Florian Roth
576 lines
24 KiB
YAML
576 lines
24 KiB
YAML
title: Elastic Winlogbeat (from 7.x) index pattern and field mapping following Elastic enabled Modules
|
|
order: 20
|
|
backends:
|
|
- es-qs
|
|
- es-dsl
|
|
- es-rule
|
|
- es-rule-eql
|
|
- es-eql
|
|
- kibana
|
|
- kibana-ndjson
|
|
- xpack-watcher
|
|
- elastalert
|
|
- elastalert-dsl
|
|
- ee-outliers
|
|
logsources:
|
|
windows:
|
|
product: windows
|
|
index: winlogbeat-*
|
|
windows-application:
|
|
product: windows
|
|
service: application
|
|
conditions:
|
|
winlog.channel: Application
|
|
windows-security:
|
|
product: windows
|
|
service: security
|
|
conditions:
|
|
winlog.channel: Security
|
|
windows-system:
|
|
product: windows
|
|
service: system
|
|
conditions:
|
|
winlog.channel: System
|
|
windows-sysmon:
|
|
product: windows
|
|
service: sysmon
|
|
conditions:
|
|
winlog.channel: 'Microsoft-Windows-Sysmon/Operational'
|
|
windows-powershell:
|
|
product: windows
|
|
service: powershell
|
|
conditions:
|
|
winlog.channel: 'Microsoft-Windows-PowerShell/Operational'
|
|
windows-classicpowershell:
|
|
product: windows
|
|
service: powershell-classic
|
|
conditions:
|
|
winlog.channel: 'Windows PowerShell'
|
|
windows-dns-server:
|
|
product: windows
|
|
service: dns-server
|
|
conditions:
|
|
winlog.channel: 'DNS Server'
|
|
windows-driver-framework:
|
|
product: windows
|
|
service: driver-framework
|
|
conditions:
|
|
winlog.channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
|
|
windows-dhcp:
|
|
product: windows
|
|
service: dhcp
|
|
conditions:
|
|
winlog.channel: 'Microsoft-Windows-DHCP-Server/Operational'
|
|
windows-ntlm:
|
|
product: windows
|
|
service: ntlm
|
|
conditions:
|
|
winlog.channel: 'Microsoft-Windows-NTLM/Operational'
|
|
windows-defender:
|
|
product: windows
|
|
service: windefend
|
|
conditions:
|
|
winlog.channel: 'Microsoft-Windows-Windows Defender/Operational'
|
|
windows-printservice-admin:
|
|
product: windows
|
|
service: printservice-admin
|
|
conditions:
|
|
winlog.channel: 'Microsoft-Windows-PrintService/Admin'
|
|
windows-printservice-operational:
|
|
product: windows
|
|
service: printservice-operational
|
|
conditions:
|
|
winlog.channel: 'Microsoft-Windows-PrintService/Operational'
|
|
windows-codeintegrity-operational:
|
|
product: windows
|
|
service: codeintegrity-operational
|
|
conditions:
|
|
winlog.channel: 'Microsoft-Windows-CodeIntegrity/Operational'
|
|
windows-smbclient-security:
|
|
product: windows
|
|
service: smbclient-security
|
|
conditions:
|
|
winlog.channel: 'Microsoft-Windows-SmbClient/Security'
|
|
windows-applocker:
|
|
product: windows
|
|
service: applocker
|
|
conditions:
|
|
winlog.channel:
|
|
- 'Microsoft-Windows-AppLocker/MSI and Script'
|
|
- 'Microsoft-Windows-AppLocker/EXE and DLL'
|
|
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
|
|
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
|
|
windows-msexchange-management:
|
|
product: windows
|
|
service: msexchange-management
|
|
conditions:
|
|
winlog.channel: 'MSExchange Management'
|
|
microsoft-servicebus-client:
|
|
product: windows
|
|
service: microsoft-servicebus-client
|
|
conditions:
|
|
winlog.channel: 'Microsoft-ServiceBus-Client'
|
|
windows-firewall-advanced-security:
|
|
product: windows
|
|
service: firewall-as
|
|
conditions:
|
|
winlog.channel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
|
|
windows-bits-client:
|
|
product: windows
|
|
service: bits-client
|
|
conditions:
|
|
winlog.channel: 'Microsoft-Windows-Bits-Client/Operational'
