title: Elastic Winlogbeat (from 7.x) index pattern and field mapping following Elastic enabled Modules
order: 20
backends:
- es-qs
- es-dsl
- es-rule
- es-rule-eql
- es-eql
- kibana
- kibana-ndjson
- xpack-watcher
- elastalert
- elastalert-dsl
- ee-outliers
logsources:
windows:
product: windows
index: winlogbeat-*
windows-application:
product: windows
service: application
conditions:
winlog.channel: Application
windows-security:
product: windows
service: security
conditions:
winlog.channel: Security
windows-system:
product: windows
service: system
conditions:
winlog.channel: System
windows-sysmon:
product: windows
service: sysmon
conditions:
winlog.channel: 'Microsoft-Windows-Sysmon/Operational'
windows-powershell:
product: windows
service: powershell
conditions:
winlog.channel: 'Microsoft-Windows-PowerShell/Operational'
windows-classicpowershell:
product: windows
service: powershell-classic
conditions:
winlog.channel: 'Windows PowerShell'
windows-dns-server:
product: windows
service: dns-server
conditions:
winlog.channel: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
winlog.channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
winlog.channel: 'Microsoft-Windows-DHCP-Server/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
winlog.channel: 'Microsoft-Windows-NTLM/Operational'
windows-defender:
product: windows
service: windefend
conditions:
winlog.channel: 'Microsoft-Windows-Windows Defender/Operational'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
winlog.channel: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
winlog.channel: 'Microsoft-Windows-PrintService/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
winlog.channel: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
winlog.channel: 'Microsoft-Windows-SmbClient/Security'
windows-applocker:
product: windows
service: applocker
conditions:
winlog.channel:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
winlog.channel: 'MSExchange Management'
microsoft-servicebus-client:
product: windows
service: microsoft-servicebus-client
conditions:
winlog.channel: 'Microsoft-ServiceBus-Client'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
winlog.channel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
winlog.channel: 'Microsoft-Windows-Bits-Client/Operational'
defaultindex: winlogbeat-*
# Extract all field names with yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
# Keep EventID! Clean up the list afterwards!
fieldmappings:
EventID: event.code
Channel: winlog.channel
#Keywords: from "Value" is lost with winlogbeat exist in nxlog
Provider_Name: winlog.provider_name
CallingProcessName: winlog.event_data.CallingProcessName
ComputerName: winlog.computer_name
EventType: winlog.event_data.EventType
FailureCode: winlog.event_data.FailureCode
FileName: file.path
HiveName: winlog.event_data.HiveName
ProcessCommandLine: winlog.event_data.ProcessCommandLine
SecurityID: winlog.event_data.SecurityID
Source: winlog.event_data.Source
# Channel: WLAN-Autoconfig AND EventID: 8001
AuthenticationAlgorithm: winlog.event_data.AuthenticationAlgorithm
BSSID: winlog.event_data.BSSID
BSSType: winlog.event_data.BSSType
CipherAlgorithm: winlog.event_data.CipherAlgorithm
ConnectionId: winlog.event_data.ConnectionId
ConnectionMode: winlog.event_data.ConnectionMode
InterfaceDescription: winlog.event_data.InterfaceDescription
InterfaceGuid: winlog.event_data.InterfaceGuid
OnexEnabled: winlog.event_data.OnexEnabled
PHYType: winlog.event_data.PHYType
ProfileName: winlog.event_data.ProfileName
SSID: winlog.event_data.SSID
Accesses: winlog.event_data.Accesses
ClassName: winlog.event_data.ClassName
ClassId: winlog.event_data.ClassId
DeviceDescription: winlog.event_data.DeviceDescription
# ErrorCode => printservice-admin EventID: 4909 or 808
ErrorCode: winlog.event_data.ErrorCode
FilePath: winlog.event_data.FilePath
# Filename => product: antivirus
Filename: winlog.event_data.Filename
LDAPDisplayName: winlog.event_data.LDAPDisplayName
# Level => Source: MSExchange Control Panel EventID: 4
Level: winlog.event_data.Level
TargetProcessAddress: winlog.event_data.TargetProcessAddress
