---
# Sigma converter (sigmac) backend configuration for the HAWK backend.
title: HAWK
order: 20
backends:
  - hawk
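logsources:
  # Each entry names a logsource the HAWK backend recognises. The keys
  # category / product / service (/ index) select which Sigma rules the entry
  # applies to; `conditions` are extra field=value constraints added to every
  # matching rule so the generated query is scoped to the right event source;
  # `rewrite` replaces the rule's logsource so a generic category is routed to
  # a concrete source (sigmac config semantics — confirm against the backend).
  # NOTE(review): vendor_id values are a mix of quoted strings ("15") and bare
  # ints (9). They are kept as found; confirm how the backend renders each
  # form before normalising, since a type change alters the emitted query.
  antivirus:
    category: antivirus
    conditions:
      vendor_type: 'Antivirus'
  apache:
    service: apache
    conditions:
      product_name:
        - 'apache*'
        - 'httpd*'
  webserver:
    category: webserver
    conditions:
      vendor_type: 'Webserver'
  cisco:
    product: cisco
    conditions:
      vendor_name: 'Cisco'
  django:
    product: django
    conditions:
      vendor_name: 'Django'
  okta:
    service: okta
    conditions:
      vendor_name: "Okta"
      product_name: "Identity and Access Management"
  onedrive:
    service: onedrive
    conditions:
      vendor_name: "Microsoft"
      product_name: "Onedrive"
  onelogin-events:
    service: onelogin.events
    conditions:
      vendor_name: "Microsoft"
      product_name: "Onelogin"
  # microsoft365 and m365 are deliberate duplicates (same product/service and
  # conditions) so either name resolves to the same source.
  microsoft365:
    product: m365
    service: threat_management
    conditions:
      vendor_name: "Microsoft"
      product_name: "365"
  m365:
    product: m365
    service: threat_management
    conditions:
      vendor_name: "Microsoft"
      product_name: "365"
  google-workspace:
    service: google_workspace.admin
    conditions:
      vendor_name: "Google"
      product_name: "Workspace"
  guacamole:
    service: guacamole
    conditions:
      vendor_name: "Guacamole"
      # product_name sat next to `service` rather than under `conditions`,
      # where a logsource-level key would be ignored; moved under conditions.
      product_name: "Guacamole"
  google-cloud:
    service: gcp.audit
    conditions:
      vendor_name: "Google"
      product_name: "Cloud"
  sshd:
    service: sshd
    conditions:
      process_name: "sshd*"
  syslog:
    service: syslog
    conditions:
      process_name: "syslog*"
  spring:
    category: application
    product: spring
    conditions:
      vendor_name: "Spring"
  linux-audit:
    product: linux
    service: auditd
    conditions:
      vendor_name: "Linux"
      product_name: "Audit"
  modsecurity:
    service: modsecurity
    conditions:
      process_name: "modsec*"
  msexchange-management:
    service: msexchange-management
    conditions:
      product_name: "MSExchange Management"
  windows:
    product: windows
    index: windows
    conditions:
      vendor_name: "Microsoft"
  # Sysmon-derived Windows categories: vendor_id is the Sysmon event ID.
  windows-stream-hash:
    product: windows
    category: create_stream_hash
    conditions:
      product_name: "Sysmon"
      vendor_id: "15"
  windows-create-remote-thread:
    product: windows
    category: create_remote_thread
    conditions:
      product_name: "Sysmon"
      vendor_id: "8"
  windows-process-access:
    product: windows
    category: process_access
    conditions:
      product_name: "Sysmon"
      vendor_id: "10"
  windows-process-creation:
    product: windows
    category: process_creation
    conditions:
      product_name: "Sysmon"
      vendor_id: "1"
  windows-bits-client:
    product: windows
    service: bits-client
    conditions:
      event_channel: "Microsoft-Windows-Bits-Client/Operational"
  windows-network-connection:
    product: windows
    category: network_connection
    conditions:
      product_name: "Sysmon"
      vendor_id: "3"
  windows-sysmon-status:
    product: windows
    category: sysmon_status
    conditions:
      product_name: "Sysmon"
      vendor_id:
        - 4
        - 5
  windows-sysmon-error:
    product: windows
    category: sysmon_error
    conditions:
      product_name: "Sysmon"
      vendor_id: "255"
  windows-raw-access-thread:
    product: windows
    category: raw_access_thread
    conditions:
      product_name: "Sysmon"
      vendor_id: 9
  # file_create and file_event both map to Sysmon event 11 on purpose.
  windows-file-create:
    product: windows
    category: file_create
    conditions:
      product_name: "Sysmon"
      vendor_id: "11"
  windows-file-event:
    product: windows
    category: file_event
    conditions:
      product_name: "Sysmon"
      vendor_id: "11"
  windows-file-change:
    product: windows
    category: file_change
    conditions:
      product_name: "Sysmon"
      vendor_id: "2"
  windows-pipe-created:
    product: windows
    category: pipe_created
    conditions:
      product_name: "Sysmon"
      vendor_id:
        - 17
        - 18
  windows-dns-query:
    product: windows
    category: dns_query
    conditions:
      product_name: "Sysmon"
      vendor_id: "22"
  windows-file-delete:
    product: windows
    category: file_delete
    conditions:
      product_name: "Sysmon"
      vendor_id: "23"
  windows-kernel-file-rename:
    product: windows
    category: file_rename
    conditions:
      product_name: "Kernel-File"
  windows-kernel-file-access:
    product: windows
    category: file_access
    conditions:
      product_name: "Kernel-File"
  windows-wmi-sysmon:
    product: windows
    category: wmi_event
    conditions:
      product_name: "Sysmon"
      vendor_id:
        - 19
        - 20
        - 21
  windows-ldap-debug:
    product: windows
    category: ldap_debug
    conditions:
      event_channel: "Microsoft-Windows-LDAP-Client/Debug"
  windows-driver-load:
    product: windows
    category: driver_load
    conditions:
      product_name: "Sysmon"
      vendor_id: "6"
  windows-image-load:
    product: windows
    category: image_load
    conditions:
      product_name: "Sysmon"
      vendor_id: "7"
  clamav:
    service: clamav
    conditions:
      process_name: "clamav*"
  aws-cloudtrail:
    service: cloudtrail
    conditions:
      vendor_name: "AWS CloudTrail"
  zeek:
    product: zeek
    conditions:
      vendor_name: "Zeek"
      vendor_type: "IDS"
  firewall:
    category: firewall
    conditions:
      vendor_type:
        - "Firewall"
        - "Router"
        - "WAP"
  # Generic categories routed onto the concrete Zeek sources.
  zeek-category-dns:
    category: dns
    rewrite:
      product: zeek
      service: dns
  zeek-category-proxy:
    category: proxy
    rewrite:
      product: zeek
      service: http
  # One entry per Zeek log; hawk_source is the originating log file name.
  zeek-conn:
    product: zeek
    service: conn
    conditions:
      hawk_source: "conn.log"
  zeek-conn_long:
    product: zeek
    service: conn_long
    conditions:
      hawk_source: "conn_long.log"
  zeek-dce_rpc:
    product: zeek
    service: dce_rpc
    conditions:
      hawk_source: "dce_rpc.log"
  zeek-dns:
    product: zeek
    service: dns
    conditions:
      hawk_source: "dns.log"
  zeek-dnp3:
    product: zeek
    service: dnp3
    conditions:
      hawk_source: "dnp3.log"
  zeek-dpd:
    product: zeek
    service: dpd
    conditions:
      hawk_source: "dpd.log"
  zeek-files:
    product: zeek
    service: files
    conditions:
      hawk_source: "files.log"
  zeek-ftp:
    product: zeek
    service: ftp
    conditions:
      hawk_source: "ftp.log"
  zeek-gquic:
    product: zeek
    service: gquic
    conditions:
      hawk_source: "gquic.log"
  zeek-http:
    product: zeek
    service: http
    conditions:
      hawk_source: "http.log"
  zeek-http2:
    product: zeek
    service: http2
    conditions:
      hawk_source: "http2.log"
  zeek-intel:
    product: zeek
    service: intel
    conditions:
      hawk_source: "intel.log"
  zeek-irc:
    product: zeek
    service: irc
    conditions:
      hawk_source: "irc.log"
  zeek-kerberos:
    product: zeek
    service: kerberos
    conditions:
      hawk_source: "kerberos.log"
  zeek-known_certs:
    product: zeek
    service: known_certs
    conditions:
      hawk_source: "known_certs.log"
  zeek-known_hosts:
    product: zeek
    service: known_hosts
    conditions:
      hawk_source: "known_hosts.log"
  zeek-known_modbus:
    product: zeek
    service: known_modbus
    conditions:
      hawk_source: "known_modbus.log"
  zeek-known_services:
    product: zeek
    service: known_services
    conditions:
      hawk_source: "known_services.log"
  zeek-modbus:
    product: zeek
    service: modbus
    conditions:
      hawk_source: "modbus.log"
  zeek-modbus_register_change:
    product: zeek
    service: modbus_register_change
    conditions:
      hawk_source: "modbus_register_change.log"
  zeek-mqtt_connect:
    product: zeek
    service: mqtt_connect
    conditions:
      hawk_source: "mqtt_connect.log"
  zeek-mqtt_publish:
    product: zeek
    service: mqtt_publish
    conditions:
      hawk_source: "mqtt_publish.log"
  zeek-mqtt_subscribe:
    product: zeek
    service: mqtt_subscribe
    conditions:
      hawk_source: "mqtt_subscribe.log"
  zeek-mysql:
    product: zeek
    service: mysql
    conditions:
      hawk_source: "mysql.log"
  zeek-notice:
    product: zeek
    service: notice
    conditions:
      hawk_source: "notice.log"
  zeek-ntlm:
    product: zeek
    service: ntlm
    conditions:
      hawk_source: "ntlm.log"
  zeek-ntp:
    product: zeek
    service: ntp
    conditions:
      hawk_source: "ntp.log"
  zeek-ocsp:
    product: zeek
    # Was `service: ntp` (copy-paste from zeek-ntp): rules with service ocsp
    # never matched this entry and the two entries collided on zeek/ntp.
    service: ocsp
    conditions:
      hawk_source: "ocsp.log"
  zeek-pe:
    product: zeek
    service: pe
    conditions:
      hawk_source: "pe.log"
  zeek-pop3:
    product: zeek
    service: pop3
    conditions:
      hawk_source: "pop3.log"
  zeek-radius:
    product: zeek
    service: radius
    conditions:
      hawk_source: "radius.log"
  zeek-rdp:
    product: zeek
    service: rdp
    conditions:
      hawk_source: "rdp.log"
  zeek-rfb:
    product: zeek
    service: rfb
    conditions:
      hawk_source: "rfb.log"
  zeek-sip:
    product: zeek
    service: sip
    conditions:
      hawk_source: "sip.log"
  zeek-smb_files:
    product: zeek
    service: smb_files
    conditions:
      hawk_source: "smb_files.log"
  zeek-smb_mapping:
    product: zeek
    service: smb_mapping
    conditions:
      hawk_source: "smb_mapping.log"
  zeek-smtp:
    product: zeek
    service: smtp
    conditions:
      hawk_source: "smtp.log"
  zeek-smtp_links:
    product: zeek
    service: smtp_links
    conditions:
      hawk_source: "smtp_links.log"
  zeek-snmp:
    product: zeek
    service: snmp
    conditions:
      hawk_source: "snmp.log"
  zeek-socks:
    product: zeek
    service: socks
    conditions:
      hawk_source: "socks.log"
  zeek-software:
    product: zeek
    service: software
    conditions:
      hawk_source: "software.log"
  zeek-ssh:
    product: zeek
    service: ssh
    conditions:
      hawk_source: "ssh.log"
  # Zeek's log is named ssl.log but the HAWK dataset is tls; both the
  # `ssl` and `tls` service names are accepted and point at tls.log.
  zeek-ssl:
    product: zeek
    service: ssl
    conditions:
      hawk_source: "tls.log"
  zeek-tls:
    product: zeek
    service: tls
    conditions:
      hawk_source: "tls.log"
  zeek-syslog:
    product: zeek
    service: syslog
    conditions:
      hawk_source: "syslog.log"
  zeek-tunnel:
    product: zeek
    service: tunnel
    conditions:
      hawk_source: "tunnel.log"
  zeek-traceroute:
    product: zeek
    service: traceroute
    conditions:
      hawk_source: "traceroute.log"
  zeek-weird:
    product: zeek
    service: weird
    conditions:
      hawk_source: "weird.log"
  zeek-x509:
    product: zeek
    service: x509
    conditions:
      hawk_source: "x509.log"
  # Cross-log source for IP searches: every Zeek log that carries endpoints.
  zeek-ip_search:
    product: zeek
    service: network
    conditions:
      hawk_source:
        - "conn.log"
        - "conn_long.log"
        - "dce_rpc.log"
        - "dhcp.log"
        - "dnp3.log"
        - "dns.log"
        - "ftp.log"
        - "gquic.log"
        - "http.log"
        - "irc.log"
        - "kerberos.log"
        - "modbus.log"
        - "mqtt_connect.log"
        - "mqtt_publish.log"
        - "mqtt_subscribe.log"
        - "mysql.log"
        - "ntlm.log"
        - "ntp.log"
        - "radius.log"
        - "rfb.log"
        - "sip.log"
        - "smb_files.log"
        - "smb_mapping.log"
        - "smtp.log"
        - "smtp_links.log"
        - "snmp.log"
        - "socks.log"
        - "ssh.log"
        - "tls.log"  # SSL
        - "tunnel.log"
        - "weird.log"
  azure-signin:
    product: azure
    service: signinlogs
    conditions:
      vendor_name: "Microsoft"
      product_name: "Azure"
      product_source: "signInAudits"
  azure-auditlogs:
    product: azure
    service: auditlogs
    conditions:
      vendor_name: "Microsoft"
      product_name: "Azure"
      product_source: "directoryAudits"
  azure-activitylogs:
    product: azure
    service: activitylogs
    conditions:
      vendor_name: "Microsoft"
      product_name: "Azure"
  azure-activity:
    product: azure
    service: azureactivity
    conditions:
      vendor_name: "Microsoft"
      product_name: "Azure"
  microsoft-servicebus-client:
    product: windows
    service: microsoft-servicebus-client
    conditions:
      event_channel: 'Microsoft-ServiceBus-Client'
  # Windows event-log channels (non-Sysmon).
  windows-application:
    product: windows
    service: application
    conditions:
      event_channel: 'Application'
  windows-security:
    product: windows
    service: security
    conditions:
      event_channel: 'Security'
  windows-system:
    product: windows
    service: system
    conditions:
      event_channel: 'System'
  windows-sysmon:
    product: windows
    service: sysmon
    conditions:
      product_name: 'Sysmon'
  windows-powershell:
    product: windows
    service: powershell
    conditions:
      product_name: 'PowerShell'
  windows-classicpowershell:
    product: windows
    service: powershell-classic
    conditions:
      product_name: 'Windows PowerShell'
  windows-taskscheduler:
    product: windows
    service: taskscheduler
    conditions:
      product_name: 'TaskScheduler'
  windows-wmi:
    product: windows
    service: wmi
    conditions:
      product_name: 'WMI-Activity'
  windows-dns-server:
    product: windows
    service: dns-server
    conditions:
      product_name: 'DNS Server'
  windows-dns-server-audit:
    product: windows
    service: dns-server-audit
    conditions:
      product_name: 'DNS Server'
  windows-driver-framework:
    product: windows
    service: driver-framework
    conditions:
      product_name: 'DriverFrameworks-UserMode'
  windows-ntlm:
    product: windows
    service: ntlm
    conditions:
      product_name: 'NTLM'
  windows-dhcp:
    product: windows
    service: dhcp
    conditions:
      product_name: 'DHCP-Server'
  windows-defender:
    product: windows
    service: windefend
    conditions:
      product_name: 'Windows Defender'
  windows-applocker:
    product: windows
    service: applocker
    conditions:
      product_name:
        - 'AppLocker'
  windows-firewall-advanced-security:
    product: windows
    service: firewall-as
    conditions:
      product_name: 'Windows Firewall With Advanced Security'
  # PowerShell categories: vendor_id is the Windows event ID.
  windows-ps-module:
    product: windows
    category: ps_module
    conditions:
      product_name: 'PowerShell'
      vendor_id: 4103
  windows-ps-script:
    product: windows
    category: ps_script
    conditions:
      product_name: 'PowerShell'
      vendor_id: 4104
  windows-ps-classic-start:
    product: windows
    category: ps_classic_start
    conditions:
      # Was `EventID: 400`; the other conditions in this file constrain the
      # HAWK-native vendor_id, so the event ID is expressed the same way here.
      vendor_id: 400
      product_name: 'Windows PowerShell'
  windows-ps-classic-provider:
    product: windows
    category: ps_classic_provider_start
    conditions:
      vendor_id: 600
      product_name: 'Windows PowerShell'
  windows-ps-classic-script:
    product: windows
    category: ps_classic_script
    conditions:
      vendor_id: 800
      product_name: 'Windows PowerShell'
  # NOTE(review): no `product: windows` here, unlike microsoft-servicebus-client
  # above; left as found because adding it would narrow which rules match.
  windows-service-bus:
    service: Microsoft-ServiceBus-Client
    conditions:
      product_name: "Microsoft-ServiceBus-Client"
  windows-msexchange-management:
    product: windows
    service: msexchange-management
    conditions:
      product_name: 'MSExchange Management'
  windows-printservice-admin:
    product: windows
    service: printservice-admin
    conditions:
      product_name: 'PrintService'
  windows-printservice-operational:
    product: windows
    service: printservice-operational
    conditions:
      product_name: 'PrintService'
  windows-terminalservices-localsessionmanager-operational:
    product: windows
    service: terminalservices-localsessionmanager
    conditions:
      product_name: 'TerminalServices-LocalSessionManager'
  windows-codeintegrity-operational:
    product: windows
    service: codeintegrity-operational
    conditions:
      product_name: 'CodeIntegrity'
  windows-smbclient-security:
    product: windows
    service: smbclient-security
    conditions:
      product_name: 'SmbClient'
  # Sysmon registry events: 12 covers both key create and key delete, which is
  # why registry_add and registry_delete share the same vendor_id.
  windows-registry:
    product: windows
    category: registry_event
    conditions:
      product_name: "Sysmon"
      vendor_id:
        - 12
        - 13
        - 14
  windows-registry-add:
    product: windows
    category: registry_add
    conditions:
      product_name: "Sysmon"
      vendor_id: 12
  windows-registry-delete:
    product: windows
    category: registry_delete
    conditions:
      product_name: "Sysmon"
      vendor_id: 12
  windows-registry-set:
    product: windows
    category: registry_set
    conditions:
      product_name: "Sysmon"
      vendor_id: 13
  windows-registry-rename:
    product: windows
    category: registry_rename
    conditions:
      product_name: "Sysmon"
      vendor_id: 14
  windows-file-block-executable:
    product: windows
    category: file_block
    conditions:
      product_name: "Sysmon"
      vendor_id: 27
  # dns:
  #   category: dns
  #   conditions:
  # Flow sources: no conditions, matched on product/service only.
  qflow:
    product: qflow
  netflow:
    service: netflow
  ipfix:
    product: ipfix
  flow:
    product: flow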
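fieldmappings:
  # Maps Sigma rule field names (keys) to HAWK field names (values). A list
  # value fans one Sigma field out to several HAWK fields. Field names absent
  # from this table are presumed to reach the query unchanged, so a misspelled
  # key is a silent detection gap rather than an error.
  dst:
    - ip_dst_host
  dst_ip:
    - ip_dst
  src:
    - ip_src_host
  src_ip:
    - ip_src
  IPAddress: ip_src
  DNSAddress: dns_address
  DCIPAddress: ip_src
  category: vendor_category
  error: error_code
  key: event_key
  payload: event_payload
  weight: event_weight
  'account type': account_type
  PrivilegeList: process_privileges
  pid_user: event_username
  sid: correlation_session_id
  UserSid: correlation_session_id
  TargetSid: target_session_id
  TargetUserName: target_username
  SamAccountName: target_username
  AccountName: target_username
  TargetDomainName: target_domain
  DnsServerIpAddress: dns_address
  QueryName: dns_query
  AuthenticationPackageName: package_name
  HostProcess: image
  Application: image
  ProcessName: image
  TargetImage: target_image
  ParentImage: parent_image
  CallerProcessName: parent_image
  ParentProcessName: parent_image
  CommandLine: command
  ProcessCommandLine: command
  ParentCommandLine: parent_command
  Imphash: file_hash_imphash
  sha256: file_hash_sha256
  md5: file_hash_md5
  sha1: file_hash_sha1
  SubjectUserSid: correlation_session_id
  SubjectSid: correlation_session_id
  SubjectUserName: correlation_username
  SubjectDomainName: correlation_domain
  SubjectLogonId: correlation_logon_id
  pid: event_pid
  # Was `ProccessId: pid`: the misspelled key never matched Sigma's ProcessId,
  # and its target `pid` is itself only a Sigma-side alias of event_pid above.
  # TODO(review): confirm event_pid is the intended HAWK field.
  ProcessId: event_pid
  NewProcessName: image
  ServiceName: service_name
  Service: service_name
  ServiceFileName: filename
  EventID: vendor_id
  SourceImage: parent_image
  ImageLoaded: image_loaded
  Description: image_description
  ScriptBlockText: value
  Product: image_product
  Company: image_company
  CurrentDirectory: path
  ShareName: path
  RelativeTargetName: filename
  TargetName: value
  Initiated: value
  Accesses: access_mask
  LDAPDisplayName: distinguished_name
  AttributeLDAPDisplayName: distinguished_name
  AttributeValue: value
  ParentProcessId: parent_pid
  SourceProcessId: source_pid
  TargetProcessId: target_pid
  Signed: signature
  Status: value
  TargetFilename: filename
  FileName: filename
  TargetObject: object_target
  ObjectClass: object_type
  ObjectValueName: object_name
  ObjectName: object_name
  DeviceClassName: object_name
  CallTrace: calltrace
  IpAddress: ip_src
  WorkstationName: ip_src_host
  Workstation: ip_src_host
  DestinationIp: ip_dst
  DestinationHostname: ip_dst_host
  DestinationPort: ip_dport
  DestAddress: ip_dst
  DestPort: ip_dport
  SourceAddress: ip_src
  SourcePort: ip_sport
  GrantedAccess: access_mask
  StartModule: target_process_name
  TargetProcessAddress: process_address
  TicketOptions: sys.ticket.options
  TicketEncryptionType: sys.ticket.encryption.type
  DetectionSource: value
  Priority: event_priority
  event_type_id: vendor_id
  destination.port: ip_dport
  user: correlation_username
  User: correlation_username
  # Provider_Name: channel
  # Web-server / proxy (W3C-style) field names.
  c-referer: http_referer
  cs-referer: http_referer
  cs-host: http_host
  cs-method: http_method
  c-uri: http_path
  c-uri-stem: http_path
  cs-uri: http_path
  cs-uri-stem: http_path
  c-agent: http_user_agent
  cs-agent: http_user_agent
  c-useragent: http_user_agent
  cs-useragent: http_user_agent
  cs-user-agent: http_user_agent
  c-ip: ip_src
  cs-ip: ip_src
  s-ip: ip_dst
  sc-ip: ip_dst
  c-username: correlation_username
  cs-username: correlation_username
  s-computername: ip_dst_host
  cs-uri-query: http_query
  c-uri-query: http_query
  sc-status: http_status_code
  sc-bytes: http_content_length
  user-agent: http_user_agent
  cs-User-Agent: http_user_agent
  r-dns: http_host
  # Zeek connection-tuple field names.
  id.orig_h: ip_src
  id.orig_p: ip_sport
  id.resp_h: ip_dst
  id.resp_p: ip_dport
  host: ip_src
  hostname: ip_src_host
  port_num: ip_dport
  dst_port: ip_dport
  query: dns_query
  orig_ip_bytes: net_if_out_bytes
  resp_ip_bytes: net_if_in_bytes
  QNAME: qname
  Channel: event_channel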