Ruben Groenewoud
d4d794b586
* [Tuning] Win DR Tuning for UEBA
* Need to get used to Windows formatting
* Added additional content
* Updated min stack
* Added additional tuning
* Fixed unit testing for KQL optimization
* Update rules_building_block/discovery_internet_capabilities.toml
* Additional tuning
* Kuery optimization
* Additional tuning
* Additional tuning
* Additional tuning
* Additional tuning
* Unit testing optimization fix
* optimization
* tuning
* Optimization
* Update rules/windows/discovery_privileged_localgroup_membership.toml
* Added feedback
* Update rules/windows/discovery_privileged_localgroup_membership.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update rules/windows/discovery_remote_system_discovery_commands_windows.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update rules/windows/discovery_system_service_discovery.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* added host.id as additional new_terms field
* Reworked a lot.
* kibana.alert.rule.rule_id to non-ecs-schema.json
* Fixed index by adding a dot
* fixed typo
* Added host.os.type:windows for signals
* Added additional tag
* Added Higher-Order Rule tag
* Stripped down signal rules down to two
* revert
* Update rules/windows/discovery_admin_recon.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules_building_block/discovery_generic_registry_query.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules_building_block/discovery_system_time_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/discovery_privileged_localgroup_membership.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update discovery_generic_registry_query.toml
* Readded exclusions
* Added trailing wildcards for KQL
* Update discovery_privileged_localgroup_membership.toml
* Update rules_building_block/discovery_signal_unusual_user_host.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Formatting fix
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
(cherry picked from commit 4cdf52129a)
141 lines
5.4 KiB
JSON
141 lines
5.4 KiB
JSON
{
|
|
"endgame-*": {
|
|
"endgame": {
|
|
"metadata": {
|
|
"type": "keyword"
|
|
},
|
|
"event_subtype_full": "keyword"
|
|
}
|
|
},
|
|
"winlogbeat-*": {
|
|
"winlog": {
|
|
"event_data": {
|
|
"AccessList": "keyword",
|
|
"AccessMask": "keyword",
|
|
"AccessMaskDescription": "keyword",
|
|
"AllowedToDelegateTo": "keyword",
|
|
"AttributeLDAPDisplayName": "keyword",
|
|
"AttributeValue": "keyword",
|
|
"CallerProcessName": "keyword",
|
|
"CallTrace": "keyword",
|
|
"ClientProcessId": "keyword",
|
|
"Consumer": "keyword",
|
|
"GrantedAccess": "keyword",
|
|
"NewTargetUserName": "keyword",
|
|
"ObjectClass": "keyword",
|
|
"ObjectDN": "keyword",
|
|
"ObjectName": "keyword",
|
|
"OldTargetUserName": "keyword",
|
|
"OriginalFileName": "keyword",
|
|
"ParentProcessId": "keyword",
|
|
"ProcessName": "keyword",
|
|
"Properties": "keyword",
|
|
"RelativeTargetName": "keyword",
|
|
"ShareName": "keyword",
|
|
"SubjectLogonId": "keyword",
|
|
"SubjectUserName": "keyword",
|
|
"SubjectUserSid": "keyword",
|
|
"TargetUserName": "keyword",
|
|
"TargetImage": "keyword",
|
|
"TargetLogonId": "keyword",
|
|
"TargetProcessGUID": "keyword",
|
|
"TargetSid": "keyword",
|
|
"SchemaFriendlyName": "keyword",
|
|
"Resource": "keyword",
|
|
"PrivilegeList": "keyword",
|
|
"AuthenticationPackageName" : "keyword",
|
|
"TargetUserSid" : "keyword",
|
|
"LogonProcessName": "keyword",
|
|
"DnsHostName" : "keyword",
|
|
"ServiceFileName": "keyword",
|
|
"ImagePath": "keyword",
|
|
"TaskName": "keyword",
|
|
"Status": "keyword",
|
|
"EnabledPrivilegeList": "keyword",
|
|
"Operation": "keyword",
|
|
"OperationType": "keyword"
|
|
}
|
|
},
|
|
