title: Elastic Winlogbeat (from 7.x) index pattern and field mapping order: 20 backends: - es-qs - es-dsl - es-rule - kibana - kibana-ndjson - xpack-watcher - elastalert - elastalert-dsl - ee-outliers logsources: windows: product: windows index: winlogbeat-* windows-application: product: windows service: application conditions: winlog.channel: Application windows-security: product: windows service: security conditions: winlog.channel: Security windows-system: product: windows service: system conditions: winlog.channel: System windows-sysmon: product: windows service: sysmon conditions: winlog.channel: 'Microsoft-Windows-Sysmon/Operational' windows-powershell: product: windows service: powershell conditions: winlog.channel: 'Microsoft-Windows-PowerShell/Operational' windows-classicpowershell: product: windows service: powershell-classic conditions: winlog.channel: 'Windows PowerShell' windows-dns-server: product: windows service: dns-server conditions: winlog.channel: 'DNS Server' windows-driver-framework: product: windows service: driver-framework conditions: winlog.channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' windows-dhcp: product: windows service: dhcp conditions: winlog.channel: 'Microsoft-Windows-DHCP-Server/Operational' windows-ntlm: product: windows service: ntlm conditions: winlog.channel: 'Microsoft-Windows-NTLM/Operational' windows-defender: product: windows service: windefend conditions: winlog.channel: 'Microsoft-Windows-Windows Defender/Operational' windows-printservice-admin: product: windows service: printservice-admin conditions: winlog.channel: 'Microsoft-Windows-PrintService/Admin' windows-printservice-operational: product: windows service: printservice-operational conditions: winlog.channel: 'Microsoft-Windows-PrintService/Operational' windows-smbclient-security: product: windows service: smbclient-security conditions: winlog.channel: 'Microsoft-Windows-SmbClient/Security' windows-applocker: product: windows service: applocker conditions: winlog.channel: - 'Microsoft-Windows-AppLocker/MSI and Script' - 'Microsoft-Windows-AppLocker/EXE and DLL' - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' - 'Microsoft-Windows-AppLocker/Packaged app-Execution' defaultindex: winlogbeat-* # Extract all field names with yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g' # Keep EventID! Clean up the list afterwards! fieldmappings: EventID: winlog.event_id AccessMask: winlog.event_data.AccessMask AccessList: winlog.event_data.AccessList AccountName: winlog.event_data.AccountName AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName AuditPolicyChanges: winlog.event_data.AuditPolicyChanges AuthenticationPackageName: winlog.event_data.AuthenticationPackageName CallingProcessName: winlog.event_data.CallingProcessName CallTrace: winlog.event_data.CallTrace Channel: winlog.channel CommandLine: winlog.event_data.CommandLine ComputerName: winlog.ComputerName CurrentDirectory: winlog.event_data.CurrentDirectory Description: winlog.event_data.Description DestinationHostname: winlog.event_data.DestinationHostname DestinationIp: winlog.event_data.DestinationIp dst_ip: winlog.event_data.DestinationIp DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 DestinationPort: winlog.event_data.DestinationPort dst_port: winlog.event_data.DestinationPort Details: winlog.event_data.Details EngineVersion: winlog.event_data.EngineVersion EventType: winlog.event_data.EventType FailureCode: winlog.event_data.FailureCode FileName: winlog.event_data.FileName GrantedAccess: winlog.event_data.GrantedAccess GroupName: winlog.event_data.GroupName GroupSid: winlog.event_data.GroupSid Hashes: winlog.event_data.Hashes HiveName: winlog.event_data.HiveName HostVersion: winlog.event_data.HostVersion Image: winlog.event_data.Image ImageLoaded: winlog.event_data.ImageLoaded ImagePath: winlog.event_data.ImagePath Imphash: winlog.event_data.Hashes IpAddress: winlog.event_data.IpAddress KeyLength: winlog.event_data.KeyLength LogonProcessName: winlog.event_data.LogonProcessName LogonType: winlog.event_data.LogonType NewProcessName: winlog.event_data.NewProcessName ObjectClass: winlog.event_data.ObjectClass ObjectName: winlog.event_data.ObjectName ObjectType: winlog.event_data.ObjectType ObjectValueName: winlog.event_data.ObjectValueName OriginalFileName: winlog.event_data.OriginalFileName ParentCommandLine: winlog.event_data.ParentCommandLine ParentProcessName: winlog.event_data.ParentProcessName ParentImage: winlog.event_data.ParentImage Path: winlog.event_data.Path PipeName: winlog.event_data.PipeName ProcessCommandLine: winlog.event_data.ProcessCommandLine