# UserName => smbclient-security eventid:31017
UserName: winlog.event_data.UserName
#
# Sysmon/Operational up to ID 25
#
RuleName: winlog.event_data.RuleName
ProcessGuid: process.entity_id
ProcessId: process.pid
Image: process.executable
FileVersion:
category=process_creation: process.pe.file_version
category=image_load: file.pe.file_version
default: winlog.event_data.FileVersion
Description:
category=process_creation: process.pe.description
category=image_load: file.pe.description
category=sysmon_error: winlog.event_data.Description
default: winlog.event_data.Description
Product:
category=process_creation: process.pe.product
category=image_load: file.pe.product
default: winlog.event_data.Product
Company:
category=process_creation: process.pe.company
category=image_load: file.pe.company
default: winlog.event_data.Company
OriginalFileName:
category=process_creation: process.pe.original_file_name
category=image_load: file.pe.original_file_name
default: winlog.event_data.OriginalFileName
CommandLine:
category=process_creation: process.command_line
service=security: process.command_line
service=powershell-classic: powershell.command.value
default: winlog.event_data.CommandLine
CurrentDirectory: process.working_directory
LogonGuid: winlog.event_data.LogonGuid
LogonId: winlog.event_data.LogonId
TerminalSessionId: winlog.event_data.TerminalSessionId
IntegrityLevel: winlog.event_data.IntegrityLevel
ParentProcessGuid: process.parent.entity_id
ParentProcessId: process.parent.pid
ParentImage: process.parent.executable
ParentCommandLine: process.parent.command_line
ParentUser: winlog.event_data.ParentUser #Sysmon 13.30
SourceUser: winlog.event_data.SourceUser #Sysmon 13.30
TargetUser: winlog.event_data.TargetUser #Sysmon 13.30
TargetFilename: file.path
CreationUtcTime: winlog.event_data.CreationUtcTime
PreviousCreationUtcTime: winlog.event_data.PreviousCreationUtcTime
Protocol:
category=network_connection: network.transport
default: winlog.event_data.Protocol
Initiated:
category=network_connection: network.direction
default: winlog.event_data.Initiated
#SourceIsIpv6: winlog.event_data.SourceIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279
SourceIp: source.ip
SourceHostname: source.domain
SourcePort: source.port
SourcePortName: winlog.event_data.SourcePortName
#DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279
DestinationIp: destination.ip
DestinationHostname: destination.domain
DestinationPort: destination.port
DestinationPortName: network.protocol
State: winlog.event_data.State
Version: winlog.event_data.Version
SchemaVersion: winlog.event_data.SchemaVersion
ImageLoaded: file.path
Signed: file.code_signature.signed
Signature:
category=driver_loaded: file.code_signature.subject_name
category=image_loaded: file.code_signature.subject_name
default: winlog.event_data.Signature
SignatureStatus: file.code_signature.status
SourceProcessGuid: process.entity_id
SourceProcessId: process.pid
SourceImage: process.executable
TargetProcessGuid: winlog.event_data.TargetProcessGuid
TargetProcessId: winlog.event_data.TargetProcessId
TargetImage: winlog.event_data.TargetImage
NewThreadId: winlog.event_data.NewThreadId
StartAddress: winlog.event_data.StartAddress
StartModule: winlog.event_data.StartModule
StartFunction: winlog.event_data.StartFunction
Device: file.path
SourceThreadId: process.thread.id
GrantedAccess: winlog.event_data.GrantedAccess
CallTrace: winlog.event_data.CallTrace
TargetObject: registry.path
Details: winlog.event_data.Details
NewName: winlog.event_data.NewName
Configuration: winlog.event_data.Configuration
ConfigurationFileHash: winlog.event_data.ConfigurationFileHash
PipeName: file.name
User: winlog.event_data.User
EventNamespace: winlog.event_data.EventNamespace
Name: winlog.event_data.Name
Query: winlog.event_data.Query
Operation: winlog.event_data.Operation
Type: winlog.event_data.Type
Destination: process.executable
Consumer: winlog.event_data.Consumer
Filter: winlog.event_data.Filter
QueryName: dns.question.name
QueryStatus: sysmon.dns.status
QueryResults: winlog.event_data.QueryResults
