From e8b956f575c0af942d20ee3a6b951f52c04d3baa Mon Sep 17 00:00:00 2001 From: vh Date: Wed, 20 May 2020 12:35:00 +0300 Subject: [PATCH] Updated config --- tools/config/arcsight-zeek.yml | 135 ++++- tools/config/arcsight.yml | 130 ++++- tools/config/ecs-proxy.yml | 49 +- tools/config/ecs-zeek-corelight.yml | 356 ++++++++----- tools/config/humio.yml | 536 +++++++++++++++++++- tools/config/logstash-zeek-default-json.yml | 140 ++++- tools/config/qradar.yml | 140 +++-- tools/config/splunk-zeek.yml | 24 +- tools/config/winlogbeat-modules-enabled.yml | 1 - tools/config/winlogbeat-old.yml | 5 +- tools/config/winlogbeat.yml | 22 +- 11 files changed, 1324 insertions(+), 214 deletions(-) diff --git a/tools/config/arcsight-zeek.yml b/tools/config/arcsight-zeek.yml index e27316b45..f902641dd 100644 --- a/tools/config/arcsight-zeek.yml +++ b/tools/config/arcsight-zeek.yml @@ -15,12 +15,14 @@ logsources: service: syslog zeek-category-firewall: category: firewall - conditions: - deviceEventCategory: conn + rewrite: + product: zeek + service: conn zeek-category-dns: category: dns - conditions: - deviceEventCategory: dns + rewrite: + product: zeek + service: dns zeek-category-proxy: category: proxy rewrite: @@ -28,8 +30,6 @@ logsources: service: http zeek-category-webserver: category: webserver - conditions: - deviceEventCategory: http rewrite: product: zeek service: http @@ -321,7 +321,6 @@ fieldmappings: - destinationDnsDomain - destinationHost # All Logs Applied Mapping & Taxonomy - clientip: sourceAddress dst: destinationAddress dst_ip: destinationAddress dst_port: destinationPort @@ -499,7 +498,7 @@ fieldmappings: #service=socks: status_msg: - 'message' - #subject: + subject: - 'message' #service=known_certs: #service=sip: 
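Review bot: The firewall and dns category logsources in the first hunk now carry only a `rewrite` to product zeek / service conn or dns and no `conditions`, so the `deviceEventCategory` filter the removed lines supplied has to come from a `zeek-conn`/`zeek-dns` logsource that lies outside this hunk; if no such logsource defines one, rules in those categories convert without any event-type restriction. It would help to confirm that matching `zeek-conn` and `zeek-dns` entries exist in this file and to record the dependency above the category entries, e.g. `# event-type conditions come from the zeek-<service> logsource the rewrite targets`. The same pattern is applied in the logsource hunks of ecs-zeek-corelight.yml and logstash-zeek-default-json.yml further down.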
@@ -1050,4 +1049,122 @@ fieldmappings: - sourceAddress san.uri: - requestUrl - - requestUrlQuery \ No newline at end of file + - requestUrlQuery + # Few other variations of names from zeek source itself + id_orig_h: sourceAddress + id_orig_p: sourcePort + id_resp_h: destinationAddress + id_resp_p: destinationPort + # Temporary one off rule name fields + cs-uri: requestUrl + destination.domain: + destination.ip: destinationAddress + destination.port: destinationPort + http.response.status_code: deviceSeverity + #http.request.body.content + source.domain: + #sourceAddress: #TONOTE: is arcsight + source.port: sourcePort + agent.version: deviceCustomString2 + c-ip: sourceAddress + clientip: sourceAddress + clientIP: sourceAddress + dest_domain: + - url.domain + dest_ip: destinationAddress + dest_port: destinationPort + #TODO:WhatShouldThisBe?==dest: + #TODO:WhatShouldThisBe?==destination: + #TODO:WhatShouldThisBe?==Destination: + destination.hostname: destinationHostName + #DestinationAddress: #TONOTE: is arcsight + #DestinationHostname: #TONOTE: is arcsight + DestinationIp: destinationAddress + DestinationIP: destinationAddress + DestinationPort: destinationPort + dst-ip: destinationAddress + dstip: destinationAddress + dstport: destinationPort + Host: requestHost + #host: + HostVersion: deviceCustomString2 + http_host: destinationHostName + http_uri: requestUrl + http_url: requestUrl + http_user_agent: + - deviceCustomString5 + - requestClientApplication + http.request.url-query-params: + - requestUrl + - requestUrlQuery + HttpMethod: requestMethod + in_url: requestUrl + #parent_domain: + # - url.registered_domain + # - destination.registered_domain + post_url_parameter: requestUrl + Request Url: requestUrl + request_url: requestUrl + request_URL: requestUrl + RequestUrl: requestUrl + #response: http.response.status_code + resource.url: requestUrl + resource.URL: requestUrl + sc_status: deviceSeverity + sender_domain: message + service.response_code: deviceSeverity + 
SourceAddr: sourceAddress + SourceAddress: sourceAddress + SourceIP: sourceAddress + SourceIp: sourceAddress + SourceNetworkAddress: + - source.address + - sourceAddress + SourcePort: sourcePort + srcip: sourceAddress + Status: deviceSeverity + #status: deviceSeverity + url: requestUrl + URL: requestUrl + url_query: + - requestUrl + - requestUrlQuery + url.query: + - requestUrl + - requestUrlQuery + uri_path: requestUrl + #user_agent: user_agent.original + user_agent.name: + - deviceCustomString5 + - requestClientApplication + user-agent: + - deviceCustomString5 + - requestClientApplication + User-Agent: + - deviceCustomString5 + - requestClientApplication + useragent: + - deviceCustomString5 + - requestClientApplication + UserAgent: + - deviceCustomString5 + - requestClientApplication + User Agent: + - deviceCustomString5 + - requestClientApplication + web_dest: destinationHostName + web.dest: destinationHostName + Web.dest: destinationHostName + web.host: destinationHostName + Web.host: destinationHostName + web_method: requestMethod + Web_method: requestMethod + web.method: requestMethod + Web.method: requestMethod + web_src: sourceAddress + web_status: deviceSeverity + Web_status: deviceSeverity + web.status: deviceSeverity + Web.status: deviceSeverity + web_uri: requestUrl + web_url: requestUrl \ No newline at end of file diff --git a/tools/config/arcsight.yml b/tools/config/arcsight.yml index f6a9bc537..d9dd1d7b7 100644 --- a/tools/config/arcsight.yml +++ b/tools/config/arcsight.yml 
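Review bot: `destination.domain:` and `source.domain:` are added with no value, which YAML loads as null, so a rule using either field gets a null target instead of an ArcSight field name and the generated query either carries that through or the converter fails on it; give them a target or comment them out like the neighbouring `#http.request.body.content`. Two entries also point at ECS names rather than ArcSight extension keys: `dest_domain: - url.domain` and the `source.address` item under `SourceNetworkAddress`, which an ArcSight event will not carry, so those lookups cannot match. `Host: requestHost` is worth a check as well, since `requestHost` appears nowhere else in the visible hunks and the rest of the block uses `destinationHostName` for host-like fields. The empty-value problem recurs with `destination.domain:` in the second ecs-proxy.yml hunk.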
@@ -349,4 +349,132 @@ fieldmappings: keywords: - deviceCustomString1 ScriptBlockText: - - deviceCustomString1 \ No newline at end of file + - deviceCustomString1 + AccessMask: deviceCustomString1 + AccountName: deviceCustomString1 + AllowedToDelegateTo: deviceCustomString1 + AttributeLDAPDisplayName: deviceCustomString1 + AuditPolicyChanges: deviceCustomString1 + AuthenticationPackageName: deviceCustomString1 + CallingProcessName: deviceCustomString1 + Command: deviceCustomString1 + Command_Line: deviceCustomString1 + ComputerName: deviceCustomString1 + destination.domain: deviceCustomString1 + DestinationIP: deviceCustomString1 + EngineVersion: deviceCustomString1 + Event: deviceCustomString1 + event.category: deviceCustomString1 + event.raw: deviceCustomString1 + event_data.AccessMask: deviceCustomString1 + event_data.AccountName: deviceCustomString1 + event_data.AllowedToDelegateTo: deviceCustomString1 + event_data.AttributeLDAPDisplayName: deviceCustomString1 + event_data.AuditPolicyChanges: deviceCustomString1 + event_data.AuthenticationPackageName: deviceCustomString1 + event_data.CallingProcessName: deviceCustomString1 + event_data.CallTrace: deviceCustomString1 + event_data.CommandLine: deviceCustomString1 + event_data.ComputerName: deviceCustomString1 + event_data.CurrentDirectory: deviceCustomString1 + event_data.Description: deviceCustomString1 + event_data.DestinationHostname: deviceCustomString1 + event_data.DestinationIp: deviceCustomString1 + event_data.DestinationIsIpv6: deviceCustomString1 + event_data.DestinationPort: deviceCustomString1 + event_data.Details: deviceCustomString1 + event_data.EngineVersion: deviceCustomString1 + event_data.EventType: deviceCustomString1 + event_data.FailureCode: deviceCustomString1 + event_data.FileName: deviceCustomString1 + event_data.GrantedAccess: deviceCustomString1 + event_data.GroupName: deviceCustomString1 + event_data.GroupSid: deviceCustomString1 + event_data.Hashes: deviceCustomString1 + 
event_data.HiveName: deviceCustomString1 + event_data.HostVersion: deviceCustomString1 + event_data.Image: deviceCustomString1 + event_data.ImageLoaded: deviceCustomString1 + event_data.ImagePath: deviceCustomString1 + event_data.Imphash: deviceCustomString1 + event_data.IpAddress: deviceCustomString1 + event_data.KeyLength: deviceCustomString1 + event_data.LogonProcessName: deviceCustomString1 + event_data.LogonType: deviceCustomString1 + event_data.NewProcessName: deviceCustomString1 + event_data.ObjectClass: deviceCustomString1 + event_data.ObjectName: deviceCustomString1 + event_data.ObjectType: deviceCustomString1 + event_data.ObjectValueName: deviceCustomString1 + event_data.ParentCommandLine: deviceCustomString1 + event_data.ParentImage: deviceCustomString1 + event_data.ParentProcessName: deviceCustomString1 + event_data.Path: deviceCustomString1 + event_data.PipeName: deviceCustomString1 + event_data.ProcessCommandLine: deviceCustomString1 + event_data.ProcessName: deviceCustomString1 + event_data.Properties: deviceCustomString1 + event_data.SecurityID: deviceCustomString1 + event_data.ServiceFileName: deviceCustomString1 + event_data.ServiceName: deviceCustomString1 + event_data.ShareName: deviceCustomString1 + event_data.Signature: deviceCustomString1 + event_data.Source: deviceCustomString1 + event_data.SourceImage: deviceCustomString1 + event_data.StartModule: deviceCustomString1 + event_data.Status: deviceCustomString1 + event_data.SubjectUserName: deviceCustomString1 + event_data.SubjectUserSid: deviceCustomString1 + event_data.TargetFilename: deviceCustomString1 + event_data.TargetImage: deviceCustomString1 + event_data.TargetObject: deviceCustomString1 + event_data.TicketEncryptionType: deviceCustomString1 + event_data.TicketOptions: deviceCustomString1 + event_data.User: deviceCustomString1 + event_data.WorkstationName: deviceCustomString1 + FailureCode: deviceCustomString1 + GroupName: deviceCustomString1 + GroupSid: deviceCustomString1 + hashes: 
deviceCustomString1 + Header.Accept: deviceCustomString1 + HiveName: deviceCustomString1 + host.scan.vuln_name: deviceCustomString1 + HostVersion: deviceCustomString1 + ImagePath: deviceCustomString1 + Imphash: deviceCustomString1 + IpAddress: deviceCustomString1 + IpPort: deviceCustomString1 + KeyLength: deviceCustomString1 + log_name: deviceCustomString1 + LogonType: deviceCustomString1 + NewProcessName: deviceCustomString1 + ObjectClass: deviceCustomString1 + ObjectName: deviceCustomString1 + ObjectType: deviceCustomString1 + ObjectValueName: deviceCustomString1 + ParentProcessName: deviceCustomString1 + Path: deviceCustomString1 + ProcessCommandLine: deviceCustomString1 + ProcessName: deviceCustomString1 + Properties: deviceCustomString1 + resource.URL: deviceCustomString1 + SecurityEvent: deviceCustomString1 + SecurityID: deviceCustomString1 + SelectionURL: deviceCustomString1 + ServiceFileName: deviceCustomString1 + ServiceName: deviceCustomString1 + ShareName: deviceCustomString1 + Source: deviceCustomString1 + source_name: deviceCustomString1 + SourceIP: deviceCustomString1 + Status: deviceCustomString1 + SubjectDomainName: deviceCustomString1 + SubjectUserName: deviceCustomString1 + SubjectUserSid: deviceCustomString1 + SysmonEvent: deviceCustomString1 + TargetDomainName: deviceCustomString1 + TargetUserSid: deviceCustomString1 + TicketEncryptionType: deviceCustomString1 + TicketOptions: deviceCustomString1 + winlog.channel: deviceCustomString1 + WorkstationName: deviceCustomString1 \ No newline at end of file diff --git a/tools/config/ecs-proxy.yml b/tools/config/ecs-proxy.yml index 8dd4c4919..b618fc53f 100644 --- a/tools/config/ecs-proxy.yml +++ b/tools/config/ecs-proxy.yml 
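Review bot: All 128 added keys map to the same target, `deviceCustomString1`, including fields of clearly different kinds such as `DestinationIP`, `IpAddress`, `SubjectUserSid`, `event_data.CommandLine` and `event_data.Hashes`, so any rule that combines two of these fields is converted into conditions on one and the same ArcSight field and will either never match or match on the wrong data. If this is a placeholder until the real per-field mapping is known, it should be labelled as such so the resulting detections are not treated as reliable, e.g. `# TODO: placeholder mapping, every key below still needs its real ArcSight field`. Otherwise the address, SID and hash fields at least should be given their dedicated targets before this is merged.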
@@ -1,16 +1,44 @@ -title: Elastic Common Schema mapping for proxy logs +title: Elastic Common Schema mapping for proxy and webserver logs including NSM logs (zeek/suricata) order: 20 backends: - es-qs - es-dsl + - elasticsearch-rule - kibana - xpack-watcher - elastalert - elastalert-dsl -logsources: - proxy: - category: proxy - index: filebeat-* +# logsources: + # proxy: + # category: proxy + # index: + # - "filebeat-*" + # - "*ecs-*" + #zeek-category-proxy: + # category: proxy + # rewrite: + # product: zeek + # service: http + #zeek-category-webserver: + # category: webserver + # conditions: + # event.dataset: http + # rewrite: + # product: zeek + # service: http + # zeek-http: + # product: zeek + # service: http + # conditions: + # event.dataset: http + # zeek-http2: + # product: zeek + # service: http2 + # conditions: + # event.dataset: http2 +defaultindex: + - filebeat-* +# logsourcemerging: or fieldmappings: # All Logs Applied Mapping & Taxonomy dst: @@ -48,6 +76,14 @@ fieldmappings: sc-bytes: http.response.body.bytes sc-status: http.response.status_code # Temporary one off rule name fields + destination.domain: + # destination.ip: + # destination.port: + # http.response.status_code + # http.request.body.content + # source.domain: + # source.ip: + # source.port: agent.version: http.version c-ip: - source.address @@ -65,6 +101,9 @@ fieldmappings: - destination.address - destination.ip dest_port: destination.port + #TODO:WhatShouldThisBe?==dest: + #TODO:WhatShouldThisBe?==destination: + #TODO:WhatShouldThisBe?==Destination: destination.hostname: - destination.domain - url.domain diff --git a/tools/config/ecs-zeek-corelight.yml b/tools/config/ecs-zeek-corelight.yml index 6c3dae8b0..57849671a 100644 --- a/tools/config/ecs-zeek-corelight.yml +++ b/tools/config/ecs-zeek-corelight.yml 
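Review bot: Commenting out the whole `logsources` block and adding `defaultindex: - filebeat-*` removes the `category: proxy` restriction that tied this configuration to proxy events; with nothing in the hunk narrowing it back by `event.dataset` or product, every converted rule, whatever its logsource, appears to be emitted as an unconstrained query against `filebeat-*`. The commented-out `zeek-category-proxy`/`zeek-category-webserver` entries suggest the restriction is meant to come back, so until it does a comment above `defaultindex` such as `# no logsource filtering: rules are not restricted to proxy/webserver events` would keep the output from being read as proxy-specific. The commented `# logsourcemerging: or` line should likewise either be enabled or dropped rather than left ambiguous.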
@@ -26,10 +26,14 @@ logsources: service: syslog zeek-category-firewall: category: firewall - conditions: - event.dataset: conn + rewrite: + product: zeek + service: conn zeek-category-dns: category: dns + rewrite: + product: zeek + service: dns conditions: event.dataset: dns zeek-category-proxy: @@ -39,8 +43,6 @@ logsources: service: http zeek-category-webserver: category: webserver - conditions: - event.dataset: http rewrite: product: zeek service: http 
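Review bot: `zeek-category-dns` ends up with both the new `rewrite` and its existing `conditions: event.dataset: dns`, whereas `zeek-category-firewall` here and `zeek-category-webserver` in the next hunk drop their `conditions` when the `rewrite` is added, so one of the two shapes is presumably unintended. If the rewrite target's logsource already supplies the `event.dataset` condition, the dns `conditions` block duplicates the filter; if it does not, firewall and webserver are left without one. Either remove `conditions` from dns to match the others or state in a comment why dns keeps it.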
@@ -395,151 +397,251 @@ fieldmappings: uid: log.id.uid uids: log.id.uids uuid: log.id.uuid - # Overlapping fields/mappings (aka: shared fields) + # Deep mappings / Overlapping fields/mappings (aka: shared fields) + #_action action: - #- smb.action - - '*.action' - #service=smb_files: smb.action - #service=mqtt: mqtt.action - #service=tunnel: tunnel.action + #- '*.action' + service=mqtt: mqtt.action + service=smb_files: smb.action + service=tunnel: tunnel.action + mqtt_action: smb.action + smb_action: smb.action + tunnel_action: tunnel.action + #_addl addl: - #- weird.addl - - '*.addl' - #service=dns: dns.addl - #service=weird: weird.addl + #- '*.addl' + service=dns: dns.addl + service=weird: weird.addl + dns_addl: dns.addl + weird_addl: weird.addl + #_analyzer analyzer: - #- dpd.analyzer - - '*.analyzer' - #service=dpd: dpd.analyzer - #service=files: files.analyzer + #- '*.analyzer' + service=dpd: dpd.analyzer + service=files: files.analyzer + dpd_analyzer: dpd.analyzer + files_analyzer: file.analyzer + #_arg arg: - #- ftp.arg - - '*.arg' - #service=ftp: ftp.arg - #service=ftp: pop3.arg - #service=msqyl: mysql.arg - #auth: - #service=rfb: rfb.auth #RFB does not exist in newer logs, so skipping to cover dns.auth + #- '*.arg' + service=ftp: ftp.arg + service=msqyl: mysql.arg + service=pop3: pop3.arg + ftp_arg: ftp.arg + mysql_arg: mysql.arg + pop3_arg: pop3.arg + #_auth + auth: + #- dns.auth + service=dns: dns.auth + service=rfb: rfb.auth + dns_auth: dns.auth + rfb_auth: rfb.auth + #_cipher cipher: - #- kerberos.cipher - - '*.client' - #service=kerberos: kerberos.cipher - #service=ssl: tls.cipher + #- '*.client' + service=kerberos: kerberos.cipher + service=ssl: tls.cipher + kerberos_cipher: kerberos.cipher + ssl_cipher: tls.cipher + tls_cipher: tls.cipher + #_client client: - #- ssh.client - - '*.client' - #service=kerberos: kerberos.client - #service=ssh: ssh.client + #- '*.client' + service=kerberos: kerberos.client + service=ssh: ssh.client + kerberos_client: 
kerberos.client + ssh_client: ssh.client + #_command command: - #- ftp.command - - '*.command' - #service=pop3: pop3.command - #service=ftp: ftp.command - #service=irc: irc.command + #- '*.command' + service=irc: irc.command + service=ftp: ftp.command + service=pop3: pop3.command + ftp_command: ftp.command + irc_command: irc.command + pop3_command: pop3.command + #_date date: - #- smtp.date - - '*.date' - #service=sip: sip.date - #service=smtp: smtp.date + #- '*.date' + service=sip: sip.date + service=smtp: smtp.date + sip_date: sip.date + smtp_date: smtp.date + #_duration duration: - - event.duration - #- '*.duration' - #service=conn: event.duration - #service=files: files.duration - #service=snmp: event.duration + #- event.duration + service=conn: event.duration + service=files: files.duration + service=snmp: event.duration + conn_duration: event.duration + files_duration: files.duration + snmp_duration: event.duration + #_from from: - #- smtp.from - - '*.from' - #service=kerberos: kerberos.from - #service=smtp: smtp.from + #- '*.from' + service=kerberos: kerberos.from + service=smtp: smtp.from + kerberos_from: kerberos.from + smtp_from: smtp.from + #_is_orig is_orig: - - '*.is_orig' - #service=file: file.is_orig - #service=pop3: pop3.is_orig + #- '*.is_orig' + service=file: file.is_orig + service=pop3: pop3.is_orig + files_is_orig: file.is_orig + pop3_is_orig: pop3.is_orig + #_local_orig local_orig: - - '*.local_orig' - #service=conn conn.local_orig - #service=files file.local_orig + #- '*.local_orig' + service=conn: conn.local_orig + service=files: file.local_orig + conn_local_orig: conn.local_orig + files_local_orig: file.local_orig + #_method method: - - http.request.method - #service=http: http.request.method - #service=sip: sip.method + #- http.request.method + service=http: http.request.method + service=sip: sip.method + http_method: http.request.method + sip_method: sip.method + #_msg msg: - - notice.msg - #service=notice: notice.msg - #service=pop3: 
pop3.msg + #- notice.msg + service=notice: notice.msg + service=pop3: pop3.msg + notice_msg: notice.msg + pop3_msg: pop3.msg + #_name name: - - file.name - #- '*.name' - #service=smb_files: file.name - #service=software: software.name - #service=weird: weird.name + #- file.name + service=smb_files: file.name + service=software: software.name + service=weird: weird.name + smb_files_name: file.name + software_name: software.name + weird_name: weird.name + #_path path: - - file.path - #- '*.path' - #service=smb_files: file.path - #service=smb_mapping: file.path - #service=smtp: smtp.path + #- file.path + service=smb_files: file.path + service=smb_mapping: file.path + service=smtp: smtp.path + smb_files_path: file.path + smb_mapping_path: file.path + smtp_path: smtp.path + #_reply_msg reply_msg: - #- ftp.reply_msg - - '*.reply_msg' - #service=ftp: ftp.reply_msg - #service=radius: radius.reply_msg + #- '*.reply_msg' + service=ftp: ftp.reply_msg + service=radius: radius.reply_msg + ftp_reply_msg: ftp.reply_msg + radius_reply_msg: radius.reply_msg + #_reply_to reply_to: - #- smtp.reply_to - - '*.reply_to' - #service=sip: sip.reply_to - #service=smtp: smtp.reply_to + #- '*.reply_to' + service=sip: sip.reply_to + service=smtp: smtp.reply_to + sip_reply_to: sip.reply_to + smtp_reply_to: smtp.reply_to + #_response_body_len response_body_len: - - http.response.body.bytes - #service=http: http.response.body.bytes - #service=sip: sip.response_body_len + #- http.response.body.bytes + service=http: http.response.body.bytes + service=sip: sip.response_body_len + http_response_body_len: http.response.body.bytes + sip_response_body_len: sip.response_body_len + #_request_body_len request_body_len: - - http.request.body.bytes - #service=http: http.response.body.bytes - #service=sip: sip.request_body_len + #- http.request.body.bytes + service=http: http.response.body.bytes + service=sip: sip.request_body_len + http_request_body_len: http.response.body.bytes + sip_request_body_len: 
sip.response_body_len + #_rtt + #rtt: + #- event.duration + #- 'zeek.*.rtt' + #service=dns: event.duration + #service=dce_rpc: event.duration + dns_rtt: event.duration + dce_rpc_rtt: event.duration + #_service service: - #- kerberos.service - - '*.service' - #service=kerberos: kerberos.service - #service=smb_mapping: smb.service + #- '*.service' + service=kerberos: kerberos.service + service=smb_mapping: smb.service + kerberos_service: kerberos.service + smb_mapping_kerberos: smb.service + #_status status: - #- socks.status - - '*.status' - #service=pop3: pop3.status - #service=mqtt: mqtt.status - #service=socks: socks.status + #- '*.status' + service=mqtt: mqtt.status + service=pop3: pop3.status + service=socks: socks.status + mqtt_status: mqtt.status + pop3_status: pop3.status + socks_status: socks.status + #_status_code status_code: - - 'http.response.status_code' - #service=http: http.response.status_code - #service=sip: sip.status_code + #- 'http.response.status_code' + service=http: http.response.status_code + service=sip: sip.status_code + http_status_code: http.response.status_code + sip_status_code: sip.status_code + #_status_msg status_msg: - - http.status_msg #- '*.status_msg' - #service=http: http.status_msg - #service=sip: sip.status_msg + service=http: http.status_msg + service=sip: sip.status_msg + http_status_msg: http.status_msg + sip_status_msg: sip.status_msg + #_subject subject: - #- smtp.subject - - '*.subject' - #service=known_certs: known_certs.subject - #service=sip: sip.subject - #service=smtp: smtp.subject - #service=ssl: tls.subject + #- '*.subject' + service=known_certs: known_certs.subject + service=sip: sip.subject + service=smtp: smtp.subject + service=ssl: tls.subject + known_certs_subject: known_certs.subject + sip_subject: sip.subject + smtp_subject: smtp.subject + ssl_subject: tls.subject + #_service + + #_trans_depth trans_depth: - #- http.trans_depth - - '*.trans_depth' - #service=http: http.trans_depth - #service=sip: 
sip.trans_depth - #service=smtp: smtp.trans_depth + #- '*.trans_depth' + service=http: http.trans_depth + service=sip: sip.trans_depth + service=smtp: smtp.trans_depth + http_trans_depth: http.trans_depth + sip_trans_depth: sip.trans_depth + smtp_trans_depth: smtp.trans_depth + #_user_agent + #user_agent: #already normalized + http_user_agent: user_agent.original + gquic_user_agent: user_agent.original + sip_user_agent: user_agent.original + smtp_user_agent: user_agent.original + #_version version: - #- tls.version - - '*.version' - #service=gquic: gquic.version - #service=ntp: ntp.version - #service=socks: socks.version - #service=snmp: snmp.version - #service=ssh: ssh.version - #service=tls: tls.version + #- '*.version' + service=gquic: gquic.version + service=http: http.version + service=ntp: ntp.version + service=socks: socks.version + service=snmp: snmp.version + service=ssh: ssh.version + service=tls: tls.version + gquic_version: gquic.version + http_version: http.version + ntp_version: ntp.version + socks_version: socks.version + snmp_version: snmp.version + ssh_version: ssh.version + ssl_version: tls.version + tls_version: tls.version # Conn and Conn Long cache_add_rx_ev: conn.cache_add_rx_ev cache_add_rx_mpg: conn.cache_add_rx_mpg @@ -594,7 +696,7 @@ fieldmappings: # DNS AA: dns.AA #addl: dns.addl - auth: dns.auth + #auth: dns.auth answers: dns.answers.name TTLs: dns.answers.ttl RA: dns.RA @@ -689,6 +791,7 @@ fieldmappings: uri_vars: http.uri_vars #user_agent: user_agent.original #username: source.user.name + #version: http.version # Intel file_mime_type: file.mime_type file_desc: intel.file_desc @@ -1062,6 +1165,11 @@ fieldmappings: san.email: x509.san.email san.ip: x509.san.ip san.uri: x509.san.url + # Few other variations of names from zeek source itself + id_orig_h: source.ip + id_orig_p: source.port + id_resp_h: destination.ip + id_resp_p: destination.port # Temporary one off rule name fields cs-uri: url.original # destination.domain: 
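Review bot: `request_body_len` is mapped to the response size: `service=http: http.response.body.bytes` and `http_request_body_len: http.response.body.bytes` should read `http.request.body.bytes`, and `sip_request_body_len: sip.response_body_len` should read `sip.request_body_len`; as written, a rule on request body length queries the response field. Several neighbouring entries look like copy errors of the same kind: `mqtt_action: smb.action` (expected `mqtt.action`), `service=msqyl:` under `arg` (expected `mysql`, and unreachable as spelled), `smb_mapping_kerberos: smb.service` (key presumably `smb_mapping_service`), and `service=file:` under `is_orig` next to `service=files:` used elsewhere. `files_analyzer: file.analyzer` also differs from the `service=files: files.analyzer` line above it, so one of `file.`/`files.` is likely wrong. The `version` entry keys on `service=tls` while the `cipher` and `subject` entries key on `service=ssl`; unless both service names are defined as logsources, one of them can never be selected.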
@@ -1087,7 +1195,7 @@ fieldmappings: destination.hostname: - destination.domain - url.domain - DestinationAddress: + DestinationAddress: destination.ip DestinationHostname: - destination.domain - url.domain @@ -1109,7 +1217,7 @@ fieldmappings: - url.domain http_uri: url.original http_url: url.original - http_user_agent: user_agent.original + #http_user_agent: user_agent.original http.request.url-query-params: url.original HttpMethod: http.request.method in_url: url.original diff --git a/tools/config/humio.yml b/tools/config/humio.yml index a25df0158..dce843f86 100644 --- a/tools/config/humio.yml +++ b/tools/config/humio.yml 
@@ -2,8 +2,368 @@ title: Humio log source conditions order: 20 backends: - humio - +logsources: + zeek: + product: zeek + zeek-category-accounting: + category: accounting + rewrite: + product: zeek + service: syslog + zeek-category-firewall: + category: firewall + rewrite: + product: zeek + service: conn + zeek-category-dns: + category: dns + rewrite: + product: zeek + service: dns + zeek-category-proxy: + category: proxy + rewrite: + product: zeek + service: http + zeek-category-webserver: + category: webserver + rewrite: + product: zeek + service: http + zeek-conn: + product: zeek + service: conn + conditions: + '@stream': conn + zeek-conn_long: + product: zeek + service: conn_long + conditions: + '@stream': conn_long + zeek-dce_rpc: + product: zeek + service: dce_rpc + conditions: + '@stream': dce_rpc + zeek-dns: + product: zeek + service: dns + conditions: + '@stream': dns + zeek-dnp3: + product: zeek + service: dnp3 + conditions: + '@stream': dnp3 + zeek-dpd: + product: zeek + service: dpd + conditions: + '@stream': dpd + zeek-files: + product: zeek + service: files + conditions: + '@stream': files + zeek-ftp: + product: zeek + service: ftp + conditions: + '@stream': ftp + zeek-gquic: + product: zeek + service: gquic + conditions: + '@stream': gquic + zeek-http: + product: zeek + service: http + conditions: + '@stream': http + zeek-http2: + product: zeek + service: http2 + conditions: + '@stream': http2 + zeek-intel: + product: zeek + service: intel + conditions: + '@stream': intel + zeek-irc: + product: zeek + service: irc + conditions: + '@stream': irc + zeek-kerberos: + product: zeek + service: kerberos + conditions: + '@stream': kerberos + zeek-known_certs: + product: zeek + service: known_certs + conditions: + '@stream': known_certs + zeek-known_hosts: + product: zeek + service: known_hosts + conditions: + '@stream': known_hosts + zeek-known_modbus: + product: zeek + service: known_modbus + conditions: + '@stream': known_modbus + zeek-known_services: + 
product: zeek + service: known_services + conditions: + '@stream': known_services + zeek-modbus: + product: zeek + service: modbus + conditions: + '@stream': modbus + zeek-modbus_register_change: + product: zeek + service: modbus_register_change + conditions: + '@stream': modbus_register_change + zeek-mqtt_connect: + product: zeek + service: mqtt_connect + conditions: + '@stream': mqtt_connect + zeek-mqtt_publish: + product: zeek + service: mqtt_publish + conditions: + '@stream': mqtt_publish + zeek-mqtt_subscribe: + product: zeek + service: mqtt_subscribe + conditions: + '@stream': mqtt_subscribe + zeek-mysql: + product: zeek + service: mysql + conditions: + '@stream': mysql + zeek-notice: + product: zeek + service: notice + conditions: + '@stream': notice + zeek-ntlm: + product: zeek + service: ntlm + conditions: + '@stream': ntlm + zeek-ntp: + product: zeek + service: ntp + conditions: + '@stream': ntp + zeek-ocsp: + product: zeek + service: ntp + conditions: + '@stream': ocsp + zeek-pe: + product: zeek + service: pe + conditions: + '@stream': pe + zeek-pop3: + product: zeek + service: pop3 + conditions: + '@stream': pop3 + zeek-radius: + product: zeek + service: radius + conditions: + '@stream': radius + zeek-rdp: + product: zeek + service: rdp + conditions: + '@stream': rdp + zeek-rfb: + product: zeek + service: rfb + conditions: + '@stream': rfb + zeek-sip: + product: zeek + service: sip + conditions: + '@stream': sip + zeek-smb_files: + product: zeek + service: smb_files + conditions: + '@stream': smb_files + zeek-smb_mapping: + product: zeek + service: smb_mapping + conditions: + '@stream': smb_mapping + zeek-smtp: + product: zeek + service: smtp + conditions: + '@stream': smtp + zeek-smtp_links: + product: zeek + service: smtp_links + conditions: + '@stream': smtp_links + zeek-snmp: + product: zeek + service: snmp + conditions: + '@stream': snmp + zeek-socks: + product: zeek + service: socks + conditions: + '@stream': socks + zeek-software: + product: zeek 
+ service: software + conditions: + '@stream': software + zeek-ssh: + product: zeek + service: ssh + conditions: + '@stream': ssh + zeek-ssl: + product: zeek + service: ssl + conditions: + '@stream': ssl + zeek-tls: # In case people call it TLS even though orig log is called ssl + product: zeek + service: tls + conditions: + '@stream': ssl + zeek-syslog: + product: zeek + service: syslog + conditions: + '@stream': syslog + zeek-tunnel: + product: zeek + service: tunnel + conditions: + '@stream': tunnel + zeek-traceroute: + product: zeek + service: traceroute + conditions: + '@stream': traceroute + zeek-weird: + product: zeek + service: weird + conditions: + '@stream': weird + zeek-x509: + product: zeek + service: x509 + conditions: + '@stream': x509 + zeek-ip_search: + product: zeek + service: network + conditions: + '@stream': + - conn + - conn_long + - dce_rpc + - dhcp + - dnp3 + - dns + - ftp + - gquic + - http + - irc + - kerberos + - modbus + - mqtt_connect + - mqtt_publish + - mqtt_subscribe + - mysql + - ntlm + - ntp + - radius + - rfb + - sip + - smb_files + - smb_mapping + - smtp + - smtp_links + - snmp + - socks + - ssh + - tls #SSL + - tunnel + - weird fieldmappings: + # Deep mappings Taxonomy for overall/general fields + dst_ip: + product=windows: winlog.event_data.DestinationIp + product=zeek: id.resp_h + src_ip: + product=windows: winlog.event_data.SourceIp + product=zeek: id.orig_h + dst_port: + product=windows: winlog.event_data.DestinationPort + product=zeek: id.resp_p + src_port: + product=windows: winlog.event_data.SourcePort + product=zeek: id.orig_p + network_protocol: + product=zeek: proto + # Deep mappings Taxonomy for DNS Category and DNS service + answer: + product=zeek: answers + #question_length: # product=zeek: # Does not exist in open source version + record_type: + product=zeek: qtype_name + #parent_domain: #product=zeek: # Does not exist in open source version + # Deep mappings Taxonomy for HTTP, Webserver category, and Proxy category 
+ cs-bytes: + product=zeek: request_body_len + cs-cookie: + product=zeek: cookie + r-dns: + product=zeek: host + sc-bytes: + product=zeek: response_body_len + sc-status: + product=zeek: status_code + c-uri: + product=zeek: uri + c-uri-extension: + product=zeek: uri + c-uri-query: + product=zeek: uri + c-uri-stem: + product=zeek: uri + c-useragent: + product=zeek: user_agent + cs-host: + product=zeek: host + cs-method: + product=zeek: method + cs-referrer: + product=zeek: referrer + cs-version: + product=zeek: version + # Windows / WEF / Winlogbeat EventID: winlog.event_id Event_ID: winlog.event_id eventId: winlog.event_id @@ -25,10 +385,8 @@ fieldmappings: Description: winlog.event_data.Description DestinationHostname: winlog.event_data.DestinationHostname DestinationIp: winlog.event_data.DestinationIp - dst_ip: winlog.event_data.DestinationIp DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 DestinationPort: winlog.event_data.DestinationPort - dst_port: winlog.event_data.DestinationPort Details: winlog.event_data.Details EngineVersion: winlog.event_data.EngineVersion EventType: winlog.event_data.EventType @@ -69,7 +427,6 @@ fieldmappings: Source: winlog.event_data.Source SourceImage: winlog.event_data.SourceImage SourceIp: winlog.event_data.SourceIp - src_ip: winlog.event_data.SourceIp StartModule: winlog.event_data.StartModule Status: winlog.event_data.Status SubjectUserName: winlog.event_data.SubjectUserName 
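Review bot: `zeek-ocsp` is declared with `service: ntp` while its condition is `'@stream': ocsp`, so rules with `service: ocsp` never select it and `service: ntp` rules can match OCSP events; the line should be `service: ocsp`. In `zeek-ip_search` the stream list contains `- tls #SSL`, but both `zeek-ssl` and `zeek-tls` in this hunk condition on `'@stream': ssl` (the comment on `zeek-tls` says the original log is called ssl), so the ip-search logsource will not cover SSL/TLS events unless a stream actually named `tls` exists; `- ssl` would agree with the other entries. The same list includes `dhcp`, for which no per-service logsource is defined in this hunk; if that is intended, a short comment would save the next reader the search.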
@@ -95,3 +452,174 @@ fieldmappings: PHYType: winlog.event_data.PHYType ProfileName: winlog.event_data.ProfileName SSID: winlog.event_data.SSID + # Zeek Deep Mappings + # Temporary one off rule name fields + agent.version: + product=zeek: version + c-cookie: + product=zeek: cookie + c-ip: + product=zeek: id.orig_h + cs-uri: + product=zeek: uri + clientip: + product=zeek: id.orig_h + clientIP: + product=zeek: id.orig_h + dest_domain: + product=zeek: host + #- query + #- server_name + dest_ip: + product=zeek: id.resp_h + dest_port: + product=zeek: id.resp_p + #TODO:WhatShouldThisBe?==dest: + #TODO:WhatShouldThisBe?==destination: + #TODO:WhatShouldThisBe?==Destination: + destination.hostname: + product=zeek: host + #- query + #- server_name + DestinationAddress: + product=zeek: id.resp_h + dst-ip: + product=zeek: id.resp_h + dstip: + product=zeek: id.resp_h + dstport: + product=zeek: id.resp_p + Host: + product=zeek: host + #- query + #- server_name + http_host: + product=zeek: host + #- query + #- server_name + http_uri: + product=zeek: uri + http_url: + product=zeek: uri + http_user_agent: + product=zeek: user_agent + http.request.url-query-params: + product=zeek: uri + HttpMethod: + product=zeek: method + in_url: + product=zeek: uri + post_url_parameter: + product=zeek: uri + Request Url: + product=zeek: uri + request_url: + product=zeek: uri + request_URL: + product=zeek: uri + RequestUrl: + product=zeek: uri + response: + product=zeek: status_code + resource.url: + product=zeek: uri + resource.URL: + product=zeek: uri + sc_status: + product=zeek: status_code + service.response_code: + product=zeek: status_code + source: + product=zeek: id.orig_h + SourceAddr: + product=zeek: id.orig_h + SourceAddress: + product=zeek: id.orig_h + SourceIP: + product=zeek: id.orig_h + SourceNetworkAddress: + product=zeek: id.orig_h + SourcePort: + product=zeek: id.orig_p + srcip: + product=zeek: id.orig_h + status: + product=zeek: status_code + url: + product=zeek: uri + URL: + 
product=zeek: uri + url_query: + product=zeek: uri + url.query: + product=zeek: uri + uri_path: + product=zeek: uri + user_agent: + product=zeek: user_agent + user_agent.name: + product=zeek: user_agent + user-agent: + product=zeek: user_agent + User-Agent: + product=zeek: user_agent + useragent: + product=zeek: user_agent + UserAgent: + product=zeek: user_agent + User Agent: + product=zeek: user_agent + web_dest: + product=zeek: host + #- query + #- server_name + web.dest: + product=zeek: host + #- query + #- server_name + Web.dest: + product=zeek: host + #- query + #- server_name + web.host: + product=zeek: host + #- query + #- server_name + Web.host: + product=zeek: host + #- query + #- server_name + web_method: + product=zeek: method + Web_method: + product=zeek: method + web.method: + product=zeek: method + Web.method: + product=zeek: method + web_src: + product=zeek: id.orig_h + web_status: + product=zeek: status_code + Web_status: + product=zeek: status_code + web.status: + product=zeek: status_code + Web.status: + product=zeek: status_code + web_uri: + product=zeek: uri + web_url: + product=zeek: uri + # Already + destination.ip: + product=zeek: id.resp_h + destination.port: + product=zeek: id.resp_p + http.request.body.content: + product=zeek: post_body + #source.domain: + source.ip: + product=zeek: id.orig_h + source.port: + product=zeek: id.orig_p diff --git a/tools/config/logstash-zeek-default-json.yml b/tools/config/logstash-zeek-default-json.yml index 8c24f4837..df219c60a 100644 --- a/tools/config/logstash-zeek-default-json.yml +++ b/tools/config/logstash-zeek-default-json.yml @@ -19,12 +19,14 @@ logsources: service: syslog zeek-category-firewall: category: firewall - conditions: - '@stream': conn + rewrite: + product: zeek + service: conn zeek-category-dns: category: dns - conditions: - '@stream': dns + rewrite: + product: zeek + service: dns zeek-category-proxy: category: proxy rewrite: 
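Review bot: The hostname-style names added in this hunk (`dest_domain`, `destination.hostname`, `Host`, `http_host`, `web_dest`, `web.host` and friends) resolve only to `host`, with `#- query` and `#- server_name` left as dead commented lines, while the logstash config later in this same commit maps the identical names to all three of `host`, `query` and `server_name`; a rule written against DNS or SSL data will therefore never match on Humio but will on Logstash, and nothing tells the rule author why. If the `product=zeek:` conditional form cannot take a list, say so once where the reader will look for it, e.g. `# NOTE: conditional mappings resolve to a single field here; dest_domain-style names cover http.log host only (no dns query / ssl server_name)`, and drop the repeated commented-out items. `http.request.body.content: post_body` also points at a field that is not part of the stock Zeek http.log as far as I know; if it comes from an add-on script, a `# requires the post-body logging script` note would prevent someone assuming the mapping is live by default.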
@@ -32,8 +34,6 @@ logsources: service: http zeek-category-webserver: category: webserver - conditions: - '@stream': http rewrite: product: zeek service: http @@ -321,7 +321,6 @@ logsources: defaultindex: 'logstash-*' fieldmappings: # All Logs Applied Mapping & Taxonomy - clientip: id.resp_h dst_ip: id.resp_h dst_port: id.resp_p network_protocol: proto 
@@ -346,4 +345,129 @@ fieldmappings: cs-host: host cs-method: method cs-referrer: referrer - cs-version: version \ No newline at end of file + cs-version: version + # Few other variations of names from zeek source itself + id_orig_h: id.orig_h + id_orig_p: id.orig_p + id_resp_h: id.resp_h + id_resp_p: id.resp_p + # Temporary one off rule name fields + agent.version: version + c-cookie: cookie + c-ip: id.orig_h + cs-uri: uri + clientip: id.orig_h + clientIP: id.orig_h + dest_domain: + - query + - host + - server_name + dest_ip: id.resp_h + dest_port: id.resp_p + #TODO:WhatShouldThisBe?==dest: + #TODO:WhatShouldThisBe?==destination: + #TODO:WhatShouldThisBe?==Destination: + destination.hostname: + - query + - host + - server_name + DestinationAddress: id.resp_h + DestinationHostname: + - host + - query + - server_name + DestinationIp: id.resp_h + DestinationIP: id.resp_h + DestinationPort: id.resp_p + dst-ip: id.resp_h + dstip: id.resp_h + dstport: id.resp_p + Host: + - host + - query + - server_name + HostVersion: http.version + http_host: + - host + - query + - server_name + http_uri: uri + http_url: uri + http_user_agent: user_agent + http.request.url-query-params: uri + HttpMethod: method + in_url: uri + # parent_domain: # Not in open source zeek + post_url_parameter: uri + Request Url: uri + request_url: uri + request_URL: uri + RequestUrl: uri + #response: status_code + resource.url: uri + resource.URL: uri + sc_status: status_code + sender_domain: + - query + - server_name + service.response_code: status_code + source: id.orig_h + SourceAddr: id.orig_h + SourceAddress: id.orig_h + SourceIP: id.orig_h + SourceIp: id.orig_h + SourceNetworkAddress: id.orig_h + SourcePort: id.orig_p + srcip: id.orig_h + Status: status_code + status: status_code + url: uri + URL: uri + url_query: uri + url.query: uri + uri_path: uri + user_agent: user_agent + user_agent.name: user_agent + user-agent: user_agent + User-Agent: user_agent + useragent: user_agent + UserAgent: 
user_agent + User Agent: user_agent + web_dest: + - host + - query + - server_name + web.dest: + - host + - query + - server_name + Web.dest: + - host + - query + - server_name + web.host: + - host + - query + - server_name + Web.host: + - host + - query + - server_name + web_method: method + Web_method: method + web.method: method + Web.method: method + web_src: id.orig_h + web_status: status_code + Web_status: status_code + web.status: status_code + Web.status: status_code + web_uri: uri + web_url: uri + # Most are in ECS, but for things not using Elastic - these need renamed + destination.ip: id.resp_h + destination.port: id.resp_p + http.request.body.content: post_body + #source.domain: + source.ip: id.orig_h + source.port: id.orig_p \ No newline at end of file diff --git a/tools/config/qradar.yml b/tools/config/qradar.yml index 1768f96bb..428a73cf7 100644 --- a/tools/config/qradar.yml +++ b/tools/config/qradar.yml 
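Review bot: `HostVersion: http.version` near the top of this hunk looks like a typo: every other version mapping in the file, including the context line `cs-version: version` and the new `agent.version: version`, targets the bare `version` field that Zeek's default JSON http.log emits, and nothing in this config renames it to `http.version`; a rule using HostVersion would query a field that presumably does not exist and silently never fire. Suggested change: `HostVersion: version`, or a comment naming the pipeline step that creates `http.version` if it is intentional. Same remark as for the other backends on `http.request.body.content: post_body`: that field only exists when an extra Zeek script logs request bodies, so a one-line `# requires post-body logging script` comment would be worth adding.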
@@ -1,52 +1,98 @@ title: QRadar backends: - - qradar + - qradar order: 20 logsources: - apache: - product: apache - conditions: - LOGSOURCETYPENAME(devicetype): ilike '%apache%' - - windows: - product: windows - conditions: - LOGSOURCETYPENAME(devicetype): 'Microsoft Windows Security Event Log' - - qflow: - product: qflow - index: flows - - netflow: - product: netflow - index: flows - - ipfix: - product: ipfix - index: flows - - flow: - category: flow - index: flows - + apache: + product: apache + index: apache + conditions: + LOGSOURCETYPENAME(devicetype): '*apache*' + windows: + product: windows + index: windows + conditions: + LOGSOURCETYPENAME(devicetype): '*Microsoft Windows Security Event Log*' + qflow: + product: qflow + index: flows + netflow: + product: netflow + index: flows + ipfix: + product: ipfix + index: flows + flow: + category: flow + index: flows fieldmappings: - EventID: - - Event ID Code - dst: - - destinationIP - dst_ip: - - destinationIP - src: - - sourceIP - src_ip: - - sourceIP - c-ip: sourceIP - cs-ip: sourceIP - c-uri: url - c-uri-extension: file_extension - c-useragent: user_agent - c-uri-query: uri_query - cs-method: Method - r-dns: FQDN - ClientIP: sourceIP - ServiceFileName: Service Name + event_id: EventID + EventID: EventID + dst: destinationip + dst_ip: destinationip + src: sourceip + src_ip: sourceip + c-ip: sourceip + cs-ip: sourceip + c-uri: URL + c-uri-extension: URL + c-useragent: user_agent + c-uri-query: uri_query + cs-method: Method + r-dns: FQDN + ClientIP: sourceip + ServiceFileName: ServiceFileName + event_data.CommandLine: Process CommandLine + CommandLine: Process CommandLine + file_hash: File Hash + hash: File Hash + #Message: search_payload + Event-ID: EventID + Event_ID: EventID + eventId: EventID + event-id: EventID + eventid: EventID + hashes: File Hash + url.query: URL + resource.URL: URL + event_data.CallingProcessName: CallingProcessName + event_data.ComputerName: Hostname/HOSTNAME + ComputerName: 
Hostname/HOSTNAME + event_data.DestinationHostname: Hostname/HOSTNAME + DestinationHostname: Hostname/HOSTNAME + event_data.DestinationIp: destinationip + event_data.DestinationPort: destinationip + event_data.Details: Target Details + Details: Target Details + event_data.FileName: Filename + event_data.Hashes: File Hash + Hashes: File Hash + event_data.Image: Image + event_data.ImageLoaded: LoadedImage + event_data.ImagePath: SourceImage + ImagePath: Image + event_data.Imphash: IMP Hash + Imphash: IMP Hash + event_data.ParentCommandLine: ParentCommandLine + event_data.ParentImage: ParentImage + event_data.ParentProcessName: ParentImageName + event_data.Path: File Path + Path: File Path + event_data.PipeName: PipeName + event_data.ProcessCommandLine: Process CommandLine + ProcessCommandLine: Process CommandLine + event_data.ServiceFileName: ServiceFileName + event_data.ShareName: ShareName + event_data.Signature: Signature + event_data.SourceImage: SourceImage + event_data.StartModule: StartModule + event_data.SubjectUserName: username + event_data.SubjectUserSid: SubjectUserSid + event_data.TargetFilename: Filename + TargetFilename: Filename + event_data.TargetImage: TargetImage + TargetImage: TargetImage + event_data.TicketOptions: TicketOptions + event_data.User: username + User: username + user: username \ No newline at end of file diff --git a/tools/config/splunk-zeek.yml b/tools/config/splunk-zeek.yml index b48626715..fbb6e6790 100644 --- a/tools/config/splunk-zeek.yml +++ b/tools/config/splunk-zeek.yml @@ -12,12 +12,14 @@ logsources: service: syslog zeek-category-firewall: category: firewall - conditions: - sourcetype: 'bro:conn:json' + rewrite: + product: zeek + service: conn zeek-category-dns: category: dns - conditions: - sourcetype: 'bro:dns:json' + rewrite: + product: zeek + service: dns zeek-category-proxy: category: proxy rewrite: 
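Review bot: `event_data.DestinationPort: destinationip` maps a port number onto the IP-address field, so any rule filtering on DestinationPort will be compared against an IP column and can never match, which is a silent detection gap rather than an error; the intended target is presumably `destinationport`, matching the lowercase `sourceip`/`destinationip` convention used elsewhere in this hunk. Two other mappings widen the match surface in a way worth a comment: `c-uri-extension: URL` and `url.query: URL` both collapse a narrow field into the whole URL, so a `contains` on an extension or query fragment will now match anywhere in the path. The `ilike '%apache%'` conditions were replaced by `'*apache*'` glob-style values; whether the QRadar backend turns those into an ILIKE or emits them literally is not visible here, so a quick check of the generated AQL for the apache and windows logsources would confirm they still match.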
@@ -25,16 +27,15 @@ logsources: service: http zeek-category-webserver: category: webserver - conditions: - sourcetype: 'bro:http:json' rewrite: product: zeek service: http zeek-conn: product: zeek service: conn - conditions: - sourcetype: 'bro:conn:json' + rewrite: + product: zeek + service: conn zeek-conn_long: product: zeek service: conn_long @@ -338,6 +339,11 @@ fieldmappings: cs-method: method cs-referrer: referrer cs-version: version + # Few other variations of names from zeek source itself + id_orig_h: id.orig_h + id_orig_p: id.orig_p + id_resp_h: id.resp_h + id_resp_p: id.resp_p # Temporary one off rule name fields agent.version: version c-cookie: cookie @@ -358,7 +364,7 @@ fieldmappings: - query - host - server_name - DestinationAddress: + DestinationAddress: id.resp_h DestinationHostname: - host - query diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index 9f54bbe44..01a63a59e 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml @@ -93,7 +93,6 @@ fieldmappings: KeyLength: winlog.event_data.KeyLength LogonProcessName: winlog.event_data.LogonProcessName LogonType: winlog.event_data.LogonType - Message: winlog.event_data.Message NewProcessName: winlog.event_data.NewProcessName ObjectClass: winlog.event_data.ObjectClass ObjectName: winlog.event_data.ObjectName diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml index d9d17a6b0..3cfe76bbe 100644 --- a/tools/config/winlogbeat-old.yml +++ b/tools/config/winlogbeat-old.yml 
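Review bot: The `zeek-conn` logsource now carries `rewrite: product: zeek / service: conn`, which is its own product/service, after its `sourcetype: 'bro:conn:json'` condition was removed; depending on how the rewrite is resolved this is either a no-op that leaves conn rules with no sourcetype restriction (they would then search the whole index) or a rewrite that loops back onto itself. Since the preceding hunk routes `zeek-category-firewall` to this same entry, firewall-category rules inherit the problem. I would restore the condition in place of the rewrite: `conditions:` followed by `sourcetype: 'bro:conn:json'`, as the sibling `zeek-conn_long` entry (whose body continues past the end of this hunk) presumably still does.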
@@ -55,9 +55,9 @@ fieldmappings: AuthenticationPackageName: event_data.AuthenticationPackageName CallingProcessName: event_data.CallingProcessName CallTrace: event_data.CallTrace + Channel: winlog.channel CommandLine: event_data.CommandLine - ComputerName: computer_name - ContextInfo: event_data.ContextInfo + ComputerName: event_data.ComputerName CurrentDirectory: event_data.CurrentDirectory Description: event_data.Description DestinationHostname: event_data.DestinationHostname @@ -83,7 +83,6 @@ fieldmappings: KeyLength: event_data.KeyLength LogonProcessName: event_data.LogonProcessName LogonType: event_data.LogonType - Message: event_data.Message NewProcessName: event_data.NewProcessName ObjectClass: event_data.ObjectClass ObjectName: event_data.ObjectName diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml index a5707d2a6..ff5a0d6d4 100644 --- a/tools/config/winlogbeat.yml +++ b/tools/config/winlogbeat.yml @@ -55,15 +55,17 @@ fieldmappings: AuthenticationPackageName: winlog.event_data.AuthenticationPackageName CallingProcessName: winlog.event_data.CallingProcessName CallTrace: winlog.event_data.CallTrace + Channel: winlog.channel CommandLine: winlog.event_data.CommandLine - ComputerName: winlog.computer_name - ContextInfo: winlog.event_data.ContextInfo + ComputerName: winlog.ComputerName CurrentDirectory: winlog.event_data.CurrentDirectory Description: winlog.event_data.Description DestinationHostname: winlog.event_data.DestinationHostname DestinationIp: winlog.event_data.DestinationIp + dst_ip: winlog.event_data.DestinationIp DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 DestinationPort: winlog.event_data.DestinationPort + dst_port: winlog.event_data.DestinationPort Details: winlog.event_data.Details EngineVersion: winlog.event_data.EngineVersion EventType: winlog.event_data.EventType 
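Review bot: `Channel: winlog.channel` is added to winlogbeat-old.yml, but every other mapping in this hunk uses the pre-7 flat schema (`event_data.*`, no `winlog.` prefix), so this target will not exist in the old-format events and rules keyed on Channel would silently never match; if memory serves the old field is `log_name`, which should be confirmed against an actual old-format event before mapping. The same hunk also changes `ComputerName` from the top-level `computer_name` (present on every event) to `event_data.ComputerName`, which only some providers populate, and drops the `ContextInfo` mapping entirely, leaving PowerShell-style rules to emit the bare field name. Each of those is a behaviour change that deserves at least a one-line comment explaining why, e.g. `# ComputerName: event_data variant used because <reason>`.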
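Review bot: In winlogbeat.yml the change from `winlog.computer_name` to `ComputerName: winlog.ComputerName` looks wrong: the line directly above it (`Channel: winlog.channel`) and the rest of the file use lowercase winlog-level names, and `winlog.computer_name` is, as far as I recall, the documented Winlogbeat 7 field, so a mixed-case `winlog.ComputerName` would presumably not exist and rules on ComputerName would stop matching. Suggested line: `ComputerName: winlog.computer_name`. The removal of the `ContextInfo` mapping in the same hunk is unexplained and affects PowerShell 4103-style rules; if it was removed because the field is indexed under another name, a comment saying which would help the next person.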
@@ -83,7 +85,6 @@ fieldmappings: KeyLength: winlog.event_data.KeyLength LogonProcessName: winlog.event_data.LogonProcessName LogonType: winlog.event_data.LogonType - Message: winlog.event_data.Message NewProcessName: winlog.event_data.NewProcessName ObjectClass: winlog.event_data.ObjectClass ObjectName: winlog.event_data.ObjectName @@ -104,6 +105,8 @@ fieldmappings: Signature: winlog.event_data.Signature Source: winlog.event_data.Source SourceImage: winlog.event_data.SourceImage + SourceIp: winlog.event_data.SourceIp + src_ip: winlog.event_data.SourceIp StartModule: winlog.event_data.StartModule Status: winlog.event_data.Status SubjectUserName: winlog.event_data.SubjectUserName @@ -115,3 +118,16 @@ fieldmappings: TicketOptions: winlog.event_data.TicketOptions User: winlog.event_data.User WorkstationName: winlog.event_data.WorkstationName + # Channel: WLAN-Autoconfig AND EventID: 8001 + AuthenticationAlgorithm: winlog.event_data.AuthenticationAlgorithm + BSSID: winlog.event_data.BSSID + BSSType: winlog.event_data.BSSType + CipherAlgorithm: winlog.event_data.CipherAlgorithm + ConnectionId: winlog.event_data.ConnectionId + ConnectionMode: winlog.event_data.ConnectionMode + InterfaceDescription: winlog.event_data.InterfaceDescription + InterfaceGuid: winlog.event_data.InterfaceGuid + OnexEnabled: winlog.event_data.OnexEnabled + PHYType: winlog.event_data.PHYType + ProfileName: winlog.event_data.ProfileName + SSID: winlog.event_data.SSID