Florian Roth
515 lines
12 KiB
YAML
515 lines
12 KiB
YAML
title: HAWK
|
|
order: 20
|
|
backends:
|
|
- hawk
|
|
logsources:
|
|
antivirus:
|
|
product: antivirus
|
|
conditions:
|
|
vendor_type: 'Antivirus'
|
|
apache:
|
|
service: apache
|
|
conditions:
|
|
product_name:
|
|
- 'apache*'
|
|
- 'httpd*'
|
|
webserver:
|
|
category: webserver
|
|
conditions:
|
|
vendor_type: 'Webserver'
|
|
cisco:
|
|
product: cisco
|
|
conditions:
|
|
vendor_name: 'Cisco'
|
|
django:
|
|
product: django
|
|
conditions:
|
|
vendor_name: 'Django'
|
|
okta:
|
|
service: okta
|
|
conditions:
|
|
vendor_name: "Okta"
|
|
product_name: "Identity and Access Management"
|
|
onedrive:
|
|
service: onedrive
|
|
conditions:
|
|
vendor_name: "Microsoft"
|
|
product_name: "Onedrive"
|
|
onelogin-events:
|
|
service: onelogin.events
|
|
conditions:
|
|
vendor_name: "Microsoft"
|
|
product_name: "Onelogin"
|
|
microsoft365:
|
|
service: threat_management
|
|
service: Microsoft365
|
|
conditions:
|
|
vendor_name: "Microsoft"
|
|
product_name: "365"
|
|
m365:
|
|
service: threat_management
|
|
service: m365
|
|
conditions:
|
|
vendor_name: "Microsoft"
|
|
product_name: "365"
|
|
google-workspace:
|
|
service: google_workspace.admin
|
|
conditions:
|
|
vendor_name: "Google"
|
|
product_name: "Workspace"
|
|
guacamole:
|
|
service: guacamole
|
|
product_name: "Guacamole"
|
|
conditions:
|
|
vendor_name: "Guacamole"
|
|
google-cloud:
|
|
service: gcp.audit
|
|
conditions:
|
|
vendor_name: "Google"
|
|
product_name: "Cloud"
|
|
auditd:
|
|
service: auditd
|
|
conditions:
|
|
process_name: "auditd"
|
|
sshd:
|
|
service: sshd
|
|
conditions:
|
|
process_name: "sshd*"
|
|
syslog:
|
|
service: syslog
|
|
conditions:
|
|
process_name: "syslog*"
|
|
spring:
|
|
category: application
|
|
product: spring
|
|
conditions:
|
|
vendor_name: "Spring"
|
|
modsecurity:
|
|
service: modsecurity
|
|
conditions:
|
|
process_name: "modsec*"
|
|
msexchange-management:
|
|
service: msexchange-management
|
|
conditions:
|
|
channel: "MSExchange Management"
|
|
windows:
|
|
product: windows
|
|
index: windows
|
|
conditions:
|
|
vendor_name: "Microsoft"
|
|
windows-stream-hash:
|
|
product: windows
|
|
category: create_stream_hash
|
|
conditions:
|
|
product_name: "Sysmon"
|
|
vendor_id: "15"
|
|
windows-create-remote-thread:
|
|
product: windows
|
|
category: create_remote_thread
|
|
conditions:
|
|
product_name: "Sysmon"
|
|
vendor_id: "8"
|
|
windows-process-access:
|
|
product: windows
|
|
category: process_access
|
|
conditions:
|
|
product_name: "Sysmon"
|
|
vendor_id: "10"
|
|
windows-process-creation:
|
|
product: windows
|
|
category: process_creation
|
|
conditions:
|
|
product_name: "Sysmon"
|
|
vendor_id: "1"
|
|
windows-network-connection:
|
|
product: windows
|
|
category: network_connection
|
|
conditions:
|
|
product_name: "Sysmon"
|
|
vendor_id: "3"
|
|
windows-sysmon-status:
|
|
product: windows
|
|
category: sysmon_status
|
|
conditions:
|
|
product_name: "Sysmon"
|
|
vendor_id:
|
|
- 4
|
|
- 5
|
|
windows-sysmon-error:
|
|
product: windows
|
|
category: sysmon_error
|
|
conditions:
|
|
