printservice-admin - conditions: - EventChannel: 'Microsoft-Windows-PrintService/Admin' - windows-printservice-operational: - product: windows - service: printservice-operational - conditions: - EventChannel: 'Microsoft-Windows-PrintService/Operational' - 
windows-terminalservices-localsessionmanager-operational: - product: windows - service: terminalservices-localsessionmanager - conditions: - EventChannel: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' - windows-codeintegrity-operational: - product: windows - service: codeintegrity-operational - conditions: - EventChannel: 'Microsoft-Windows-CodeIntegrity/Operational' - windows-smbclient-security: - product: windows - service: smbclient-security - conditions: - EventChannel: 'Microsoft-Windows-SmbClient/Security' - windows-msexchange-management: - product: windows - service: msexchange-management - conditions: - EventChannel: 'MSExchange Management' - windows-firewall-advanced-security: - product: windows - service: firewall-as - conditions: - EventChannel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' - windows-bits-client: - product: windows - service: bits-client - conditions: - EventChannel: 'Microsoft-Windows-Bits-Client/Operational' - windows-security-mitigations: - product: windows - service: security-mitigations - conditions: - EventChannel: - - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' - - 'Microsoft-Windows-Security-Mitigations/User Mode' - windows-diagnosis: - product: windows - service: diagnosis-scripted - conditions: - EventChannel: 'Microsoft-Windows-Diagnosis-Scripted/Operational' - windows-shell-core: - product: windows - service: shell-core - conditions: - EventChannel: 'Microsoft-Windows-Shell-Core/Operational' - windows-openssh: - product: windows - service: openssh - conditions: - EventChannel: 'OpenSSH/Operational' - windows-ldap-debug: - product: windows - service: ldap_debug - conditions: - source: 'Microsoft-Windows-LDAP-Client/Debug' - windows-bitlocker: - product: windows - service: bitlocker - conditions: - source: 'Microsoft-Windows-BitLocker/BitLocker Management' - windows-vhdmp-operational: - product: windows - service: vhdmp - conditions: - source: 
'Microsoft-Windows-VHDMP/Operational' - windows-appxdeployment-server: - product: windows - service: appxdeployment-server - conditions: - source: 'Microsoft-Windows-AppXDeploymentServer/Operational' - apache: - service: apache - index: WEBSERVER - apache2: - service: apache - index: WEBSERVER - webserver: - category: webserver - index: WEBSERVER - firewall: - category: firewall - index: FIREWALL - firewall2: - product: firewall - index: FIREWALL - network-dns: - category: dns - index: DNS - network-dns2: - product: dns - index: DNS - proxy: - category: proxy - index: PROXY - antivirus: - category: antivirus - index: ANTIVIRUS - application-sql: - product: sql - index: DATABASE - application-python: - product: python - index: APPLICATIONS - application-django: - product: django - index: DJANGO - application-rails: - product: rails - index: RAILS - application-spring: - product: spring - index: SPRING + unix: + product: unix + index: UNIX + linux: + product: linux + index: LINUX + linux-sshd: + product: linux + service: sshd + index: LINUX + linux-auth: + product: linux + service: auth + index: LINUX + linux-clamav: + product: linux + service: clamav + index: LINUX + windows: + product: windows + index: WINDOWS + windows-sysmon: + product: windows + service: sysmon + conditions: + EventChannel: Microsoft-Windows-Sysmon + index: WINDOWS + windows-security: + product: windows + service: security + conditions: + EventChannel: Security + index: WINDOWS + windows-powershell: + product: windows + service: powershell + conditions: + EventChannel: + - Microsoft-Windows-Powershell + - PowerShellCore + index: WINDOWS + windows-system: + product: windows + service: system + conditions: + EventChannel: System + index: WINDOWS + windows-dhcp: + product: windows + service: dhcp + conditions: + EventChannel: Microsoft-Windows-DHCP-Server + index: WINDOWS + windows-ntlm: + product: windows + service: ntlm + conditions: + EventChannel: 'Microsoft-Windows-NTLM/Operational' + index: 
WINDOWS + windows-printservice-admin: + product: windows + service: printservice-admin + conditions: + EventChannel: 'Microsoft-Windows-PrintService/Admin' + index: WINDOWS + windows-printservice-operational: + product: windows + service: printservice-operational + conditions: + EventChannel: 'Microsoft-Windows-PrintService/Operational' + index: WINDOWS + windows-terminalservices-localsessionmanager-operational: + product: windows + service: terminalservices-localsessionmanager + conditions: + EventChannel: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' + index: WINDOWS + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + EventChannel: 'Microsoft-Windows-CodeIntegrity/Operational' + index: WINDOWS + windows-smbclient-security: + product: windows + service: smbclient-security + conditions: + EventChannel: 'Microsoft-Windows-SmbClient/Security' + index: WINDOWS + windows-msexchange-management: + product: windows + service: msexchange-management + conditions: + EventChannel: 'MSExchange Management' + index: WINDOWS + windows-firewall-advanced-security: + product: windows + service: firewall-as + conditions: + EventChannel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' + index: WINDOWS + windows-bits-client: + product: windows + service: bits-client + conditions: + EventChannel: 'Microsoft-Windows-Bits-Client/Operational' + index: WINDOWS + windows-security-mitigations: + product: windows + service: security-mitigations + conditions: + EventChannel: + - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' + - 'Microsoft-Windows-Security-Mitigations/User Mode' + index: WINDOWS + windows-diagnosis: + product: windows + service: diagnosis-scripted + conditions: + EventChannel: 'Microsoft-Windows-Diagnosis-Scripted/Operational' + index: WINDOWS + windows-shell-core: + product: windows + service: shell-core + conditions: + EventChannel: 
'Microsoft-Windows-Shell-Core/Operational' + index: WINDOWS + windows-openssh: + product: windows + service: openssh + conditions: + EventChannel: 'OpenSSH/Operational' + index: WINDOWS + windows-ldap-debug: + product: windows + service: ldap_debug + conditions: + EventChannel: 'Microsoft-Windows-LDAP-Client/Debug' + index: WINDOWS + windows-bitlocker: + product: windows + service: bitlocker + conditions: + EventChannel: 'Microsoft-Windows-BitLocker/BitLocker Management' + index: WINDOWS + windows-vhdmp-operational: + product: windows + service: vhdmp + conditions: + EventChannel: 'Microsoft-Windows-VHDMP/Operational' + index: WINDOWS + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + EventChannel: 'Microsoft-Windows-AppXDeploymentServer/Operational' + index: WINDOWS + windows-lsa-server: + product: windows + service: lsa-server + conditions: + EventChannel: 'Microsoft-Windows-LSA/Operational' + index: WINDOWS + windows-appxpackaging-om: + product: windows + service: appxpackaging-om + conditions: + EventChannel: 'Microsoft-Windows-AppxPackaging/Operational' + index: WINDOWS + windows-dns-client: + product: windows + service: dns-client + conditions: + EventChannel: 'Microsoft-Windows-DNS Client Events/Operational' + index: WINDOWS + windows-appmodel-runtime: + product: windows + service: appmodel-runtime + conditions: + EventChannel: 'Microsoft-Windows-AppModel-Runtime/Admin' + index: WINDOWS + apache: + service: apache + index: WEBSERVER + apache2: + service: apache + index: WEBSERVER + webserver: + category: webserver + index: WEBSERVER + firewall: + category: firewall + index: FIREWALL + firewall2: + product: firewall + index: FIREWALL + network-dns: + category: dns + index: DNS + network-dns2: + product: dns + index: DNS + proxy: + category: proxy + index: PROXY + antivirus: + category: antivirus + index: ANTIVIRUS + application-sql: + product: sql + index: DATABASE + application-python: + product: python + 
index: APPLICATIONS + application-django: + product: django + index: DJANGO + application-rails: + product: rails + index: RAILS + application-spring: + product: spring + index: SPRING # if no index, search in all indexes diff --git a/tools/config/thor.yml b/tools/config/thor.yml index f62d844c3..bdc8238a2 100644 --- a/tools/config/thor.yml +++ b/tools/config/thor.yml 
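Review bot: The Sumo Logic log source list on the new side still has no entry for the Defender channel (`service: windefend`), although this same commit carries `windows-defender` → `Microsoft-Windows-Windows Defender/Operational` in the THOR and `source:`-style configs, and it likewise lacks the `application`, `applocker`, `taskscheduler` and `wmi` services those files map. If sigmac's fallback works as I read it, a rule with one of these services only matches the generic `windows` entry and is emitted against `_index=WINDOWS` with no `EventChannel` filter, so the converted search runs over every Windows event and its EventID conditions collide with unrelated channels. Adding the missing entries in the shape the file already uses closes the gap; the two most used are sketched below. Separately, `Microsoft-Windows-Powershell` and `PowerShellCore` here differ in case and in the missing `/Operational` suffix from the names the THOR config uses in this commit, which matters if the customer's FER yields the raw channel name, and the header comment spells the product `Sumulogic`.
```yaml
    # … unchanged: existing windows-* entries …
    windows-defender:
        product: windows
        service: windefend
        conditions:
            EventChannel: 'Microsoft-Windows-Windows Defender/Operational'
        index: WINDOWS
    windows-applocker:
        product: windows
        service: applocker
        conditions:
            EventChannel:
                - 'Microsoft-Windows-AppLocker/MSI and Script'
                - 'Microsoft-Windows-AppLocker/EXE and DLL'
                - 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
                - 'Microsoft-Windows-AppLocker/Packaged app-Execution'
        index: WINDOWS
    # … unchanged: apache / webserver / firewall / application entries …
```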
@@ -1,458 +1,473 @@ title: THOR order: 20 backends: - - thor + - thor # this configuration differs from other configurations and can not be used # with the sigmac tool. This configuration is used by the ioc scanners THOR and SPARK. logsources: - # log source configurations for generic sigma rules - process_creation_1: - category: process_creation - product: windows - conditions: - EventID: 1 - rewrite: - product: windows - service: sysmon - process_creation_2: - category: process_creation - product: windows - conditions: - EventID: 4688 - rewrite: - product: windows - service: security - fieldmappings: - Image: NewProcessName - ParentImage: ParentProcessName - network_connection: - category: network_connection - product: windows - conditions: - EventID: 3 - rewrite: - product: windows - service: sysmon - sysmon_status1: - category: sysmon_status - product: windows - conditions: - EventID: 4 - rewrite: - product: windows - service: sysmon - sysmon_status2: - category: sysmon_status - product: windows - conditions: - EventID: 16 - rewrite: - product: windows - service: sysmon - process_terminated: - category: process_termination - product: windows - conditions: - EventID: 5 - rewrite: - product: windows - service: sysmon - driver_loaded: - category: driver_load - product: windows - conditions: - EventID: 6 - rewrite: - product: windows - service: sysmon - image_loaded: - category: image_load - product: windows - conditions: - EventID: 7 - rewrite: - product: windows - service: sysmon - create_remote_thread: - category: create_remote_thread - product: windows - conditions: - EventID: 8 - rewrite: - product: windows - service: sysmon - raw_access_thread: - category: raw_access_thread - product: windows - conditions: - EventID: 9 - rewrite: - product: windows - service: sysmon - process_access: - category: process_access - product: windows - conditions: - EventID: 10 - rewrite: - product: windows - service: sysmon - file_creation: - category: file_event - product: 
windows - conditions: - EventID: 11 - rewrite: - product: windows - service: sysmon - registry_event1: - category: registry_event - product: windows - conditions: - EventID: 12 - rewrite: - product: windows - service: sysmon - registry_event2: - category: registry_event - product: windows - conditions: - EventID: 13 - rewrite: - product: windows - service: sysmon - registry_event3: - category: registry_event - product: windows - conditions: - EventID: 14 - rewrite: - product: windows - service: sysmon - registry_add: - category: registry_add - product: windows - conditions: - EventID: 12 - rewrite: - product: windows - service: sysmon - registry_delete: - category: registry_delete - product: windows - conditions: - EventID: 12 - rewrite: - product: windows - service: sysmon - registry_set: - category: registry_set - product: windows - conditions: - EventID: 13 - rewrite: - product: windows - service: sysmon - registry_rename: - category: registry_rename - product: windows - conditions: - EventID: 14 - rewrite: - product: windows - service: sysmon - create_stream_hash: - category: create_stream_hash - product: windows - conditions: - EventID: 15 - rewrite: - product: windows - service: sysmon - pipe_created1: - category: pipe_created - product: windows - conditions: - EventID: 17 - rewrite: - product: windows - service: sysmon - pipe_created2: - category: pipe_created - product: windows - conditions: - EventID: 18 - rewrite: - product: windows - service: sysmon - wmi_event1: - category: wmi_event - product: windows - conditions: - EventID: 19 - rewrite: - product: windows - service: sysmon - wmi_event2: - category: wmi_event - product: windows - conditions: - EventID: 20 - rewrite: - product: windows - service: sysmon - wmi_event3: - category: wmi_event - product: windows - conditions: - EventID: 21 - rewrite: - product: windows - service: sysmon - dns_query: - category: dns_query - product: windows - conditions: - EventID: 22 - rewrite: - product: windows - 
service: sysmon - file_delete: - category: file_delete - product: windows - conditions: - EventID: 23 - rewrite: - product: windows - service: sysmon - file_block: - category: file_block - product: windows - conditions: - EventID: 27 - rewrite: - product: windows - service: sysmon - sysmon_error: - category: sysmon_error - product: windows - conditions: - EventID: 255 - rewrite: - product: windows - service: sysmon - #PowerShell Operational - ps_module: - category: ps_module - product: windows - conditions: - EventID: 4103 - rewrite: - product: windows - service: powershell - ps_script: - category: ps_script - product: windows - conditions: - EventID: 4104 - rewrite: - product: windows - service: powershell - #Powershell "classic" channel - ps_classic_start: - category: ps_classic_start - product: windows - conditions: - EventID: 400 - rewrite: - product: windows - service: powershell-classic - ps_classic_provider_start: - category: ps_classic_provider_start - product: windows - conditions: - EventID: 600 - rewrite: - product: windows - service: powershell-classic - ps_classic_script: - category: ps_classic_script - product: windows - conditions: - EventID: 800 - rewrite: - product: windows - service: powershell-classic - # target system configurations - windows-application: - product: windows - service: application - sources: - - "WinEventLog:Application" - windows-security: - product: windows - service: security - sources: - - "WinEventLog:Security" - windows-system: - product: windows - service: system - sources: - - "WinEventLog:System" - windows-ntlm: - product: windows - service: ntlm - sources: - - "WinEventLog:Microsoft-Windows-NTLM/Operational" - windows-sysmon: - product: windows - service: sysmon - sources: - - "WinEventLog:Microsoft-Windows-Sysmon/Operational" - windows-powershell: - product: windows - service: powershell - sources: - - "WinEventLog:Microsoft-Windows-PowerShell/Operational" - - "WinEventLog:PowerShellCore/Operational" - 
windows-classicpowershell: - product: windows - service: powershell-classic - sources: - - "WinEventLog:Windows PowerShell" - windows-taskscheduler: - product: windows - service: taskscheduler - sources: - - "WinEventLog:Microsoft-Windows-TaskScheduler/Operational" - windows-wmi: - product: windows - service: wmi - sources: - - "WinEventLog:Microsoft-Windows-WMI-Activity/Operational" - windows-dhcp: - product: windows - service: dhcp - sources: - - "WinEventLog:Microsoft-Windows-DHCP-Server/Operational" - windows-printservice-admin: - product: windows - service: printservice-admin - sources: - - "WinEventLog:Microsoft-Windows-PrintService/Admin" - windows-smbclient-security: - product: windows - service: smbclient-security - sources: - - "WinEventLog:Microsoft-Windows-SmbClient/Security" - windows-printservice-operational: - product: windows - service: printservice-operational - sources: - - "WinEventLog:Microsoft-Windows-PrintService/Operational" - windows-terminalservices-localsessionmanager-operational: - product: windows - service: terminalservices-localsessionmanager - sources: - - 'WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' - windows-codeintegrity-operational: - product: windows - service: codeintegrity-operational - sources: - - "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational" - windows-applocker: - product: windows - service: applocker - sources: - - 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script' - - 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL' - - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment' - - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution' - windows-msexchange-management: - product: windows - service: msexchange-management - sources: - - 'WinEventLog:MSExchange Management' - windows-defender: - product: windows - service: windefend - sources: - - 'WinEventLog:Microsoft-Windows-Windows Defender/Operational' - windows-firewall-advanced-security: - 
product: windows - service: firewall-as - sources: - - 'WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' - windows-bits-client: - product: windows - service: bits-client - sources: - - 'WinEventLog:Microsoft-Windows-Bits-Client/Operational' - windows-security-mitigations: - product: windows - service: security-mitigations - sources: - - 'WinEventLog:Microsoft-Windows-Security-Mitigations/Kernel Mode' - - 'WinEventLog:Microsoft-Windows-Security-Mitigations/User Mode' - windows-diagnosis: - product: windows - service: diagnosis-scripted - sources: - - 'WinEventLog:Microsoft-Windows-Diagnosis-Scripted/Operational' - windows-shell-core: - product: windows - service: shell-core - sources: - - 'WinEventLog:Microsoft-Windows-Shell-Core/Operational' - windows-openssh: - product: windows - service: openssh - sources: - - 'WinEventLog:OpenSSH/Operational' - windows-ldap-debug: - product: windows - service: ldap_debug - sources: - - 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug' - windows-bitlocker: - product: windows - service: bitlocker - sources: - - 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management' - windows-vhdmp: - product: windows - service: vhdmp - sources: - - 'WinEventLog:Microsoft-Windows-VHDMP/Operational' - windows-appxdeployment-server: - product: windows - service: appxdeployment-server - sources: - - 'WinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational' - windows-lsa-server: - product: windows - service: lsa-server - sources: - - 'WinEventLog:Microsoft-Windows-LSA/Operational' - apache: - category: webserver - sources: - - "File:/var/log/apache/*.log" - - "File:/var/log/apache2/*.log" - - "File:/var/log/httpd/*.log" - linux-auth: - product: linux - service: auth - sources: - - "File:/var/log/auth.log" - - "File:/var/log/auth.log.?" - linux-syslog: - product: linux - service: syslog - sources: - - "File:/var/log/syslog" - - "File:/var/log/syslog.?" 
- logfiles: - category: logfile - sources: - - "File:*.log" + # log source configurations for generic sigma rules + process_creation_1: + category: process_creation + product: windows + conditions: + EventID: 1 + rewrite: + product: windows + service: sysmon + process_creation_2: + category: process_creation + product: windows + conditions: + EventID: 4688 + rewrite: + product: windows + service: security + fieldmappings: + Image: NewProcessName + ParentImage: ParentProcessName + network_connection: + category: network_connection + product: windows + conditions: + EventID: 3 + rewrite: + product: windows + service: sysmon + sysmon_status1: + category: sysmon_status + product: windows + conditions: + EventID: 4 + rewrite: + product: windows + service: sysmon + sysmon_status2: + category: sysmon_status + product: windows + conditions: + EventID: 16 + rewrite: + product: windows + service: sysmon + process_terminated: + category: process_termination + product: windows + conditions: + EventID: 5 + rewrite: + product: windows + service: sysmon + driver_loaded: + category: driver_load + product: windows + conditions: + EventID: 6 + rewrite: + product: windows + service: sysmon + image_loaded: + category: image_load + product: windows + conditions: + EventID: 7 + rewrite: + product: windows + service: sysmon + create_remote_thread: + category: create_remote_thread + product: windows + conditions: + EventID: 8 + rewrite: + product: windows + service: sysmon + raw_access_thread: + category: raw_access_thread + product: windows + conditions: + EventID: 9 + rewrite: + product: windows + service: sysmon + process_access: + category: process_access + product: windows + conditions: + EventID: 10 + rewrite: + product: windows + service: sysmon + file_creation: + category: file_event + product: windows + conditions: + EventID: 11 + rewrite: + product: windows + service: sysmon + registry_event1: + category: registry_event + product: windows + conditions: + EventID: 12 + rewrite: + 
product: windows + service: sysmon + registry_event2: + category: registry_event + product: windows + conditions: + EventID: 13 + rewrite: + product: windows + service: sysmon + registry_event3: + category: registry_event + product: windows + conditions: + EventID: 14 + rewrite: + product: windows + service: sysmon + registry_add: + category: registry_add + product: windows + conditions: + EventID: 12 + rewrite: + product: windows + service: sysmon + registry_delete: + category: registry_delete + product: windows + conditions: + EventID: 12 + rewrite: + product: windows + service: sysmon + registry_set: + category: registry_set + product: windows + conditions: + EventID: 13 + rewrite: + product: windows + service: sysmon + registry_rename: + category: registry_rename + product: windows + conditions: + EventID: 14 + rewrite: + product: windows + service: sysmon + create_stream_hash: + category: create_stream_hash + product: windows + conditions: + EventID: 15 + rewrite: + product: windows + service: sysmon + pipe_created1: + category: pipe_created + product: windows + conditions: + EventID: 17 + rewrite: + product: windows + service: sysmon + pipe_created2: + category: pipe_created + product: windows + conditions: + EventID: 18 + rewrite: + product: windows + service: sysmon + wmi_event1: + category: wmi_event + product: windows + conditions: + EventID: 19 + rewrite: + product: windows + service: sysmon + wmi_event2: + category: wmi_event + product: windows + conditions: + EventID: 20 + rewrite: + product: windows + service: sysmon + wmi_event3: + category: wmi_event + product: windows + conditions: + EventID: 21 + rewrite: + product: windows + service: sysmon + dns_query: + category: dns_query + product: windows + conditions: + EventID: 22 + rewrite: + product: windows + service: sysmon + file_delete: + category: file_delete + product: windows + conditions: + EventID: 23 + rewrite: + product: windows + service: sysmon + file_block: + category: file_block + product: 
windows + conditions: + EventID: 27 + rewrite: + product: windows + service: sysmon + sysmon_error: + category: sysmon_error + product: windows + conditions: + EventID: 255 + rewrite: + product: windows + service: sysmon + #PowerShell Operational + ps_module: + category: ps_module + product: windows + conditions: + EventID: 4103 + rewrite: + product: windows + service: powershell + ps_script: + category: ps_script + product: windows + conditions: + EventID: 4104 + rewrite: + product: windows + service: powershell + #Powershell "classic" channel + ps_classic_start: + category: ps_classic_start + product: windows + conditions: + EventID: 400 + rewrite: + product: windows + service: powershell-classic + ps_classic_provider_start: + category: ps_classic_provider_start + product: windows + conditions: + EventID: 600 + rewrite: + product: windows + service: powershell-classic + ps_classic_script: + category: ps_classic_script + product: windows + conditions: + EventID: 800 + rewrite: + product: windows + service: powershell-classic + # target system configurations + windows-application: + product: windows + service: application + sources: + - "WinEventLog:Application" + windows-security: + product: windows + service: security + sources: + - "WinEventLog:Security" + windows-system: + product: windows + service: system + sources: + - "WinEventLog:System" + windows-ntlm: + product: windows + service: ntlm + sources: + - "WinEventLog:Microsoft-Windows-NTLM/Operational" + windows-sysmon: + product: windows + service: sysmon + sources: + - "WinEventLog:Microsoft-Windows-Sysmon/Operational" + windows-powershell: + product: windows + service: powershell + sources: + - "WinEventLog:Microsoft-Windows-PowerShell/Operational" + - "WinEventLog:PowerShellCore/Operational" + windows-classicpowershell: + product: windows + service: powershell-classic + sources: + - "WinEventLog:Windows PowerShell" + windows-taskscheduler: + product: windows + service: taskscheduler + sources: + - 
"WinEventLog:Microsoft-Windows-TaskScheduler/Operational" + windows-wmi: + product: windows + service: wmi + sources: + - "WinEventLog:Microsoft-Windows-WMI-Activity/Operational" + windows-dhcp: + product: windows + service: dhcp + sources: + - "WinEventLog:Microsoft-Windows-DHCP-Server/Operational" + windows-printservice-admin: + product: windows + service: printservice-admin + sources: + - "WinEventLog:Microsoft-Windows-PrintService/Admin" + windows-smbclient-security: + product: windows + service: smbclient-security + sources: + - "WinEventLog:Microsoft-Windows-SmbClient/Security" + windows-printservice-operational: + product: windows + service: printservice-operational + sources: + - "WinEventLog:Microsoft-Windows-PrintService/Operational" + windows-terminalservices-localsessionmanager-operational: + product: windows + service: terminalservices-localsessionmanager + sources: + - 'WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + sources: + - "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational" + windows-applocker: + product: windows + service: applocker + sources: + - 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script' + - 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL' + - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution' + windows-msexchange-management: + product: windows + service: msexchange-management + sources: + - 'WinEventLog:MSExchange Management' + windows-defender: + product: windows + service: windefend + sources: + - 'WinEventLog:Microsoft-Windows-Windows Defender/Operational' + windows-firewall-advanced-security: + product: windows + service: firewall-as + sources: + - 'WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' + windows-bits-client: + product: windows + service: bits-client + sources: + 
- 'WinEventLog:Microsoft-Windows-Bits-Client/Operational' + windows-security-mitigations: + product: windows + service: security-mitigations + sources: + - 'WinEventLog:Microsoft-Windows-Security-Mitigations/Kernel Mode' + - 'WinEventLog:Microsoft-Windows-Security-Mitigations/User Mode' + windows-diagnosis: + product: windows + service: diagnosis-scripted + sources: + - 'WinEventLog:Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + sources: + - 'WinEventLog:Microsoft-Windows-Shell-Core/Operational' + windows-openssh: + product: windows + service: openssh + sources: + - 'WinEventLog:OpenSSH/Operational' + windows-ldap-debug: + product: windows + service: ldap_debug + sources: + - 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug' + windows-bitlocker: + product: windows + service: bitlocker + sources: + - 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management' + windows-vhdmp: + product: windows + service: vhdmp + sources: + - 'WinEventLog:Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + sources: + - 'WinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational' + windows-lsa-server: + product: windows + service: lsa-server + sources: + - 'WinEventLog:Microsoft-Windows-LSA/Operational' + windows-appxpackaging-om: + product: windows + service: appxpackaging-om + sources: + - 'WinEventLog:Microsoft-Windows-AppxPackaging/Operational' + windows-dns-client: + product: windows + service: dns-client + sources: + - 'WinEventLog:Microsoft-Windows-DNS Client Events/Operational' + windows-appmodel-runtime: + product: windows + service: appmodel-runtime + sources: + - 'WinEventLog:Microsoft-Windows-AppModel-Runtime/Admin' + apache: + category: webserver + sources: + - "File:/var/log/apache/*.log" + - "File:/var/log/apache2/*.log" + - "File:/var/log/httpd/*.log" + linux-auth: + product: linux + service: auth + sources: + - 
"File:/var/log/auth.log" + - "File:/var/log/auth.log.?" + linux-syslog: + product: linux + service: syslog + sources: + - "File:/var/log/syslog" + - "File:/var/log/syslog.?" + logfiles: + category: logfile + sources: + - "File:*.log" diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index a9a6398a8..7ec1a3dee 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml 
@@ -1,179 +1,194 @@ title: Elastic Winlogbeat (from 7.x) index pattern and field mapping following Elastic enabled Modules order: 20 backends: - - es-qs - - es-dsl - - es-rule - - es-rule-eql - - es-eql - - kibana - - kibana-ndjson - - xpack-watcher - - elastalert - - elastalert-dsl - - ee-outliers + - es-qs + - es-dsl + - es-rule + - es-rule-eql + - es-eql + - kibana + - kibana-ndjson + - xpack-watcher + - elastalert + - elastalert-dsl + - ee-outliers logsources: - windows: - product: windows - index: winlogbeat-* - windows-application: - product: windows - service: application - conditions: - winlog.channel: Application - windows-security: - product: windows - service: security - conditions: - winlog.channel: Security - windows-system: - product: windows - service: system - conditions: - winlog.channel: System - windows-sysmon: - product: windows - service: sysmon - conditions: - winlog.channel: 'Microsoft-Windows-Sysmon/Operational' - windows-powershell: - product: windows - service: powershell - conditions: - winlog.channel: - - 'Microsoft-Windows-PowerShell/Operational' - - 'PowerShellCore/Operational' - windows-classicpowershell: - product: windows - service: powershell-classic - conditions: - winlog.channel: 'Windows PowerShell' - windows-dns-server: - product: windows - service: dns-server - conditions: - winlog.channel: 'DNS Server' - windows-driver-framework: - product: windows - service: driver-framework - conditions: - winlog.channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' - windows-dhcp: - product: windows - service: dhcp - conditions: - winlog.channel: 'Microsoft-Windows-DHCP-Server/Operational' - windows-ntlm: - product: windows - service: ntlm - conditions: - winlog.channel: 'Microsoft-Windows-NTLM/Operational' - windows-defender: - product: windows - service: windefend - conditions: - winlog.channel: 'Microsoft-Windows-Windows Defender/Operational' - windows-printservice-admin: - product: windows - service: printservice-admin - 
conditions: - winlog.channel: 'Microsoft-Windows-PrintService/Admin' - windows-printservice-operational: - product: windows - service: printservice-operational - conditions: - winlog.channel: 'Microsoft-Windows-PrintService/Operational' - windows-terminalservices-localsessionmanager-operational: - product: windows - service: terminalservices-localsessionmanager - conditions: - winlog.channel: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' - windows-codeintegrity-operational: - product: windows - service: codeintegrity-operational - conditions: - winlog.channel: 'Microsoft-Windows-CodeIntegrity/Operational' - windows-smbclient-security: - product: windows - service: smbclient-security - conditions: - winlog.channel: 'Microsoft-Windows-SmbClient/Security' - windows-applocker: - product: windows - service: applocker - conditions: - winlog.channel: - - 'Microsoft-Windows-AppLocker/MSI and Script' - - 'Microsoft-Windows-AppLocker/EXE and DLL' - - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' - - 'Microsoft-Windows-AppLocker/Packaged app-Execution' - windows-msexchange-management: - product: windows - service: msexchange-management - conditions: - winlog.channel: 'MSExchange Management' - microsoft-servicebus-client: - product: windows - service: microsoft-servicebus-client - conditions: - winlog.channel: 'Microsoft-ServiceBus-Client' - windows-firewall-advanced-security: - product: windows - service: firewall-as - conditions: - winlog.channel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' - windows-bits-client: - product: windows - service: bits-client - conditions: - winlog.channel: 'Microsoft-Windows-Bits-Client/Operational' - windows-security-mitigations: - product: windows - service: security-mitigations - conditions: - winlog.channel: - - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' - - 'Microsoft-Windows-Security-Mitigations/User Mode' - windows-diagnosis: - product: windows - service: diagnosis-scripted 
- conditions: - winlog.channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational' - windows-shell-core: - product: windows - service: shell-core - conditions: - winlog.channel: 'Microsoft-Windows-Shell-Core/Operational' - windows-openssh: - product: windows - service: openssh - conditions: - winlog.channel: 'OpenSSH/Operational' - windows-ldap-debug: - product: windows - service: ldap_debug - conditions: - winlog.channel: 'Microsoft-Windows-LDAP-Client/Debug' - windows-bitlocker: - product: windows - service: bitlocker - conditions: - winlog.channel: 'Microsoft-Windows-BitLocker/BitLocker Management' - windows-vhdmp-operational: - product: windows - service: vhdmp - conditions: - winlog_channel: 'Microsoft-Windows-VHDMP/Operational' - windows-appxdeployment-server: - product: windows - service: appxdeployment-server - conditions: - winlog_channel: 'Microsoft-Windows-AppXDeploymentServer/Operational' - windows-lsa-server: - product: windows - service: lsa-server - conditions: - winlog_channel: 'Microsoft-Windows-LSA/Operational' + windows: + product: windows + index: winlogbeat-* + windows-application: + product: windows + service: application + conditions: + winlog.channel: Application + windows-security: + product: windows + service: security + conditions: + winlog.channel: Security + windows-system: + product: windows + service: system + conditions: + winlog.channel: System + windows-sysmon: + product: windows + service: sysmon + conditions: + winlog.channel: 'Microsoft-Windows-Sysmon/Operational' + windows-powershell: + product: windows + service: powershell + conditions: + winlog.channel: + - 'Microsoft-Windows-PowerShell/Operational' + - 'PowerShellCore/Operational' + windows-classicpowershell: + product: windows + service: powershell-classic + conditions: + winlog.channel: 'Windows PowerShell' + windows-dns-server: + product: windows + service: dns-server + conditions: + winlog.channel: 'DNS Server' + windows-driver-framework: + product: windows + service: 
driver-framework + conditions: + winlog.channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' + windows-dhcp: + product: windows + service: dhcp + conditions: + winlog.channel: 'Microsoft-Windows-DHCP-Server/Operational' + windows-ntlm: + product: windows + service: ntlm + conditions: + winlog.channel: 'Microsoft-Windows-NTLM/Operational' + windows-defender: + product: windows + service: windefend + conditions: + winlog.channel: 'Microsoft-Windows-Windows Defender/Operational' + windows-printservice-admin: + product: windows + service: printservice-admin + conditions: + winlog.channel: 'Microsoft-Windows-PrintService/Admin' + windows-printservice-operational: + product: windows + service: printservice-operational + conditions: + winlog.channel: 'Microsoft-Windows-PrintService/Operational' + windows-terminalservices-localsessionmanager-operational: + product: windows + service: terminalservices-localsessionmanager + conditions: + winlog.channel: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' + windows-codeintegrity-operational: + product: windows + service: codeintegrity-operational + conditions: + winlog.channel: 'Microsoft-Windows-CodeIntegrity/Operational' + windows-smbclient-security: + product: windows + service: smbclient-security + conditions: + winlog.channel: 'Microsoft-Windows-SmbClient/Security' + windows-applocker: + product: windows + service: applocker + conditions: + winlog.channel: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' + windows-msexchange-management: + product: windows + service: msexchange-management + conditions: + winlog.channel: 'MSExchange Management' + microsoft-servicebus-client: + product: windows + service: microsoft-servicebus-client + conditions: + winlog.channel: 'Microsoft-ServiceBus-Client' + windows-firewall-advanced-security: + 
product: windows + service: firewall-as + conditions: + winlog.channel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' + windows-bits-client: + product: windows + service: bits-client + conditions: + winlog.channel: 'Microsoft-Windows-Bits-Client/Operational' + windows-security-mitigations: + product: windows + service: security-mitigations + conditions: + winlog.channel: + - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' + - 'Microsoft-Windows-Security-Mitigations/User Mode' + windows-diagnosis: + product: windows + service: diagnosis-scripted + conditions: + winlog.channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + conditions: + winlog.channel: 'Microsoft-Windows-Shell-Core/Operational' + windows-openssh: + product: windows + service: openssh + conditions: + winlog.channel: 'OpenSSH/Operational' + windows-ldap-debug: + product: windows + service: ldap_debug + conditions: + winlog.channel: 'Microsoft-Windows-LDAP-Client/Debug' + windows-bitlocker: + product: windows + service: bitlocker + conditions: + winlog.channel: 'Microsoft-Windows-BitLocker/BitLocker Management' + windows-vhdmp-operational: + product: windows + service: vhdmp + conditions: + winlog_channel: 'Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + winlog_channel: 'Microsoft-Windows-AppXDeploymentServer/Operational' + windows-lsa-server: + product: windows + service: lsa-server + conditions: + winlog_channel: 'Microsoft-Windows-LSA/Operational' + windows-appxpackaging-om: + product: windows + service: appxpackaging-om + conditions: + winlog_channel: 'Microsoft-Windows-AppxPackaging/Operational' + windows-dns-client: + product: windows + service: dns-client + conditions: + winlog_channel: 'Microsoft-Windows-DNS Client Events/Operational' + windows-appmodel-runtime: + product: windows + service: appmodel-runtime + 
conditions:
+ winlog_channel: 'Microsoft-Windows-AppModel-Runtime/Admin'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
@@ -215,7 +230,7 @@ fieldmappings:
 default: winlog.event_data.ErrorCode
 FilePath: winlog.event_data.FilePath
 # Filename => category: antivirus
- Filename: winlog.event_data.Filename
+ Filename: winlog.event_data.Filename
 LDAPDisplayName: winlog.event_data.LDAPDisplayName
 # Level => Source: MSExchange Control Panel EventID: 4
 Level: winlog.event_data.Level
@@ -229,7 +244,7 @@ fieldmappings:
 ProcessGuid: process.entity_id
 ProcessId: process.pid
 Image: process.executable
- FileVersion:
+ FileVersion:
 category=process_creation: process.pe.file_version
 category=image_load: file.pe.file_version
 default: winlog.event_data.FileVersion
@@ -242,15 +257,15 @@ fieldmappings:
 category=process_creation: process.pe.product
 category=image_load: file.pe.product
 default: winlog.event_data.Product
- Company:
+ Company:
 category=process_creation: process.pe.company
 category=image_load: file.pe.company
 default: winlog.event_data.Company
- OriginalFileName:
+ OriginalFileName:
 category=process_creation: process.pe.original_file_name
 category=image_load: file.pe.original_file_name
 default: winlog.event_data.OriginalFileName
- CommandLine:
+ CommandLine:
 category=process_creation: process.command_line
 service=security: process.command_line
 service=powershell-classic: powershell.command.value
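Review bot: The new `windows-appxpackaging-om`, `windows-dns-client` and `windows-appmodel-runtime` entries at the end of this hunk (and the `windows-vhdmp-operational`, `windows-appxdeployment-server` and `windows-lsa-server` entries they follow) key their condition on `winlog_channel:`, while every other logsource in the file uses `winlog.channel:`. Winlogbeat 7.x indexes the channel name as `winlog.channel`, so a rule for one of these services would be converted into a filter on a field that is never populated and would silently match nothing, a detection gap rather than a conversion error. The fix is to change those six lines to `winlog.channel: '<channel name>'`; the three entries added to tools/config/winlogbeat.yml in its `@@ -163,6 +163,21 @@` hunk appear to carry the same `winlog_channel:` key and should be checked the same way. Separately, the unchanged context lines under `Signature:` in the `@@ -291,7 +306,7 @@` hunk use `category=driver_loaded` and `category=image_loaded`, which do not match the `driver_load` and `image_load` category names used by `Imphash:` in the `@@ -347,7 +362,7 @@` hunk, so those two branches can never be selected and the mapping always falls through to its default.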
@@ -270,10 +285,10 @@ fieldmappings:
 TargetFilename: file.path
 CreationUtcTime: winlog.event_data.CreationUtcTime
 PreviousCreationUtcTime: winlog.event_data.PreviousCreationUtcTime
- Protocol:
+ Protocol:
 category=network_connection: network.transport
 default: winlog.event_data.Protocol
- Initiated:
+ Initiated:
 category=network_connection: network.direction
 default: winlog.event_data.Initiated
 #SourceIsIpv6: winlog.event_data.SourceIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279
@@ -291,7 +306,7 @@ fieldmappings:
 SchemaVersion: winlog.event_data.SchemaVersion
 ImageLoaded: file.path
 Signed: file.code_signature.signed
- Signature:
+ Signature:
 category=driver_loaded: file.code_signature.subject_name
 category=image_loaded: file.code_signature.subject_name
 default: winlog.event_data.Signature
@@ -347,7 +362,7 @@ fieldmappings:
 category=driver_load: hash.sha256
 category=image_load: file.hash.sha256
 default: process.hash.sha256
- Imphash:
+ Imphash:
 category=driver_load: hash.imphash
 category=image_load: file.hash.imphash
 default: process.pe.imphash
@@ -357,7 +372,7 @@ fieldmappings:
 CommandName: powershell.command.name
 CommandPath: powershell.command.path
 CommandType: powershell.command.type
- EngineVersion:
+ EngineVersion:
 service=powershell-classic: powershell.engine.version
 service=windefend: winlog.event_data.Engine\ Version
 default: winlog.event_data.EngineVersion
@@ -630,4 +645,3 @@ fieldmappings:
 ApplicationPath: winlog.event_data.ApplicationPath
 ModifyingApplication: winlog.event_data.ModifyingApplication
 Action: winlog.event_data.Action
-
diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml
index 8154dea1b..8c0a81c60 100644
--- a/tools/config/winlogbeat-old.yml
+++ b/tools/config/winlogbeat-old.yml
@@ -1,214 +1,229 @@ title: Elastic Winlogbeat (<=6.x) index pattern and field mapping order: 20 backends: - - es-qs - - es-dsl - - es-rule - - kibana - - kibana-ndjson - - xpack-watcher - - elastalert - - elastalert-dsl - - ee-outliers + - es-qs + - es-dsl + - es-rule + - kibana + - kibana-ndjson + - xpack-watcher + - elastalert + - elastalert-dsl + - ee-outliers logsources: - windows: - product: windows - index: winlogbeat-* - windows-application: - product: windows - service: application - conditions: - log_name: Application - windows-security: - product: windows - service: security - conditions: - log_name: Security - windows-system: - product: windows - service: system - conditions: - winlog.channel: System - windows-sysmon: - product: windows - service: sysmon - conditions: - log_name: 'Microsoft-Windows-Sysmon/Operational' - windows-powershell: - product: windows - service: powershell - conditions: - winlog.channel: - - 'Microsoft-Windows-PowerShell/Operational' - - 'PowerShellCore/Operational' - windows-classicpowershell: - product: windows - service: powershell-classic - conditions: - winlog.channel: 'Windows PowerShell' - windows-dns-server: - product: windows - service: dns-server - conditions: - log_name: 'DNS Server' - windows-driver-framework: - product: windows - service: driver-framework - conditions: - log_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' - windows-dhcp: - product: windows - service: dhcp - conditions: - log_name: 'Microsoft-Windows-DHCP-Server/Operational' - windows-ntlm: - product: windows - service: ntlm - conditions: - log_name: 'Microsoft-Windows-NTLM/Operational' - windows-defender: - product: windows - service: windefend - conditions: - log_name: 'Microsoft-Windows-Windows Defender/Operational' - windows-applocker: - product: windows - service: applocker - conditions: - log_name: - - 'Microsoft-Windows-AppLocker/MSI and Script' - - 'Microsoft-Windows-AppLocker/EXE and DLL' - - 
'Microsoft-Windows-AppLocker/Packaged app-Deployment' - - 'Microsoft-Windows-AppLocker/Packaged app-Execution' - windows-firewall-advanced-security: - product: windows - service: firewall-as - conditions: - log_name: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' - windows-bits-client: - product: windows - service: bits-client - conditions: - log_name: 'Microsoft-Windows-Bits-Client/Operational' - windows-security-mitigations: - product: windows - service: security-mitigations - conditions: - log_name: - - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' - - 'Microsoft-Windows-Security-Mitigations/User Mode' - windows-diagnosis: - product: windows - service: diagnosis-scripted - conditions: - log_name: 'Microsoft-Windows-Diagnosis-Scripted/Operational' - windows-shell-core: - product: windows - service: shell-core - conditions: - log_name: 'Microsoft-Windows-Shell-Core/Operational' - windows-openssh: - product: windows - service: openssh - conditions: - log_name: 'OpenSSH/Operational' - windows-ldap-debug: - product: windows - service: ldap_debug - conditions: - log_name: 'Microsoft-Windows-LDAP-Client/Debug' - windows-bitlocker: - product: windows - service: bitlocker - conditions: - log_name: 'Microsoft-Windows-BitLocker/BitLocker Management' - windows-vhdmp-operational: - product: windows - service: vhdmp - conditions: - log_name: 'Microsoft-Windows-VHDMP/Operational' - windows-appxdeployment-server: - product: windows - service: appxdeployment-server - conditions: - log_name: 'Microsoft-Windows-AppXDeploymentServer/Operational' - windows-lsa-server: - product: windows - service: lsa-server - conditions: - log_name: 'Microsoft-Windows-LSA/Operational' + windows: + product: windows + index: winlogbeat-* + windows-application: + product: windows + service: application + conditions: + log_name: Application + windows-security: + product: windows + service: security + conditions: + log_name: Security + windows-system: + product: windows + 
service: system + conditions: + winlog.channel: System + windows-sysmon: + product: windows + service: sysmon + conditions: + log_name: 'Microsoft-Windows-Sysmon/Operational' + windows-powershell: + product: windows + service: powershell + conditions: + winlog.channel: + - 'Microsoft-Windows-PowerShell/Operational' + - 'PowerShellCore/Operational' + windows-classicpowershell: + product: windows + service: powershell-classic + conditions: + winlog.channel: 'Windows PowerShell' + windows-dns-server: + product: windows + service: dns-server + conditions: + log_name: 'DNS Server' + windows-driver-framework: + product: windows + service: driver-framework + conditions: + log_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' + windows-dhcp: + product: windows + service: dhcp + conditions: + log_name: 'Microsoft-Windows-DHCP-Server/Operational' + windows-ntlm: + product: windows + service: ntlm + conditions: + log_name: 'Microsoft-Windows-NTLM/Operational' + windows-defender: + product: windows + service: windefend + conditions: + log_name: 'Microsoft-Windows-Windows Defender/Operational' + windows-applocker: + product: windows + service: applocker + conditions: + log_name: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' + windows-firewall-advanced-security: + product: windows + service: firewall-as + conditions: + log_name: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' + windows-bits-client: + product: windows + service: bits-client + conditions: + log_name: 'Microsoft-Windows-Bits-Client/Operational' + windows-security-mitigations: + product: windows + service: security-mitigations + conditions: + log_name: + - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' + - 'Microsoft-Windows-Security-Mitigations/User Mode' + windows-diagnosis: + product: windows + service: 
diagnosis-scripted + conditions: + log_name: 'Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + conditions: + log_name: 'Microsoft-Windows-Shell-Core/Operational' + windows-openssh: + product: windows + service: openssh + conditions: + log_name: 'OpenSSH/Operational' + windows-ldap-debug: + product: windows + service: ldap_debug + conditions: + log_name: 'Microsoft-Windows-LDAP-Client/Debug' + windows-bitlocker: + product: windows + service: bitlocker + conditions: + log_name: 'Microsoft-Windows-BitLocker/BitLocker Management' + windows-vhdmp-operational: + product: windows + service: vhdmp + conditions: + log_name: 'Microsoft-Windows-VHDMP/Operational' + windows-appxdeployment-server: + product: windows + service: appxdeployment-server + conditions: + log_name: 'Microsoft-Windows-AppXDeploymentServer/Operational' + windows-lsa-server: + product: windows + service: lsa-server + conditions: + log_name: 'Microsoft-Windows-LSA/Operational' + windows-appxpackaging-om: + product: windows + service: appxpackaging-om + conditions: + log_name: 'Microsoft-Windows-AppxPackaging/Operational' + windows-dns-client: + product: windows + service: dns-client + conditions: + log_name: 'Microsoft-Windows-DNS Client Events/Operational' + windows-appmodel-runtime: + product: windows + service: appmodel-runtime + conditions: + log_name: 'Microsoft-Windows-AppModel-Runtime/Admin' defaultindex: winlogbeat-* # Extract all field names with yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g' # Keep EventID! Clean up the list afterwards! 
fieldmappings: - EventID: event_id - AccessMask: event_data.AccessMask - AccountName: event_data.AccountName - AllowedToDelegateTo: event_data.AllowedToDelegateTo - AttributeLDAPDisplayName: event_data.AttributeLDAPDisplayName - AuditPolicyChanges: event_data.AuditPolicyChanges - AuthenticationPackageName: event_data.AuthenticationPackageName - CallingProcessName: event_data.CallingProcessName - CallTrace: event_data.CallTrace - Channel: winlog.channel - CommandLine: event_data.CommandLine - ComputerName: event_data.ComputerName - CurrentDirectory: event_data.CurrentDirectory - Description: event_data.Description - DestinationHostname: event_data.DestinationHostname - DestinationIp: event_data.DestinationIp - DestinationIsIpv6: event_data.DestinationIsIpv6 - DestinationPort: event_data.DestinationPort - Details: event_data.Details - EngineVersion: event_data.EngineVersion - EventType: event_data.EventType - FailureCode: event_data.FailureCode - FileName: event_data.FileName - GrantedAccess: event_data.GrantedAccess - GroupName: event_data.GroupName - GroupSid: event_data.GroupSid - Hashes: event_data.Hashes - HiveName: event_data.HiveName - HostVersion: event_data.HostVersion - Image: event_data.Image - ImageLoaded: event_data.ImageLoaded - ImagePath: event_data.ImagePath - Imphash: event_data.Imphash - IpAddress: event_data.IpAddress - KeyLength: event_data.KeyLength - LogonProcessName: event_data.LogonProcessName - LogonType: event_data.LogonType - NewProcessName: event_data.NewProcessName - ObjectClass: event_data.ObjectClass - ObjectName: event_data.ObjectName - ObjectType: event_data.ObjectType - ObjectValueName: event_data.ObjectValueName - ParentCommandLine: event_data.ParentCommandLine - ParentProcessName: event_data.ParentProcessName - ParentImage: event_data.ParentImage - Path: event_data.Path - PipeName: event_data.PipeName - ProcessCommandLine: event_data.ProcessCommandLine - ProcessName: event_data.ProcessName - Product: event_data.Product - 
Properties: event_data.Properties - ScriptBlockText: winlog.event_data.ScriptBlockText - SecurityID: event_data.SecurityID - ServiceFileName: event_data.ServiceFileName - ServiceName: event_data.ServiceName - ShareName: event_data.ShareName - Signature: event_data.Signature - Source: event_data.Source - SourceImage: event_data.SourceImage - StartModule: event_data.StartModule - Status: event_data.Status - SubjectUserName: event_data.SubjectUserName - SubjectUserSid: event_data.SubjectUserSid - TargetFilename: event_data.TargetFilename - TargetImage: event_data.TargetImage - TargetObject: event_data.TargetObject - TicketEncryptionType: event_data.TicketEncryptionType - TicketOptions: event_data.TicketOptions - User: event_data.User - WorkstationName: event_data.WorkstationName + EventID: event_id + AccessMask: event_data.AccessMask + AccountName: event_data.AccountName + AllowedToDelegateTo: event_data.AllowedToDelegateTo + AttributeLDAPDisplayName: event_data.AttributeLDAPDisplayName + AuditPolicyChanges: event_data.AuditPolicyChanges + AuthenticationPackageName: event_data.AuthenticationPackageName + CallingProcessName: event_data.CallingProcessName + CallTrace: event_data.CallTrace + Channel: winlog.channel + CommandLine: event_data.CommandLine + ComputerName: event_data.ComputerName + CurrentDirectory: event_data.CurrentDirectory + Description: event_data.Description + DestinationHostname: event_data.DestinationHostname + DestinationIp: event_data.DestinationIp + DestinationIsIpv6: event_data.DestinationIsIpv6 + DestinationPort: event_data.DestinationPort + Details: event_data.Details + EngineVersion: event_data.EngineVersion + EventType: event_data.EventType + FailureCode: event_data.FailureCode + FileName: event_data.FileName + GrantedAccess: event_data.GrantedAccess + GroupName: event_data.GroupName + GroupSid: event_data.GroupSid + Hashes: event_data.Hashes + HiveName: event_data.HiveName + HostVersion: event_data.HostVersion + Image: event_data.Image + 
ImageLoaded: event_data.ImageLoaded + ImagePath: event_data.ImagePath + Imphash: event_data.Imphash + IpAddress: event_data.IpAddress + KeyLength: event_data.KeyLength + LogonProcessName: event_data.LogonProcessName + LogonType: event_data.LogonType + NewProcessName: event_data.NewProcessName + ObjectClass: event_data.ObjectClass + ObjectName: event_data.ObjectName + ObjectType: event_data.ObjectType + ObjectValueName: event_data.ObjectValueName + ParentCommandLine: event_data.ParentCommandLine + ParentProcessName: event_data.ParentProcessName + ParentImage: event_data.ParentImage + Path: event_data.Path + PipeName: event_data.PipeName + ProcessCommandLine: event_data.ProcessCommandLine + ProcessName: event_data.ProcessName + Product: event_data.Product + Properties: event_data.Properties + ScriptBlockText: winlog.event_data.ScriptBlockText + SecurityID: event_data.SecurityID + ServiceFileName: event_data.ServiceFileName + ServiceName: event_data.ServiceName + ShareName: event_data.ShareName + Signature: event_data.Signature + Source: event_data.Source + SourceImage: event_data.SourceImage + StartModule: event_data.StartModule + Status: event_data.Status + SubjectUserName: event_data.SubjectUserName + SubjectUserSid: event_data.SubjectUserSid + TargetFilename: event_data.TargetFilename + TargetImage: event_data.TargetImage + TargetObject: event_data.TargetObject + TicketEncryptionType: event_data.TicketEncryptionType + TicketOptions: event_data.TicketOptions + User: event_data.User + WorkstationName: event_data.WorkstationName diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml index b7b9a5f5c..0fbbae00c 100644 --- a/tools/config/winlogbeat.yml +++ b/tools/config/winlogbeat.yml 
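Review bot: This file is titled for Winlogbeat <=6.x and keys most logsources on `log_name:`, but `windows-system`, `windows-powershell` and `windows-classicpowershell` use `winlog.channel:`, and in `fieldmappings` `Channel: winlog.channel` and `ScriptBlockText: winlog.event_data.ScriptBlockText` use the 7.x nested layout while every other mapping is flat `event_data.*`. If the pre-7 flat schema is what this file targets, those keys are never populated, so rules scoped to the System or PowerShell channels, or matching on ScriptBlockText, would be converted into queries that match nothing. The re-indentation was a chance to make them consistent, e.g. `log_name: System`, `log_name: 'Windows PowerShell'` and `ScriptBlockText: event_data.ScriptBlockText`; `Channel` presumably maps to `log_name` as well, but confirm against the 6.x document layout before changing it.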
@@ -1,16 +1,16 @@
 title: Elastic Winlogbeat (from 7.x) index pattern and field mapping
 order: 20
 backends:
- - es-qs
- - es-dsl
- - es-rule
- - kibana
- - kibana-ndjson
- - xpack-watcher
- - elastalert
- - elastalert-dsl
- - ee-outliers
- - opensearch-monitor
+ - es-qs
+ - es-dsl
+ - es-rule
+ - kibana
+ - kibana-ndjson
+ - xpack-watcher
+ - elastalert
+ - elastalert-dsl
+ - ee-outliers
+ - opensearch-monitor
 logsources:
 windows:
 product: windows
@@ -163,6 +163,21 @@ logsources:
 service: lsa-server
 conditions:
 winlog_channel: 'Microsoft-Windows-LSA/Operational'
+ windows-appxpackaging-om:
+ product: windows
+ service: appxpackaging-om
+ conditions:
+ winlog_channel: 'Microsoft-Windows-AppxPackaging/Operational'
+ windows-dns-client:
+ product: windows
+ service: dns-client
+ conditions:
+ winlog_channel: 'Microsoft-Windows-DNS Client Events/Operational'
+ windows-appmodel-runtime:
+ product: windows
+ service: appmodel-runtime
+ conditions:
+ winlog_channel: 'Microsoft-Windows-AppModel-Runtime/Admin'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
diff --git a/tools/config/zircolite.yml b/tools/config/zircolite.yml
index b93527f5f..e1fa9f60d 100644
--- a/tools/config/zircolite.yml
+++ b/tools/config/zircolite.yml
@@ -128,4 +128,19 @@ logsources:
 product: windows
 service: lsa-server
 conditions:
- Channel: 'Microsoft-Windows-LSA/Operational'
\ No newline at end of file
+ Channel: 'Microsoft-Windows-LSA/Operational'
+ windows-appxpackaging-om:
+ product: windows
+ service: appxpackaging-om
+ conditions:
+ Channel: 'Microsoft-Windows-AppxPackaging/Operational'
+ windows-dns-client:
+ product: windows
+ service: dns-client
+ conditions:
+ Channel: 'Microsoft-Windows-DNS Client Events/Operational'
+ windows-appmodel-runtime:
+ product: windows
+ service: appmodel-runtime
+ conditions:
+ Channel: 'Microsoft-Windows-AppModel-Runtime/Admin'