b15f0de9a4
* [Rules Tuning] 7 diverse Windows rules: excluding FP patterns while avoiding breaking compat with winlogbeat and 4688 events, which lack codesign metadata. * Update initial_access_suspicious_ms_exchange_process.toml * Update privilege_escalation_persistence_phantom_dll.toml * Update execution_psexec_lateral_movement_command.toml * Update persistence_remote_password_reset.toml * Update non-ecs-schema.json * Update persistence_remote_password_reset.toml * Update non-ecs-schema.json * Update discovery_privileged_localgroup_membership.toml
{
"endgame-*": {
"endgame": {
"metadata": {
"type": "keyword"
},
"event_subtype_full": "keyword"
}
},
"winlogbeat-*": {
"winlog": {
"event_data": {
"AccessList": "keyword",
"AccessMask": "keyword",
"AccessMaskDescription": "keyword",
"AllowedToDelegateTo": "keyword",
"AttributeLDAPDisplayName": "keyword",
"AttributeValue": "keyword",
"CallerProcessName": "keyword",
"CallTrace": "keyword",
"ClientProcessId": "keyword",
"GrantedAccess": "keyword",
"NewTargetUserName": "keyword",
"ObjectClass": "keyword",
"ObjectDN": "keyword",
"ObjectName": "keyword",
"OldTargetUserName": "keyword",
"OriginalFileName": "keyword",
"ParentProcessId": "keyword",
"ProcessName": "keyword",
"Properties": "keyword",
"RelativeTargetName": "keyword",
"ShareName": "keyword",
"SubjectLogonId": "keyword",
"SubjectUserName": "keyword",
"TargetUserName": "keyword",
"TargetImage": "keyword",
"TargetLogonId": "keyword",
"TargetProcessGUID": "keyword",
"TargetSid": "keyword",
"PrivilegeList": "keyword",
"AuthenticationPackageName" : "keyword",
"TargetUserSid" : "keyword",
"DnsHostName" : "keyword"
}
},
"winlog.logon.type": "keyword",
"powershell.file.script_block_text": "text"
},
"filebeat-*": {
"o365.audit.NewValue": "keyword"
},
"logs-endpoint.events.*": {
"process.Ext.token.integrity_level_name": "keyword",
"process.parent.Ext.real.pid": "long",
"file.Ext.header_bytes": "keyword",
"file.Ext.entropy": "long",
"file.size": "long"
},
"logs-windows.*": {
"powershell.file.script_block_text": "text"
},
"logs-kubernetes.*": {
"kubernetes.audit.objectRef.resource": "keyword",
"kubernetes.audit.objectRef.subresource": "keyword",
"kubernetes.audit.verb": "keyword",
"kubernetes.audit.user.username": "keyword",
"kubernetes.audit.impersonatedUser.username": "keyword",
"kubernetes.audit.annotations.authorization_k8s_io/decision": "keyword",
"kubernetes.audit.annotations.authorization_k8s_io/reason": "keyword",
"kubernetes.audit.user.groups": "text",
"kubernetes.audit.requestObject.spec.containers.securityContext.privileged": "boolean",
"kubernetes.audit.requestObject.spec.containers.securityContext.allowPrivilegeEscalation": "boolean",
"kubernetes.audit.requestObject.spec.securityContext.runAsUser": "long",
"kubernetes.audit.requestObject.spec.containers.securityContext.runAsUser": "long",
"kubernetes.audit.requestObject.spec.hostPID": "boolean",
"kubernetes.audit.requestObject.spec.hostNetwork": "boolean",
"kubernetes.audit.requestObject.spec.hostIPC": "boolean",
"kubernetes.audit.requestObject.spec.volumes.hostPath.path": "keyword",
"kubernetes.audit.requestObject.spec.type": "keyword",
"kubernetes.audit.requestObject.rules.resources": "keyword",
"kubernetes.audit.requestObject.rules.verb": "keyword"
}
}