product_name: "Sysmon"
|
|
vendor_id: "255"
|
|
windows-raw-access-thread:
|
|
product: windows
|
|
category: raw_access_thread
|
|
conditions:
|
|
product_name: "Sysmon"
|
|
vendor_id: 9
|
|
windows-file-create:
|
|
product: windows
|
|
category: file_create
|
|
conditions:
|
|
product_name: "Sysmon"
|
|
vendor_id: "11"
|
|
windows-file-event:
|
|
product: windows
|
|
category: file_event
|
|
conditions:
|
|
product_name: "Sysmon"
|
|
vendor_id: "11"
|
|
windows-pipe-created:
|
|
product: windows
|
|
category: pipe_created
|
|
conditions:
|
|
product_name: "Sysmon"
|
|
vendor_id:
|
|
- 17
|
|
- 18
|
|
windows-dns-query:
|
|
product: windows
|
|
category: dns_query
|
|
conditions:
|
|
product_name: "Sysmon"
|
|
vendor_id: "22"
|
|
windows-file-delete:
|
|
product: windows
|
|
category: file_delete
|
|
conditions:
|
|
product_name: "Sysmon"
|
|
vendor_id: "23"
|
|
windows-wmi-sysmon:
|
|
product: windows
|
|
category: wmi_event
|
|
conditions:
|
|
product_name: "Sysmon"
|
|
vendor_id:
|
|
- 19
|
|
- 20
|
|
- 21
|
|
windows-ldap-query:
|
|
product: windows
|
|
category: ldap_query
|
|
conditions:
|
|
channel: "Microsoft-Windows-LDAP-Client/Debug ETW"
|
|
windows-driver-load:
|
|
product: windows
|
|
category: driver_load
|
|
conditions:
|
|
product_name: "Sysmon"
|
|
vendor_id: "6"
|
|
windows-image-load:
|
|
product: windows
|
|
category: image_load
|
|
conditions:
|
|
product_name: "Sysmon"
|
|
vendor_id: "7"
|
|
clamav:
|
|
service: clamav
|
|
conditions:
|
|
process_name: "clamav*"
|
|
aws-cloudtrail:
|
|
service: cloudtrail
|
|
conditions:
|
|
vendor_name: "AWS CloudTrail"
|
|
zeek:
|
|
product: zeek
|
|
conditions:
|
|
vendor_name: "Zeek IDS"
|
|
azure-signin:
|
|
service: signinlogs
|
|
conditions:
|
|
vendor_name: "Microsoft"
|
|
product_name: "Azure"
|
|
azure-auditlogs:
|
|
service: auditlogs
|
|
conditions:
|
|
vendor_name: "Microsoft"
|
|
product_name: "Azure"
|
|
azure-activitylogs:
|
|
service: activitylogs
|
|
conditions:
|
|
vendor_name: "Microsoft"
|
|
product_name: "Azure"
|
|
azure-activity:
|
|
service: azureactivity
|
|
conditions:
|
|
vendor_name: "Microsoft"
|
|
product_name: "Azure"
|
|
windows-application:
|
|
product: windows
|
|
service: application
|
|
conditions:
|
|
product_name: 'Application'
|
|
windows-security:
|
|
product: windows
|
|
service: security
|
|
conditions:
|
|
product_name: 'Security'
|
|
windows-system:
|
|
product: windows
|
|
service: system
|
|
conditions:
|
|
product_name: 'System'
|
|
windows-sysmon:
|
|
product: windows
|
|
service: sysmon
|
|
conditions:
|
|
product_name: 'Sysmon'
|
|
windows-powershell:
|
|
product: windows
|
|
service: powershell
|
|
conditions:
|
|
product_name: 'PowerShell'
|
|
windows-classicpowershell:
|
|
product: windows
|
|
service: powershell-classic
|
|
conditions:
|
|
product_name: 'Windows PowerShell'
|
|
windows-taskscheduler:
|
|
product: windows
|
|
service: taskscheduler
|
|
conditions:
|
|
product_name: 'TaskScheduler'
|
|
windows-wmi:
|
|
product: windows
|
|
service: wmi
|
|
conditions:
|
|
product_name: 'WMI-Activity'
|
|
windows-dns-server:
|
|
product: windows
|
