blue-team-tools/tools/config/logrhythm_winevent.yml
Gábor Lipták d2592ee0b6 Add yamllint to GHA
Signed-off-by: Gábor Lipták <gliptak@gmail.com>
2021-07-26 21:26:16 -04:00


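---
# Sigma backend configuration: maps Windows Security event field names
# (the keys under `fieldmappings`) to the LogRhythm field names used by
# the es-qs-lr backend.
#
# A wrong target here fails silently: a rule that references a mis-mapped
# field still converts without error but matches nothing in LogRhythm, so
# every change to this table should be checked with a generated query.
title: LogRhythm Windows EventID Field Mapping
order: 20
backends:
  - es-qs-lr

logsources:
  eventlogs:
    product: windows
    # Restricts the generated query to this log source type (presumably
    # emitted as an extra search term by the backend — confirm).
    conditions:
      logSourceTypeName: 'MS Windows Event Logging XML - Security'

fieldmappings:
  EventID: vendorMessageID
  TicketOptions: object
  TicketEncryptionType: sessionType
  ServiceName: processName
  # A sequence maps one Sigma field to several LogRhythm fields, because
  # the same Windows field lands in different LogRhythm fields depending on
  # the event; the generated query is presumably an OR over them — confirm.
  TargetUserName:
    - originUser
    - impactedUser
  Workstation: originHostname
  SubjectUserName: originUser
  LogonType: command
  LogonProcessName: processName
  WorkstationName:
    - originHostname
    - impactedHostname
  SubjectLogonId: session
  SubStatus: status
  IpPort: originPort
  IpAddress:
    - originIp
    - impactedIp
  ErrorCode: responseCode
  Task: vendorInfo
  PrivilegeList: subject
  SamAccountName: impactedUser
  PrimaryGroupId: group
  StatusCode: responseCode
  Level: severity
  SubjectDomainName: domainOrigin
  DSName: domainImpacted
  ObjectDN: objectName
  ObjectGUID: object
  ObjectClass: objectType
  OperationType: action
  Computer: impactedHostname
  CategoryId: policy
  SubcategoryId: objectName
  SubCategoryGuid: object
  AuditPolicyChanges: action
  ObjectCollectionName: objectType
  CountOfCredentialsReturned: quantity
  AlgorithmName: policy
  KeyName: objectName
  KeyType: objectType
  KeyFilePath: object
  Operation: action
  ReturnCode: responseCode
  ChannelType: objectType
  DomainName: domainImpacted
  ExecutionProcessId: processId
  # NOTE(review): this key is lower-camel unlike every other Windows field
  # name in this table; field names are matched literally, so confirm
  # whether `ProcessName` was intended before rules rely on it.
  processName: process
  ProviderName: vendorInfo
  SChannelName: objectName
  SecureChannelName: objectName
  ThreadId: session
  UserName:
    - originUser
    - impactedUser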