|
|
defaultindex: winlogbeat-*
|
|
# Extract all field names with yq:
|
|
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
|
|
# Keep EventID! Clean up the list afterwards!
|
|
fieldmappings:
|
|
EventID: event.code
|
|
Channel: winlog.channel
|
|
#Keywords: from "<System><Keywords>Value</Keywords></System><EventData>" is lost with winlogbeat exist in nxlog
|
|
Provider_Name: winlog.provider_name
|
|
CallingProcessName: winlog.event_data.CallingProcessName
|
|
ComputerName: winlog.computer_name
|
|
EventType: winlog.event_data.EventType
|
|
FailureCode: winlog.event_data.FailureCode
|
|
FileName: file.path
|
|
HiveName: winlog.event_data.HiveName
|
|
ProcessCommandLine: winlog.event_data.ProcessCommandLine
|
|
SecurityID: winlog.event_data.SecurityID
|
|
Source: winlog.event_data.Source
|
|
# Channel: WLAN-Autoconfig AND EventID: 8001
|
|
AuthenticationAlgorithm: winlog.event_data.AuthenticationAlgorithm
|
|
BSSID: winlog.event_data.BSSID
|
|
BSSType: winlog.event_data.BSSType
|
|
CipherAlgorithm: winlog.event_data.CipherAlgorithm
|
|
ConnectionId: winlog.event_data.ConnectionId
|
|
ConnectionMode: winlog.event_data.ConnectionMode
|
|
InterfaceDescription: winlog.event_data.InterfaceDescription
|
|
InterfaceGuid: winlog.event_data.InterfaceGuid
|
|
OnexEnabled: winlog.event_data.OnexEnabled
|
|
PHYType: winlog.event_data.PHYType
|
|
ProfileName: winlog.event_data.ProfileName
|
|
SSID: winlog.event_data.SSID
|
|
Accesses: winlog.event_data.Accesses
|
|
ClassName: winlog.event_data.ClassName
|
|
ClassId: winlog.event_data.ClassId
|
|
DeviceDescription: winlog.event_data.DeviceDescription
|
|
# ErrorCode => printservice-admin EventID: 4909 or 808
|
|
ErrorCode: winlog.event_data.ErrorCode
|
|
FilePath: winlog.event_data.FilePath
|
|
# Filename => product: antivirus
|
|
Filename: winlog.event_data.Filename
|
|
LDAPDisplayName: winlog.event_data.LDAPDisplayName
|
|
# Level => Source: MSExchange Control Panel EventID: 4
|
|
Level: winlog.event_data.Level
|
|
TargetProcessAddress: winlog.event_data.TargetProcessAddress
|
|
# UserName => smbclient-security eventid:31017
|
|
UserName: winlog.event_data.UserName
|
|
#
|
|
# Sysmon/Operational up to ID 25
|
|
#
|
|
RuleName: winlog.event_data.RuleName
|
|
ProcessGuid: process.entity_id
|
|
ProcessId: process.pid
|
|
Image: process.executable
|
|
FileVersion:
|
|
category=process_creation: process.pe.file_version
|
|
category=image_load: file.pe.file_version
|
|
default: winlog.event_data.FileVersion
|
|
Description:
|
|
category=process_creation: process.pe.description
|
|
category=image_load: file.pe.description
|
|
category=sysmon_error: winlog.event_data.Description
|
|
default: winlog.event_data.Description
|
|
Product:
|
|
category=process_creation: process.pe.product
|
|
category=image_load: file.pe.product
|
|
default: winlog.event_data.Product
|
|
Company:
|
|
category=process_creation: process.pe.company
|
|
category=image_load: file.pe.company
|
|
default: winlog.event_data.Company
|
|
OriginalFileName:
|
|
category=process_creation: process.pe.original_file_name
|
|
category=image_load: file.pe.original_file_name
|
|
default: winlog.event_data.OriginalFileName
|
|
CommandLine:
|
|
category=process_creation: process.command_line
|
|
service=security: process.command_line
|
|
service=powershell-classic: powershell.command.value
