Thomas Patzke
94 lines
2.9 KiB
YAML
94 lines
2.9 KiB
YAML
logsources:
|
|
windows-application:
|
|
product: windows
|
|
service: application
|
|
index: logs-endpoint-winevent-application-*
|
|
windows-security:
|
|
product: windows
|
|
service: security
|
|
index: logs-endpoint-winevent-security-*
|
|
windows-sysmon:
|
|
product: windows
|
|
service: sysmon
|
|
index: logs-endpoint-winevent-sysmon-*
|
|
windows-system:
|
|
product: windows
|
|
service: system
|
|
index: logs-endpoint-winevent-system-*
|
|
windows-wmi:
|
|
product: windows
|
|
service: wmi
|
|
index: logs-endpoint-winevent-wmiactivity-*
|
|
windows-powershell:
|
|
product: windows
|
|
service: powershell
|
|
index: logs-endpoint-winevent-powershell-*
|
|
windows-powershell-classic:
|
|
product: windows
|
|
service: powershell-classic
|
|
index: logs-endpoint-winevent-powershell-*
|
|
defaultindex: logs-*
|
|
fieldmappings:
|
|
AccessMask: object_access_mask_requested
|
|
AccountName: service_account_name
|
|
AllowedToDelegateTo: user_attribute_allowed_todelegate
|
|
AttributeLDAPDisplayName: dsobject_attribute_name
|
|
AuditPolicyChanges: policy_changes
|
|
AuthenticationPackageName: logon_authentication_package
|
|
CallTrace: process_calltrace
|
|
CommandLine: command_line
|
|
ComputerName: host_name
|
|
CurrentDirectory: process_current_directory
|
|
DestinationHostname: dst_host
|
|
DestinationIp: dst_ip
|
|
DestinationIsIpv6: dst_isipv6
|
|
DestinationPort: dst_port_number
|
|
Details: registry_details
|
|
EngineVersion: powershell.engine.version
|
|
EventID: event_id
|
|
EventType:
|
|
EventID=12: registry_event_type
|
|
EventID=13: registry_event_type
|
|
EventID=14: registry_event_type
|
|
EventID=19: wmi_event_type
|
|
EventID=20: wmi_event_type
|
|
EventID=21: wmi_event_type
|
|
FailureCode: ticket_failure_code
|
|
GrantedAccess: process_granted_access
|
|
GroupName: group_name
|
|
HiveName: hive_name
|
|
HostVersion: powershell.host.version
|
|
Image: process_path
|
|
ImageLoaded: image_loaded
|
|
LogonProcessName: logon_process_name
|
|
LogonType: logon_type
|
|
NewProcessName: process_path
|
|
ObjectClass: dsobject_class
|
|
ObjectName: object_name
|
|
ObjectType: object_type
|
|
ObjectValueName: object_value_name
|
|
OperationType: object_operation_type
|
|
ParentImage: process_parent_path
|
|
PipeName: pipe_name
|
|
ProcessName: process_path
|
|
RelativeTargetName: share_relative_target_name
|
|
ServiceFileName: service_image_path
|
|
ServiceName: service_name
|
|
ShareName: share_name
|
|
Source: source_name
|
|
SourceImage: process_path
|
|
StartModule: thread_startmodule
|
|
Status: logon_failure_status
|
|
SubjectUserName: user_name
|
|
TargetFilename: file_name
|
|
TargetImage: process_target_path
|
|
TargetObject: registry_target_object
|
|
TargetImage: target_process_path
|
|
TaskName: task_name
|
|
TicketEncryptionType: ticket_encryption_type
|
|
TicketOptions: ticket_options
|
|
User: user
|
|
UserName: user_name
|
|
Workstation: src_host
|
|
WorkstationName: src_host
|