IsExecutable: sysmon.file.is_executable
Archived: sysmon.file.archived
Session: winlog.event_data.Session
ClientInfo: winlog.event_data.ClientInfo
# SYSMON Hashes
Hashes: winlog.event_data.Hashes
# extraction from Hashes NOT a original field but find in some rule
md5:
category=driver_load: hash.md5
category=image_load: file.hash.md5
default: process.hash.md5
sha1:
category=driver_load: hash.sha1
category=image_load: file.hash.sha1
default: process.hash.sha1
sha256:
category=driver_load: hash.sha256
category=image_load: file.hash.sha256
default: process.hash.sha256
Imphash:
category=driver_load: hash.imphash
category=image_load: file.hash.imphash
default: process.pe.imphash
#
# Powershell
#
CommandName: powershell.command.name
CommandPath: powershell.command.path
CommandType: powershell.command.type
EngineVersion:
service=powershell-classic: powershell.engine.version
default: winlog.event_data.EngineVersion
HostApplication: process.command_line
HostId: process.entity_id
HostName: process.title
HostVersion:
service=powershell-classic: powershell.process.executable_version
default: winlog.event_data.HostVersion
NewEngineState: powershell.engine.new_state
PipelineId: powershell.pipeline_id
PreviousEngineState: powershell.engine.previous_state
RunspaceId: powershell.runspace_id
ScriptName: file.path
SequenceNumber: event.sequence
NewProviderState: powershell.provider.new_state
ProviderName: powershell.provider.name
Payload: winlog.event_data.Payload
ContextInfo: winlog.event_data.ContextInfo
MessageNumber: powershell.sequence
MessageTotal: powershell.total
ScriptBlockText: powershell.file.script_block_text
ScriptBlockId: powershell.file.script_block_id
#
# Security
#
AccessGranted: winlog.event_data.AccessGranted
AccessList: winlog.event_data.AccessList
AccessMask: winlog.event_data.AccessMask
AccessReason: winlog.event_data.AccessReason
AccessRemoved: winlog.event_data.AccessRemoved
AccountDomain: user.domain
AccountExpires: winlog.event_data.AccountExpires
AccountName: user.name
AdditionalInfo: winlog.event_data.AdditionalInfo
AdditionalInfo2: winlog.event_data.AdditionalInfo2
AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo
AppCorrelationID: winlog.event_data.AppCorrelationID
Application: process.executable
AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName
AttributeSyntaxOID: winlog.event_data.AttributeSyntaxOID
AttributeValue: winlog.event_data.AttributeValue
AuditPolicyChanges: winlog.event_data.AuditPolicyChanges
AuditSourceName: winlog.event_data.AuditSourceName
AuthenticationPackageName: winlog.event_data.AuthenticationPackageName
CallerProcessId: winlog.event_data.CallerProcessId
CallerProcessName: winlog.event_data.CallerProcessName
CategoryId: winlog.event_data.CategoryId
CertIssuerName: winlog.event_data.CertIssuerName
CertSerialNumber: winlog.event_data.CertSerialNumber
CertThumbprint: winlog.event_data.CertThumbprint
ClientAddress: source.ip
ClientName: source.domain
ClientProcessId: winlog.event_data.ClientProcessId
ClientProcessStartKey: winlog.event_data.ClientProcessStartKey
ComputerAccountChange: winlog.event_data.ComputerAccountChange
CrashOnAuditFailValue: winlog.event_data.CrashOnAuditFailValue
DestAddress: destination.ip
DestPort: destination.port
Direction: winlog.event_data.Direction
DisplayName: winlog.event_data.DisplayName
DnsHostName: winlog.event_data.DnsHostName
DomainBehaviorVersion: winlog.event_data.DomainBehaviorVersion
DomainName: winlog.event_data.DomainName
DomainPolicyChanged: winlog.event_data.DomainPolicyChanged
DomainSid: winlog.event_data.DomainSid
DSName: winlog.event_data.DSName
DSType: winlog.event_data.DSType
Dummy: winlog.event_data.Dummy
ElevatedToken: winlog.event_data.ElevatedToken
EventSourceId: winlog.event_data.EventSourceId
FailureReason: winlog.event_data.FailureReason
FilterRTID: winlog.event_data.FilterRTID
ForceLogoff: winlog.event_data.ForceLogoff
FQDN: winlog.event_data.FQDN
GroupTypeChange: winlog.event_data.GroupTypeChange
HandleId: winlog.event_data.HandleId
HomeDirectory: winlog.event_data.HomeDirectory
HomePath: winlog.event_data.HomePath