|
|
default: winlog.event_data.CommandLine
|
|
CurrentDirectory: process.working_directory
|
|
LogonGuid: winlog.event_data.LogonGuid
|
|
LogonId: winlog.event_data.LogonId
|
|
TerminalSessionId: winlog.event_data.TerminalSessionId
|
|
IntegrityLevel: winlog.event_data.IntegrityLevel
|
|
ParentProcessGuid: process.parent.entity_id
|
|
ParentProcessId: process.parent.pid
|
|
ParentImage: process.parent.executable
|
|
ParentCommandLine: process.parent.command_line
|
|
ParentUser: winlog.event_data.ParentUser #Sysmon 13.30
|
|
SourceUser: winlog.event_data.SourceUser #Sysmon 13.30
|
|
TargetUser: winlog.event_data.TargetUser #Sysmon 13.30
|
|
TargetFilename: file.path
|
|
CreationUtcTime: winlog.event_data.CreationUtcTime
|
|
PreviousCreationUtcTime: winlog.event_data.PreviousCreationUtcTime
|
|
Protocol:
|
|
category=network_connection: network.transport
|
|
default: winlog.event_data.Protocol
|
|
Initiated:
|
|
category=network_connection: network.direction
|
|
default: winlog.event_data.Initiated
|
|
#SourceIsIpv6: winlog.event_data.SourceIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279
|
|
SourceIp: source.ip
|
|
SourceHostname: source.domain
|
|
SourcePort: source.port
|
|
SourcePortName: winlog.event_data.SourcePortName
|
|
#DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279
|
|
DestinationIp: destination.ip
|
|
DestinationHostname: destination.domain
|
|
DestinationPort: destination.port
|
|
DestinationPortName: network.protocol
|
|
State: winlog.event_data.State
|
|
Version: winlog.event_data.Version
|
|
SchemaVersion: winlog.event_data.SchemaVersion
|
|
ImageLoaded: file.path
|
|
Signed: file.code_signature.signed
|
|
Signature:
|
|
category=driver_loaded: file.code_signature.subject_name
|
|
category=image_loaded: file.code_signature.subject_name
|
|
default: winlog.event_data.Signature
|
|
SignatureStatus: file.code_signature.status
|
|
SourceProcessGuid: process.entity_id
|
|
SourceProcessId: process.pid
|
|
SourceImage: process.executable
|
|
TargetProcessGuid: winlog.event_data.TargetProcessGuid
|
|
TargetProcessId: winlog.event_data.TargetProcessId
|
|
TargetImage: winlog.event_data.TargetImage
|
|
NewThreadId: winlog.event_data.NewThreadId
|
|
StartAddress: winlog.event_data.StartAddress
|
|
StartModule: winlog.event_data.StartModule
|
|
StartFunction: winlog.event_data.StartFunction
|
|
Device: file.path
|
|
SourceThreadId: process.thread.id
|
|
GrantedAccess: winlog.event_data.GrantedAccess
|
|
CallTrace: winlog.event_data.CallTrace
|
|
TargetObject: registry.path
|
|
Details: winlog.event_data.Details
|
|
NewName: winlog.event_data.NewName
|
|
Configuration: winlog.event_data.Configuration
|
|
ConfigurationFileHash: winlog.event_data.ConfigurationFileHash
|
|
PipeName: file.name
|
|
User: winlog.event_data.User
|
|
EventNamespace: winlog.event_data.EventNamespace
|
|
Name: winlog.event_data.Name
|
|
Query: winlog.event_data.Query
|
|
Operation: winlog.event_data.Operation
|
|
Type: winlog.event_data.Type
|
|
Destination: process.executable
|
|
Consumer: winlog.event_data.Consumer
|
|
Filter: winlog.event_data.Filter
|
|
QueryName: dns.question.name
|
|
QueryStatus: sysmon.dns.status
|
|
QueryResults: winlog.event_data.QueryResults
|
|
IsExecutable: sysmon.file.is_executable
|
|
Archived: sysmon.file.archived
|
|
Session: winlog.event_data.Session
|
|
