diff --git a/tests/logsource.json b/tests/logsource.json
index 3adf716ab..9d3897280 100644
--- a/tests/logsource.json
+++ b/tests/logsource.json
@@ -86,7 +86,8 @@
 "dns-server":[],
 "printservice-admin":[],
 "msexchange-management":[],
- "applocker":[]
+ "applocker":[],
+ "vhdmp":[]
 }
 },
 "linux":{
diff --git a/tools/config/elk-windows.yml b/tools/config/elk-windows.yml
index 458f64607..fbc7f26be 100644
--- a/tools/config/elk-windows.yml
+++ b/tools/config/elk-windows.yml
@@ -114,4 +114,9 @@ logsources:
 service: bitlocker
 conditions:
 EventLog: 'Microsoft-Windows-BitLocker/BitLocker Management'
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ EventLog: 'Microsoft-Windows-VHDMP-Operational'
 defaultindex: logstash-*
diff --git a/tools/config/elk-winlogbeat-sp.yml b/tools/config/elk-winlogbeat-sp.yml
index 90f764db2..90684e8a8 100644
--- a/tools/config/elk-winlogbeat-sp.yml
+++ b/tools/config/elk-winlogbeat-sp.yml
@@ -114,6 +114,11 @@ logsources:
 service: bitlocker
 conditions:
 log_name: 'Microsoft-Windows-BitLocker/BitLocker Management'
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ log_name: 'Microsoft-Windows-VHDMP-Operational'
 defaultindex:
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml
index cb0d4e24a..12c12844b 100644
--- a/tools/config/elk-winlogbeat.yml
+++ b/tools/config/elk-winlogbeat.yml
@@ -114,6 +114,11 @@ logsources:
 service: bitlocker
 conditions:
 logname: 'Microsoft-Windows-BitLocker/BitLocker Management'
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ logname: 'Microsoft-Windows-VHDMP-Operational'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
diff --git a/tools/config/fireeye-helix.yml b/tools/config/fireeye-helix.yml
index ff57115d1..f1bdce047 100644
--- a/tools/config/fireeye-helix.yml
+++ b/tools/config/fireeye-helix.yml
@@ -142,6 +142,11 @@ logsources:
 service: bitlocker
 conditions:
 channel: 'Microsoft-Windows-BitLocker/BitLocker Management'
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ channel: 'Microsoft-Windows-VHDMP-Operational'
 linux:
 product: linux
 index: posix
diff --git a/tools/config/generic/windows-services.yml b/tools/config/generic/windows-services.yml
index 813e34ee4..d8cbb3456 100644
--- a/tools/config/generic/windows-services.yml
+++ b/tools/config/generic/windows-services.yml
@@ -192,4 +192,10 @@ logsources:
 product: windows
 service: ldap_debug
 conditions:
- Provider_Name: 'Microsoft-Windows-LDAP-Client/Debug'
\ No newline at end of file
+ Provider_Name: 'Microsoft-Windows-LDAP-Client/Debug'
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ Provider_Name: 'Microsoft-Windows-VHDMP-Operational'
+
\ No newline at end of file
diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml
index 630ef12c7..c32fb1483 100644
--- a/tools/config/hawk.yml
+++ b/tools/config/hawk.yml
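Review bot: The last added line of generic/windows-services.yml is an empty (or whitespace-only) line that is itself followed by the `\ No newline at end of file` marker, so the file still ends without a terminating newline and now also carries a trailing blank line; both are things yamllint reports and that produce noisy diffs on the next edit. Drop the empty added line and end the file with a single newline directly after `Provider_Name: 'Microsoft-Windows-VHDMP-Operational'`.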
@@ -128,6 +128,11 @@ logsources:
 service: bits-client
 conditions:
 event_channel: "Microsoft-Windows-Bits-Client/Operational"
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ event_channel: 'Microsoft-Windows-VHDMP-Operational'
 windows-network-connection:
 product: windows
 category: network_connection
diff --git a/tools/config/logpoint-windows.yml b/tools/config/logpoint-windows.yml
index f7faa953f..ee500508b 100644
--- a/tools/config/logpoint-windows.yml
+++ b/tools/config/logpoint-windows.yml
@@ -114,6 +114,11 @@ logsources:
 service: bitlocker
 conditions:
 event_source: 'Microsoft-Windows-BitLocker/BitLocker Management'
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ event_source: 'Microsoft-Windows-VHDMP-Operational'
 fieldmappings:
 EventID: event_id
 FailureCode: result_code
diff --git a/tools/config/logstash-windows.yml b/tools/config/logstash-windows.yml
index 48bcf02c0..3ac6dcb3b 100644
--- a/tools/config/logstash-windows.yml
+++ b/tools/config/logstash-windows.yml
@@ -135,4 +135,9 @@ logsources:
 service: bitlocker
 conditions:
 Channel: 'Microsoft-Windows-BitLocker/BitLocker Management'
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ Channel: 'Microsoft-Windows-VHDMP-Operational'
 defaultindex: logstash-*
diff --git a/tools/config/powershell.yml b/tools/config/powershell.yml
index 556051e6c..43da93080 100644
--- a/tools/config/powershell.yml
+++ b/tools/config/powershell.yml
@@ -155,4 +155,9 @@ logsources:
 product: windows
 service: bitlocker
 conditions:
- LogName: 'Microsoft-Windows-BitLocker/BitLocker Management'
\ No newline at end of file
+ LogName: 'Microsoft-Windows-BitLocker/BitLocker Management'
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ LogName: 'Microsoft-Windows-VHDMP-Operational'
diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml
index 1df7507d0..5c0daafeb 100644
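Review bot: The new `event_channel` value in hawk.yml is single-quoted while the bits-client entry directly above it uses double quotes; both forms yield the same string, but mixed quoting inside one mapping reads as if the difference carried meaning. Match the neighbouring entry with `event_channel: "Microsoft-Windows-VHDMP-Operational"`, or switch the whole stanza to one style in a follow-up.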
--- a/tools/config/splunk-windows.yml
+++ b/tools/config/splunk-windows.yml
@@ -176,5 +176,10 @@ logsources:
 service: windefend
 conditions:
 source: 'WinEventLog:Microsoft-Windows-Windows Defender/Operational'
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ source: 'Microsoft-Windows-VHDMP-Operational'
 fieldmappings:
 EventID: EventCode
diff --git a/tools/config/sumologic.yml b/tools/config/sumologic.yml
index d23d40698..a496b4b44 100644
--- a/tools/config/sumologic.yml
+++ b/tools/config/sumologic.yml
@@ -145,6 +145,11 @@ logsources:
 service: bitlocker
 conditions:
 source: 'Microsoft-Windows-BitLocker/BitLocker Management'
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ source: 'Microsoft-Windows-VHDMP-Operational'
 apache:
 service: apache
 index: WEBSERVER
diff --git a/tools/config/thor.yml b/tools/config/thor.yml
index 5eb6437e4..89df6a371 100644
--- a/tools/config/thor.yml
+++ b/tools/config/thor.yml
@@ -419,6 +419,11 @@ logsources:
 service: bitlocker
 sources:
 - 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management'
+ windows-vhdmp:
+ product: windows
+ service: vhdmp
+ sources:
+ - 'Microsoft-Windows-VHDMP-Operational'
 apache:
 category: webserver
 sources:
diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index ce55c210f..7d8189e32 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@@ -159,6 +159,11 @@ logsources:
 service: bitlocker
 conditions:
 winlog.channel: 'Microsoft-Windows-BitLocker/BitLocker Management'
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ winlog_channel: 'Microsoft-Windows-VHDMP-Operational'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
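Review bot: The new `source` condition in splunk-windows.yml omits the `WinEventLog:` prefix that the windefend entry directly above carries (`'WinEventLog:Microsoft-Windows-Windows Defender/Operational'`); if the Splunk input names the VHDMP channel the same way as the other Windows channels, the generated search would filter on a `source` value that never occurs and every vhdmp rule would silently match nothing. Unless this channel is known to be ingested differently, change it to `source: 'WinEventLog:Microsoft-Windows-VHDMP-Operational'`. The thor.yml hunk on this same line has the same omission in its new `sources` list, where the bitlocker entry above it also uses the `WinEventLog:` prefix.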
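Review bot: The new logsource key in thor.yml is `windows-vhdmp`, while every other backend config touched by this commit names the same logsource `windows-vhdmp-operational`. As far as the hunk shows the key is only an identifier for the mapping, but keeping it identical across configs makes cross-file grepping and future edits of this logsource less error-prone. Rename it to `windows-vhdmp-operational:`.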
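Review bot: The new condition key in winlogbeat-modules-enabled.yml is `winlog_channel`, whereas the bitlocker entry directly above uses `winlog.channel`; the condition key names the indexed field, so the underscore form would presumably produce a query against a field that Winlogbeat does not populate, and the vhdmp rules would return nothing without any error from the converter. Change it to `winlog.channel: 'Microsoft-Windows-VHDMP-Operational'`. The winlogbeat.yml hunk on the next line introduces the same `winlog_channel` key and needs the same fix.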
diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml
index 6234fc1ed..f0dc37930 100644
--- a/tools/config/winlogbeat-old.yml
+++ b/tools/config/winlogbeat-old.yml
@@ -122,6 +122,11 @@ logsources:
 service: bitlocker
 conditions:
 log_name: 'Microsoft-Windows-BitLocker/BitLocker Management'
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ log_name: 'Microsoft-Windows-VHDMP-Operational'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml
index 7948fcf8c..b2716b44c 100644
--- a/tools/config/winlogbeat.yml
+++ b/tools/config/winlogbeat.yml
@@ -148,6 +148,11 @@ logsources:
 service: bitlocker
 conditions:
 winlog.channel: 'bitlocker'
+ windows-vhdmp-operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ winlog_channel: 'Microsoft-Windows-VHDMP-Operational'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
diff --git a/tools/config/zircolite.yml b/tools/config/zircolite.yml
index 302589b0a..4cc5d945f 100644
--- a/tools/config/zircolite.yml
+++ b/tools/config/zircolite.yml
@@ -113,4 +113,9 @@ logsources:
 product: windows
 service: bits-client
 conditions:
- Channel: 'Microsoft-Windows-Bits-Client/Operational'
\ No newline at end of file
+ Channel: 'Microsoft-Windows-Bits-Client/Operational'
+ windows-vhdmp-Operational:
+ product: windows
+ service: vhdmp
+ conditions:
+ Channel: 'Microsoft-Windows-VHDMP-Operational'
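Review bot: The new key in zircolite.yml is spelled `windows-vhdmp-Operational` with a capital O, unlike `windows-vhdmp-operational` in every other backend config in this commit and the all-lowercase `product`/`service`/`conditions` keys around it. A mixed-case key here is harmless to the parser but will trip anyone searching for the logsource by name across configs. Rename it to `windows-vhdmp-operational:`.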