ImagePath: winlog.event_data.ImagePath
ImpersonationLevel: winlog.event_data.ImpersonationLevel
IpAddress: source.ip
IpPort: source.port
KeyLength: winlog.event_data.KeyLength
LayerName: winlog.event_data.LayerName
LayerRTID: winlog.event_data.LayerRTID
LmPackageName: winlog.event_data.LmPackageName
LockoutDuration: winlog.event_data.LockoutDuration
LockoutObservationWindow: winlog.event_data.LockoutObservationWindow
LockoutThreshold: winlog.event_data.LockoutThreshold
LogonHours: winlog.event_data.LogonHours
SubjectLogonId:
service=security: winlog.logon.id
default: winlog.event_data.SubjectLogonId
LogonProcessName: winlog.event_data.LogonProcessName
LogonType: winlog.event_data.LogonType
MachineAccountQuota: winlog.event_data.MachineAccountQuota
MandatoryLabel: winlog.event_data.MandatoryLabel
MasterKeyId: winlog.event_data.MasterKeyId
MaxPasswordAge: winlog.event_data.MaxPasswordAge
MemberName: winlog.event_data.MemberName
MemberSid: winlog.event_data.MemberSid
MinPasswordAge: winlog.event_data.MinPasswordAge
MinPasswordLength: winlog.event_data.MinPasswordLength
MixedDomainMode: winlog.event_data.MixedDomainMode
NewProcessId: process.pid
NewProcessName: process.executable
NewSd: winlog.event_data.NewSd
NewTargetUserName: winlog.event_data.NewTargetUserName
NewTime: winlog.event_data.NewTime
NewUacValue: winlog.event_data.NewUacValue
NewValue: winlog.event_data.NewValue
NewValueType: winlog.event_data.NewValueType
ObjectClass: winlog.event_data.ObjectClass
ObjectDN: winlog.event_data.ObjectDN
ObjectGUID: winlog.event_data.ObjectGUID
ObjectName: winlog.event_data.ObjectName
ObjectServer: winlog.event_data.ObjectServer
ObjectType: winlog.event_data.ObjectType
ObjectValueName: winlog.event_data.ObjectValueName
OemInformation: winlog.event_data.OemInformation
OldSd: winlog.event_data.OldSd
OldTargetUserName: winlog.event_data.OldTargetUserName
OldUacValue: winlog.event_data.OldUacValue
OldValue: winlog.event_data.OldValue
OldValueType: winlog.event_data.OldValueType
OpCorrelationID: winlog.event_data.OpCorrelationID
OperationType: winlog.event_data.OperationType
PackageName: winlog.event_data.PackageName
ParentProcessName: process.parent.name
PasswordHistoryLength: winlog.event_data.PasswordHistoryLength
PasswordLastSet: winlog.event_data.PasswordLastSet
PasswordProperties: winlog.event_data.PasswordProperties
PreAuthType: winlog.event_data.PreAuthType
PreviousTime: winlog.event_data.PreviousTime
PrimaryGroupId: winlog.event_data.PrimaryGroupId
PrivilegeList: winlog.event_data.PrivilegeList
ProcessName: process.executable
ProfilePath: winlog.event_data.ProfilePath
Properties: winlog.event_data.Properties
PuaCount: winlog.event_data.PuaCount
PuaPolicyId: winlog.event_data.PuaPolicyId
RecoveryKeyId: winlog.event_data.RecoveryKeyId
RecoveryServer: winlog.event_data.RecoveryServer
RelativeTargetName: winlog.event_data.RelativeTargetName
RemoteMachineID: winlog.event_data.RemoteMachineID
RemoteUserID: winlog.event_data.RemoteUserID
ResourceAttributes: winlog.event_data.ResourceAttributes
RestrictedAdminMode: winlog.event_data.RestrictedAdminMode
RestrictedSidCount: winlog.event_data.RestrictedSidCount
RpcCallClientLocality: winlog.event_data.RpcCallClientLocality
SamAccountName: winlog.event_data.SamAccountName
ScriptPath: winlog.event_data.ScriptPath
Service: winlog.event_data.Service
ServiceAccount: winlog.event_data.ServiceAccount
ServiceFileName: winlog.event_data.ServiceFileName
ServiceName:
service=security: service.name
default: winlog.event_data.ServiceName
ServicePrincipalNames: winlog.event_data.ServicePrincipalNames
ServiceSid: winlog.event_data.ServiceSid
ServiceStartType: winlog.event_data.ServiceStartType
ServiceType: winlog.event_data.ServiceType
SessionId: winlog.event_data.SessionId
SessionName: winlog.event_data.SessionName
ShareLocalPath: winlog.event_data.ShareLocalPath
ShareName: winlog.event_data.ShareName
SidHistory: winlog.event_data.SidHistory
SidList: winlog.event_data.SidList
SourceAddress: source.ip
Status: winlog.event_data.Status
StartType: winlog.event_data.StartType
SubcategoryGuid: winlog.event_data.SubcategoryGuid