ClientInfo: winlog.event_data.ClientInfo
|
|
# SYSMON Hashes
|
|
Hashes: winlog.event_data.Hashes
|
|
# extraction from Hashes NOT a original field but find in some rule
|
|
md5:
|
|
category=driver_load: hash.md5
|
|
category=image_load: file.hash.md5
|
|
default: process.hash.md5
|
|
sha1:
|
|
category=driver_load: hash.sha1
|
|
category=image_load: file.hash.sha1
|
|
default: process.hash.sha1
|
|
sha256:
|
|
category=driver_load: hash.sha256
|
|
category=image_load: file.hash.sha256
|
|
default: process.hash.sha256
|
|
Imphash:
|
|
category=driver_load: hash.imphash
|
|
category=image_load: file.hash.imphash
|
|
default: process.pe.imphash
|
|
#
|
|
# Powershell
|
|
#
|
|
CommandName: powershell.command.name
|
|
CommandPath: powershell.command.path
|
|
CommandType: powershell.command.type
|
|
EngineVersion:
|
|
service=powershell-classic: powershell.engine.version
|
|
default: winlog.event_data.EngineVersion
|
|
HostApplication: process.command_line
|
|
HostId: process.entity_id
|
|
HostName: process.title
|
|
HostVersion:
|
|
service=powershell-classic: powershell.process.executable_version
|
|
default: winlog.event_data.HostVersion
|
|
NewEngineState: powershell.engine.new_state
|
|
PipelineId: powershell.pipeline_id
|
|
PreviousEngineState: powershell.engine.previous_state
|
|
RunspaceId: powershell.runspace_id
|
|
ScriptName: file.path
|
|
SequenceNumber: event.sequence
|
|
NewProviderState: powershell.provider.new_state
|
|
ProviderName: powershell.provider.name
|
|
Payload: winlog.event_data.Payload
|
|
ContextInfo: winlog.event_data.ContextInfo
|
|
MessageNumber: powershell.sequence
|
|
MessageTotal: powershell.total
|
|
ScriptBlockText: powershell.file.script_block_text
|
|
ScriptBlockId: powershell.file.script_block_id
|
|
#
|
|
# Security
|
|
#
|
|
AccessGranted: winlog.event_data.AccessGranted
|
|
AccessList: winlog.event_data.AccessList
|
|
AccessMask: winlog.event_data.AccessMask
|
|
AccessReason: winlog.event_data.AccessReason
|
|
AccessRemoved: winlog.event_data.AccessRemoved
|
|
AccountDomain: user.domain
|
|
AccountExpires: winlog.event_data.AccountExpires
|
|
AccountName: user.name
|
|
AdditionalInfo: winlog.event_data.AdditionalInfo
|
|
AdditionalInfo2: winlog.event_data.AdditionalInfo2
|
|
AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo
|
|
AppCorrelationID: winlog.event_data.AppCorrelationID
|
|
Application: process.executable
|
|
AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName
|
|
AttributeSyntaxOID: winlog.event_data.AttributeSyntaxOID
|
|
AttributeValue: winlog.event_data.AttributeValue
|
|
AuditPolicyChanges: winlog.event_data.AuditPolicyChanges
|
|
AuditSourceName: winlog.event_data.AuditSourceName
|
|
AuthenticationPackageName: winlog.event_data.AuthenticationPackageName
|
|
CallerProcessId: winlog.event_data.CallerProcessId
|
|
CallerProcessName: winlog.event_data.CallerProcessName
|
|
CategoryId: winlog.event_data.CategoryId
|
|
CertIssuerName: winlog.event_data.CertIssuerName
|
|
CertSerialNumber: winlog.event_data.CertSerialNumber
|
|
CertThumbprint: winlog.event_data.CertThumbprint
|
|
ClientAddress: source.ip
|
|
ClientName: source.domain
|
|
ClientProcessId: winlog.event_data.ClientProcessId
|
|
ClientProcessStartKey: winlog.event_data.ClientProcessStartKey
|
|
ComputerAccountChange: winlog.event_data.ComputerAccountChange
|
|
