48128c1c66
* [Rule Tuning] Entra ID Illicit Consent Grant via Registered Application - Fix New Terms Field (fixes #5893). Changes: add non-admin-consented filter; convert to ES|QL; additional query adjustments; adjust query KEEP; update non-ECS schema; apply suggestion from @terrancedejesus.
{
"auditbeat-*": {
"auditd.data.addr": "keyword",
"auditd.data.grantors": "keyword",
"auditd.data.syscall": "keyword",
"auditd.data.terminal": "keyword",
"auditd.result": "keyword"
},
"endgame-*": {
"endgame": {
"metadata": {
"type": "keyword"
},
"event_subtype_full": "keyword"
}
},
"winlogbeat-*": {
"problemchild.prediction": "long",
"problemchild.prediction_probability": "long",
"blocklist_label": "long",
"winlog": {
"event_data": {
"AccessList": "keyword",
"AccessMask": "keyword",
"AccessMaskDescription": "keyword",
"AdditionalInfo": "keyword",
"AllowedToDelegateTo": "keyword",
"AttributeLDAPDisplayName": "keyword",
"AttributeValue": "keyword",
"AuditPolicyChangesDescription": "keyword",
"CallerProcessName": "keyword",
"CallTrace": "keyword",
"ClientProcessId": "keyword",
"Consumer": "keyword",
"GrantedAccess": "keyword",
"NewTargetUserName": "keyword",
"ObjectClass": "keyword",
"ObjectDN": "keyword",
"ObjectName": "keyword",
"OldTargetUserName": "keyword",
"OriginalFileName": "keyword",
"ParentProcessId": "keyword",
"ProcessName": "keyword",
"Properties": "keyword",
"RelativeTargetName": "keyword",
"ShareName": "keyword",
"SubjectLogonId": "keyword",
"SubjectUserName": "keyword",
"SubjectUserSid": "keyword",
"ServiceAccount": "keyword",
"ElevatedToken": "keyword",
"TargetUserName": "keyword",
"TargetImage": "keyword",
"TargetLogonId": "keyword",
"TargetProcessGUID": "keyword",
"TargetSid": "keyword",
"SchemaFriendlyName": "keyword",
"Resource": "keyword",
"RpcCallClientLocality": "keyword",
"PrivilegeList": "keyword",
"AuthenticationPackageName" : "keyword",
"TargetUserSid" : "keyword",
"LogonProcessName": "keyword",
"DnsHostName" : "keyword",
"ServiceFileName": "keyword",
"ImagePath": "keyword",
"TaskName": "keyword",
"Status": "keyword",
"EnabledPrivilegeList": "keyword",
"Operation": "keyword",
"OperationType": "keyword",
"NewUACList": "keyword",
"SubCategory": "keyword"
}
},
"winlog.logon.type": "keyword",
"winlog.logon.id": "keyword",
"powershell.file.script_block_text": "text"
},
"filebeat-*": {
"o365.audit.NewValue": "keyword",
"labels.is_ioc_transform_source": "keyword"
},
"logs-endpoint.events.*": {
"process.Ext.token.integrity_level_name": "keyword",
"process.parent.Ext.real.pid": "long",
"process.Ext.effective_parent.executable": "keyword",
"process.Ext.effective_parent.entity_id": "keyword",
"process.Ext.effective_parent.name": "keyword",
"file.Ext.header_bytes": "keyword",
"file.Ext.entropy": "long",
"file.Ext.windows.zone_identifier": "long",
"file.size": "long",
"file.Ext.original.name": "keyword",
"dll.Ext.device.product_id": "keyword",
"dll.Ext.relative_file_creation_time": "double",
"dll.Ext.relative_file_name_modify_time": "double",
"process.Ext.relative_file_name_modify_time": "double",
"process.Ext.relative_file_creation_time": "double",
"Target.process.name": "keyword",
"process.Ext.api.name": "keyword"
},
"logs-endpoint.events.api-*": {
"process.Ext.api.parameters.consumer_type": "keyword",
"process.Ext.api.name": "keyword"
},
"logs-endpoint.events.file-*": {
"file.Ext.header_bytes": "keyword",
"file.Ext.windows.zone_identifier": "long"
},
"logs-windows.*": {
"powershell.file.script_block_text": "text"
},
"logs-kubernetes.audit_logs-*": {
"kubernetes.audit.objectRef.resource": "keyword",
"kubernetes.audit.objectRef.subresource": "keyword",
"kubernetes.audit.verb": "keyword",
"kubernetes.audit.user.username": "keyword",
"kubernetes.audit.impersonatedUser.username": "keyword",
"kubernetes.audit.annotations.authorization_k8s_io/decision": "keyword",
"kubernetes.audit.annotations.authorization_k8s_io/reason": "keyword",
"kubernetes.audit.userAgent": "keyword",
"kubernetes.audit.user.extra.authentication.kubernetes.io/pod-name": "keyword",
"kubernetes.audit.user.groups": "keyword",