SubcategoryId: winlog.event_data.SubcategoryId
SubjectDomainName:
service=security: user.domain
default: winlog.event_data.SubjectDomainName
SubjectUserName:
service=security: user.name
default: winlog.event_data.SubjectUserName
SubjectUserSid:
service=security: user.id
default: winlog.event_data.SubjectUserSid
SubStatus: winlog.event_data.SubStatus
TargetDomainName: user.domain
TargetLinkedLogonId: winlog.event_data.TargetLinkedLogonId
TargetLogonId:
service=security: winlog.logon.id
default: winlog.event_data.TargetLogonId
TargetOutboundDomainName: winlog.event_data.TargetOutboundDomainName
TargetOutboundUserName: winlog.event_data.TargetOutboundUserName
TargetServerName: winlog.event_data.TargetServerName
TargetSid: winlog.event_data.TargetSid
TargetUserName: winlog.event_data.TargetUserName
TargetUserSid: winlog.event_data.TargetUserSid
TaskContent: winlog.event_data.TaskContent
TaskName: winlog.event_data.TaskName
TicketEncryptionType: winlog.event_data.TicketEncryptionType
TicketOptions: winlog.event_data.TicketOptions
TokenElevationType: winlog.event_data.TokenElevationType
TransactionId: winlog.event_data.TransactionId
TransmittedServices: winlog.event_data.TransmittedServices
UserAccountControl: winlog.event_data.UserAccountControl
UserParameters: winlog.event_data.UserParameters
UserPrincipalName: winlog.event_data.UserPrincipalName
UserWorkstations: winlog.event_data.UserWorkstations
VirtualAccount: winlog.event_data.VirtualAccount
Workstation: winlog.event_data.Workstation
WorkstationName: source.domain
#
# System
#
DriveName: winlog.event_data.DriveName
DeviceName: winlog.event_data.DeviceName
HeaderFlags: winlog.event_data.HeaderFlags
Severity: winlog.event_data.Severity
Origin: winlog.event_data.Origin
Verb: winlog.event_data.Verb
Outcome: winlog.event_data.Outcome
SampleLength: winlog.event_data.SampleLength
SampleData: winlog.event_data.SampleData
SourceFile: winlog.event_data.SourceFile
SourceLine: winlog.event_data.SourceLine
SourceTag: winlog.event_data.SourceTag
CallStack: winlog.event_data.CallStack
#
# Microsoft-Windows-Windows Defender/Operational
#
Action_ID: winlog.event_data.Action\ ID
Action_Name: winlog.event_data.Action\ Name
Additional_Actions_ID: winlog.event_data.Additional\ Actions\ ID
Additional_Actions_String: winlog.event_data.Additional\ Actions\ String
Category_ID: winlog.event_data.Category\ ID
Category_Name: winlog.event_data.Category\ Name
Detection_ID: winlog.event_data.Detection\ ID
Detection_Time: winlog.event_data.Detection\ Time
Detection_User: winlog.event_data.Detection\ User
Engine_Version: winlog.event_data.Engine\ Version
Error_Code: winlog.event_data.Error\ Code
Error_Description: winlog.event_data.Error\ Description
Execution_ID: winlog.event_data.Execution\ ID
Execution_Name: winlog.event_data.Execution\ Name
FWLink: winlog.event_data.FWLink
New_Value: winlog.event_data.New\ Value
Old_Value: winlog.event_data.Old\ Value
Origin_ID: winlog.event_data.Origin\ ID
Origin_Name: winlog.event_data.Origin\ Name
Path: winlog.event_data.Path
Post_Clean_Status: winlog.event_data.Post\ Clean\ Status
Pre_Execution_Status: winlog.event_data.Pre\ Execution\ Status
Process_Name: winlog.event_data.Process\ Name
Product_Name: winlog.event_data.Product\ Name
Product_Version: winlog.event_data.Product\ Version
Remediation_User: winlog.event_data.Remediation\ User
Security_intelligence_Version: winlog.event_data.Security\ intelligence\ Version
Severity_ID: winlog.event_data.Severity\ ID
Severity_Name: winlog.event_data.Severity\ Name
Source_ID: winlog.event_data.Source\ ID
Source_Name: winlog.event_data.Source\ Name
Status_Code: winlog.event_data.Status\ Code
Status_Description: winlog.event_data.Status\ Description
Threat_ID: winlog.event_data.Threat\ ID
Threat_Name: winlog.event_data.Threat\ Name
Type_ID: winlog.event_data.Type\ ID
Type_Name: winlog.event_data.Type\ Name
#
# Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
#
ApplicationPath: winlog.event_data.ApplicationPath
ModifyingApplication: winlog.event_data.ModifyingApplication
Action: winlog.event_data.Action