CrashOnAuditFailValue: winlog.event_data.CrashOnAuditFailValue
|
|
DestAddress: destination.ip
|
|
DestPort: destination.port
|
|
Direction: winlog.event_data.Direction
|
|
DisplayName: winlog.event_data.DisplayName
|
|
DnsHostName: winlog.event_data.DnsHostName
|
|
DomainBehaviorVersion: winlog.event_data.DomainBehaviorVersion
|
|
DomainName: winlog.event_data.DomainName
|
|
DomainPolicyChanged: winlog.event_data.DomainPolicyChanged
|
|
DomainSid: winlog.event_data.DomainSid
|
|
DSName: winlog.event_data.DSName
|
|
DSType: winlog.event_data.DSType
|
|
Dummy: winlog.event_data.Dummy
|
|
ElevatedToken: winlog.event_data.ElevatedToken
|
|
EventSourceId: winlog.event_data.EventSourceId
|
|
FailureReason: winlog.event_data.FailureReason
|
|
FilterRTID: winlog.event_data.FilterRTID
|
|
ForceLogoff: winlog.event_data.ForceLogoff
|
|
FQDN: winlog.event_data.FQDN
|
|
GroupTypeChange: winlog.event_data.GroupTypeChange
|
|
HandleId: winlog.event_data.HandleId
|
|
HomeDirectory: winlog.event_data.HomeDirectory
|
|
HomePath: winlog.event_data.HomePath
|
|
ImagePath: winlog.event_data.ImagePath
|
|
ImpersonationLevel: winlog.event_data.ImpersonationLevel
|
|
IpAddress: source.ip
|
|
IpPort: source.port
|
|
KeyLength: winlog.event_data.KeyLength
|
|
LayerName: winlog.event_data.LayerName
|
|
LayerRTID: winlog.event_data.LayerRTID
|
|
LmPackageName: winlog.event_data.LmPackageName
|
|
LockoutDuration: winlog.event_data.LockoutDuration
|
|
LockoutObservationWindow: winlog.event_data.LockoutObservationWindow
|
|
LockoutThreshold: winlog.event_data.LockoutThreshold
|
|
LogonHours: winlog.event_data.LogonHours
|
|
SubjectLogonId:
|
|
service=security: winlog.logon.id
|
|
default: winlog.event_data.SubjectLogonId
|
|
LogonProcessName: winlog.event_data.LogonProcessName
|
|
LogonType: winlog.event_data.LogonType
|
|
MachineAccountQuota: winlog.event_data.MachineAccountQuota
|
|
MandatoryLabel: winlog.event_data.MandatoryLabel
|
|
MasterKeyId: winlog.event_data.MasterKeyId
|
|
MaxPasswordAge: winlog.event_data.MaxPasswordAge
|
|
MemberName: winlog.event_data.MemberName
|
|
MemberSid: winlog.event_data.MemberSid
|
|
MinPasswordAge: winlog.event_data.MinPasswordAge
|
|
MinPasswordLength: winlog.event_data.MinPasswordLength
|
|
MixedDomainMode: winlog.event_data.MixedDomainMode
|
|
NewProcessId: process.pid
|
|
NewProcessName: process.executable
|
|
NewSd: winlog.event_data.NewSd
|
|
NewTargetUserName: winlog.event_data.NewTargetUserName
|
|
NewTime: winlog.event_data.NewTime
|
|
NewUacValue: winlog.event_data.NewUacValue
|
|
NewValue: winlog.event_data.NewValue
|
|
NewValueType: winlog.event_data.NewValueType
|
|
ObjectClass: winlog.event_data.ObjectClass
|
|
ObjectDN: winlog.event_data.ObjectDN
|
|
ObjectGUID: winlog.event_data.ObjectGUID
|
|
ObjectName: winlog.event_data.ObjectName
|
|
ObjectServer: winlog.event_data.ObjectServer
|
|
ObjectType: winlog.event_data.ObjectType
|
|
ObjectValueName: winlog.event_data.ObjectValueName
|
|
OemInformation: winlog.event_data.OemInformation
|
|
OldSd: winlog.event_data.OldSd
|
|
OldTargetUserName: winlog.event_data.OldTargetUserName
|
|
OldUacValue: winlog.event_data.OldUacValue
|
|
OldValue: winlog.event_data.OldValue
|
|
OldValueType: winlog.event_data.OldValueType
|
|
OpCorrelationID: winlog.event_data.OpCorrelationID
|
|
OperationType: winlog.event_data.OperationType