ProcessName: winlog.event_data.ProcessName Product: winlog.event_data.Product Properties: winlog.event_data.Properties RuleName: winlog.event_data.RuleName ScriptBlockText: winlog.event_data.ScriptBlockText SecurityID: winlog.event_data.SecurityID ServiceFileName: winlog.event_data.ServiceFileName ServiceName: winlog.event_data.ServiceName ShareName: winlog.event_data.ShareName Signature: winlog.event_data.Signature Source: winlog.event_data.Source SourceImage: winlog.event_data.SourceImage SourceIp: winlog.event_data.SourceIp src_ip: winlog.event_data.SourceIp SourcePort: winlog.event_data.SourcePort src_port: winlog.event_data.SourcePort StartModule: winlog.event_data.StartModule Status: winlog.event_data.Status SubjectUserName: winlog.event_data.SubjectUserName SubjectUserSid: winlog.event_data.SubjectUserSid TargetFilename: winlog.event_data.TargetFilename TargetImage: winlog.event_data.TargetImage TargetObject: winlog.event_data.TargetObject TicketEncryptionType: winlog.event_data.TicketEncryptionType TicketOptions: winlog.event_data.TicketOptions User: winlog.event_data.User WorkstationName: winlog.event_data.WorkstationName # Channel: WLAN-Autoconfig AND EventID: 8001 AuthenticationAlgorithm: winlog.event_data.AuthenticationAlgorithm BSSID: winlog.event_data.BSSID BSSType: winlog.event_data.BSSType CipherAlgorithm: winlog.event_data.CipherAlgorithm ConnectionId: winlog.event_data.ConnectionId ConnectionMode: winlog.event_data.ConnectionMode InterfaceDescription: winlog.event_data.InterfaceDescription InterfaceGuid: winlog.event_data.InterfaceGuid OnexEnabled: winlog.event_data.OnexEnabled PHYType: winlog.event_data.PHYType ProfileName: winlog.event_data.ProfileName SSID: winlog.event_data.SSID # powershell SequenceNumber: winlog.event_data.SequenceNumber NewEngineState: winlog.event_data.NewEngineState PreviousEngineState: winlog.event_data.PreviousEngineState NewProviderState: winlog.event_data.NewProviderState ProviderName: winlog.event_data.ProviderName HostId: winlog.event_data.HostId HostApplication: winlog.event_data.HostApplication HostName: winlog.event_data.HostName Payload: winlog.event_data.Payload ContextInfo: winlog.event_data.ContextInfo # from here missing field at 20210706 Accesses: winlog.event_data.Accesses AttributeValue: winlog.event_data.AttributeValue AuditSourceName: winlog.event_data.AuditSourceName AuthenticationPackage: winlog.event_data.AuthenticationPackageName CallerProcessName: winlog.event_data.CallerProcessName ClassName: winlog.event_data.ClassName ClassId: winlog.event_data.ClassId Company: winlog.event_data.Company DestAddress: winlog.event_data.DestAddress Destination: winlog.event_data.Destination DestPort: winlog.event_data.DestPort Device: winlog.event_data.Device DeviceDescription: winlog.event_data.DeviceDescription # DeviceName => Microsoft-Windows-Ntfs EventID: 98 DeviceName: winlog.event_data.DeviceName # ErrorCode => printservice-admin EventID: 4909 or 808 ErrorCode: winlog.event_data.ErrorCode FilePath: winlog.event_data.FilePath FileVersion: winlog.event_data.FileVersion # Filename => product: antivirus Filename: winlog.event_data.Filename Initiated: winlog.event_data.Initiated IntegrityLevel: winlog.event_data.IntegrityLevel LayerRTID: winlog.event_data.LayerRTID LDAPDisplayName: winlog.event_data.LDAPDisplayName # Level => Source: MSExchange Control Panel EventID: 4 Level: winlog.event_data.Level LogonId: winlog.event_data.LogonId NewName: winlog.event_data.NewName NewValue: winlog.event_data.NewValue ObjectServer: winlog.event_data.ObjectServer PasswordLastSet: winlog.event_data.PasswordLastSet PrivilegeList: winlog.event_data.PrivilegeList QueryName: winlog.event_data.QueryName QueryResults: winlog.event_data.QueryResults QueryStatus: winlog.event_data.QueryStatus RelativeTargetName: winlog.event_data.RelativeTargetName SamAccountName: winlog.event_data.SamAccountName Service: winlog.event_data.Service ServicePrincipalNames: winlog.event_data.ServicePrincipalNames sha1: winlog.event_data.Hashes SidHistory: winlog.event_data.SidHistory Signed: winlog.event_data.Signed SourceAddress: winlog.event_data.SourceAddress StartFunction: winlog.event_data.StartFunction SubjectLogonId: winlog.event_data.SubjectLogonId TargetFileName: winlog.event_data.TargetFilename TargetProcessAddress: winlog.event_data.TargetProcessAddress TargetServerName: winglog.event_data.TargetServerName TargetLogonId: winlog.event_data.TargetLogonId TaskName: winlog.event_data.TaskName # UserName => smbclient-security eventid:31017 UserName: winlog.event_data.UserName Workstation: winlog.event_data.Workstation