blue-team-tools/tools/config/generic/windows-audit.yml
phantinuss 7f030b250e fix: wrong mapping of Windows Audit Log EventID 4688
reverts some changes introduced by commit c5fa73c328
    - removes the unnecessary/wrong field mapping
    - fixes the rules to apply to CommandLine instead of
      ParentCommandLine as the author probably intended
2022-03-30 11:24:24 +02:00


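---
# Sigma backend configuration: converts generic Sigma logsources into the
# Windows Security (native auditing) event log.
#
# Each stanza under `logsources` selects a generic category/product pair,
# adds the `conditions` that identify the matching audit event, and then
# rewrites the logsource to `product: windows` / `service: security`.
title: Conversion for Windows Native Auditing Events
order: 10
logsources:
  # Generic process_creation -> Security event 4688 (process creation).
  # NOTE(review): 4688 only carries a CommandLine field when the audit
  # policy "Include command line in process creation events" is enabled;
  # without it, rules that match on CommandLine never fire. Confirm the
  # policy on the monitored hosts before relying on these conversions.
  process_creation:
    category: process_creation
    product: windows
    conditions:
      EventID: 4688
    rewrite:
      product: windows
      service: security
  # Generic registry_event -> Security event 4657 (registry value modified),
  # restricted to creation or modification of a value.
  # NOTE(review): 4657 is only written for keys that carry an audit SACL
  # (Audit Registry subcategory enabled); keys without one produce no event,
  # so coverage depends on the SACL configuration — verify before relying on
  # the registry conversions below.
  registry_event:
    category: registry_event
    product: windows
    conditions:
      EventID: 4657
      OperationType:
        - 'New registry value created'
        - 'Existing registry value modified'
    rewrite:
      product: windows
      service: security
  # Generic registry_set -> 4657, modification of an existing value only.
  registry_event_set:
    category: registry_set
    product: windows
    conditions:
      EventID: 4657
      OperationType:
        - 'Existing registry value modified'
    rewrite:
      product: windows
      service: security
  # Generic registry_add -> 4657, creation of a new value only.
  # No stanza maps registry_delete, so rules in that category are not
  # converted by this configuration; presumably 4657 also reports value
  # deletion as a further OperationType, in which case a matching stanza
  # could be added — confirm against the event schema.
  registry_event_add:
    category: registry_add
    product: windows
    conditions:
      EventID: 4657
      OperationType:
        - 'New registry value created'
    rewrite:
      product: windows
      service: security
# Sigma field name -> Security event field name. Fields not listed here keep
# their Sigma name unchanged.
fieldmappings:
  Image: NewProcessName
  ParentImage: ParentProcessName
  Details: NewValue
  # CommandLine: ProcessCommandLine
  # No need to map CommandLine, as the real name of ProcessCommandLine is
  # already CommandLine.
  LogonId: SubjectLogonId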