|
|
PackageName: winlog.event_data.PackageName
|
|
ParentProcessName: process.parent.name
|
|
PasswordHistoryLength: winlog.event_data.PasswordHistoryLength
|
|
PasswordLastSet: winlog.event_data.PasswordLastSet
|
|
PasswordProperties: winlog.event_data.PasswordProperties
|
|
PreAuthType: winlog.event_data.PreAuthType
|
|
PreviousTime: winlog.event_data.PreviousTime
|
|
PrimaryGroupId: winlog.event_data.PrimaryGroupId
|
|
PrivilegeList: winlog.event_data.PrivilegeList
|
|
ProcessName: process.executable
|
|
ProfilePath: winlog.event_data.ProfilePath
|
|
Properties: winlog.event_data.Properties
|
|
PuaCount: winlog.event_data.PuaCount
|
|
PuaPolicyId: winlog.event_data.PuaPolicyId
|
|
RecoveryKeyId: winlog.event_data.RecoveryKeyId
|
|
RecoveryServer: winlog.event_data.RecoveryServer
|
|
RelativeTargetName: winlog.event_data.RelativeTargetName
|
|
RemoteMachineID: winlog.event_data.RemoteMachineID
|
|
RemoteUserID: winlog.event_data.RemoteUserID
|
|
ResourceAttributes: winlog.event_data.ResourceAttributes
|
|
RestrictedAdminMode: winlog.event_data.RestrictedAdminMode
|
|
RestrictedSidCount: winlog.event_data.RestrictedSidCount
|
|
RpcCallClientLocality: winlog.event_data.RpcCallClientLocality
|
|
SamAccountName: winlog.event_data.SamAccountName
|
|
ScriptPath: winlog.event_data.ScriptPath
|
|
Service: winlog.event_data.Service
|
|
ServiceAccount: winlog.event_data.ServiceAccount
|
|
ServiceFileName: winlog.event_data.ServiceFileName
|
|
ServiceName:
|
|
service=security: service.name
|
|
default: winlog.event_data.ServiceName
|
|
ServicePrincipalNames: winlog.event_data.ServicePrincipalNames
|
|
ServiceSid: winlog.event_data.ServiceSid
|
|
ServiceStartType: winlog.event_data.ServiceStartType
|
|
ServiceType: winlog.event_data.ServiceType
|
|
SessionId: winlog.event_data.SessionId
|
|
SessionName: winlog.event_data.SessionName
|
|
ShareLocalPath: winlog.event_data.ShareLocalPath
|
|
ShareName: winlog.event_data.ShareName
|
|
SidHistory: winlog.event_data.SidHistory
|
|
SidList: winlog.event_data.SidList
|
|
SourceAddress: source.ip
|
|
Status: winlog.event_data.Status
|
|
StartType: winlog.event_data.StartType
|
|
SubcategoryGuid: winlog.event_data.SubcategoryGuid
|
|
SubcategoryId: winlog.event_data.SubcategoryId
|
|
SubjectDomainName:
|
|
service=security: user.domain
|
|
default: winlog.event_data.SubjectDomainName
|
|
SubjectUserName:
|
|
service=security: user.name
|
|
default: winlog.event_data.SubjectUserName
|
|
SubjectUserSid:
|
|
service=security: user.id
|
|
default: winlog.event_data.SubjectUserSid
|
|
SubStatus: winlog.event_data.SubStatus
|
|
TargetDomainName: user.domain
|
|
TargetLinkedLogonId: winlog.event_data.TargetLinkedLogonId
|
|
TargetLogonId:
|
|
service=security: winlog.logon.id
|
|
default: winlog.event_data.TargetLogonId
|
|
TargetOutboundDomainName: winlog.event_data.TargetOutboundDomainName
|
|
TargetOutboundUserName: winlog.event_data.TargetOutboundUserName
|
|
TargetServerName: winlog.event_data.TargetServerName
|
|
TargetSid: winlog.event_data.TargetSid
|
|
TargetUserName: winlog.event_data.TargetUserName
|
|
TargetUserSid: winlog.event_data.TargetUserSid
|
|
TaskContent: winlog.event_data.TaskContent
|
|
TaskName: winlog.event_data.TaskName
|
|
TicketEncryptionType: winlog.event_data.TicketEncryptionType
|
|
TicketOptions: winlog.event_data.TicketOptions
