Tim Shelton
213 lines
5.0 KiB
YAML
213 lines
5.0 KiB
YAML
title: HAWK
|
|
order: 20
|
|
backends:
|
|
- hawk
|
|
logsources:
|
|
apache:
|
|
product: apache
|
|
conditions:
|
|
product_name: '*apache*'
|
|
windows:
|
|
product: windows
|
|
index: windows
|
|
conditions:
|
|
vendor_name: 'Microsoft'
|
|
windows-application:
|
|
product: windows
|
|
service: application
|
|
conditions:
|
|
product_name: 'Application'
|
|
windows-security:
|
|
product: windows
|
|
service: security
|
|
conditions:
|
|
product_name: 'Security'
|
|
windows-system:
|
|
product: windows
|
|
service: system
|
|
conditions:
|
|
product_name: 'System'
|
|
windows-sysmon:
|
|
product: windows
|
|
service: sysmon
|
|
conditions:
|
|
product_name: 'Sysmon'
|
|
windows-powershell:
|
|
product: windows
|
|
service: powershell
|
|
conditions:
|
|
product_name: 'PowerShell'
|
|
windows-classicpowershell:
|
|
product: windows
|
|
service: powershell-classic
|
|
conditions:
|
|
product_name: 'Windows PowerShell'
|
|
windows-taskscheduler:
|
|
product: windows
|
|
service: taskscheduler
|
|
conditions:
|
|
product_name: 'TaskScheduler'
|
|
windows-wmi:
|
|
product: windows
|
|
service: wmi
|
|
conditions:
|
|
product_name: 'WMI-Activity'
|
|
windows-dns-server:
|
|
product: windows
|
|
service: dns-server
|
|
category: dns
|
|
conditions:
|
|
product_name: 'DNS Server'
|
|
windows-dns-server-audit:
|
|
product: windows
|
|
service: dns-server-audit
|
|
conditions:
|
|
product_name: 'DNS-Server'
|
|
windows-driver-framework:
|
|
product: windows
|
|
service: driver-framework
|
|
conditions:
|
|
product_name: 'DriverFrameworks-UserMode'
|
|
windows-ntlm:
|
|
product: windows
|
|
service: ntlm
|
|
conditions:
|
|
product_name: 'NTLM'
|
|
windows-dhcp:
|
|
product: windows
|
|
service: dhcp
|
|
conditions:
|
|
product_name: 'DHCP-Server'
|
|
windows-defender:
|
|
product: windows
|
|
service: windefend
|
|
conditions:
|
|
product_name: 'Windows Defender'
|
|
windows-applocker:
|
|
product: windows
|
|
service: applocker
|
|
conditions:
|
|
product_name:
|
|
- 'AppLocker'
|
|
windows-msexchange-management:
|
|
product: windows
|
|
service: msexchange-management
|
|
conditions:
|
|
product_name: 'MSExchange Management'
|
|
windows-printservice-admin:
|
|
product: windows
|
|
service: printservice-admin
|
|
conditions:
|
|
product_name: 'PrintService'
|
|
windows-printservice-operational:
|
|
product: windows
|
|
service: printservice-operational
|
|
conditions:
|
|
product_name: 'PrintService'
|
|
windows-smbclient-security:
|
|
product: windows
|
|
service: smbclient-security
|
|
conditions:
|
|
product_name: 'SmbClient'
|
|
qflow:
|
|
product: qflow
|
|
netflow:
|
|
product: netflow
|
|
ipfix:
|
|
product: ipfix
|
|
flow:
|
|
category: flow
|
|
fieldmappings:
|
|
dst:
|
|
- ip_dst_host
|
|
dst_ip:
|
|
- ip_dst
|
|
src:
|
|
- ip_src_host
|
|
src_ip:
|
|
- ip_src
|
|
category: vendor_category
|
|
error: error_code
|
|
key: event_key
|
|
payload: event_payload
|
|
weight: event_weight
|
|
account type: account_type
|
|
PrivilegeList: process_privileges
|
|
pid_user: event_username
|
|
sid: correlation_session_id
|
|
UserSid: correlation_session_id
|
|
TargetSid: target_session_id
|
|
TargetUserName: target_username
|
|
SamAccountName: target_username
|
|
AccountName: target_username
|
|
TargetDomainName: target_domain
|
|
DnsServerIpAddress: dns_address
|
|
QueryName: hostname_dst
|
|
AuthenticationPackageName: package_name
|
|
HostProcess: image
|
|
Application: image
|
|
ProcessName: image
|
|
TargetImage: target_image
|
|
ParentImage: parent_image
|
|
CallerProcessName: parent_image
|
|
ParentProcessName: parent_image
|
|
CommandLine: command
|
|
ProcessCommandLine: command
|
|
ParentCommandLine: parent_command
|
|
IMPHASH: file_hash_imphash
|
|
SHA256: file_hash_sha256
|
|
MD5: file_hash_md5
|
|
SHA1: file_hash_sha1
|
|
SubjectUserSid: correlation_session_id
|
|
SubjectSid: correlation_session_id
|
|
SubjectUserName: correlation_username
|
|
SubjectDomainName: correlation_domain
|
|
SubjectLogonId: correlation_logon_id
|
|
pid: event_pid
|
|
ProccessId: pid
|
|
NewProcessName: image
|
|
ServiceName: service_name
|
|
Service: service_name
|
|
ServiceFileName: filename
|
|
EventID: vendor_id
|
|
SourceImage: parent_image
|
|
Description: image_description
|
|
Product: image_product
|
|
Company: image_company
|
|
CurrentDirectory: path
|
|
ShareName: path
|
|
RelativeTargetName: filename
|
|
TargetName: value
|
|
Initiated: value
|
|
Accesses: access_mask
|
|
LDAPDisplayName: distinguished_name
|
|
AttributeLDAPDisplayName: distinguished_name
|
|
AttributeValue: value
|
|
ParentProcessId: parent_pid
|
|
SourceProcessId: source_pid
|
|
TargetProcessId: target_pid
|
|
Signed: signature
|
|
Status: value
|
|
TargetFilename: filename
|
|
TargetObject: object_target
|
|
ObjectClass: object_type
|
|
ObjectValueName: object_name
|
|
ObjectName: object_name
|
|
DeviceClassName: object_name
|
|
Details: object_target
|
|
CallTrace: calltrace
|
|
IpAddress: ip_src
|
|
DCIPAddress: ip_src
|
|
WorkstationName: hostname_src
|
|
Workstation: hostname_src
|
|
DestinationIp: ip_dst
|
|
DestinationHostname: hostname_dst
|
|
DestinationPort: ip_dport
|
|
GrantedAccess: access_mask
|
|
StartModule: target_process_name
|
|
TargetProcessAddress: process_address
|
|
TicketOptions: sys.ticket.options
|
|
TicketEncryptionType: sys.ticket.encryption.type
|
|
DetectionSource: value
|
|
Priority: event_priority
|