"winlog.logon.type": "keyword",
|
|
"winlog.logon.id": "keyword",
|
|
"powershell.file.script_block_text": "text"
|
|
},
|
|
"filebeat-*": {
|
|
"o365.audit.NewValue": "keyword",
|
|
"labels.is_ioc_transform_source": "keyword"
|
|
},
|
|
"logs-endpoint.events.*": {
|
|
"process.Ext.token.integrity_level_name": "keyword",
|
|
"process.parent.Ext.real.pid": "long",
|
|
"process.Ext.effective_parent.executable": "keyword",
|
|
"process.Ext.effective_parent.name": "keyword",
|
|
"file.Ext.header_bytes": "keyword",
|
|
"file.Ext.entropy": "long",
|
|
"file.Ext.windows.zone_identifier": "long",
|
|
"file.size": "long",
|
|
"file.Ext.original.name": "keyword",
|
|
"dll.Ext.device.product_id": "keyword",
|
|
"dll.Ext.relative_file_creation_time": "double",
|
|
"dll.Ext.relative_file_name_modify_time": "double",
|
|
"process.Ext.relative_file_name_modify_time": "double",
|
|
"process.Ext.relative_file_creation_time": "double",
|
|
"Target.process.name": "keyword",
|
|
"process.Ext.api.name": "keyword"
|
|
},
|
|
"logs-windows.*": {
|
|
"powershell.file.script_block_text": "text"
|
|
},
|
|
"logs-kubernetes.*": {
|
|
"kubernetes.audit.objectRef.resource": "keyword",
|
|
"kubernetes.audit.objectRef.subresource": "keyword",
|
|
"kubernetes.audit.verb": "keyword",
|
|
"kubernetes.audit.user.username": "keyword",
|
|
"kubernetes.audit.impersonatedUser.username": "keyword",
|
|
"kubernetes.audit.annotations.authorization_k8s_io/decision": "keyword",
|
|
"kubernetes.audit.annotations.authorization_k8s_io/reason": "keyword",
|
|
"kubernetes.audit.user.groups": "text",
|
|
"kubernetes.audit.requestObject.spec.containers.securityContext.privileged": "boolean",
|
|
"kubernetes.audit.requestObject.spec.containers.securityContext.allowPrivilegeEscalation": "boolean",
|
|
"kubernetes.audit.requestObject.spec.securityContext.runAsUser": "long",
|
|
"kubernetes.audit.requestObject.spec.containers.securityContext.runAsUser": "long",
|
|
"kubernetes.audit.requestObject.spec.hostPID": "boolean",
|
|
"kubernetes.audit.requestObject.spec.hostNetwork": "boolean",
|
|
"kubernetes.audit.requestObject.spec.hostIPC": "boolean",
|
|
"kubernetes.audit.requestObject.spec.volumes.hostPath.path": "keyword",
|
|
"kubernetes.audit.requestObject.spec.type": "keyword",
|
|
"kubernetes.audit.requestObject.rules.resources": "keyword",
|
|
"kubernetes.audit.requestObject.rules.verb": "keyword",
|
|
"kubernetes.audit.objectRef.namespace": "keyword",
|
|
"kubernetes.audit.objectRef.serviceAccountName": "keyword",
|
|
"kubernetes.audit.requestObject.spec.serviceAccountName": "keyword",
|
|
"kubernetes.audit.responseStatus.reason": "keyword",
|
|
"kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add": "keyword",
|
|
"kubernetes.audit.requestObject.spec.containers.image": "text"
|
|
},
|
|
".alerts-security.*": {
|
|
"signal.rule.name": "keyword",
|
|
"kibana.alert.rule.threat.tactic.id": "keyword",
|
|
"kibana.alert.rule.rule_id": "keyword"
|
|
},
|
|
"logs-google_workspace*": {
|
|
"gsuite.admin": "keyword",
|
|
"gsuite.admin.new_value": "keyword",
|
|
"gsuite.admin.setting.name": "keyword",
|
|
"google_workspace.drive.owner_is_team_drive": "keyword",
|
|
"google_workspace.drive.copy_type": "keyword",
|
|
"google_workspace.drive.file.type": "keyword",
|
|
"google_workspace.drive.visibility": "keyword",
|
|
"google_workspace.token.client.id": "keyword",
|
|
"google_workspace.token.scope.data.scope_name": "keyword"
|
|
},
|
|
"logs-ti_*": {
|
|
"labels.is_ioc_transform_source": "keyword"
|
|
},
|
|
"logs-auditd_manager.auditd-*": {
|
|
"auditd.data.a0": "keyword",
|
|
"auditd.data.a1": "keyword",
|
|
"auditd.data.a2": "keyword",
|
|
"auditd.data.a3": "keyword"
|
|
}
|
|
}
|