|
|
TokenElevationType: winlog.event_data.TokenElevationType
|
|
TransactionId: winlog.event_data.TransactionId
|
|
TransmittedServices: winlog.event_data.TransmittedServices
|
|
UserAccountControl: winlog.event_data.UserAccountControl
|
|
UserParameters: winlog.event_data.UserParameters
|
|
UserPrincipalName: winlog.event_data.UserPrincipalName
|
|
UserWorkstations: winlog.event_data.UserWorkstations
|
|
VirtualAccount: winlog.event_data.VirtualAccount
|
|
Workstation: winlog.event_data.Workstation
|
|
WorkstationName: source.domain
|
|
#
|
|
# System
|
|
#
|
|
DriveName: winlog.event_data.DriveName
|
|
DeviceName: winlog.event_data.DeviceName
|
|
HeaderFlags: winlog.event_data.HeaderFlags
|
|
Severity: winlog.event_data.Severity
|
|
Origin: winlog.event_data.Origin
|
|
Verb: winlog.event_data.Verb
|
|
Outcome: winlog.event_data.Outcome
|
|
SampleLength: winlog.event_data.SampleLength
|
|
SampleData: winlog.event_data.SampleData
|
|
SourceFile: winlog.event_data.SourceFile
|
|
SourceLine: winlog.event_data.SourceLine
|
|
SourceTag: winlog.event_data.SourceTag
|
|
CallStack: winlog.event_data.CallStack
|
|
#
|
|
# Microsoft-Windows-Windows Defender/Operational
|
|
#
|
|
Action_ID: winlog.event_data.Action\ ID
|
|
Action_Name: winlog.event_data.Action\ Name
|
|
Additional_Actions_ID: winlog.event_data.Additional\ Actions\ ID
|
|
Additional_Actions_String: winlog.event_data.Additional\ Actions\ String
|
|
Category_ID: winlog.event_data.Category\ ID
|
|
Category_Name: winlog.event_data.Category\ Name
|
|
Detection_ID: winlog.event_data.Detection\ ID
|
|
Detection_Time: winlog.event_data.Detection\ Time
|
|
Detection_User: winlog.event_data.Detection\ User
|
|
Engine_Version: winlog.event_data.Engine\ Version
|
|
Error_Code: winlog.event_data.Error\ Code
|
|
Error_Description: winlog.event_data.Error\ Description
|
|
Execution_ID: winlog.event_data.Execution\ ID
|
|
Execution_Name: winlog.event_data.Execution\ Name
|
|
FWLink: winlog.event_data.FWLink
|
|
New_Value: winlog.event_data.New\ Value
|
|
Old_Value: winlog.event_data.Old\ Value
|
|
Origin_ID: winlog.event_data.Origin\ ID
|
|
Origin_Name: winlog.event_data.Origin\ Name
|
|
Path: winlog.event_data.Path
|
|
Post_Clean_Status: winlog.event_data.Post\ Clean\ Status
|
|
Pre_Execution_Status: winlog.event_data.Pre\ Execution\ Status
|
|
Process_Name: winlog.event_data.Process\ Name
|
|
Product_Name: winlog.event_data.Product\ Name
|
|
Product_Version: winlog.event_data.Product\ Version
|
|
Remediation_User: winlog.event_data.Remediation\ User
|
|
Security_intelligence_Version: winlog.event_data.Security\ intelligence\ Version
|
|
Severity_ID: winlog.event_data.Severity\ ID
|
|
Severity_Name: winlog.event_data.Severity\ Name
|
|
Source_ID: winlog.event_data.Source\ ID
|
|
Source_Name: winlog.event_data.Source\ Name
|
|
Status_Code: winlog.event_data.Status\ Code
|
|
Status_Description: winlog.event_data.Status\ Description
|
|
Threat_ID: winlog.event_data.Threat\ ID
|
|
Threat_Name: winlog.event_data.Threat\ Name
|
|
Type_ID: winlog.event_data.Type\ ID
|
|
Type_Name: winlog.event_data.Type\ Name
|
|
#
|
|
# Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
|
|
#
|
|
ApplicationPath: winlog.event_data.ApplicationPath
|
|
ModifyingApplication: winlog.event_data.ModifyingApplication
|
|
Action: winlog.event_data.Action
|
|
|