"kubernetes.audit.requestObject.spec.containers.securityContext.privileged": "boolean",
"kubernetes.audit.requestObject.spec.containers.securityContext.allowPrivilegeEscalation": "boolean",
"kubernetes.audit.requestObject.spec.securityContext.runAsUser": "long",
"kubernetes.audit.requestObject.spec.containers.securityContext.runAsUser": "long",
"kubernetes.audit.requestObject.spec.hostPID": "boolean",
"kubernetes.audit.requestObject.spec.hostNetwork": "boolean",
"kubernetes.audit.requestObject.spec.hostIPC": "boolean",
"kubernetes.audit.requestObject.spec.volumes.hostPath.path": "keyword",
"kubernetes.audit.requestObject.spec.type": "keyword",
"kubernetes.audit.requestObject.rules.resources": "keyword",
"kubernetes.audit.requestObject.rules.verb": "keyword",
"kubernetes.audit.objectRef.namespace": "keyword",
"kubernetes.audit.objectRef.serviceAccountName": "keyword",
"kubernetes.audit.requestObject.spec.serviceAccountName": "keyword",
"kubernetes.audit.responseStatus.reason": "keyword",
"kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add": "keyword",
"kubernetes.audit.requestObject.spec.containers.image": "keyword"
},
".alerts-security.*": {
"signal.rule.name": "keyword",
"signal.rule.tags": "keyword",
"signal.rule.threat.tactic.name": "keyword",
"kibana.alert.rule.threat.tactic.id": "keyword",
"kibana.alert.workflow_status": "keyword",
"kibana.alert.rule.rule_id": "keyword",
"kibana.alert.rule.name": "keyword",
"kibana.alert.risk_score": "long",
"kibana.alert.rule.type": "keyword",
"kibana.alert.rule.threat.tactic.name": "keyword",
"kibana.alert.rule.threat.technique.name": "keyword",
"kibana.alert.rule.threat.technique.id": "keyword",
"kibana.alert.severity": "keyword",
"job_id": "keyword",
"influencers.influencer_field_name": "keyword",
"influencers.influencer_field_values": "keyword"
},
"logs-github.audit-*": {
"github.branch": "keyword",
"github.overridden_codes": "keyword",
"github.reasons.code": "keyword",
"github.reasons.message": "text",
"github.repository_public": "boolean",
"github.previous_visibility": "keyword"
},
"logs-google_workspace*": {
"gsuite.admin": "keyword",
"gsuite.admin.new_value": "keyword",
"gsuite.admin.setting.name": "keyword",
"google_workspace.drive.owner_is_team_drive": "keyword",
"google_workspace.drive.copy_type": "keyword",
"google_workspace.drive.file.type": "keyword",
"google_workspace.drive.visibility": "keyword",
"google_workspace.token.client.id": "keyword",
"google_workspace.token.scope.data": "keyword",
"google_workspace.token.scope.data.scope_name": "keyword"
},
"logs-ti_*": {
"labels.is_ioc_transform_source": "keyword"
},
"logs-auditd_manager.auditd-*": {
"auditd.data.a0": "keyword",
"auditd.data.a1": "keyword",
"auditd.data.a2": "keyword",
"auditd.data.a3": "keyword"
},
"logs-aws.cloudtrail-*": {
"aws.cloudtrail.flattened.request_parameters.ipPermissions.items.ipRanges.items.cidrIp": "keyword",
"aws.cloudtrail.flattened.request_parameters.ipPermissions.items.fromPort": "keyword",
"aws.cloudtrail.flattened.request_parameters.serialNumber": "keyword",
"aws.cloudtrail.flattened.request_parameters.x-amz-server-side-encryption-customer-algorithm": "keyword",
"aws.cloudtrail.flattened.request_parameters.includeDeprecated": "keyword",
"aws.cloudtrail.flattened.request_parameters.withDecryption": "boolean",
"aws.cloudtrail.flattened.request_parameters.instanceId": "keyword",
"aws.cloudtrail.flattened.request_parameters.attribute": "keyword",
"aws.cloudtrail.flattened.request_parameters.reason": "keyword",
"aws.cloudtrail.flattened.request_parameters.omitted": "keyword",
"aws.cloudtrail.flattened.response_elements.documentDescription.documentType": "keyword",
"aws.cloudtrail.flattened.request_parameters.groupSet.items.groupId": "keyword",
"aws.cloudtrail.flattened.request_parameters.protocol": "keyword"
},
"logs-azure.signinlogs-*": {
"azure.signinlogs.properties.conditional_access_audiences.application_id": "keyword",
"azure.signinlogs.properties.original_transfer_method": "keyword",
"azure.auditlogs.properties.target_resources.0.display_name": "keyword",