|
service: dns-server
|
|
conditions:
|
|
channel: 'DNS Server'
|
|
windows-dns-server-audit:
|
|
product: windows
|
|
service: dns-server-audit
|
|
conditions:
|
|
channel: 'DNS Server'
|
|
windows-driver-framework:
|
|
product: windows
|
|
service: driver-framework
|
|
conditions:
|
|
product_name: 'DriverFrameworks-UserMode'
|
|
windows-ntlm:
|
|
product: windows
|
|
service: ntlm
|
|
conditions:
|
|
product_name: 'NTLM'
|
|
windows-dhcp:
|
|
product: windows
|
|
service: dhcp
|
|
conditions:
|
|
product_name: 'DHCP-Server'
|
|
windows-defender:
|
|
product: windows
|
|
service: windefend
|
|
conditions:
|
|
product_name: 'Windows Defender'
|
|
windows-applocker:
|
|
product: windows
|
|
service: applocker
|
|
conditions:
|
|
product_name:
|
|
- 'AppLocker'
|
|
windows-firewall-advanced-security:
|
|
product: windows
|
|
service: firewall-as
|
|
conditions:
|
|
product_name: 'Windows Firewall With Advanced Security'
|
|
windows-ps-module:
|
|
product: windows
|
|
category: ps_module
|
|
conditions:
|
|
product_name: 'PowerShell'
|
|
vendor_id: 4103
|
|
windows-ps-script:
|
|
product: windows
|
|
category: ps_script
|
|
conditions:
|
|
product_name: 'PowerShell'
|
|
vendor_id: 4104
|
|
windows-ps-classic-provider:
|
|
product: windows
|
|
category: ps_classic_provider_start
|
|
conditions:
|
|
vendor_id: 600
|
|
product_name: 'Windows PowerShell'
|
|
windows-ps-classic-script:
|
|
product: windows
|
|
category: ps_classic_script
|
|
conditions:
|
|
vendor_id: 800
|
|
product_name: 'Windows PowerShell'
|
|
windows-service-bus:
|
|
service: Microsoft-ServiceBus-Client
|
|
conditions:
|
|
product_name: "Microsoft-ServiceBus-Client"
|
|
windows-msexchange-management:
|
|
product: windows
|
|
service: msexchange-management
|
|
conditions:
|
|
channel: 'MSExchange Management'
|
|
windows-printservice-admin:
|
|
product: windows
|
|
service: printservice-admin
|
|
conditions:
|
|
product_name: 'PrintService'
|
|
windows-printservice-operational:
|
|
product: windows
|
|
service: printservice-operational
|
|
conditions:
|
|
product_name: 'PrintService'
|
|
windows-codeintegrity-operational:
|
|
product: windows
|
|
service: codeintegrity-operational
|
|
conditions:
|
|
product_name: 'CodeIntegrity'
|
|
windows-smbclient-security:
|
|
product: windows
|
|
service: smbclient-security
|
|
conditions:
|
|
product_name: 'SmbClient'
|
|
windows-registry:
|
|
product: windows
|
|
category: registry_event
|
|
conditions:
|
|
vendor_id:
|
|
- 12
|
|
- 13
|
|
- 14
|
|
qflow:
|
|
product: qflow
|
|
netflow:
|
|
service: netflow
|
|
ipfix:
|
|
product: ipfix
|
|
flow:
|
|
product: flow
|
|
fieldmappings:
|
|
dst:
|
|
- ip_dst_host
|
|
dst_ip:
|
|
- ip_dst
|
|
src:
|
|
- ip_src_host
|
|
src_ip:
|
|
- ip_src
|
|
IPAddress: ip_src
|
|
DNSAddress: dns_address
|
|
DCIPAddress: ip_src
|
|
category: vendor_category
|
|
error: error_code
|
|
key: event_key
|
|
payload: event_payload
|
|
weight: event_weight
|
|
account type: account_type
|
|
PrivilegeList: process_privileges
|
|
pid_user: event_username
|
|
sid: correlation_session_id
|
|
UserSid: correlation_session_id
|
|
