security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d14e287cdf91e2a8b995de5bfbc3fa8540c1922b
blue-team-tools/tools/config/logpoint-windows.yml
T
Nasreddine Bencherchali e5fe4d5f46 feat: update config files 
- Update indentation of config files to 4
- Add new event logs
2023-01-17 01:00:24 +01:00

265 lines
7.6 KiB
YAML
Raw Blame History

title: Logpoint
order: 20
backends:
- logpoint
logsources:
windows-security:
product: windows
service: security
conditions:
event_source: 'Microsoft-Windows-Security-Auditing'
windows-system:
product: windows
service: system
conditions:
event_source: 'Microsoft-Windows-Security-Auditing'
windows-dns-server:
product: windows
service: dns-server
conditions:
event_source: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
event_source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
event_source: 'Microsoft-Windows-DHCP-Server/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
event_source: 'Microsoft-Windows-NTLM/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
event_source:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
windows-msexchange-management:
product: windows
service: msexchange-management
conditions:
event_source: 'MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
event_source: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
event_source: 'Microsoft-Windows-PrintService/Operational'
windows-terminalservices-localsessionmanager-operational:
product: windows
service: terminalservices-localsessionmanager
conditions:
event_source: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
event_source: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
event_source: 'Microsoft-Windows-SmbClient/Security'
windows-firewall-advanced-security:
product: windows
service: firewall-as
conditions:
event_source: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
event_source: 'Microsoft-Windows-Bits-Client/Operational'
windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
event_source:
- 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
service: diagnosis-scripted
conditions:
event_source: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
product: windows
service: shell-core
conditions:
event_source: 'Microsoft-Windows-Shell-Core/Operational'
windows-openssh:
product: windows
service: openssh
conditions:
event_source: 'OpenSSH/Operational'
windows-ldap-debug:
product: windows
service: ldap_debug
conditions:
event_source: 'Microsoft-Windows-LDAP-Client/Debug'
windows-bitlocker:
product: windows
service: bitlocker
conditions:
event_source: 'Microsoft-Windows-BitLocker/BitLocker Management'
windows-vhdmp-operational:
product: windows
service: vhdmp
conditions:
event_source: 'Microsoft-Windows-VHDMP/Operational'
windows-appxdeployment-server:
product: windows
service: appxdeployment-server
conditions:
event_source: 'Microsoft-Windows-AppXDeploymentServer/Operational'
windows-lsa-server:
product: windows
service: lsa-server
conditions:
event_source: 'Microsoft-Windows-LSA/Operational'
windows-appxpackaging-om:
product: windows
service: appxpackaging-om
conditions:
event_source: 'Microsoft-Windows-AppxPackaging/Operational'
windows-dns-client:
product: windows
service: dns-client
conditions:
event_source: 'Microsoft-Windows-DNS Client Events/Operational'
windows-appmodel-runtime:
product: windows
service: appmodel-runtime
conditions:
event_source: 'Microsoft-Windows-AppModel-Runtime/Admin'
fieldmappings:
EventID: event_id
FailureCode: result_code
GroupName: group_name
GroupSid: group_sid
KeyLength: key_length
LogonProcessName: logon_process
LogonType: logon_type
ServiceName: service
SubjectAccountName:
EventID=4611:
- user
EventID=4624:
- target_user
- caller_user
EventID=4625:
- target_user
- caller_user
EventID=4634:
- user
EventID=4648:
- target_user
- caller_user
EventID=4662:
- user
EventID=4672:
- user
EventID=4688:
- user
EventID=4719:
- user
EventID=4720:
- target_user
- caller_user
EventID=4722:
- target_user
- caller_user
EventID=4723:
- target_user
- caller_user
EventID=4724:
- target_user
- caller_user
EventID=4728:
- user
- member
EventID=4729:
- user
- member
EventID=4731:
- user
EventID=4732:
- user
- member
EventID=4735:
- user
EventID=4737:
- user
EventID=4738:
- target_user
- caller_user
EventID=4740:
- target_user
- caller_user
EventID=4742:
- target_user
- caller_user
EventID=4755:
- user
EventID=4756:
- user
- member
EventID=4757:
- user
- member
EventID=4767:
- target_user
- caller_user
EventID=4768:
- user
EventID=4769:
- user
EventID=4770:
- user
EventID=4771:
- user
EventID=4774:
- user
EventID=4776:
- user
EventID=4781:
- target_user
- caller_user
EventID=4904:
- user
EventID=4905:
- user
EventID=5061:
- user
EventID=5136:
- user
EventID=5137:
- user
default:
- caller_user
- target_user
- user
- member
TicketOptions: ticket_options
TicketEnctyption: ticket_encryption
Type: event_type
UserName:
default:
- caller_user
- target_user
- user
- member
SourceWorkstation: workstation
Reference in New Issue View Git Blame Copy Permalink