"azure.signinlogs.properties.authentication_details.authentication_method": "keyword",
"azure.signinlogs.properties.authentication_processing_details": "keyword",
"azure.signinlogs.properties.token_protection_status_details.sign_in_session_status": "keyword",
"azure.signinlogs.properties.session_id": "keyword",
"azure.signinlogs.properties.mfa_detail.auth_method": "keyword",
"azure.signinlogs.properties.client_credential_type": "keyword",
"azure.signinlogs.properties.app_owner_tenant_id": "keyword",
"azure.signinlogs.properties.resource_owner_tenant_id": "keyword",
"azure.signinlogs.properties.tenant_id": "keyword"
},
"logs-azure.activitylogs-*": {
"azure.activitylogs.properties.authentication_protocol": "keyword",
"azure.activitylogs.properties.appId": "keyword",
"azure.activitylogs.properties.resourceDisplayName": "keyword",
"azure.activitylogs.properties.appDisplayName": "keyword",
"azure.activitylogs.properties.requestbody.properties.roleDefinitionId": "keyword",
"azure.activitylogs.properties.responseBody": "keyword",
"azure.activitylogs.properties.status_code": "keyword",
"azure.activitylogs.identity.claims.appid": "keyword"
},
"logs-azure.graphactivitylogs-*": {
"azure.graphactivitylogs.properties.c_idtyp": "keyword",
"azure.graphactivitylogs.properties.user_principal_object_id": "keyword",
"azure.graphactivitylogs.properties.requestUri": "keyword",
"azure.graphactivitylogs.properties.c_sid": "keyword"
},
"logs-azure.auditlogs-*": {
"azure.auditlogs.properties.target_resources.0.display_name": "keyword",
"azure.auditlogs.properties.target_resources.0.id": "keyword",
"azure.auditlogs.properties.target_resources.0.modified_properties.1.display_name": "keyword",
"azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value": "keyword",
"azure.auditlogs.properties.target_resources.0.modified_properties.3.new_value": "keyword",
"azure.auditlogs.properties.target_resources.0.modified_properties.2.new_value": "keyword",
"azure.auditlogs.properties.target_resources.0.modified_properties.4.new_value": "keyword",
"azure.auditlogs.properties.target_resources.0.modified_properties.5.new_value": "keyword",
"azure.auditlogs.properties.additional_details.value": "keyword",
"azure.auditlogs.properties.target_resources.0.modified_properties.0.new_value": "keyword",
"azure.auditlogs.properties.target_resources.0.modified_properties.0.old_value": "keyword",
"azure.auditlogs.properties.target_resources.0.modified_properties.0.display_name": "keyword"
},
"logs-azure.platformlogs-*": {
"azure.platformlogs.identity.claim.upn": "keyword",
"azure.platformlogs.properties.id": "keyword",
"azure.platformlogs.identity.claim.appid": "keyword",
"azure.platformlogs.identity.type": "keyword",
"azure.platformlogs.properties.userAgentHeader": "keyword",
"azure.platformlogs.statusCode": "keyword",
"azure.platformlogs.properties.accountName": "keyword"
},
"logs-o365.audit-*": {
"o365.audit.ExtendedProperties.RequestType": "keyword",
"o365.audit.ExtendedProperties.ResultStatusDetail": "keyword",
"o365.audit.OperationProperties.Name": "keyword",
"o365.audit.OperationProperties.Value": "keyword",
"o365.audit.OperationCount": "long",
"o365.audit.AppAccessContext.AADSessionId": "keyword",
"o365.audit.SearchQueryText": "keyword",
"o365.audit.AffectedItems.Subject": "keyword",
"o365.audit.IsManagedDevice": "boolean"
},
"logs-okta*": {
"okta.debug_context.debug_data.flattened.requestedScopes": "keyword",
"okta.debug_context.debug_data.flattened.grantType": "keyword",
"okta.debug_context.debug_data.flattened.privilegeGranted": "keyword"
},
"logs-network_traffic.http*": {
"data_stream.dataset": "keyword",
"url.path": "keyword",
"http.request.referrer": "keyword",
"http.request.headers.content-type": "keyword",
"network.direction": "keyword",
"http.request.method": "keyword",
"request": "keyword",
"http.request.body.bytes": "long",
"http.request.body.content": "keyword",
"http.response.headers.server": "keyword"
},
"metrics-*": {
"system.process.cpu.total.norm.pct": "double",
"system.cpu.total.norm.pct": "double"
}
}