TargetSid: target_session_id
|
|
TargetUserName: target_username
|
|
SamAccountName: target_username
|
|
AccountName: target_username
|
|
TargetDomainName: target_domain
|
|
DnsServerIpAddress: dns_address
|
|
QueryName: hostname_dst
|
|
AuthenticationPackageName: package_name
|
|
HostProcess: image
|
|
Application: image
|
|
ProcessName: image
|
|
TargetImage: target_image
|
|
ParentImage: parent_image
|
|
CallerProcessName: parent_image
|
|
ParentProcessName: parent_image
|
|
CommandLine: command
|
|
ProcessCommandLine: command
|
|
ParentCommandLine: parent_command
|
|
IMPHASH: file_hash_imphash
|
|
Imphash: file_hash_imphash
|
|
SHA256: file_hash_sha256
|
|
MD5: file_hash_md5
|
|
SHA1: file_hash_sha1
|
|
SubjectUserSid: correlation_session_id
|
|
SubjectSid: correlation_session_id
|
|
SubjectUserName: correlation_username
|
|
SubjectDomainName: correlation_domain
|
|
SubjectLogonId: correlation_logon_id
|
|
pid: event_pid
|
|
ProccessId: pid
|
|
NewProcessName: image
|
|
ServiceName: service_name
|
|
Service: service_name
|
|
ServiceFileName: filename
|
|
EventID: vendor_id
|
|
SourceImage: parent_image
|
|
ImageLoaded: image_loaded
|
|
Description: image_description
|
|
ScriptBlockText: value
|
|
Product: image_product
|
|
Company: image_company
|
|
CurrentDirectory: path
|
|
ShareName: path
|
|
RelativeTargetName: filename
|
|
TargetName: value
|
|
Initiated: value
|
|
Accesses: access_mask
|
|
LDAPDisplayName: distinguished_name
|
|
AttributeLDAPDisplayName: distinguished_name
|
|
AttributeValue: value
|
|
ParentProcessId: parent_pid
|
|
SourceProcessId: source_pid
|
|
TargetProcessId: target_pid
|
|
Signed: signature
|
|
Status: value
|
|
TargetFilename: filename
|
|
TargetObject: object_target
|
|
ObjectClass: object_type
|
|
ObjectValueName: object_name
|
|
ObjectName: object_name
|
|
DeviceClassName: object_name
|
|
CallTrace: calltrace
|
|
IpAddress: ip_src
|
|
WorkstationName: hostname_src
|
|
Workstation: hostname_src
|
|
DestinationIp: ip_dst
|
|
DestinationHostname: hostname_dst
|
|
DestinationPort: ip_dport
|
|
GrantedAccess: access_mask
|
|
StartModule: target_process_name
|
|
TargetProcessAddress: process_address
|
|
TicketOptions: sys.ticket.options
|
|
TicketEncryptionType: sys.ticket.encryption.type
|
|
DetectionSource: value
|
|
Priority: event_priority
|
|
event_type_id: vendor_id
|
|
eventtype: vendor_type
|
|
destination.port: ip_dport
|
|
user: correlation_username
|
|
User: correlation_username
|
|
Provider_Name: channel
|
|
c-referer: http_referer
|
|
cs-referer: http_referer
|
|
c-uri: http_uri
|
|
cs-uri: http_uri
|
|
c-agent: http_user_agent
|
|
cs-agent: http_user_agent
|
|
c-useragent: http_user_agent
|
|
cs-useragent: http_user_agent
|
|
c-ip: ip_src
|
|
cs-ip: ip_src
|
|
s-ip: ip_dst
|
|
sc-ip: ip_dst
|
|
c-username: correlation_username
|
|
cs-username: correlation_username
|
|
s-computername: ip_dst_host
|
|
cs-uri-query: http_query
|
|
c-uri-query: http_query
|
|
sc-status: http_status_code
|
|
sc-bytes: http_content_length
|
|
user-agent: http_user_agent
|
|
cs-User-Agent: http_user_agent
|
|
r-dns: ip_dst_host
|