mirror of https://github.com/infosecn1nja/HELK.git
Merge pull request #93 from neu5ron/master
Logstash refactoring and many logstash additions
keyword-vs-text-changes
commit
c7af8e42bc
@ -12,7 +12,7 @@ server.host: "helk-kibana"
|
|||
#server.basePath: ""
|
||||
|
||||
# The maximum payload size in bytes for incoming server requests.
|
||||
#server.maxPayloadBytes: 1048576
|
||||
server.maxPayloadBytes: 2048576
|
||||
|
||||
# The Kibana server's name. This is used for display purposes.
|
||||
server.name: "helk-kibana"
|
||||
|
@ -58,11 +58,11 @@ elasticsearch.url: "http://helk-elasticsearch:9200"
|
|||
|
||||
# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
|
||||
# the elasticsearch.requestTimeout setting.
|
||||
#elasticsearch.pingTimeout: 1500
|
||||
elasticsearch.pingTimeout: 7500
|
||||
|
||||
# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
|
||||
# must be a positive integer.
|
||||
elasticsearch.requestTimeout: 60000
|
||||
elasticsearch.requestTimeout: 300000
|
||||
|
||||
# List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
|
||||
# headers, set this value to [] (an empty list).
|
||||
|
|
|
@ -0,0 +1,57 @@
|
|||
{
|
||||
"order": 10,
|
||||
"index_patterns": [ "logs-*" ],
|
||||
"version": 2018080201,
|
||||
"settings": {
|
||||
"index": {
|
||||
"mapping": {
|
||||
"ignore_malformed": true,
|
||||
"total_fields.limit": "1000",
|
||||
"coerce": true
|
||||
}
|
||||
},
|
||||
"refresh_interval": "30s"
|
||||
},
|
||||
"mappings": {
|
||||
"_doc": {
|
||||
"dynamic": "true",
|
||||
"dynamic_templates": [
|
||||
{
|
||||
"strings": {
|
||||
"match_mapping_type": "string",
|
||||
"mapping": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"fields": {
|
||||
"keyword": {
|
||||
"type": "keyword",
|
||||
"ignore_above": 1024
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
],
|
||||
"properties": {
|
||||
"@timestamp": {
|
||||
"type": "date"
|
||||
},
|
||||
"@version": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"log_ingest_timestamp": {
|
||||
"type": "date"
|
||||
},
|
||||
"z_logstash_type": {
|
||||
"enabled": false
|
||||
},
|
||||
"z_original_message": {
|
||||
"enabled": false
|
||||
},
|
||||
"z_logstash_pipeline": {
|
||||
"enabled": false
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
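Review bot: `"ignore_malformed": true` under `settings.index.mapping` makes every index matched by `logs-*` silently drop any field value that does not parse as its mapped type (a non-numeric `process_id`, an unparsable date) while still indexing the rest of the document, so an event whose fields fail to parse stays findable only through the fields that survived and never raises an indexing error. For a detection data set that deserves a note next to the setting and a saved search on the `_ignored` meta-field (available from Elasticsearch 6.4) so that dropped values are noticed rather than lost; `"coerce": true` on the line below hides the same class of problem for numeric strings. `"total_fields.limit": "1000"` is written as a string while the sibling values are bare numbers; Elasticsearch accepts both, but `"total_fields.limit": 1000` matches the rest of the file.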
|
|
@ -0,0 +1,153 @@
|
|||
{
|
||||
"order": 50,
|
||||
"index_patterns": [ "logs-endpoint-winevent-*" ],
|
||||
"version": 2018080101,
|
||||
"settings": {
|
||||
"analysis": {
|
||||
"analyzer": {
|
||||
"cli_n_file_analyzer": {
|
||||
"type": "custom",
|
||||
"filter": [ "case_change_only_delim_filter", "three_or_more_tokenizer_limit_filter", "cli_n_file_word_delim_filter", "two_or_more_tokenizer_limit_filter", "lowercase", "unique" ],
|
||||
"tokenizer": "standard"
|
||||
}
|
||||
},
|
||||
"filter": {
|
||||
"cli_n_file_word_delim_filter": {
|
||||
"type": "word_delimiter",
|
||||
"generate_word_parts": true,
|
||||
"split_on_case_change": true,
|
||||
"split_on_numerics": false,
|
||||
"stem_english_possessive": false,
|
||||
"generate_number_parts": true,
|
||||
"preserve_original": true
|
||||
},
|
||||
"case_change_only_delim_filter": {
|
||||
"type": "word_delimiter",
|
||||
"generate_word_parts": true,
|
||||
"split_on_case_change": true,
|
||||
"split_on_numerics": false,
|
||||
"stem_english_possessive": false,
|
||||
"generate_number_parts": false,
|
||||
"preserve_original": true
|
||||
},
|
||||
"two_or_more_tokenizer_limit_filter": {
|
||||
"type": "length",
|
||||
"min": 2
|
||||
},
|
||||
"three_or_more_tokenizer_limit_filter": {
|
||||
"type": "length",
|
||||
"min": 3
|
||||
}
|
||||
},
|
||||
"normalizer": {
|
||||
"lowercase_normalizer": {
|
||||
"type": "custom",
|
||||
"char_filter": [ ],
|
||||
"filter": [ "lowercase" ]
|
||||
}
|
||||
}
|
||||
},
|
||||
"index": {
|
||||
"mapping": {
|
||||
"total_fields.limit": "3000"
|
||||
}
|
||||
},
|
||||
"refresh_interval": "30s"
|
||||
},
|
||||
"mappings": {
|
||||
"_doc":{
|
||||
"properties":{
|
||||
"process_id":{"type":"integer"},
|
||||
"event_id":{"type":"integer"},
|
||||
"file_name": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"analyzer": "cli_n_file_analyzer",
|
||||
"fields": {
|
||||
"keyword": {
|
||||
"ignore_above": 7500,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"logon_process_name": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"analyzer": "cli_n_file_analyzer",
|
||||
"fields": {
|
||||
"keyword": {
|
||||
"ignore_above": 7500,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"object_name": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"analyzer": "cli_n_file_analyzer",
|
||||
"fields": {
|
||||
"keyword": {
|
||||
"ignore_above": 7500,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"process_command_line": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"analyzer": "cli_n_file_analyzer",
|
||||
"fields": {
|
||||
"keyword": {
|
||||
"ignore_above": 7500,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"process_current_directory": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"analyzer": "cli_n_file_analyzer",
|
||||
"fields": {
|
||||
"keyword": {
|
||||
"ignore_above": 7500,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"process_parent_path": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"analyzer": "cli_n_file_analyzer",
|
||||
"fields": {
|
||||
"keyword": {
|
||||
"ignore_above": 7500,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"process_parent_command_line": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"analyzer": "cli_n_file_analyzer",
|
||||
"fields": {
|
||||
"keyword": {
|
||||
"ignore_above": 7500,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"process_path": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"analyzer": "cli_n_file_analyzer",
|
||||
"fields": {
|
||||
"keyword": {
|
||||
"ignore_above": 7500,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
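Review bot: The `"ignore_above": 7500` on the `keyword` sub-field of `process_command_line`, `process_parent_command_line` and the other `cli_n_file_analyzer` fields means a command line longer than 7500 characters is still tokenized into the `text` field but gets no exact-match, aggregatable copy, so a term query or visualization on `process_command_line.keyword` simply will not see it. That is a reasonable trade-off against the 32766-byte keyword term limit, but it should be recorded (a `_meta` entry under the mapping, or the README, since JSON has no comments) and detection content that relies on the `.keyword` fields should be written knowing it. Naming nit: `two_or_more_tokenizer_limit_filter` and `three_or_more_tokenizer_limit_filter` are `length` token filters, not tokenizers; `min_length_2_filter` / `min_length_3_filter` would describe them truthfully. `"total_fields.limit": "3000"` is again a string where the rest of the file uses bare numbers.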
|
|
@ -0,0 +1,12 @@
|
|||
{
|
||||
"order": 60,
|
||||
"index_patterns" : "logs-endpoint-powershell-direct-*",
|
||||
"version": 2018080101,
|
||||
"mappings":{
|
||||
"_doc":{
|
||||
"properties":{
|
||||
"process_id":{"type":"integer"}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
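Review bot: `"index_patterns" : "logs-endpoint-powershell-direct-*"` is a bare string while every other new template in this commit wraps the pattern in an array (`"index_patterns": [ "logs-endpoint-powershell-direct-*" ]`); Elasticsearch 6 accepts both, but the mixed form invites a copy-paste error when a second pattern is added, and the same applies to `"index_patterns": "logs-endpoint-winevent-security-*"` in the security template further down. Because this pattern does not match `logs-endpoint-winevent-*`, the order-50 analyzers and the 7500-character keyword sub-fields do not apply to these indices; if that is intended it is worth a line in the README, since PowerShell command lines are exactly the values those settings were written for.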
|
|
@ -0,0 +1,12 @@
|
|||
{
|
||||
"order": 60,
|
||||
"index_patterns": [ "logs-endpoint-winevent-application-*" ],
|
||||
"version": 2018080101,
|
||||
"mappings":{
|
||||
"_doc":{
|
||||
"properties":{
|
||||
"spp_restart_scheduled":{"type":"date"}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,232 @@
|
|||
{
|
||||
"order": 60,
|
||||
"index_patterns": [ "logs-endpoint-winevent-powershell-*" ],
|
||||
"version": 2018080201,
|
||||
"mappings":{
|
||||
"_doc": {
|
||||
"properties": {
|
||||
"powershell": {
|
||||
"dynamic": "false",
|
||||
"properties": {
|
||||
"command": {
|
||||
"properties": {
|
||||
"name": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"analyzer": "standard",
|
||||
"fields": {
|
||||
"keyword": {
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"line": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"analyzer": "standard",
|
||||
"fields": {
|
||||
"keyword": {
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"path": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"analyzer": "standard",
|
||||
"fields": {
|
||||
"keyword": {
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"type": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"analyzer": "standard",
|
||||
"fields": {
|
||||
"keyword": {
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"connected_user": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"analyzer": "standard",
|
||||
"fields": {
|
||||
"keyword": {
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"param": {
|
||||
"properties": {
|
||||
"name": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"analyzer": "standard",
|
||||
"fields": {
|
||||
"keyword": {
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"value": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"analyzer": "standard",
|
||||
"fields": {
|
||||
"keyword": {
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"value_nonalphanumeric": {
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"pipeline_id": {
|
||||
"type": "integer"
|
||||
},
|
||||
"remaining_payload": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"analyzer": "standard",
|
||||
"fields": {
|
||||
"keyword": {
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"runspace_id": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"scriptblock": {
|
||||
"properties": {
|
||||
"id": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"message_number": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"message_total": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"text": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"analyzer": "standard",
|
||||
"fields": {
|
||||
"keyword": {
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"sequence_number": {
|
||||
"type": "integer"
|
||||
},
|
||||
"shell_id": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"script": {
|
||||
"properties": {
|
||||
"name": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"analyzer": "standard",
|
||||
"fields": {
|
||||
"keyword": {
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"path": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"analyzer": "standard",
|
||||
"fields": {
|
||||
"keyword": {
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"host": {
|
||||
"properties": {
|
||||
"application": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"analyzer": "standard",
|
||||
"fields": {
|
||||
"keyword": {
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"name": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"version": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"id": {
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"engine_version": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"newproviderstate": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"analyzer": "standard",
|
||||
"fields": {
|
||||
"keyword": {
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"providername": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"analyzer": "standard",
|
||||
"fields": {
|
||||
"keyword": {
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"newengine_state": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"analyzer": "standard",
|
||||
"fields": {
|
||||
"keyword": {
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"previousengine_state": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"analyzer": "standard",
|
||||
"fields": {
|
||||
"keyword": {
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
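Review bot: The `keyword` sub-fields on `powershell.scriptblock.text`, `powershell.remaining_payload`, `powershell.param.value` and `powershell.command.line` carry no `ignore_above`, unlike the 7500 used for the command-line fields in the order-50 template; a keyword term above Lucene's 32766-byte limit is rejected at index time, and as far as I can tell the base template's `ignore_malformed` does not cover keyword fields, so a script block or payload that long would fail to index and the event recording it would be lost — the worst outcome for the one log source most likely to carry very large values. Adding `"ignore_above": 7500` (or whatever bound the team settles on) to those sub-fields keeps the `text` copy searchable and the document indexed. `"dynamic": "false"` on the `powershell` object means any field the pipeline later adds under it is kept in `_source` but neither indexed nor searchable, with no error; that is defensible, but recording the choice in the README will let a new field "disappearing" be recognised as this setting rather than debugged as a pipeline fault.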
|
|
@ -0,0 +1,19 @@
|
|||
{
|
||||
"order": 60,
|
||||
"index_patterns": "logs-endpoint-winevent-security-*",
|
||||
"version": 2018080101,
|
||||
"mappings":{
|
||||
"_doc":{
|
||||
"properties":{
|
||||
"@date_new_time":{"type":"date"},
|
||||
"@date_previous_time":{"type":"date"},
|
||||
"target_process_id":{"type":"integer"},
|
||||
"process_parent_id":{"type":"integer"},
|
||||
"user_session_id":{"type":"integer"},
|
||||
"src_port":{"type":"integer"},
|
||||
"dst_port":{"type":"integer"},
|
||||
"version":{"type":"integer"}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,26 @@
|
|||
{
|
||||
"order": 60,
|
||||
"index_patterns": [ "logs-endpoint-winevent-sysmon-*" ],
|
||||
"version": 2018080101,
|
||||
"settings": {
|
||||
"index.refresh_interval": "5s"
|
||||
},
|
||||
"mappings":{
|
||||
"_doc":{
|
||||
"properties":{
|
||||
"@date_creation":{"type":"date"},
|
||||
"@date_creation_previous":{"type":"date"},
|
||||
"dst_port":{"type":"integer"},
|
||||
"src_port":{"type":"integer"},
|
||||
"network_initiated":{"type":"boolean"},
|
||||
"thread_new_id":{"type":"integer"},
|
||||
"module_signed":{"type":"boolean"},
|
||||
"process_parent_id":{"type":"integer"},
|
||||
"target_process_id":{"type":"integer"},
|
||||
"user_session_id":{"type":"integer"},
|
||||
"thread_id":{"type":"integer"},
|
||||
"version":{"type":"integer"}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
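Review bot: `"index.refresh_interval": "5s"` is the only place in this commit that overrides the `"refresh_interval": "30s"` set by the order-10 `logs-*` template; the other per-source templates (security, application, system, wmiactivity) inherit 30s, so Sysmon events become searchable six times sooner than security-log events from the same host. If that is deliberate (Sysmon as the near-real-time source) a README note saying so will stop someone "harmonising" it; if it is a leftover from the deleted per-file `5s` settings, dropping the `settings` block keeps behaviour uniform.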
|
|
@ -0,0 +1,7 @@
|
|||
{
|
||||
"order": 60,
|
||||
"index_patterns": [ "logs-endpoint-winevent-system-*" ],
|
||||
"version": 2018080101,
|
||||
"mappings":{
|
||||
}
|
||||
}
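Review bot: `"mappings":{ }` is empty, so this template contributes nothing beyond its `order` and `version`; the `@timestamp` mapping and string template the deleted version declared are now supplied by the order-10 base, and the same holds for the wmiactivity template that follows. Keeping a placeholder per source is fine, but a `_meta` entry or a README line saying the file is intentionally empty will prevent it being read as unfinished.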
|
|
@ -0,0 +1,7 @@
|
|||
{
|
||||
"order": 60,
|
||||
"index_patterns": [ "logs-endpoint-winevent-wmiactivity-*" ],
|
||||
"version": 2018080101,
|
||||
"mappings":{
|
||||
}
|
||||
}
|
|
@ -0,0 +1,26 @@
|
|||
{
|
||||
"order": 82,
|
||||
"index_patterns": [ "logs-*" ],
|
||||
"version": 2018080101,
|
||||
"mappings": {
|
||||
"_doc": {
|
||||
"properties": {
|
||||
"not_ip_dst": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"not_ip_dst_nat": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"not_ip_log": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"not_ip_src": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"not_ip_src_nat": {
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,88 @@
|
|||
{
|
||||
"order": 91,
|
||||
"index_patterns": [ "logs-*" ],
|
||||
"version": 2018052301,
|
||||
"mappings": {
|
||||
"_doc": {
|
||||
"properties": {
|
||||
"dst_nat_ip_addr": {
|
||||
"type": "ip",
|
||||
"copy_to": "any_ip_addr"
|
||||
},
|
||||
"dst_nat_ip_public": {
|
||||
"type": "boolean",
|
||||
"doc_values": false
|
||||
},
|
||||
"dst_nat_ip_type": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"meta_dst_nat_ip_geo": {
|
||||
"properties": {
|
||||
"asn": {
|
||||
"type": "integer",
|
||||
"copy_to": "any_ip_geo.asn"
|
||||
},
|
||||
"as_org": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"copy_to": "any_ip_geo.as_org",
|
||||
"fields": {
|
||||
"keyword": {
|
||||
"type": "keyword",
|
||||
"eager_global_ordinals": true
|
||||
}
|
||||
}
|
||||
},
|
||||
"country_code2": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"country_code3": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"country_name": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"continent_code": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"region_code": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"region_name": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"city_name": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"postal_code": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"latitude": {
|
||||
"type": "keyword",
|
||||
"index": false,
|
||||
"doc_values": false
|
||||
},
|
||||
"longitude": {
|
||||
"type": "keyword",
|
||||
"index": false,
|
||||
"doc_values": false
|
||||
},
|
||||
"dma_code": {
|
||||
"type": "integer"
|
||||
},
|
||||
"area_code": {
|
||||
"type": "integer"
|
||||
},
|
||||
"timezone": {
|
||||
"type": "keyword",
|
||||
"index": false
|
||||
},
|
||||
"location": {
|
||||
"type": "geo_point"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
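Review bot: `"asn": { "type": "integer", ... }` under `meta_dst_nat_ip_geo` is a signed 32-bit field, but autonomous system numbers are 32-bit unsigned (up to 4294967295; the 4200000000–4294967294 private range in particular exceeds 2147483647), so such a value does not fit, and with the base template's `ignore_malformed` it would be discarded silently rather than rejected. `"type": "long"` holds the full range at no practical cost; the same field appears in the seven sibling `*_ip_geo` / `*_ipv6_geo` templates that follow and as the `copy_to` target `any_ip_geo.asn` in the order-99 template, which needs the same change so the copied value is not lost there. `latitude` and `longitude` are keywords with `index` and `doc_values` both false, i.e. retrievable only from `_source`; that is fine given `location` is a `geo_point`, but a `_meta` note would save someone trying to aggregate on them.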
|
|
@ -0,0 +1,88 @@
|
|||
{
|
||||
"order": 91,
|
||||
"index_patterns": [ "logs-*" ],
|
||||
"version": 2018052301,
|
||||
"mappings": {
|
||||
"_doc": {
|
||||
"properties": {
|
||||
"dst_ip_addr": {
|
||||
"type": "ip",
|
||||
"copy_to": "any_ip_addr"
|
||||
},
|
||||
"dst_ip_public": {
|
||||
"type": "boolean",
|
||||
"doc_values": false
|
||||
},
|
||||
"dst_ip_type": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"meta_dst_ip_geo": {
|
||||
"properties": {
|
||||
"asn": {
|
||||
"type": "integer",
|
||||
"copy_to": "any_ip_geo.asn"
|
||||
},
|
||||
"as_org": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"copy_to": "any_ip_geo.as_org",
|
||||
"fields": {
|
||||
"keyword": {
|
||||
"type": "keyword",
|
||||
"eager_global_ordinals": true
|
||||
}
|
||||
}
|
||||
},
|
||||
"country_code2": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"country_code3": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"country_name": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"continent_code": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"region_code": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"region_name": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"city_name": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"postal_code": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"latitude": {
|
||||
"type": "keyword",
|
||||
"index": false,
|
||||
"doc_values": false
|
||||
},
|
||||
"longitude": {
|
||||
"type": "keyword",
|
||||
"index": false,
|
||||
"doc_values": false
|
||||
},
|
||||
"dma_code": {
|
||||
"type": "integer"
|
||||
},
|
||||
"area_code": {
|
||||
"type": "integer"
|
||||
},
|
||||
"timezone": {
|
||||
"type": "keyword",
|
||||
"index": false
|
||||
},
|
||||
"location": {
|
||||
"type": "geo_point"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,88 @@
|
|||
{
|
||||
"order": 91,
|
||||
"index_patterns": [ "logs-*" ],
|
||||
"version": 2018052301,
|
||||
"mappings": {
|
||||
"_doc": {
|
||||
"properties": {
|
||||
"src_nat_ip_addr": {
|
||||
"type": "ip",
|
||||
"copy_to": "any_ip_addr"
|
||||
},
|
||||
"src_nat_ip_public": {
|
||||
"type": "boolean",
|
||||
"doc_values": false
|
||||
},
|
||||
"src_nat_ip_type": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"meta_src_nat_ip_geo": {
|
||||
"properties": {
|
||||
"asn": {
|
||||
"type": "integer",
|
||||
"copy_to": "any_ip_geo.asn"
|
||||
},
|
||||
"as_org": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"copy_to": "any_ip_geo.as_org",
|
||||
"fields": {
|
||||
"keyword": {
|
||||
"type": "keyword",
|
||||
"eager_global_ordinals": true
|
||||
}
|
||||
}
|
||||
},
|
||||
"country_code2": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"country_code3": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"country_name": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"continent_code": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"region_code": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"region_name": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"city_name": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"postal_code": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"latitude": {
|
||||
"type": "keyword",
|
||||
"index": false,
|
||||
"doc_values": false
|
||||
},
|
||||
"longitude": {
|
||||
"type": "keyword",
|
||||
"index": false,
|
||||
"doc_values": false
|
||||
},
|
||||
"dma_code": {
|
||||
"type": "integer"
|
||||
},
|
||||
"area_code": {
|
||||
"type": "integer"
|
||||
},
|
||||
"timezone": {
|
||||
"type": "keyword",
|
||||
"index": false
|
||||
},
|
||||
"location": {
|
||||
"type": "geo_point"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,88 @@
|
|||
{
|
||||
"order": 91,
|
||||
"index_patterns": [ "logs-*" ],
|
||||
"version": 2018052301,
|
||||
"mappings": {
|
||||
"_doc": {
|
||||
"properties": {
|
||||
"src_ip_addr": {
|
||||
"type": "ip",
|
||||
"copy_to": "any_ip_addr"
|
||||
},
|
||||
"src_ip_public": {
|
||||
"type": "boolean",
|
||||
"doc_values": false
|
||||
},
|
||||
"src_ip_type": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"meta_src_ip_geo": {
|
||||
"properties": {
|
||||
"asn": {
|
||||
"type": "integer",
|
||||
"copy_to": "any_ip_geo.asn"
|
||||
},
|
||||
"as_org": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"copy_to": "any_ip_geo.as_org",
|
||||
"fields": {
|
||||
"keyword": {
|
||||
"type": "keyword",
|
||||
"eager_global_ordinals": true
|
||||
}
|
||||
}
|
||||
},
|
||||
"country_code2": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"country_code3": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"country_name": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"continent_code": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"region_code": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"region_name": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"city_name": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"postal_code": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"latitude": {
|
||||
"type": "keyword",
|
||||
"index": false,
|
||||
"doc_values": false
|
||||
},
|
||||
"longitude": {
|
||||
"type": "keyword",
|
||||
"index": false,
|
||||
"doc_values": false
|
||||
},
|
||||
"dma_code": {
|
||||
"type": "integer"
|
||||
},
|
||||
"area_code": {
|
||||
"type": "integer"
|
||||
},
|
||||
"timezone": {
|
||||
"type": "keyword",
|
||||
"index": false
|
||||
},
|
||||
"location": {
|
||||
"type": "geo_point"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,88 @@
|
|||
{
|
||||
"order": 91,
|
||||
"index_patterns": [ "logs-*" ],
|
||||
"version": 2018080101,
|
||||
"mappings": {
|
||||
"_doc": {
|
||||
"properties": {
|
||||
"dst_nat_ipv6_addr": {
|
||||
"type": "ip",
|
||||
"copy_to": "any_ip_addr"
|
||||
},
|
||||
"dst_nat_ipv6_public": {
|
||||
"type": "boolean",
|
||||
"doc_values": false
|
||||
},
|
||||
"dst_nat_ipv6_type": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"meta_dst_nat_ipv6_geo": {
|
||||
"properties": {
|
||||
"asn": {
|
||||
"type": "integer",
|
||||
"copy_to": "any_ip_geo.asn"
|
||||
},
|
||||
"as_org": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"copy_to": "any_ip_geo.as_org",
|
||||
"fields": {
|
||||
"keyword": {
|
||||
"type": "keyword",
|
||||
"eager_global_ordinals": true
|
||||
}
|
||||
}
|
||||
},
|
||||
"country_code2": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"country_code3": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"country_name": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"continent_code": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"region_code": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"region_name": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"city_name": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"postal_code": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"latitude": {
|
||||
"type": "keyword",
|
||||
"index": false,
|
||||
"doc_values": false
|
||||
},
|
||||
"longitude": {
|
||||
"type": "keyword",
|
||||
"index": false,
|
||||
"doc_values": false
|
||||
},
|
||||
"dma_code": {
|
||||
"type": "integer"
|
||||
},
|
||||
"area_code": {
|
||||
"type": "integer"
|
||||
},
|
||||
"timezone": {
|
||||
"type": "keyword",
|
||||
"index": false
|
||||
},
|
||||
"location": {
|
||||
"type": "geo_point"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,88 @@
|
|||
{
|
||||
"order": 91,
|
||||
"index_patterns": [ "logs-*" ],
|
||||
"version": 2018080101,
|
||||
"mappings": {
|
||||
"_doc": {
|
||||
"properties": {
|
||||
"dst_ipv6_addr": {
|
||||
"type": "ip",
|
||||
"copy_to": "any_ip_addr"
|
||||
},
|
||||
"dst_ipv6_public": {
|
||||
"type": "boolean",
|
||||
"doc_values": false
|
||||
},
|
||||
"dst_ipv6_type": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"meta_dst_ipv6_geo": {
|
||||
"properties": {
|
||||
"asn": {
|
||||
"type": "integer",
|
||||
"copy_to": "any_ip_geo.asn"
|
||||
},
|
||||
"as_org": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"copy_to": "any_ip_geo.as_org",
|
||||
"fields": {
|
||||
"keyword": {
|
||||
"type": "keyword",
|
||||
"eager_global_ordinals": true
|
||||
}
|
||||
}
|
||||
},
|
||||
"country_code2": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"country_code3": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"country_name": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"continent_code": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"region_code": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"region_name": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"city_name": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"postal_code": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"latitude": {
|
||||
"type": "keyword",
|
||||
"index": false,
|
||||
"doc_values": false
|
||||
},
|
||||
"longitude": {
|
||||
"type": "keyword",
|
||||
"index": false,
|
||||
"doc_values": false
|
||||
},
|
||||
"dma_code": {
|
||||
"type": "integer"
|
||||
},
|
||||
"area_code": {
|
||||
"type": "integer"
|
||||
},
|
||||
"timezone": {
|
||||
"type": "keyword",
|
||||
"index": false
|
||||
},
|
||||
"location": {
|
||||
"type": "geo_point"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,88 @@
|
|||
{
|
||||
"order": 91,
|
||||
"index_patterns": [ "logs-*" ],
|
||||
"version": 2018080101,
|
||||
"mappings": {
|
||||
"_doc": {
|
||||
"properties": {
|
||||
"ipv6_src_nat_addr": {
|
||||
"type": "ip",
|
||||
"copy_to": "any_ip_addr"
|
||||
},
|
||||
"ipv6_src_nat_public": {
|
||||
"type": "boolean",
|
||||
"doc_values": false
|
||||
},
|
||||
"ipv6_src_nat_type": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"meta_src_nat_ipv6_geo": {
|
||||
"properties": {
|
||||
"asn": {
|
||||
"type": "integer",
|
||||
"copy_to": "any_ip_geo.asn"
|
||||
},
|
||||
"as_org": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"copy_to": "any_ip_geo.as_org",
|
||||
"fields": {
|
||||
"keyword": {
|
||||
"type": "keyword",
|
||||
"eager_global_ordinals": true
|
||||
}
|
||||
}
|
||||
},
|
||||
"country_code2": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"country_code3": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"country_name": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"continent_code": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"region_code": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"region_name": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"city_name": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"postal_code": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"latitude": {
|
||||
"type": "keyword",
|
||||
"index": false,
|
||||
"doc_values": false
|
||||
},
|
||||
"longitude": {
|
||||
"type": "keyword",
|
||||
"index": false,
|
||||
"doc_values": false
|
||||
},
|
||||
"dma_code": {
|
||||
"type": "integer"
|
||||
},
|
||||
"area_code": {
|
||||
"type": "integer"
|
||||
},
|
||||
"timezone": {
|
||||
"type": "keyword",
|
||||
"index": false
|
||||
},
|
||||
"location": {
|
||||
"type": "geo_point"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
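Review bot: The three top-level fields here are named `ipv6_src_nat_addr`, `ipv6_src_nat_public` and `ipv6_src_nat_type`, while every sibling template uses the direction-then-family order (`dst_nat_ipv6_addr` two templates above, `src_ipv6_addr` in the next one) and this template's own geo object is `meta_src_nat_ipv6_geo`. If the Logstash pipeline emits `src_nat_ipv6_addr` as the rest of the naming implies, these mappings never match, the field falls back to the dynamic string template from order 10 and loses both the `ip` type and the `copy_to` into `any_ip_addr`, so range and CIDR queries on it quietly return nothing. The fix is the three key renames `"src_nat_ipv6_addr"`, `"src_nat_ipv6_public"`, `"src_nat_ipv6_type"`, assuming the pipeline side (not in this view) uses those names.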
|
|
@ -0,0 +1,88 @@
|
|||
{
|
||||
"order": 91,
|
||||
"index_patterns": [ "logs-*" ],
|
||||
"version": 2018080101,
|
||||
"mappings": {
|
||||
"_doc": {
|
||||
"properties": {
|
||||
"src_ipv6_addr": {
|
||||
"type": "ip",
|
||||
"copy_to": "any_ip_addr"
|
||||
},
|
||||
"src_ipv6_public": {
|
||||
"type": "boolean",
|
||||
"doc_values": false
|
||||
},
|
||||
"src_ipv6_type": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"meta_src_ipv6_geo": {
|
||||
"properties": {
|
||||
"asn": {
|
||||
"type": "integer",
|
||||
"copy_to": "any_ip_geo.asn"
|
||||
},
|
||||
"as_org": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"copy_to": "any_ip_geo.as_org",
|
||||
"fields": {
|
||||
"keyword": {
|
||||
"type": "keyword",
|
||||
"eager_global_ordinals": true
|
||||
}
|
||||
}
|
||||
},
|
||||
"country_code2": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"country_code3": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"country_name": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"continent_code": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"region_code": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"region_name": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"city_name": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"postal_code": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"latitude": {
|
||||
"type": "keyword",
|
||||
"index": false,
|
||||
"doc_values": false
|
||||
},
|
||||
"longitude": {
|
||||
"type": "keyword",
|
||||
"index": false,
|
||||
"doc_values": false
|
||||
},
|
||||
"dma_code": {
|
||||
"type": "integer"
|
||||
},
|
||||
"area_code": {
|
||||
"type": "integer"
|
||||
},
|
||||
"timezone": {
|
||||
"type": "keyword",
|
||||
"index": false
|
||||
},
|
||||
"location": {
|
||||
"type": "geo_point"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,26 @@
|
|||
{
|
||||
"order": 99,
|
||||
"index_patterns": [ "logs-*" ],
|
||||
"version": 2018080101,
|
||||
"mappings": {
|
||||
"_doc": {
|
||||
"properties": {
|
||||
"any_ip_addr": {
|
||||
"type": "ip"
|
||||
},
|
||||
"any_ip_geo": {
|
||||
"properties": {
|
||||
"asn": {
|
||||
"type": "integer",
|
||||
"doc_values": false
|
||||
},
|
||||
"as_org": {
|
||||
"type": "text",
|
||||
"norms": false
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
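Review bot: `any_ip_geo.asn` has `"doc_values": false` and `any_ip_geo.as_org` is `text` with no `keyword` sub-field, so the `copy_to` targets that every per-direction geo template feeds are searchable but cannot be aggregated on, even though the source fields carry `as_org.keyword` with `eager_global_ordinals` precisely for aggregation. If `any_ip_*` is meant as a search-only convenience ("any direction matches this ASN") that should be stated in a `_meta` entry or the README; if cross-direction aggregation is wanted, `asn` needs doc values and `as_org` the same `keyword` sub-field. `any_ip_geo.asn` is also an `integer` and shares the 32-bit ASN range concern raised on the first `meta_dst_nat_ip_geo` template.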
|
|
@ -1,29 +0,0 @@
|
|||
{
|
||||
"index_patterns" : "logs-endpoint-powershell-direct-*",
|
||||
"settings" : {
|
||||
"index.refresh_interval": "5s"
|
||||
},
|
||||
"mappings":{
|
||||
"doc":{
|
||||
"dynamic_templates": [{
|
||||
"strings":{
|
||||
"match_mapping_type": "string",
|
||||
"mapping": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"fields": {
|
||||
"raw": {
|
||||
"type": "keyword",
|
||||
"ignore_above": 256
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}],
|
||||
"properties":{
|
||||
"@timestamp":{"type":"date"},
|
||||
"process_id":{"type":"integer"}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,29 +0,0 @@
|
|||
{
|
||||
"index_patterns" : "logs-endpoint-winevent-application-*",
|
||||
"settings" : {
|
||||
"index.refresh_interval": "5s"
|
||||
},
|
||||
"mappings":{
|
||||
"doc":{
|
||||
"dynamic_templates": [{
|
||||
"strings":{
|
||||
"match_mapping_type": "string",
|
||||
"mapping": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"fields": {
|
||||
"raw": {
|
||||
"type": "keyword",
|
||||
"ignore_above": 256
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}],
|
||||
"properties":{
|
||||
"@timestamp":{"type":"date"},
|
||||
"spp_restart_scheduled":{"type":"date"}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,37 +0,0 @@
|
|||
{
|
||||
"index_patterns" : "logs-endpoint-winevent-security-*",
|
||||
"settings" : {
|
||||
"index.refresh_interval": "5s"
|
||||
},
|
||||
"mappings":{
|
||||
"doc":{
|
||||
"dynamic_templates": [{
|
||||
"strings":{
|
||||
"match_mapping_type": "string",
|
||||
"mapping": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"fields": {
|
||||
"raw": {
|
||||
"type": "keyword",
|
||||
"ignore_above": 256
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}],
|
||||
"properties":{
|
||||
"@timestamp":{"type":"date"},
|
||||
"@date_new_time":{"type":"date"},
|
||||
"@date_previous_time":{"type":"date"},
|
||||
"process_id":{"type":"integer"},
|
||||
"target_process_id":{"type":"integer"},
|
||||
"process_parent_id":{"type":"integer"},
|
||||
"user_session_id":{"type":"integer"},
|
||||
"src_port":{"type":"integer"},
|
||||
"dst_port":{"type":"integer"},
|
||||
"version":{"type":"integer"}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,50 +0,0 @@
|
|||
{
|
||||
"index_patterns" : "logs-endpoint-winevent-sysmon-*",
|
||||
"settings" : {
|
||||
"index.refresh_interval": "5s"
|
||||
},
|
||||
"mappings":{
|
||||
"doc":{
|
||||
"dynamic_templates": [{
|
||||
"strings":{
|
||||
"match_mapping_type": "string",
|
||||
"mapping": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"fields": {
|
||||
"raw": {
|
||||
"type": "keyword",
|
||||
"ignore_above": 256
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}],
|
||||
"properties":{
|
||||
"@timestamp":{"type":"date"},
|
||||
"@date_creation":{"type":"date"},
|
||||
"@date_creation_previous":{"type":"date"},
|
||||
"dst_port":{"type":"integer"},
|
||||
"src_port":{"type":"integer"},
|
||||
"event_id":{"type":"integer"},
|
||||
"geoip":{
|
||||
"properties":{
|
||||
"dma_code":{"type":"integer"},
|
||||
"latitude":{"type":"float"},
|
||||
"location":{"type": "geo_point"},
|
||||
"longitude":{"type":"float"}
|
||||
}
|
||||
},
|
||||
"network_initiated":{"type":"boolean"},
|
||||
"process_id":{"type":"integer"},
|
||||
"thread_new_id":{"type":"integer"},
|
||||
"module_signed":{"type":"boolean"},
|
||||
"process_parent_id":{"type":"integer"},
|
||||
"target_process_id":{"type":"integer"},
|
||||
"user_session_id":{"type":"integer"},
|
||||
"thread_id":{"type":"integer"},
|
||||
"version":{"type":"integer"}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,28 +0,0 @@
|
|||
{
|
||||
"index_patterns" : "logs-endpoint-winevent-system-*",
|
||||
"settings" : {
|
||||
"index.refresh_interval": "5s"
|
||||
},
|
||||
"mappings":{
|
||||
"doc":{
|
||||
"dynamic_templates": [{
|
||||
"strings":{
|
||||
"match_mapping_type": "string",
|
||||
"mapping": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"fields": {
|
||||
"raw": {
|
||||
"type": "keyword",
|
||||
"ignore_above": 256
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}],
|
||||
"properties":{
|
||||
"@timestamp":{"type":"date"}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,29 +0,0 @@
|
|||
{
|
||||
"index_patterns" : "logs-endpoint-winevent-wmiactivity-*",
|
||||
"settings" : {
|
||||
"index.refresh_interval": "5s"
|
||||
},
|
||||
"mappings":{
|
||||
"doc":{
|
||||
"dynamic_templates": [{
|
||||
"strings":{
|
||||
"match_mapping_type": "string",
|
||||
"mapping": {
|
||||
"type": "text",
|
||||
"norms": false,
|
||||
"fields": {
|
||||
"raw": {
|
||||
"type": "keyword",
|
||||
"ignore_above": 256
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}],
|
||||
"properties":{
|
||||
"@timestamp":{"type":"date"},
|
||||
"process_id":{"type":"integer"}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
@ -4,8 +4,7 @@
|
|||
# License: GPL-3.0
|
||||
|
||||
input {
|
||||
kafka
|
||||
{
|
||||
kafka {
|
||||
bootstrap_servers => "helk-kafka-broker:9092,helk-kafka-broker2:9093"
|
||||
topics => ["winlogbeat"]
|
||||
decorate_events => true
|
|
@ -5,8 +5,7 @@
|
|||
# License: GPL-3.0
|
||||
|
||||
input {
|
||||
file
|
||||
{
|
||||
file {
|
||||
path => "/usr/share/logstash/cti/mitre_attack.csv"
|
||||
start_position => "beginning"
|
||||
sincedb_path => "/dev/null"
|
|
@ -0,0 +1,11 @@
|
|||
# HELK Kafka input conf file
|
||||
# HELK build Stage: Alpha
|
||||
# Author: Roberto Rodriguez (@Cyb3rWard0g)
|
||||
# License: GPL-3.0
|
||||
|
||||
input {
|
||||
beats {
|
||||
port => 5044
|
||||
include_codec_tag => false
|
||||
}
|
||||
}
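Review bot: The new beats listener on port 5044 has no TLS or client authentication, so the transport offers neither confidentiality for the Windows event data winlogbeat sends nor any assurance of who is sending it: any host that can reach the port can inject events into the pipeline. If Logstash is meant to be reachable only on the HELK container network (the `helk-*` hostnames elsewhere in this commit suggest so) that is an acceptable decision, but it should be recorded; otherwise enable the input's TLS options, `ssl => true`, `ssl_certificate => "<cert path>"`, `ssl_key => "<key path>"`, and consider `ssl_verify_mode => "force_peer"` so only enrolled beats can deliver. Either way a header comment such as `# Plaintext beats input: only expose inside the HELK network` would make the exposure explicit to whoever deploys it.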
|
|
@ -0,0 +1,19 @@
|
|||
# HELK All filter conf file
|
||||
# HELK build Stage: Alpha
|
||||
# Author: Roberto Rodriguez (@Cyb3rWard0g)
|
||||
# License: GPL-3.0
|
||||
|
||||
filter {
|
||||
if [message] {
|
||||
mutate {
|
||||
add_field => {
|
||||
"z_logstash_pipeline" => "0098"
|
||||
"log_ingest_timestamp" => "%{@timestamp}"
|
||||
}
|
||||
copy => {
|
||||
"message" => "z_original_message"
|
||||
"type" => "z_logstash_type"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
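Review bot: `add_field` appends to a field that already exists, so once this filter and the `0099` mutate in the following hunk both run on an event, `z_logstash_pipeline` is an array `["0098", "0099"]` rather than a single id; if a trail of every pipeline that touched the event is the intent, say so, e.g. `# z_logstash_pipeline is multi-valued: each HELK filter appends its own id`, otherwise the later filters should use `replace`. `log_ingest_timestamp` is produced by string interpolation of `@timestamp`, and the `logs-*` template earlier in this commit declares no mapping for it, so whether it is indexed as `date` depends on dynamic date detection; adding `"log_ingest_timestamp":{"type":"date"}` to that template's `properties` would pin it. The `copy` of `message` into `z_original_message` also stores a second full copy of the raw event in every document, presumably so the original survives later `remove_field` steps, which is worth stating in the header comment.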
|
|
@ -5,6 +5,7 @@
|
|||
|
||||
filter {
|
||||
if [message] {
|
||||
mutate { add_field => { "z_logstash_pipeline" => "0099" } }
|
||||
fingerprint {
|
||||
source => "message"
|
||||
target => "[@metadata][log_hash]"
|
|
@ -1,136 +0,0 @@
|
|||
# HELK powershell filter conf file
|
||||
# HELK build Stage: Alpha
|
||||
# Author: Roberto Rodriguez (@Cyb3rWard0g)
|
||||
# License: GPL-3.0
|
||||
|
||||
# Reference:
|
||||
# Nate Guagenti (@neu5ron) https://gist.github.com/neu5ron/450289373db61d5c8d7378e79455ef07#file-511-windows-event-powershell-operational-conf
|
||||
|
||||
filter {
|
||||
if [source_name] == "Microsoft-Windows-PowerShell" or [source_name] == "PowerShell"{
|
||||
if [event_id] == 4103 {
|
||||
mutate {
|
||||
add_field => [ "PayloadInvocation", "%{[event_data][Payload]}" ]
|
||||
add_field => [ "PayloadParams", "%{[event_data][Payload]}" ]
|
||||
gsub => [
|
||||
"[event_data][ContextInfo]", " ", "",
|
||||
"[event_data][ContextInfo]", " = ", "="
|
||||
]
|
||||
}
|
||||
mutate {
|
||||
gsub => [
|
||||
"PayloadInvocation", "CommandInvocation\(.*\)", "commandinvocation",
|
||||
"PayloadInvocation", "ParameterBinding.*\r\n", "",
|
||||
"PayloadParams", "parameterbinding\(.*\)", "parameterbinding",
|
||||
"PayloadParams", "CommandInvocation.*\r\n", "",
|
||||
"[event_data][Payload]", "CommandInvocation.*\r\n", "",
|
||||
"[event_data][Payload]", "ParameterBinding.*\r\n", ""
|
||||
]
|
||||
rename => { "[event_load][Payload]" => "[powershell][payload]" }
|
||||
}
|
||||
kv {
|
||||
source => "PayloadInvocation"
|
||||
field_split => "\n"
|
||||
value_split => ":"
|
||||
allow_duplicate_values => false
|
||||
target => "[powershell]"
|
||||
include_keys => [ "commandinvocation" ]
|
||||
}
|
||||
kv {
|
||||
source => "PayloadParams"
|
||||
value_split => "="
|
||||
allow_duplicate_values => false
|
||||
target => "[powershell][param]"
|
||||
include_keys => [ "name", "value" ]
|
||||
}
|
||||
kv {
|
||||
source => "[event_data][ContextInfo]"
|
||||
field_split => "\r\n"
|
||||
value_split => "="
|
||||
remove_char_key => " "
|
||||
allow_duplicate_values => false
|
||||
include_keys => [ "Severity", "HostName", "HostVersion", "HostID", "HostApplication", "EngineVersion", "RunspaceID", "PipelineID", "CommandName", "CommandType", "ScriptName", "CommandPath", "SequenceNumber", "ConnectedUser", "ShellID" ]
|
||||
}
|
||||
mutate {
|
||||
rename => {
|
||||
"CommandName" => "[powershell][command][name]"
|
||||
"CommandPath" => "[powershell][command][path]"
|
||||
"CommandType" => "[powershell][command][type]"
|
||||
"ConnectedUser" => "[powershell][connected][user]"
|
||||
"EngineVersion" => "[powershell][engine][version]"
|
||||
"HostApplication" => "[powershell][host][application]"
|
||||
"HostID" => "[powershell][host][id]"
|
||||
"HostName" => "[powershell][host][name]"
|
||||
"HostVersion" => "[powershell][host][version]"
|
||||
"PipelineID" => "[powershell][pipeline][id]"
|
||||
"RunspaceID" => "[powershell][runspace][id]"
|
||||
"Scriptname" => "[powershell][script][name]"
|
||||
"SequenceNumber" => "[powershell][sequence][number]"
|
||||
"ShellID" => "[powershell][shell][id]"
|
||||
}
|
||||
remove_field => [
|
||||
"Severity",
|
||||
"EventType",
|
||||
"Keywords",
|
||||
"message",
|
||||
"Opcode",
|
||||
"PayloadInvocation",
|
||||
"PayloadParams",
|
||||
"[event_data][Payload]",
|
||||
"[event_data][ContextInfo]"
|
||||
]
|
||||
convert => { "[powershell][pipeline][id]" => "integer" }
|
||||
convert => { "[powershell][sequence][number]" => "integer" }
|
||||
}
|
||||
}
|
||||
if [event_id] == 4104 {
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][MessageNumber]" => "[powershell][message][number]"
|
||||
"[event_data][MessageTotal]" => "[powershell][message][total]"
|
||||
"[event_data][ScriptBlockId]" => "[powershell][scriptblock][id]"
|
||||
"[event_data][ScriptBlockText]" => "[powershell][scriptblock][text]"
|
||||
"[event_data][Path]" => "[powershell][script][path]"
|
||||
}
|
||||
remove_field => [ "message" ]
|
||||
convert => { "[powershell][message][number]" => "integer" }
|
||||
convert => { "[powershell][message][total]" => "integer" }
|
||||
convert => { "[powershell][scriptblock][id]" => "integer" }
|
||||
}
|
||||
}
|
||||
if [event_id] == 400 or [event_id] == 600 {
|
||||
kv {
|
||||
source => "[event_data][param3]"
|
||||
field_split => "\n"
|
||||
value_split => "="
|
||||
trim_key => "\t"
|
||||
allow_duplicate_values => false
|
||||
}
|
||||
mutate {
|
||||
rename => {
|
||||
"ProviderName" => "[powershell][providername]"
|
||||
"NewProviderState" => "[powershell][newproviderstate]"
|
||||
"SequenceNumber" => "[powershell][sequencenumber"
|
||||
"HostName" => "[powershell][host][name]"
|
||||
"HostVersion" => "[powershell][host][version]"
|
||||
"HostId" => "[powershell][host][id]"
|
||||
"HostApplication" => "[powershell][host][application]"
|
||||
"EngineVersion" => "[powershell][engine][version]"
|
||||
"RunspaceId" => "[powershell][runspace][id]"
|
||||
"PipelineId" => "[powershell][pipeline][id]"
|
||||
"CommandName" => "[powershell][command][name]"
|
||||
"CommandType" => "[powershell][command][type]"
|
||||
"ScriptName" => "[powershell][script][name]"
|
||||
"CommandPath" => "[powershell][command][path]"
|
||||
"CommandLine" => "[powershell][command][line]"
|
||||
"NewEngineState" => "[powershell][newengine][state]"
|
||||
"PreviousEngineState" => "[powershell][previousengine][state]"
|
||||
}
|
||||
remove_field => [ "message" ]
|
||||
remove_field => "[event_data][param1]"
|
||||
remove_field => "[event_data][param2]"
|
||||
remove_field => "[event_data][param3]"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,28 @@
|
|||
filter {
|
||||
# Use the following to get rid of the prepended "event_data" nest that (elastic) winlogbeats adds to windows logs
|
||||
if [type] == "wineventlog" and [beat] {
|
||||
ruby {
|
||||
code => "
|
||||
eventdata = event.get('event_data')
|
||||
# Sometimes does not exist, so check that first -- then move the nests
|
||||
if !eventdata.nil?
|
||||
eventdata.each {|k, v|
|
||||
if eventdata.to_s != '(NULL)'
|
||||
event.set(k, v)
|
||||
end
|
||||
}
|
||||
end
|
||||
# Finally remove the nest completely
|
||||
event.remove('event_data')
|
||||
"
|
||||
tag_on_exception => "_rubyexception_1010"
|
||||
#code => "
|
||||
# event.get('event_data').each {|k, v|
|
||||
# event.set(k, v)
|
||||
# }
|
||||
# event.remove('event_data')
|
||||
#"
|
||||
#tag_on_exception => "_rubyexception_1010"
|
||||
}
|
||||
}
|
||||
}
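Review bot: The `(NULL)` guard inside the `each` block tests `eventdata.to_s`, the string form of the whole hash, rather than the current value, so it is either always true or always false for a given event and never skips an individual `(NULL)` value; it should read `if v.to_s != '(NULL)'`. Because `event.set(k, v)` promotes every `event_data` key to the top level, a key that coincides with an existing top-level field (for example `message` or `type`) would silently overwrite it — presumably harmless for the winlogbeat schema, but worth a comment or an `unless event.include?(k)` guard. The commented-out alternative `code` block and its duplicate `tag_on_exception` are dead text and should be dropped rather than shipped.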
|
|
@ -1,315 +0,0 @@
|
|||
# HELK sysmon filter conf file
|
||||
# HELK build Stage: Alpha
|
||||
# Author: Roberto Rodriguez (@Cyb3rWard0g)
|
||||
# License: GPL-3.0
|
||||
|
||||
filter {
|
||||
if [log_name] == "Microsoft-Windows-Sysmon/Operational"{
|
||||
mutate {
|
||||
rename => {
|
||||
"[user][domain]" => "user_reporter_domain"
|
||||
"[user][identifier]" => "user_reporter_sid"
|
||||
"[user][name]" => "user_reporter_name"
|
||||
"[user][type]" => "user_reporter_type"
|
||||
"computer_name" => "host_name"
|
||||
}
|
||||
}
|
||||
if [provider_guid] {
|
||||
mutate {
|
||||
gsub => ["provider_guid","[{}]",""]
|
||||
}
|
||||
}
|
||||
if [event_data][RuleName] {
|
||||
kv {
|
||||
source => "[event_data][RuleName]"
|
||||
field_split => ","
|
||||
value_split => "="
|
||||
prefix => "mitre_"
|
||||
transform_key => "lowercase"
|
||||
}
|
||||
}
|
||||
if [event_data][Image] {
|
||||
if [event_data][Image] =~ /^(\w*$)|^(\w*\..*$)/ {
|
||||
mutate {
|
||||
copy => {"[event_data][Image]" => "process_name"}
|
||||
}
|
||||
}
|
||||
else {
|
||||
grok {
|
||||
match => { "[event_data][Image]" => ".*\\%{GREEDYDATA:process_name}" }
|
||||
tag_on_failure => [ "_grokparsefailure", "_parsefailure" ]
|
||||
}
|
||||
}
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][Image]" => "process_path"
|
||||
"[event_data][ProcessGuid]" => "process_guid"
|
||||
"[event_data][ProcessId]" => "process_id"
|
||||
}
|
||||
gsub => ["process_guid","[{}]",""]
|
||||
}
|
||||
}
|
||||
if [event_data][ParentImage] {
|
||||
grok {
|
||||
match => { "[event_data][ParentImage]" => ".*\\%{GREEDYDATA:process_parent_name}" }
|
||||
tag_on_failure => [ "_grokparsefailure", "_parsefailure" ]
|
||||
}
|
||||
}
|
||||
if [event_data][Hashes] {
|
||||
kv {
|
||||
source => "[event_data][Hashes]"
|
||||
field_split => ","
|
||||
value_split => "="
|
||||
prefix => "hash_"
|
||||
transform_key => "lowercase"
|
||||
}
|
||||
}
|
||||
if [event_data][TargetImage] {
|
||||
grok {
|
||||
match => { "[event_data][SourceImage]" => ".*\\%{GREEDYDATA:process_name}" }
|
||||
tag_on_failure => [ "_grokparsefailure", "_parsefailure" ]
|
||||
}
|
||||
grok {
|
||||
match => { "[event_data][TargetImage]" => ".*\\%{GREEDYDATA:target_process_name}" }
|
||||
tag_on_failure => [ "_grokparsefailure", "_parsefailure" ]
|
||||
}
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][SourceImage]" => "process_path"
|
||||
"[event_data][SourceProcessGUID]" => "process_guid"
|
||||
"[event_data][SourceProcessId]" => "process_id"
|
||||
"[event_data][TargetImage]" => "target_process_path"
|
||||
"[event_data][TargetProcessGUID]" => "target_process_guid"
|
||||
"[event_data][TargetProcessId]" => "target_process_id"
|
||||
}
|
||||
gsub => ["process_guid","[{}]",""]
|
||||
gsub => ["target_process_guid","[{}]",""]
|
||||
}
|
||||
}
|
||||
if [event_data][User] {
|
||||
grok {
|
||||
match => { "[event_data][User]" => "%{GREEDYDATA:user_domain}\\%{GREEDYDATA:user_name}" }
|
||||
tag_on_failure => [ "_grokparsefailure", "_parsefailure" ]
|
||||
}
|
||||
}
|
||||
if [event_data][LogonId] {
|
||||
mutate { rename => { "[event_data][LogonId]" => "user_logon_id" }}
|
||||
mutate { gsub => [ "user_logon_id", "0x", "" ]}
|
||||
ruby {
|
||||
code => "
|
||||
userlogonid = event.get('user_logon_id')
|
||||
userlogonid = userlogonid.hex
|
||||
event.set('user_logon_id', userlogonid)
|
||||
"
|
||||
tag_on_exception => "_0591_rubyexception"
|
||||
}
|
||||
}
|
||||
if [event_id] == 1 {
|
||||
mutate {
|
||||
add_field => { "action" => "processcreate" }
|
||||
rename => {
|
||||
"[event_data][CommandLine]" => "process_command_line"
|
||||
"[event_data][CurrentDirectory]" => "process_current_directory"
|
||||
"[event_data][ParentImage]" => "process_parent_path"
|
||||
"[event_data][ParentCommandLine]" => "process_parent_command_line"
|
||||
"[event_data][IntegrityLevel]" => "process_integrity_level"
|
||||
"[event_data][LogonGuid]" => "user_logon_guid"
|
||||
"[event_data][ParentProcessGuid]" => "process_parent_guid"
|
||||
"[event_data][ParentProcessId]" => "process_parent_id"
|
||||
"[event_data][TerminalSessionId]" => "user_session_id"
|
||||
"[event_data][FileVersion]" => "file_version"
|
||||
"[event_data][Description]" => "file_description"
|
||||
"[event_data][Product]" => "file_product"
|
||||
"[event_data][Company]" => "file_company"
|
||||
}
|
||||
gsub => ["process_parent_guid","[{}]",""]
|
||||
gsub => ["user_logon_guid","[{}]",""]
|
||||
}
|
||||
}
|
||||
if [event_id] == 2 {
|
||||
mutate {
|
||||
add_field => { "action" => "filecreatetime" }
|
||||
rename => {
|
||||
"[event_data][TargetFileName]" => "file_name"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 3 {
|
||||
mutate {
|
||||
add_field => { "action" => "networkconnect" }
|
||||
rename => {
|
||||
"[event_data][DestinationHostname]" => "dst_host_name"
|
||||
"[event_data][DestinationIp]" => "dst_ip"
|
||||
"[event_data][DestinationIsIpv6]" => "dst_is_ipv6"
|
||||
"[event_data][DestinationPort]" => "dst_port"
|
||||
"[event_data][DestinationPortName]" => "dst_port_name"
|
||||
"[event_data][Initiated]" => "network_initiated"
|
||||
"[event_data][Protocol]" => "network_protocol"
|
||||
"[event_data][SourceHostname]" => "src_host_name"
|
||||
"[event_data][SourceIp]" => "src_ip"
|
||||
"[event_data][SourceIsIpv6]" => "src_is_ipv6"
|
||||
"[event_data][SourcePort]" => "src_port"
|
||||
"[event_data][SourcePortName]" => "src_port_name"
|
||||
}
|
||||
}
|
||||
geoip {
|
||||
source => "dst_ip"
|
||||
remove_field => "[geoip][ip]"
|
||||
}
|
||||
}
|
||||
if [event_id] == 4 {
|
||||
mutate {
|
||||
add_field => { "action" => "sysmonservicestatechanged" }
|
||||
rename => {
|
||||
"[event_data][State]" => "service_state"
|
||||
"[event_data][Version]" => "sysmon_version"
|
||||
"[event_data][SchemaVersion]" => "sysmon_schema_version"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 6 {
|
||||
mutate {
|
||||
add_field => { "action" => "driverload" }
|
||||
rename => {
|
||||
"[event_data][ImageLoaded]" => "driver_loaded"
|
||||
"[event_data][Signature]" => "driver_signature"
|
||||
"[event_data][SignatureStatus]" => "driver_signature_status"
|
||||
"[event_data][Signed]" => "driver_signed"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 7 {
|
||||
mutate {
|
||||
add_field => { "action" => "imageload" }
|
||||
rename => {
|
||||
"[event_data][ImageLoaded]" => "module_loaded"
|
||||
"[event_data][Signature]" => "module_signature"
|
||||
"[event_data][SignatureStatus]" => "module_signature_status"
|
||||
"[event_data][Signed]" => "module_signed"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 8 {
|
||||
mutate {
|
||||
add_field => { "action" => "createremotethread" }
|
||||
rename => {
|
||||
"[event_data][NewThreadId]" => "thread_new_id"
|
||||
"[event_data][StartAddress]" => "thread_start_address"
|
||||
"[event_data][StartFunction]" => "thread_start_function"
|
||||
"[event_data][StartModule]" => "thread_start_module"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 9 {
|
||||
mutate {
|
||||
add_field => { "action" => "rawaccessread" }
|
||||
rename => {
|
||||
"[event_data][Device]" => "device_name"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 10 {
|
||||
mutate {
|
||||
add_field => { "action" => "processaccess" }
|
||||
rename => {
|
||||
"[event_data][CallTrace]" => "process_call_trace"
|
||||
"[event_data][GrantedAccess]" => "process_granted_access"
|
||||
"[event_data][SourceThreadId]" => "thread_id"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 11 {
|
||||
mutate {
|
||||
add_field => { "action" => "filecreate" }
|
||||
rename => {
|
||||
"[event_data][TargetFilename]" => "file_name"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 12 or [event_id] == 13 or [event_id] == 14 {
|
||||
mutate {
|
||||
add_field => { "action" => "registryevent" }
|
||||
rename => {
|
||||
"[event_data][EventType]" => "event_type"
|
||||
"[event_data][TargetObject]" => "registry_key_path"
|
||||
"[event_data][Details]" => "registry_key_value"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 15 {
|
||||
mutate {
|
||||
add_field => { "action" => "filecreatestreamhash" }
|
||||
rename => {
|
||||
"[event_data][TargetFilename]" => "file_name"
|
||||
"[event_data][Hash]" => "hash"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 16 {
|
||||
kv {
|
||||
source => "[event_data][ConfigurationFileHash]"
|
||||
value_split => "="
|
||||
prefix => "sysmon_config_hash_"
|
||||
transform_key => "lowercase"
|
||||
}
|
||||
mutate {
|
||||
add_field => { "action" => "sysmonconfigstatechanged" }
|
||||
rename => {
|
||||
"[event_data][State]" => "sysmon_configuration_state"
|
||||
"[event_data][Configuration]" => "sysmon_configuration"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 18 or [event_id] == 17 {
|
||||
mutate {
|
||||
add_field => { "action" => "pipeevent" }
|
||||
rename => {
|
||||
"[event_data][PipeName]" => "pipe_name"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 19 or [event_id] == 20 or [event_id] == 21 {
|
||||
mutate {
|
||||
add_field => { "action" => "wmievent" }
|
||||
rename => {
|
||||
"[event_data][EventType]" => "wmi_event_type"
|
||||
"[event_data][Operation]" => "wmi_operation"
|
||||
"[event_data][EventNamespace]" => "wmi_namespace"
|
||||
"[event_data][Name]" => "wmi_name"
|
||||
"[event_data][Query]" => "wmi_query"
|
||||
"[event_data][Type]" => "wmi_type"
|
||||
"[event_data][Destination]" => "wmi_destination"
|
||||
}
|
||||
}
|
||||
}
|
||||
date {
|
||||
timezone => "UTC"
|
||||
match => [ "[event_data][UtcTime]", "YYYY-MM-dd HH:mm:ss.SSS" ]
|
||||
tag_on_failure => [ "_sysmon_datefailure", "_dateparsefailure" ]
|
||||
}
|
||||
date {
|
||||
timezone => "UTC"
|
||||
match => [ "[event_data][CreationUtcTime]", "YYYY-MM-dd HH:mm:ss.SSS" ]
|
||||
target => "@date_creation"
|
||||
tag_on_failure => [ "_sysmon_datefailure", "_dateparsefailure" ]
|
||||
}
|
||||
date {
|
||||
timezone => "UTC"
|
||||
match => [ "[event_data][PreviousCreationUtcTime]", "YYYY-MM-dd HH:mm:ss.SSS" ]
|
||||
target => "@date_creation_previous"
|
||||
tag_on_failure => [ "_sysmon_datefailure", "_dateparsefailure" ]
|
||||
}
|
||||
mutate {
|
||||
remove_field => "[event_data]"
|
||||
remove_field => "message"
|
||||
remove_field => "[event_data][Hashes]"
|
||||
remove_field => "[event_data][ConfigurationFileHash]"
|
||||
remove_field => "[event_data][UtcTime]"
|
||||
remove_field => "[event_data][CreationUtcTime]"
|
||||
remove_field => "[event_data][PreviousCreationUtcTime]"
|
||||
remove_field => "[user]"
|
||||
rename => { "[event_data][User]" => "user_account"}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -1,854 +0,0 @@
|
|||
# HELK winevent-security filter conf file
|
||||
# HELK build Stage: Alpha
|
||||
# Author: Roberto Rodriguez (@Cyb3rWard0g)
|
||||
# License: GPL-3.0
|
||||
|
||||
filter {
|
||||
if [log_name] == "Security"{
|
||||
if [event_data][ProcessName] {
|
||||
grok {
|
||||
match => {
|
||||
"[event_data][ProcessName]" => ".*\\%{GREEDYDATA:process_name}"
|
||||
}
|
||||
tag_on_failure => [ "_grokparsefailure", "_parsefailure" ]
|
||||
}
|
||||
}
|
||||
if [event_id] == 4611 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4611.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][SubjectUserSid]" => "user_sid"
|
||||
"[event_data][SubjectUserName]" => "user_name"
|
||||
"[event_data][SubjectDomainName]" => "user_domain"
|
||||
"[event_data][SubjectLogonId]" => "user_logon_id"
|
||||
"[event_data][LogonProcessName]" => "logon_process_name"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4616 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4616.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][NewTime]" => "@date_new_time"
|
||||
"[event_data][PreviousTime]" => "@date_previous_time"
|
||||
"[event_data][SubjectUserSid]" => "user_sid"
|
||||
"[event_data][SubjectUserName]" => "user_name"
|
||||
"[event_data][SubjectDomainName]" => "user_domain"
|
||||
"[event_data][SubjectLogonId]" => "user_logon_id"
|
||||
"[event_data][ProcessId]" => "process_id"
|
||||
"[event_data][ProcessName]" => "process_path"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4624 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4624.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][SubjectUserSid]" => "user_reporter_sid"
|
||||
"[event_data][SubjectUserName]" => "user_reporter_name"
|
||||
"[event_data][SubjectDomainName]" => "user_reporter_domain"
|
||||
"[event_data][SubjectLogonId]" => "reporter_logon_id"
|
||||
"[event_data][ProcessId]" => "process_id"
|
||||
"[event_data][ProcessName]" => "process_path"
|
||||
"[event_data][TargetLogonId]" => "user_logon_id"
|
||||
"[event_data][LogonType]" => "logon_type"
|
||||
"[event_data][RestrictedAdminMode]" => "logon_restricted_adminmode"
|
||||
"[event_data][VirtualAccount]" => "logon_virtual_account"
|
||||
"[event_data][ElevatedToken]" => "logon_elevated_token"
|
||||
"[event_data][TargetUserName]" => "user_name"
|
||||
"[event_data][TargetDomainName]" => "user_domain"
|
||||
"[event_data][TargetLinkedLogonId]" => "user_linked_logon_id"
|
||||
"[event_data][TargetOutboundDomainName]" => "user_network_account_domain"
|
||||
"[event_data][TargetOutboundUserName]" => "user_network_account_name"
|
||||
"[event_data][TargetUserSid]" => "user_sid"
|
||||
"[event_data][ImpersonationLevel]" => "impersonation_level"
|
||||
"[event_data][LogonGuid]" => "user_logon_guid"
|
||||
"[event_data][WorkstationName]" => "src_host_name"
|
||||
"[event_data][IpAddress]" => "src_ip"
|
||||
"[event_data][IpPort]" => "src_port"
|
||||
"[event_data][LogonProcessName]" => "logon_process_name"
|
||||
"[event_data][AuthenticationPackageName]" => "logon_authentication_package_name"
|
||||
"[event_data][TransmittedServices]" => "logon_transmitted_services"
|
||||
"[event_data][LmPackageName]" => "logon_package_name"
|
||||
"[event_data][KeyLength]" => "logon_key_length"
|
||||
}
|
||||
}
|
||||
if "logon_elevated_token" == "Yes"{
|
||||
mutate {
|
||||
add_tag => ["elevated_logon"]
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4625 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4625.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][SubjectUserSid]" => "user_reporter_sid"
|
||||
"[event_data][SubjectUserName]" => "user_reporter_name"
|
||||
"[event_data][SubjectDomainName]" => "user_reporter_domain"
|
||||
"[event_data][SubjectLogonId]" => "reporter_logon_id"
|
||||
"[event_data][ProcessId]" => "process_id"
|
||||
"[event_data][ProcessName]" => "process_path"
|
||||
"[event_data][LogonType]" => "logon_type"
|
||||
"[event_data][TargetUserName]" => "user_name"
|
||||
"[event_data][TargetDomainName]" => "user_domain"
|
||||
"[event_data][TargetUserSid]" => "user_sid"
|
||||
"[event_data][WorkstationName]" => "src_host"
|
||||
"[event_data][IpAddress]" => "src_ip"
|
||||
"[event_data][IpPort]" => "src_port"
|
||||
"[event_data][LogonProcessName]" => "logon_process_name"
|
||||
"[event_data][AuthenticationPackageName]" => "logon_authentication_package_name"
|
||||
"[event_data][TransmittedServices]" => "logon_transmitted_services"
|
||||
"[event_data][LmPackageName]" => "logon_package_name"
|
||||
"[event_data][KeyLength]" => "logon_key_length"
|
||||
"[event_data][FailureReason]" => "logon_failure_reason"
|
||||
"[event_data][Status]" => "logon_failure_status"
|
||||
"[event_data][SubStatus]" => "logon_failure_substatus"
|
||||
}
|
||||
}
|
||||
if "logon_elevated_token" == "Yes"{
|
||||
mutate {
|
||||
add_tag => ["elevated_logon"]
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4627 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4627.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][SubjectUserSid]" => "user_reporter_sid"
|
||||
"[event_data][SubjectUserName]" => "user_reporter_name"
|
||||
"[event_data][SubjectDomainName]" => "user_reporter_domain"
|
||||
"[event_data][SubjectLogonId]" => "reporter_logon_id"
|
||||
"[event_data][TargetLogonId]" => "user_logon_id"
|
||||
"[event_data][LogonType]" => "logon_type"
|
||||
"[event_data][TargetUserName]" => "user_name"
|
||||
"[event_data][TargetDomainName]" => "user_domain"
|
||||
"[event_data][TargetUserSid]" => "user_sid"
|
||||
"[event_data][GroupMembership]" => "user_group_membership"
|
||||
}
|
||||
remove_field => "[event_data][EventCountTotal]"
|
||||
remove_field => "[event_data][EventIdx]"
|
||||
}
|
||||
}
|
||||
if [event_id] == 4634 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4634.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][LogonType]" => "logon_type"
|
||||
"[event_data][TargetDomainName]" => "user_domain"
|
||||
"[event_data][TargetLogonId]" => "user_logon_id"
|
||||
"[event_data][TargetUserName" => "user_name"
|
||||
"[event_data][TargetUserSid]" => "user_sid"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4647 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4647.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][TargetDomainName]" => "user_domain"
|
||||
"[event_data][TargetLogonId]" => "user_logon_id"
|
||||
"[event_data][TargetUserName" => "user_name"
|
||||
"[event_data][TargetUserSid]" => "user_sid"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4648 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4648.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][SubjectUserSid]" => "user_sid"
|
||||
"[event_data][SubjectUserName]" => "user_name"
|
||||
"[event_data][SubjectDomainName]" => "user_domain"
|
||||
"[event_data][SubjectLogonId]" => "user_logon_id"
|
||||
"[event_data][LogonGuid]" => "user_logon_guid"
|
||||
"[event_data][TargetUserName]" => "target_user_name"
|
||||
"[event_data][TargetDomainName]" => "target_user_domain"
|
||||
"[event_data][ProcessId]" => "process_id"
|
||||
"[event_data][ProcessName]" => "process_path"
|
||||
"[event_data][TargetLogonId]" => "target_user_logon_id"
|
||||
"[event_data][TargetServerName]" => "service_host_name"
|
||||
"[event_data][TargetInfo]" => "service_host_info"
|
||||
"[event_data][TargetLogonGuid]" => "target_user_logon_guid"
|
||||
"[event_data][IpAddress]" => "src_ip"
|
||||
"[event_data][IpPort]" => "src_port"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4656 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4656.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][SubjectDomainName]" => "user_domain"
|
||||
"[event_data][SubjectLogonId]" => "user_logon_id"
|
||||
"[event_data][SubjectUserName]" => "user_name"
|
||||
"[event_data][SubjectUserSid]" => "user_sid"
|
||||
"[event_data][AccessList]" => "object_access_list_requested"
|
||||
"[event_data][AccessMask]" => "object_access_mask_requested"
|
||||
"[event_data][AccessReason]" => "object_access_reason"
|
||||
"[event_data][ObjectName]" => "object_name"
|
||||
"[event_data][ObjectServer]" => "object_server"
|
||||
"[event_data][ObjectType]" => "object_type"
|
||||
"[event_data][HandleId]" => "object_access_handle_id"
|
||||
"[event_data][PrivilegeList]" => "object_privilege_list"
|
||||
"[event_data][TransactionId" => "object_access_transaction_id"
|
||||
"[event_data][ProcessId]" => "process_id"
|
||||
"[event_data][ProcessName]" => "process_path"
|
||||
"[event_data][ResourceAttributes]" => "object_resource_attributes"
|
||||
"event_data][RestrictedSidCount]" => "object_restricted_sid_count"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4657 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4657.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][SubjectDomainName]" => "user_domain"
|
||||
"[event_data][SubjectLogonId]" => "user_logon_id"
|
||||
"[event_data][SubjectUserName]" => "user_name"
|
||||
"[event_data][SubjectUserSid]" => "user_sid"
|
||||
"[event_data][ObjectName]" => "object_name"
|
||||
"[event_data][ObjectValueName]" => "object_value_name"
|
||||
"[event_data][HandleId]" => "object_access_handle_id"
|
||||
"[event_data][OperationType]" => "object_operation_type"
|
||||
"[event_data][ProcessId]" => "process_id"
|
||||
"[event_data][ProcessName]" => "process_path"
|
||||
"[event_data][OldValueType]" => "object_value_old_type"
|
||||
"[event_data][OldValue]" => "object_value_old"
|
||||
"[event_data][NewValueType]" => "object_value_new_type"
|
||||
"[event_data][NewValue]" => "object_value_new"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4658 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4658.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][SubjectDomainName]" => "user_domain"
|
||||
"[event_data][SubjectLogonId]" => "user_logon_id"
|
||||
"[event_data][SubjectUserName]" => "user_name"
|
||||
"[event_data][SubjectUserSid]" => "user_sid"
|
||||
"[event_data][ProcessId]" => "process_id"
|
||||
"[event_data][ProcessName]" => "process_path"
|
||||
"[event_data][ObjectServer]" => "object_server"
|
||||
"[event_data][HandleId]" => "object_access_handle_id"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4661 or [event_id] == 4662 or [event_id] == 4663 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4661.md
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4662.md
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4663.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][SubjectDomainName]" => "user_domain"
|
||||
"[event_data][SubjectLogonId]" => "user_logon_id"
|
||||
"[event_data][SubjectUserName]" => "user_name"
|
||||
"[event_data][SubjectUserSid]" => "user_sid"
|
||||
"[event_data][Properties]" => "object_properties"
|
||||
"[event_data][AccessMask]" => "object_access_mask_requested"
|
||||
"[event_data][HandleId]" => "object_access_handle_id"
|
||||
"[event_data][ObjectName]" => "object_name"
|
||||
"[event_data][ObjectServer]" => "object_server"
|
||||
"[event_data][ObjectType]" => "object_type"
|
||||
"[event_data][AdditionalInfo2]" => "object_additional_info2"
|
||||
"[event_data][OperationType]" => "object_operation_type"
|
||||
"[event_data][AdditionalInfo]" => "object_additional_info"
|
||||
"[event_data][AccessList]" => "object_access_list_requested"
|
||||
"[event_data][ResourceAttributes]" => "object_resource_attributes"
|
||||
"[event_data][ProcessId]" => "process_id"
|
||||
"[event_data][ProcessName]" => "process_path"
|
||||
"[event_data][AccessReason]" => "object_access_reason"
|
||||
"[event_data][PrivilegeList]" => "object_privilege_list"
|
||||
"[event_data][TransactionId" => "object_access_transaction_id"
|
||||
"event_data][RestrictedSidCount]" => "object_restricted_sid_count"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4670 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4670.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][SubjectDomainName]" => "user_domain"
|
||||
"[event_data][SubjectLogonId]" => "user_logon_id"
|
||||
"[event_data][SubjectUserName]" => "user_name"
|
||||
"[event_data][SubjectUserSid]" => "user_sid"
|
||||
"[event_data][ProcessId]" => "process_id"
|
||||
"[event_data][ProcessName]" => "process_path"
|
||||
"[event_data][HandleId]" => "object_access_handle_id"
|
||||
"[event_data][NewSd]" => "object_new_sddl"
|
||||
"[event_data][ObjectName]" => "object_name"
|
||||
"[event_data][ObjectServer]" => "object_server"
|
||||
"[event_data][ObjectType]" => "object_type"
|
||||
"[event_data][OldSd]" => "object_old_sddl"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4672 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4672.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][PrivilegeList]" => "logon_privileges_assigned"
|
||||
"[event_data][SubjectDomainName]" => "user_domain"
|
||||
"[event_data][SubjectLogonId]" => "user_logon_id"
|
||||
"[event_data][SubjectUserName]" => "user_name"
|
||||
"[event_data][SubjectUserSid]" => "user_sid"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4673 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4673.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][PrivilegeList]" => "service_privilege_list"
|
||||
"[event_data][ObjectServer]" => "object_server"
|
||||
"[event_data][Service]" => "service_name"
|
||||
"[event_data][SubjectDomainName]" => "user_domain"
|
||||
"[event_data][SubjectLogonId]" => "user_logon_id"
|
||||
"[event_data][SubjectUserName]" => "user_name"
|
||||
"[event_data][SubjectUserSid]" => "user_sid"
|
||||
"[event_data][ProcessId]" => "process_id"
|
||||
"[event_data][ProcessName]" => "process_path"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4674 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4674.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][SubjectDomainName]" => "user_domain"
|
||||
"[event_data][SubjectLogonId]" => "user_logon_id"
|
||||
"[event_data][SubjectUserName]" => "user_name"
|
||||
"[event_data][SubjectUserSid]" => "user_sid"
|
||||
"[event_data][ProcessId]" => "process_id"
|
||||
"[event_data][ProcessName]" => "process_path"
|
||||
"[event_data][AccessMask]" => "object_access_mask_requested"
|
||||
"[event_data][HandleId]" => "object_access_handle_id"
|
||||
"[event_data][ObjectName]" => "object_name"
|
||||
"[event_data][ObjectServer]" => "object_server"
|
||||
"[event_data][ObjectType]" => "object_type"
|
||||
"[event_data][PrivilegeList]" => "object_privilege_list"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4688 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4688.md
|
||||
grok {
|
||||
match => { "[event_data][NewProcessName]" => ".*\\%{GREEDYDATA:process_name}" }
|
||||
tag_on_failure => [ "_grokparsefailure", "_parsefailure" ]
|
||||
}
|
||||
grok {
|
||||
match => { "[event_data][ParentProcessName]" => ".*\\%{GREEDYDATA:process_parent_name}" }
|
||||
tag_on_failure => [ "_grokparsefailure", "_parsefailure" ]
|
||||
}
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][NewProcessId]" => "process_id"
|
||||
"[event_data][NewProcessName]" => "process_path"
|
||||
"[event_data][CommandLine]" => "command_line"
|
||||
"[event_data][ParentProcessName]" => "process_parent_path"
|
||||
"[event_data][SubjectDomainName]" => "user_domain"
|
||||
"[event_data][SubjectLogonId]" => "user_logon_id"
|
||||
"[event_data][SubjectUserName]" => "user_name"
|
||||
"[event_data][SubjectUserSid]" => "user_sid"
|
||||
"[event_data][TargetDomainName]" => "user_principal_domain"
|
||||
"[event_data][TargetUserSid]" => "user_principal_sid"
|
||||
"[event_data][TargetUserName]" => "user_principal_name"
|
||||
"[event_data][TargetLogonId]" => "user_principal_id"
|
||||
"[event_data][MandatoryLabel]" => "process_mandatory_level"
|
||||
"[event_data][ProcessId]" => "process_parent_id"
|
||||
"[event_data][TokenElevationType]" => "process_token_elevation_type"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4689 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4689.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][SubjectDomainName]" => "user_domain"
|
||||
"[event_data][SubjectLogonId]" => "user_logon_id"
|
||||
"[event_data][SubjectUserName]" => "user_name"
|
||||
"[event_data][SubjectUserSid]" => "user_sid"
|
||||
"[event_data][ProcessId]" => "process_id"
|
||||
"[event_data][ProcessName]" => "process_path"
|
||||
"[event_data][Status]" => "process_status"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4690 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4690.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][SubjectDomainName]" => "user_domain"
|
||||
"[event_data][SubjectLogonId]" => "user_logon_id"
|
||||
"[event_data][SubjectUserName]" => "user_name"
|
||||
"[event_data][SubjectUserSid]" => "user_sid"
|
||||
"[event_data][SourceHandleId]" => "process_handle_id"
|
||||
"[event_data][SourceProcessId]" => "process_id"
|
||||
"[event_data][TargetHandleId]" => "target_process_handle_id"
|
||||
"[event_data][TargetProcessId]" => "target_process_id"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4697 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4697.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][SubjectDomainName]" => "user_domain"
|
||||
"[event_data][SubjectLogonId]" => "user_logon_id"
|
||||
"[event_data][SubjectUserName]" => "user_name"
|
||||
"[event_data][SubjectUserSid]" => "user_sid"
|
||||
"[event_data][ServiceAccount]" => "service_account_name"
|
||||
"[event_data][ServiceFileName]" => "service_image_path"
|
||||
"[event_data][ServiceName]" => "service_name"
|
||||
"[event_data][ServiceStartType]" => "service_start_type"
|
||||
"[event_data][ServiceType]" => "service_type"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4701 or [event_id] == 4702 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4701.md
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4702.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][SubjectDomainName]" => "user_domain"
|
||||
"[event_data][SubjectLogonId]" => "user_logon_id"
|
||||
"[event_data][SubjectUserName]" => "user_name"
|
||||
"[event_data][SubjectUserSid]" => "user_sid"
|
||||
"[event_data][TaskContentNew]" => "task_new_content"
|
||||
"[event_data][TaskName]" => "task_name"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4703 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4703.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][SubjectDomainName]" => "user_domain"
|
||||
"[event_data][SubjectLogonId]" => "user_logon_id"
|
||||
"[event_data][SubjectUserName]" => "user_name"
|
||||
"[event_data][SubjectUserSid]" => "user_sid"
|
||||
"[event_data][TargetDomainName]" => "user_target_domain"
|
||||
"[event_data][TargetLogonId]" => "user_target_logon_id"
|
||||
"[event_data][TargetUserSid]" => "user_target_sid"
|
||||
"[event_data][TargetUserName]" => "user_target_name"
|
||||
"[event_data][DisabledPrivilegeList]" => "user_target_disabled_privilegelist"
|
||||
"[event_data][EnabledPrivilegeList]" => "user_target_enabled_privilegelist"
|
||||
"[event_data][ProcessId]" => "process_id"
|
||||
"[event_data][ProcessName]" => "process_path"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4719 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4719.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][SubjectDomainName]" => "user_domain"
|
||||
"[event_data][SubjectLogonId]" => "user_logon_id"
|
||||
"[event_data][SubjectUserName]" => "user_name"
|
||||
"[event_data][SubjectUserSid]" => "user_sid"
|
||||
"[event_data][AuditPolicyChanges]" => "policy_changes"
|
||||
"[event_data][CategoryId]" => "policy_category_id"
|
||||
"[event_data][SubcategoryGuid]" => "policy_subcategory_guid"
|
||||
"[event_data][SubcategoryId]" => "policy_subcategory_id"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4724 or [event_id] == 4725 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4724.md
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4725.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][SubjectDomainName]" => "user_domain"
|
||||
"[event_data][SubjectLogonId]" => "user_logon_id"
|
||||
"[event_data][SubjectUserName]" => "user_name"
|
||||
"[event_data][SubjectUserSid]" => "user_sid"
|
||||
"[event_data][TargetDomainName]" => "user_target_domain"
|
||||
"[event_data][TargetSid]" => "user_target_sid"
|
||||
"[event_data][TargetUserName]" => "user_target_name"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4726 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4726.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][SubjectDomainName]" => "user_domain"
|
||||
"[event_data][SubjectLogonId]" => "user_logon_id"
|
||||
"[event_data][SubjectUserName]" => "user_name"
|
||||
"[event_data][SubjectUserSid]" => "user_sid"
|
||||
"[event_data][TargetDomainName]" => "user_target_domain"
|
||||
"[event_data][TargetSid]" => "user_target_sid"
|
||||
"[event_data][TargetUserName]" => "user_target_name"
|
||||
"[event_data][PrivilegeList]" => "user_privilege_list"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4728 or [event_id] == 4729 {
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][SubjectDomainName]" => "user_domain"
|
||||
"[event_data][SubjectLogonId]" => "user_logon_id"
|
||||
"[event_data][SubjectUserName]" => "user_name"
|
||||
"[event_data][SubjectUserSid]" => "user_sid"
|
||||
"[event_data][TargetDomainName]" => "group_domain"
|
||||
"[event_data][TargetSid]" => "group_sid"
|
||||
"[event_data][TargetUserName]" => "group_name"
|
||||
"[event_data][MemberName]" => "group_member_name"
|
||||
"[event_data][MemberSid]" => "group_member_sid"
|
||||
"[event_data][PrivilegeList]" => "group_privilege_list"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4732 or [event_id] == 4733 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4732.md
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4733.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][SubjectDomainName]" => "user_domain"
|
||||
"[event_data][SubjectLogonId]" => "user_logon_id"
|
||||
"[event_data][SubjectUserName]" => "user_name"
|
||||
"[event_data][SubjectUserSid]" => "user_sid"
|
||||
"[event_data][TargetDomainName]" => "group_domain"
|
||||
"[event_data][TargetSid]" => "group_sid"
|
||||
"[event_data][TargetUserName]" => "group_name"
|
||||
"[event_data][MemberName]" => "group_member_name"
|
||||
"[event_data][MemberSid]" => "group_member_sid"
|
||||
"[event_data][PrivilegeList]" => "group_privilege_list"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4738 or [event_id] == 4720 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4738.md
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4720.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][SubjectDomainName]" => "user_domain"
|
||||
"[event_data][SubjectLogonId]" => "user_logon_id"
|
||||
"[event_data][SubjectUserName]" => "user_name"
|
||||
"[event_data][SubjectUserSid]" => "user_sid"
|
||||
"[event_data][TargetDomainName]" => "user_target_domain"
|
||||
"[event_data][TargetSid]" => "user_target_sid"
|
||||
"[event_data][TargetUserName]" => "user_target_name"
|
||||
"[event_data][AccountExpires]" => "user_attribute_account_expires"
|
||||
"[event_data][AllowedToDelegateTo]" => "user_attribute_allowed_todelegate"
|
||||
"[event_data][DisplayName]" => "user_attribute_display_name"
|
||||
"[event_data][Dummy]" => "user_attribute_dummy"
|
||||
"[event_data][HomeDirectory]" => "user_attribute_home_directory"
|
||||
"[event_data][HomePath]" => "user_attribute_home_path"
|
||||
"[event_data][LogonHours]" => "user_attribute_logon_hours"
|
||||
"[event_data][NewUacValue]" => "user_attribute_new_uacvalue"
|
||||
"[event_data][OldUacValue]" => "user_attribute_old_uacvalue"
|
||||
"[event_data][PasswordLastSet]" => "user_attribute_password_lastset"
|
||||
"[event_data][PrimaryGroupId]" => "[user_attribute_primary_group_id"
|
||||
"[event_data][PrivilegeList]" => "user_attribute_privilege_list"
|
||||
"[event_data][ProfilePath]" => "user_attribute_profile_path"
|
||||
"[event_data][SamAccountName]" => "user_attribute_samaccount_name"
|
||||
"[event_data][ScriptPath]" => "user_attribute_script_path"
|
||||
"[event_data][SidHistory]" => "user_attribute_sid_history"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4768 or [event_id] == 4769 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4768.md
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4769.md
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4771.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][TargetDomainName]" => "user_domain"
|
||||
"[event_data][TargetUserName]" => "user_name"
|
||||
"[event_data][IpAddress]" => "src_ip"
|
||||
"[event_data][IpPort]" => "src_port"
|
||||
"[event_data][PreAuthType]" => "service_ticket_preauthtype"
|
||||
"[event_data][LogonGuid]" => "user_logon_guid"
|
||||
"[event_data][ServiceName]" => "service_ticket_name"
|
||||
"[event_data][ServiceSid]" => "service_ticket_id"
|
||||
"[event_data][Status]" => "service_ticket_status"
|
||||
"[event_data][TicketEncryptionType]" => "ticket_encryption_type"
|
||||
"[event_data][TicketOptions]" => "ticket_options"
|
||||
"[event_data][FailureCode]" => "ticket_failure_code"
|
||||
"[event_data][TransmittedServices]" => "service_ticket_requested"
|
||||
"[event_data][TargetSid]" => "user_sid"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4797 {
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][SubjectDomainName]" => "user_domain"
|
||||
"[event_data][SubjectLogonId]" => "user_logon_id"
|
||||
"[event_data][SubjectUserName]" => "user_name"
|
||||
"[event_data][SubjectUserSid]" => "user_sid"
|
||||
"[event_data][TargetDomainName]" => "service_enumerated_domain"
|
||||
"[event_data][TargetUserName]" => "service_enumerated_name"
|
||||
"[event_data][Workstation]" => "host_name"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4798 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4798.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][CallerProcessId]" => "process_id"
|
||||
"[event_data][CallerProcessName]" => "process_path"
|
||||
"[event_data][SubjectDomainName]" => "user_domain"
|
||||
"[event_data][SubjectLogonId]" => "user_logon_id"
|
||||
"[event_data][SubjectUserName]" => "user_name"
|
||||
"[event_data][SubjectUserSid]" => "user_sid"
|
||||
"[event_data][TargetDomainName]" => "user_domain_enumerated"
|
||||
"[event_data][TargetSid]" => "user_sid_enumerated"
|
||||
"[event_data][TargetUserName]" => "user_name_enumerated"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4799 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4799.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][CallerProcessId]" => "process_id"
|
||||
"[event_data][CallerProcessName]" => "process_path"
|
||||
"[event_data][SubjectDomainName]" => "user_domain"
|
||||
"[event_data][SubjectLogonId]" => "user_logon_id"
|
||||
"[event_data][SubjectUserName]" => "user_name"
|
||||
"[event_data][SubjectUserSid]" => "user_sid"
|
||||
"[event_data][TargetDomainName]" => "group_domain_enumerated"
|
||||
"[event_data][TargetSid]" => "group_sid_enumerated"
|
||||
"[event_data][TargetUserName]" => "group_name_enumerated"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4800 or [event_id] == 4801 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4800.md
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4801.md
|
||||
mutate {
|
||||
rename => {
|
||||
|
||||
"[event_data][TargetDomainName]" => "user_domain"
|
||||
"[event_data][TargetUserSid]" => "user_sid"
|
||||
"[event_data][TargetUserName]" => "user_name"
|
||||
"[event_data][TargetLogonId]" => "user_logon_id"
|
||||
"[event_data][SessionId]" => "user_session_id"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4907 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4907.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][SubjectDomainName]" => "user_domain"
|
||||
"[event_data][SubjectLogonId]" => "user_logon_id"
|
||||
"[event_data][SubjectUserName]" => "user_name"
|
||||
"[event_data][SubjectUserSid]" => "user_sid"
|
||||
"[event_data][ProcessId]" => "process_id"
|
||||
"[event_data][ProcessName]" => "process_path"
|
||||
"[event_data][HandleId]" => "object_access_handle_id"
|
||||
"[event_data][NewSd]" => "object_new_sddl"
|
||||
"[event_data][ObjectName]" => "object_name"
|
||||
"[event_data][ObjectServer]" => "object_server"
|
||||
"[event_data][ObjectType]" => "object_type"
|
||||
"[event_data][OldSd]" => "object_old_sddl"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4957 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4957.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][RuleAttr]" => "firewall_rule_attr"
|
||||
"[event_data][RuleId]" => "firewall_rule_id"
|
||||
"[event_data][RuleName]" => "firewall_rule_name"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 5058 or [event_id] == 5059 or [event_id] == 5061 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5058.md
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5059.md
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5061.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][SubjectDomainName]" => "user_domain"
|
||||
"[event_data][SubjectLogonId]" => "user_logon_id"
|
||||
"[event_data][SubjectUserName]" => "user_name"
|
||||
"[event_data][SubjectUserSid]" => "user_sid"
|
||||
"[event_data][AlgorithmName]" => "key_algorithm_name"
|
||||
"[event_data][KeyName]" => "key_name"
|
||||
"[event_data][KeyType]" => "key_type"
|
||||
"[event_data][Operation]" => "key_operation"
|
||||
"[event_data][ProviderName" => "key_provider_name"
|
||||
"[event_data][ReturnCode]" => "key_return_code"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 5136 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5136.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][SubjectDomainName]" => "user_domain"
|
||||
"[event_data][SubjectLogonId]" => "user_logon_id"
|
||||
"[event_data][SubjectUserName]" => "user_name"
|
||||
"[event_data][SubjectUserSid]" => "user_sid"
|
||||
"[event_data][OpCorrelationID]" => "dsoperation_correlation_id"
|
||||
"[event_data][AppCorrelationID]" => "dsoperation_app_correlation_id"
|
||||
"[event_data][DSName]" => "dsobject_domain"
|
||||
"[event_data][DSType]" => "dsobject_domain_type"
|
||||
"[event_data][ObjectDN]" => "dsobject_dn"
|
||||
"[event_data][ObjectGUID]" => "dsobject_guid"
|
||||
"[event_data][ObjectClass]" => "dsobject_class"
|
||||
"[event_data][AttributeLDAPDisplayName]" => "dsobject_attribute_name"
|
||||
"[event_data][AttributeSyntaxOID]" => "dsobject_attribute_type"
|
||||
"[event_data][AttributeValue]" => "dsobject_attribute_value"
|
||||
"[event_data][OperationType]" => "dsoperation_type"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 5140 or [event_id] == 5145 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5140.md
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5145.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][SubjectDomainName]" => "user_domain"
|
||||
"[event_data][SubjectLogonId]" => "user_logon_id"
|
||||
"[event_data][SubjectUserName]" => "user_name"
|
||||
"[event_data][SubjectUserSid]" => "user_sid"
|
||||
"[event_data][AccessList]" => "object_access_list_requested"
|
||||
"[event_data][AccessMask]" => "object_access_mask_requested"
|
||||
"[event_data][AccessReason]" => "user_access_reason"
|
||||
"[event_data][IpAddress]" => "src_ip"
|
||||
"[event_data][IpPort]" => "src_port"
|
||||
"[event_data][ObjectType]" => "object_type"
|
||||
"[event_data][RelativeTargetName]" => "share_relative_target_name"
|
||||
"[event_data][ShareLocalPath]" => "share_local_path"
|
||||
"[event_data][ShareName]" => "share_name"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 5152 or [event_id] == 5154 or [event_id] == 5156 or [event_id] == 5158 or [event_id] == 5157 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5152.md
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5154.md
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5156.md
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5157.md
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5158.md
|
||||
grok {
|
||||
match => {
|
||||
"[event_data][Application]" => ".*\\%{GREEDYDATA:process_name}"
|
||||
}
|
||||
tag_on_failure => [ "_grokparsefailure", "_parsefailure" ]
|
||||
}
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][Application]" => "process_path"
|
||||
"[event_data][DestAddress]" => "dst_ip"
|
||||
"[event_data][DestPort]" => "dst_port"
|
||||
"[event_data][Direction]" => "network_direction"
|
||||
"[event_data][FilterRTID]" => "network_filter_rtid"
|
||||
"[event_data][LayerName]" => "network_layer_name"
|
||||
"[event_data][LayerRTID]" => "network_layer_rtid"
|
||||
"[event_data][ProcessID]" => "process_id"
|
||||
"[event_data][Protocol]" => "network_protocol"
|
||||
"[event_data][RemoteMachineID]" => "dst_host_name_id"
|
||||
"[event_data][RemoteUserID]" => "dst_user_id"
|
||||
"[event_data][SourceAddress]" => "src_ip"
|
||||
"[event_data][SourcePort]" => "src_port"
|
||||
"[event_data][ProcessId]" => "process_id"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 5447 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5447.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][SubjectDomainName]" => "user_domain"
|
||||
"[event_data][SubjectLogonId]" => "user_logon_id"
|
||||
"[event_data][SubjectUserName]" => "user_name"
|
||||
"[event_data][SubjectUserSid]" => "user_sid"
|
||||
"[event_data][AccessList]" => "object_access_list_requested"
|
||||
"[event_data][AccessMask]" => "object_access_mask_requested"
|
||||
"[event_data][AccessReason]" => "user_access_reason"
|
||||
"[event_data][IpAddress]" => "src_ip"
|
||||
"[event_data][IpPort]" => "src_port"
|
||||
"[event_data][ObjectType]" => "object_type"
|
||||
"[event_data][RelativeTargetName]" => "share_relative_target_name"
|
||||
"[event_data][ShareLocalPath]" => "share_local_path"
|
||||
"[event_data][ShareName]" => "share_name"
|
||||
"[event_data][Action]" => "filtering_action"
|
||||
"[event_data][CalloutKey]" => "filtering_callout_key"
|
||||
"[event_data][CalloutName]" => "filtering_callout_name"
|
||||
"[event_data][ChangeType]" => "filtering_change_type"
|
||||
"[event_data][Conditions]" => "filtering_conditions"
|
||||
"[event_data][FilterId]" => "filtering_id"
|
||||
"[event_data][FilterKey]" => "filtering_key"
|
||||
"[event_data][FilterName]" => "filtering_name"
|
||||
"[event_data][FilterType]" => "filtering_type"
|
||||
"[event_data][LayerId]" => "filtering_layer_id"
|
||||
"[event_data][LayerKey]" => "filtering_layer_key"
|
||||
"[event_data][LayerName]" => "filtering_layer_name"
|
||||
"[event_data][ProcessId]" => "process_id"
|
||||
"[event_data][ProviderKey]" => "filtering_provider_key"
|
||||
"[event_data][ProviderName" => "filtering_provider_name"
|
||||
"[event_data][UserName]" => "user_name"
|
||||
"[event_data][UserSid]" => "user_sid"
|
||||
"[event_data][Weight]" => "filtering_weight"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 6416 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-6416.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][SubjectDomainName]" => "user_domain"
|
||||
"[event_data][SubjectLogonId]" => "user_logon_id"
|
||||
"[event_data][SubjectUserName]" => "user_name"
|
||||
"[event_data][SubjectUserSid]" => "user_sid"
|
||||
"[event_data][ClassId]" => "device_class_id"
|
||||
"[event_data][ClassName]" => "device_class_name"
|
||||
"[event_data][CompatibleIds]" => "device_compatible_ids"
|
||||
"[event_data][DeviceDescription]" => "device_description"
|
||||
"[event_data][DeviceId]" => "device_id"
|
||||
"[event_data][LocationInformation]" => "device_location_information"
|
||||
"[event_data][VendorIds]" => "device_vendor_ids"
|
||||
}
|
||||
}
|
||||
}
|
||||
mutate {
|
||||
convert => {
|
||||
"src_port" => "integer"
|
||||
"dst_port" => "integer"
|
||||
}
|
||||
rename => {
|
||||
"computer_name" => "host_name"
|
||||
}
|
||||
gsub => ["user_logon_guid","[{}]",""]
|
||||
gsub => ["target_user_logon_guid","[{}]",""]
|
||||
}
|
||||
if [user_logon_id] {
|
||||
mutate { gsub => [ "user_logon_id", "0x", "" ]}
|
||||
ruby {
|
||||
code => "event.set('user_logon_id', event.get('user_logon_id').to_s.hex)"
|
||||
tag_on_exception => "_0591_rubyexception"
|
||||
}
|
||||
}
|
||||
if [process_id] {
|
||||
mutate { gsub => [ "process_id", "0x", "" ]}
|
||||
ruby {
|
||||
code => "event.set('process_id', event.get('process_id').to_s.hex)"
|
||||
tag_on_exception => "_0591_rubyexception"
|
||||
}
|
||||
}
|
||||
if [process_parent_id] {
|
||||
mutate { gsub => [ "process_parent_id", "0x", "" ]}
|
||||
ruby {
|
||||
code => "event.set('process_parent_id', event.get('process_parent_id').to_s.hex)"
|
||||
tag_on_exception => "_0591_rubyexception"
|
||||
}
|
||||
}
|
||||
if [target_process_id] {
|
||||
mutate { gsub => [ "target_process_id", "0x", "" ]}
|
||||
ruby {
|
||||
code => "event.set('target_process_id', event.get('target_process_id').to_s.hex)"
|
||||
tag_on_exception => "_0591_rubyexception"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,81 @@
|
|||
filter {
|
||||
if [event_id] {
|
||||
mutate { add_field => { "z_logstash_pipeline" => "1500" } }
|
||||
|
||||
# Remove specific keys/fields that have "-"/dash has the only value values
|
||||
# Command Line will be done later on in pipeline because it is all sorts of random fields especially when we custom parse some event IDs
|
||||
# #TONOTE:Prune does not work on nested fields, so we are moving this into the beginning of Windows logs pipeline
|
||||
prune {
|
||||
blacklist_values => [
|
||||
"AccessList", "^\-$",
|
||||
"AccessReason", "^\-$",
|
||||
"AccountExpires", "^\-$",
|
||||
"AccountName", "^\-$",
|
||||
"AdditionalInfo", "^\-$",
|
||||
"Address", "^\-$",
|
||||
"AppCorrelationID", "^\-$",
|
||||
"CallerProcessName", "^\-$",
|
||||
"ClientAddress", "^\-$",
|
||||
"ClientIP", "^\-$",
|
||||
"ClientIPAddress", "^\-$",
|
||||
"CompatibleIds", "^\-$",
|
||||
"ComputerAccountChange", "^\-$",
|
||||
"ConnectedViaIPAddress", "^\-$",
|
||||
"DCIPAddress", "^\-$",
|
||||
"DestinationIp", "^\-$",
|
||||
"DisplayName", "^\-$",
|
||||
"DnsHostName", "^\-$",
|
||||
"Domain", "^\-$",
|
||||
"Dummy", "^\-$",
|
||||
"HomeDirectory", "^\-$",
|
||||
"HomePath", "^\-$",
|
||||
"Identity", "^\-$",
|
||||
"ipAddress", "^\-$",
|
||||
"IpAddress", "^\-$",
|
||||
"IPAddress", "^\-$",
|
||||
"IpPort", "^\-$",
|
||||
"IPString", "^\-$",
|
||||
"LaunchedViaIPAddress", "^\-$",
|
||||
"LmPackageName", "^\-$",
|
||||
"LocationInformation", "^\-$",
|
||||
"LogonGuid", "^\-$",
|
||||
"LogonHours", "^\-$",
|
||||
"NewUacValue", "^\-$",
|
||||
"ObjectName", "^\-$",
|
||||
"ObjectType", "^\-$",
|
||||
"OldUacValue", "^\-$",
|
||||
"PasswordLastSet", "^\-$",
|
||||
"PreAuthType", "^\-$",
|
||||
"PrimaryGroupId", "^\-$",
|
||||
"PrivilegeList", "^\-$",
|
||||
"ProcessName", "^\-$",
|
||||
"ProfilePath", "^\-$",
|
||||
"RestrictedAdminMode", "^\-$",
|
||||
"SamAccountName", "^\-$",
|
||||
"ScriptPath", "^\-$",
|
||||
"ServerIpAddress", "^\-$",
|
||||
"Service", "^\-$",
|
||||
"ServicePrincipalNames", "^\-$",
|
||||
"SourceIp", "^\-$",
|
||||
"SidHistory", "^\-$",
|
||||
"SidList", "^\-$",
|
||||
"SubjectDomainName", "^\-$",
|
||||
"SubjectUserName", "^\-$",
|
||||
"SubjectUserSid", "^\-$",
|
||||
"TargetDomainName", "^\-$",
|
||||
"TargetOutboundDomainName", "^\-$",
|
||||
"TargetOutboundUserName", "^\-$",
|
||||
"TargetUserName", "^\-$",
|
||||
"TargetUserSid", "^\-$",
|
||||
"TraceMessage", "^\-$",
|
||||
"TransmittedServices", "^\-$",
|
||||
"UserAccountControl", "^\-$",
|
||||
"UserID", "^\-$",
|
||||
"UserParameters", "^\-$",
|
||||
"UserPrincipalName", "^\-$",
|
||||
"UserWorkstations", "^\-$",
|
||||
"WorkstationName", "^\-$"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
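Review bot: `prune` only inspects top-level fields, so if `event_data` is still nested when pipeline 1500 runs none of these `^\-$` patterns fire and the Windows placeholder `-` survives into the later renames in this same commit (`[event_data][IpAddress]` → `src_ip`, `[event_data][IpPort]` → `src_port`), where it then reaches `convert => { "src_port" => "integer" }` or an `ip`-typed field. The `#TONOTE` comment acknowledges the nested-field limitation but does not name the step that flattens `event_data` before this stage; make that ordering dependency explicit in the comment so a later pipeline reorder does not silently turn this filter into a no-op. Dropping these fields also erases the "present but empty" signal: downstream, an event whose `SubjectUserSid` was `-` is indistinguishable from one that never carried the field, which deserves a one-line caveat for detection authors. The header comment is garbled as written; suggest `# Remove fields whose only value is "-" (the Windows placeholder for "not applicable"); CommandLine is handled later in the pipeline`.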
|
|
@ -0,0 +1,181 @@
|
|||
filter {
|
||||
# Use this to determine if windows event log or not (for now, until we are properly marking all windows log types as something like "log_type: winevent")
|
||||
if [event_id] {
|
||||
mutate { add_field => { "z_logstash_pipeline" => "1521" } }
|
||||
|
||||
# Since Sysmon may be the most common EventIDs with IPs lets do that first. This will contain source and destination IPs.
|
||||
# Seen in the following EventIDs (not necessarily exhaustive)
|
||||
# Microsoft-Windows-Sysmon/Operational:3
|
||||
# Parse "SourceIp" field and then afterwards if it exists then the DestinationIp should exist as well (see note above)
|
||||
if [SourceIp] {
|
||||
if [SourceIsIpv6] == 'false' {
|
||||
mutate {
|
||||
rename => { "SourceIp" => "src_ip_addr" }
|
||||
remove_field => [ "SourceIsIpv6" ]
|
||||
}
|
||||
}
|
||||
else {
|
||||
mutate {
|
||||
rename => { "SourceIp" => "ipv6_src_addr" }
|
||||
remove_field => [ "SourceIsIpv6" ]
|
||||
}
|
||||
}
|
||||
# Parse "DestinationIp" field
|
||||
# Seen in the following EventIDs (not necessarily exhaustive)
|
||||
# Microsoft-Windows-Sysmon/Operational:3
|
||||
if [DestinationIp] {
|
||||
if [DestinationIsIpv6] == 'false' {
|
||||
mutate {
|
||||
rename => { "DestinationIp" => "dst_ip_addr" }
|
||||
remove_field => [ "DestinationIsIpv6" ]
|
||||
}
|
||||
}
|
||||
else {
|
||||
mutate {
|
||||
rename => { "DestinationIp" => "ipv6_dst_addr" }
|
||||
remove_field => [ "DestinationIsIpv6" ]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# If not Sysmon IP field try all the rest of the possible IP fields as of 2018-03-19 and going through 3,000 Windows EventIDs
|
||||
else {
|
||||
|
||||
#### Parse all other possible Source IP Address fields, none of the following two fields would exist in any one windows event.. therefore, use "if"/"else if" statements
|
||||
# Parse "IpAddress" field
|
||||
# Seen in the following EventIDs (not necessarily exhaustive)
|
||||
# Security:4624, Security:4625, Security:4648, Security:4770, Security:4771, Security:4768, Security:4769, Security:5140, Security:5145
|
||||
if [IpAddress] {
|
||||
if [IpAddress] =~ "^\d{1,3}\." {
|
||||
mutate { rename => { "IpAddress" => "src_ip_addr" } }
|
||||
}
|
||||
else {
|
||||
# First try to match IPv6 & IPv4 combined
|
||||
# Last try IPv6 only
|
||||
grok {
|
||||
match => {
|
||||
"IpAddress" =>
|
||||
[
|
||||
"%{IPV6:ipv6_src_addr} %{IPV4:src_ip_addr}",
|
||||
"%{IPV6:ipv6_src_addr}"
|
||||
]
|
||||
}
|
||||
keep_empty_captures => false
|
||||
named_captures_only => true
|
||||
tag_on_failure => [ "_IpAddress_grokparsefailure", "_grokparsefailure", "_parsefailure", "_windows_ip_parsefailure" ]
|
||||
tag_on_timeout => "_groktimeout"
|
||||
# Timeout .250 seconds
|
||||
timeout_millis => 250
|
||||
remove_field => [ "IpAddress" ]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# Parse "SourceAddress" field
|
||||
# Seen in the following EventIDs (not necessarily exhaustive)
|
||||
# Security:5152,5154,5156,5157,5158
|
||||
else if [SourceAddress] {
|
||||
mutate { rename => { "SourceAddress" => "src_ip_addr" } }
|
||||
}
|
||||
|
||||
# Parse "ClientAddress" field
|
||||
# Seen in the following EventIDs (not necessarily exhaustive)
|
||||
# Security:4778,4779
|
||||
else if [ClientAddress] {
|
||||
mutate { rename => { "ClientAddress" => "src_ip_addr" } }
|
||||
}
|
||||
|
||||
# Parse "ClientIPAddress" field
|
||||
# Seen in the following EventIDs (not necessarily exhaustive)
|
||||
# Citrix-XenDesktop-BrokerMonitor/Operational:4,5,44,45
|
||||
else if [ClientIPAddress] {
|
||||
mutate { rename => { "ClientIPAddress" => "src_ip_addr" } }
|
||||
}
|
||||
|
||||
# Parse "ClientIP" field
|
||||
# Seen in the following EventIDs (not necessarily exhaustive)
|
||||
# Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational:131
|
||||
else if [ClientIP] {
|
||||
# First lets substitute any characters that have been seen that would cause bad parsing/values
|
||||
mutate { gsub => [ "ClientIP", "[\[\]]", "" ] }
|
||||
if [ClientIP] =~ "^\d{1,3}\." {
|
||||
dissect {
|
||||
mapping => { "ClientIP" => "%{src_ip_addr}:%{port_src}" }
|
||||
tag_on_failure => [ "_dissectfailure", "_parsefailure" ]
|
||||
remove_field => [ "ClientIP" ]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# Parse "IPString" field
|
||||
# Seen in the following EventIDs (not necessarily exhaustive)
|
||||
# Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational:139,140
|
||||
else if [IPString] {
|
||||
mutate { rename => { "IPString" => "src_ip_addr" } }
|
||||
}
|
||||
#### ^ DONE w/ All Src IP parsing ####
|
||||
|
||||
|
||||
#### Parse all other possible Destination IP Address fields, none of the following two fields would exist in any one windows event.. therefore, use "if"/"else if" statements
|
||||
# Parse "DestAddress" field
|
||||
# Seen in the following EventIDs (not necessarily exhaustive)
|
||||
# Application:1039 SourceName Citrix Broker Service
|
||||
if [DestAddress] {
|
||||
mutate { rename => { "DestAddress" => "dst_ip_addr" } }
|
||||
}
|
||||
|
||||
# Parse "LaunchedViaIPAddress" field
|
||||
# Seen in the following EventIDs (not necessarily exhaustive)
|
||||
# Citrix-XenDesktop-BrokerMonitor/Operational:4,5,44,45
|
||||
else if [LaunchedViaIPAddress] {
|
||||
mutate { rename => { "LaunchedViaIPAddress" => "dst_ip_addr" } }
|
||||
}
|
||||
|
||||
# Parse "MachineIpAddress" field
|
||||
# Seen in the following EventIDs (not necessarily exhaustive)
|
||||
# Citrix-XenDesktop-BrokerMonitor/Operational:10
|
||||
else if [MachineIpAddress] {
|
||||
mutate { rename => { "MachineIpAddress" => "dst_ip_addr" } }
|
||||
}
|
||||
|
||||
# Parse "ipAddress" field
|
||||
# Seen in the following EventIDs (not necessarily exhaustive)
|
||||
# Application:1039 SourceName Citrix Broker Service
|
||||
else if [ipAddress] {
|
||||
mutate { rename => { "ipAddress" => "dst_ip_addr" } }
|
||||
}
|
||||
|
||||
# Parse "Value" field
|
||||
# Seen in the following EventIDs (not necessarily exhaustive)
|
||||
# Microsoft-Windows-TerminalServices-RDPClient/Operational:1102,1024
|
||||
# Only perform on the above EIDs because otherwise it may be values that are incomprehensible
|
||||
else if [Value] and [wef][channel] == "Microsoft-Windows-TerminalServices-RDPClient/Operational" {
|
||||
if [wef.eid] == 1102 {
|
||||
mutate { rename => { "Value" => "dst_ip_addr" } }
|
||||
}
|
||||
else if [wef.eid] == 1024 {
|
||||
mutate { rename => { "Value" => "dst_ip_addr" } }
|
||||
}
|
||||
}
|
||||
# Parse "TargetServer" field
|
||||
# Seen in the following EventIDs (not necessarily exhaustive)
|
||||
# Security:5378
|
||||
else if [TargetServer] {
|
||||
mutate { gsub => [ "TargetServer", "TERMSRV\/", "" ] }
|
||||
mutate { rename => { "TargetServer" => "dst_ip_addr" } }
|
||||
}
|
||||
#### ^ DONE w/ All Dst IP parsing ####
|
||||
|
||||
|
||||
#### Parse all possible Destination NAT IP Address fields, none of the following two fields would exist in any one windows event.. therefore, use "if"/"else if" statements
|
||||
# Parse "ConnectedViaIPAddress" field
|
||||
# Seen in the following EventIDs (not necessarily exhaustive)
|
||||
# Citrix-XenDesktop-BrokerMonitor/Operational:4,44
|
||||
if [ConnectedViaIPAddress] {
|
||||
mutate { rename => { "ConnectedViaIPAddress" => "dst_nat_ip_addr" } }
|
||||
}
|
||||
#### ^ DONE w/ All Dst NAT IP parsing ####
|
||||
}
|
||||
}
|
||||
}
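Review bot: The RDPClient branch at `if [wef.eid] == 1102` / `else if [wef.eid] == 1024` references a top-level field literally named `wef.eid`, whereas the enclosing condition on the line above uses the nested form `[wef][channel]`; in Logstash `[wef.eid]` is not the nested `[wef][eid]`, so unless a flat `wef.eid` field really exists these comparisons never match and `Value` is never mapped to `dst_ip_addr`. Both branches perform the same rename, so they can be collapsed into `if [wef][eid] == 1102 or [wef][eid] == 1024 { mutate { rename => { "Value" => "dst_ip_addr" } } }`. If the event id arrives as a string rather than an integer the comparison must be against `"1102"`/`"1024"` instead, which is worth confirming against a real event. Note also that `SourceIsIpv6`/`DestinationIsIpv6` are compared to the string `'false'`; if an upstream stage has already turned these into booleans the IPv4 branch is skipped and every Sysmon address lands in `ipv6_src_addr`/`ipv6_dst_addr`, so that check deserves the same verification.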
|
|
@ -0,0 +1,143 @@
|
|||
filter {
|
||||
if [event_id] {
|
||||
mutate { add_field => { "z_logstash_pipeline" => "1522" } }
|
||||
|
||||
mutate {
|
||||
lowercase => [
|
||||
"AccountDistinguishedName",
|
||||
"AccountName",
|
||||
"ActionName",
|
||||
"AllowedToDelegateTo",
|
||||
"ApplicationPath",
|
||||
"AttributeLDAPDisplayName",
|
||||
"AuthenticationPackageName",
|
||||
"CACommonName",
|
||||
"CallerProcessName",
|
||||
"CalloutName",
|
||||
"ClientName",
|
||||
"ClientUserName",
|
||||
"Command Name",
|
||||
"CommandName",
|
||||
"CommandPath",
|
||||
"ConnectionName",
|
||||
"CorruptedFilePath",
|
||||
"CrashedAppName",
|
||||
"CurrentDirectory",
|
||||
"DCDomainName",
|
||||
"DestinationHostname",
|
||||
"DestinationPortName",
|
||||
"DeviceName",
|
||||
"DfsPath",
|
||||
"DisplayName",
|
||||
"displayName",
|
||||
"DnsHostName",
|
||||
"Domain",
|
||||
"DriveName",
|
||||
"DSName",
|
||||
"DSObjectName",
|
||||
"ExtensibleModulePath",
|
||||
"FileName",
|
||||
"Filename",
|
||||
"FilePath",
|
||||
"GPODisplayName",
|
||||
"GPOFileSystemPath",
|
||||
"GPOName",
|
||||
"GroupName",
|
||||
"HiveName",
|
||||
"HomeDirectory",
|
||||
"HomePath",
|
||||
"HostName",
|
||||
"Host Name",
|
||||
"HostOSName",
|
||||
"Host OS Name",
|
||||
"HostOSservicepackName",
|
||||
"Host OS service pack Name",
|
||||
"HostNameChanged",
|
||||
"ImageName",
|
||||
"ImagePath",
|
||||
"InstancePath",
|
||||
"KeepPropertyCanonicalName",
|
||||
"KeyName",
|
||||
"Key Name",
|
||||
"KeyName",
|
||||
"KeyFilePath",
|
||||
"LocalPath",
|
||||
"LogonProcessName",
|
||||
"MachineName",
|
||||
"MappedName",
|
||||
"MemberName",
|
||||
"NAME",
|
||||
"NameServer",
|
||||
"NamespaceName",
|
||||
"NetworkName",
|
||||
"NewProcessName",
|
||||
"NewTargetUserName",
|
||||
"ObjectName",
|
||||
"OldTargetUserName",
|
||||
"OldTargetUserName",
|
||||
"ParentProcessName",
|
||||
"Path",
|
||||
"PortName",
|
||||
"PrincipalCNName",
|
||||
"PrincipalDomainName",
|
||||
"PrincipalSamName",
|
||||
"Process Name",
|
||||
"ProcessName",
|
||||
"ProdessName",
|
||||
"ProcessPath",
|
||||
"processPath",
|
||||
"ProfilePath",
|
||||
"QNAME",
|
||||
"QueryName",
|
||||
"RelativeTargetName",
|
||||
"SamAccountName",
|
||||
"Script Name",
|
||||
"ScriptName",
|
||||
"ScriptPath",
|
||||
"SecurityPackageName",
|
||||
"ServerName",
|
||||
"serverName",
|
||||
"ServiceFileName",
|
||||
"ServiceName",
|
||||
"ServicePrincipalNames",
|
||||
"SessionName",
|
||||
"ShareName",
|
||||
"ShareLocalPath",
|
||||
"SnapshotPath",
|
||||
"SourceHostname",
|
||||
"SourcePortName",
|
||||
"StateName",
|
||||
"SubjectDomainName",
|
||||
"SubjectUserDomainName",
|
||||
"SubjectUserName",
|
||||
"SwitchFName",
|
||||
"TargetDomainName",
|
||||
"TargetFilename",
|
||||
"Targetname",
|
||||
"TargetOutboundDomainName",
|
||||
"TargetOutboundUserName",
|
||||
"TargetProcessName",
|
||||
"TargetRealm",
|
||||
"TargetServerName",
|
||||
"TargetUserName",
|
||||
"TargetUserName",
|
||||
"TaskName",
|
||||
"TransportProtocolName",
|
||||
"UncPath",
|
||||
"User",
|
||||
"user",
|
||||
"UserName",
|
||||
"Username",
|
||||
"userName",
|
||||
"username",
|
||||
"UserPrincipalName",
|
||||
"VhdFileName",
|
||||
"VolumeName",
|
||||
"wmiClassName",
|
||||
"Workstation",
|
||||
"WorkstationName",
|
||||
"XPath"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
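Review bot: Lowercasing `ProcessName`, `CommandPath`, `ScriptPath`, `ObjectName`, `FileName` and the other path-like fields in place discards the original casing, which is itself a detection signal (mixed-case binary or script names are a common evasion indicator), and nothing in this hunk keeps a copy of the original value. Consider copying the originals before the `lowercase` for the fields where casing matters, e.g. `mutate { copy => { "ProcessName" => "process_name_original" } }`, or add a comment stating that case is deliberately normalised for matching and the original is intentionally dropped. The list also carries duplicates — `KeyName` appears twice, as do `OldTargetUserName` and `TargetUserName` — which are harmless but suggest it was merged by hand. `ProdessName` looks like a typo for `ProcessName`; if it mirrors a genuinely misspelled field name emitted by some event, a comment saying so would stop it being "corrected" later.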
|
|
@ -0,0 +1,286 @@
|
|||
# HELK sysmon filter conf file
|
||||
# HELK build Stage: Alpha
|
||||
# Author: Roberto Rodriguez (@Cyb3rWard0g)
|
||||
# License: GPL-3.0
|
||||
|
||||
filter {
|
||||
if [log_name] == "Microsoft-Windows-Sysmon/Operational"{
|
||||
mutate { add_field => { "z_logstash_pipeline" => "1531" } }
|
||||
mutate {
|
||||
rename => {
|
||||
"[user][domain]" => "user_reporter_domain"
|
||||
"[user][identifier]" => "user_reporter_sid"
|
||||
"[user][name]" => "user_reporter_name"
|
||||
"[user][type]" => "user_reporter_type"
|
||||
"computer_name" => "host_name"
|
||||
}
|
||||
}
|
||||
if [provider_guid] {
|
||||
mutate { gsub => [ "provider_guid", "[{}]", "" ] }
|
||||
}
|
||||
if [RuleName] {
|
||||
kv {
|
||||
source => "RuleName"
|
||||
field_split => ","
|
||||
value_split => "="
|
||||
prefix => "mitre_"
|
||||
transform_key => "lowercase"
|
||||
}
|
||||
}
|
||||
if [Image] {
|
||||
if [Image] =~ /^(\w*$)|^(\w*\..*$)/ {
|
||||
mutate { copy => {"Image" => "process_name"} }
|
||||
}
|
||||
else {
|
||||
grok {
|
||||
match => { "Image" => ".*\\%{GREEDYDATA:process_name}" }
|
||||
tag_on_failure => [ "_Image__grokparsefailure", "_grokparsefailure", "_parsefailure" ]
|
||||
}
|
||||
}
|
||||
mutate {
|
||||
rename => {
|
||||
"Image" => "process_path"
|
||||
"ProcessGuid" => "process_guid"
|
||||
"ProcessId" => "process_id"
|
||||
}
|
||||
gsub => [ "process_guid", "[{}]", "" ]
|
||||
}
|
||||
}
|
||||
if [ParentImage] {
|
||||
grok {
|
||||
match => { "ParentImage" => ".*\\%{GREEDYDATA:process_parent_name}" }
|
||||
tag_on_failure => [ "_ParentImage__grokparsefailure", "_grokparsefailure", "_parsefailure" ]
|
||||
}
|
||||
}
|
||||
if [Hashes] {
|
||||
kv {
|
||||
source => "Hashes"
|
||||
field_split => ","
|
||||
value_split => "="
|
||||
prefix => "hash_"
|
||||
transform_key => "lowercase"
|
||||
}
|
||||
}
|
||||
if [TargetImage] {
|
||||
grok {
|
||||
match => { "SourceImage" => ".*\\%{GREEDYDATA:process_name}" }
|
||||
tag_on_failure => [ "_SourceImage__grokparsefailure", "_grokparsefailure", "_parsefailure" ]
|
||||
}
|
||||
grok {
|
||||
match => { "TargetImage" => ".*\\%{GREEDYDATA:target_process_name}" }
|
||||
tag_on_failure => [ "_TargetImage__grokparsefailure", "_grokparsefailure", "_parsefailure" ]
|
||||
}
|
||||
mutate {
|
||||
rename => {
|
||||
"SourceImage" => "process_path"
|
||||
"SourceProcessGUID" => "process_guid"
|
||||
"SourceProcessId" => "process_id"
|
||||
"TargetImage" => "target_process_path"
|
||||
"TargetProcessGUID" => "target_process_guid"
|
||||
"TargetProcessId" => "target_process_id"
|
||||
}
|
||||
gsub => [
|
||||
"process_guid", "[{}]", "",
|
||||
"target_process_guid", "[{}]", ""
|
||||
]
|
||||
}
|
||||
}
|
||||
if [User] {
|
||||
grok {
|
||||
match => { "User" => "%{GREEDYDATA:user_domain}\\%{GREEDYDATA:user_name}" }
|
||||
tag_on_failure => [ "_User__grokparsefailure", "_grokparsefailure", "_parsefailure" ]
|
||||
}
|
||||
}
|
||||
if [event_id] == 1 {
|
||||
mutate {
|
||||
add_field => { "action" => "processcreate" }
|
||||
rename => {
|
||||
"CommandLine" => "process_command_line"
|
||||
"CurrentDirectory" => "process_current_directory"
|
||||
"ParentImage" => "process_parent_path"
|
||||
"ParentCommandLine" => "process_parent_command_line"
|
||||
"IntegrityLevel" => "process_integrity_level"
|
||||
"LogonGuid" => "user_logon_guid"
|
||||
"ParentProcessGuid" => "process_parent_guid"
|
||||
"ParentProcessId" => "process_parent_id"
|
||||
"TerminalSessionId" => "user_session_id"
|
||||
"FileVersion" => "file_version"
|
||||
"Description" => "file_description"
|
||||
"Product" => "file_product"
|
||||
"Company" => "file_company"
|
||||
}
|
||||
gsub => [ "process_parent_guid", "[{}]", "" ]
|
||||
}
|
||||
}
|
||||
if [event_id] == 2 {
|
||||
mutate {
|
||||
add_field => { "action" => "filecreatetime" }
|
||||
rename => { "TargetFileName" => "file_name" }
|
||||
}
|
||||
}
|
||||
if [event_id] == 3 {
|
||||
mutate {
|
||||
add_field => { "action" => "networkconnect" }
|
||||
rename => {
|
||||
"DestinationHostname" => "dst_host_name"
|
||||
"DestinationPort" => "dst_port"
|
||||
"DestinationPortName" => "dst_port_name"
|
||||
"Initiated" => "network_initiated"
|
||||
"Protocol" => "network_protocol"
|
||||
"SourceHostname" => "src_host_name"
|
||||
"SourcePort" => "src_port"
|
||||
"SourcePortName" => "src_port_name"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4 {
|
||||
mutate {
|
||||
add_field => { "action" => "sysmonservicestatechanged" }
|
||||
rename => {
|
||||
"State" => "service_state"
|
||||
"Version" => "sysmon_version"
|
||||
"SchemaVersion" => "sysmon_schema_version"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 6 {
|
||||
mutate {
|
||||
add_field => { "action" => "driverload" }
|
||||
rename => {
|
||||
"ImageLoaded" => "driver_loaded"
|
||||
"Signature" => "driver_signature"
|
||||
"SignatureStatus" => "driver_signature_status"
|
||||
"Signed" => "driver_signed"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 7 {
|
||||
mutate {
|
||||
add_field => { "action" => "imageload" }
|
||||
rename => {
|
||||
"ImageLoaded" => "module_loaded"
|
||||
"Signature" => "module_signature"
|
||||
"SignatureStatus" => "module_signature_status"
|
||||
"Signed" => "module_signed"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 8 {
|
||||
mutate {
|
||||
add_field => { "action" => "createremotethread" }
|
||||
rename => {
|
||||
"NewThreadId" => "thread_new_id"
|
||||
"StartAddress" => "thread_start_address"
|
||||
"StartFunction" => "thread_start_function"
|
||||
"StartModule" => "thread_start_module"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 9 {
|
||||
mutate {
|
||||
add_field => { "action" => "rawaccessread" }
|
||||
rename => { "Device" => "device_name" }
|
||||
}
|
||||
}
|
||||
if [event_id] == 10 {
|
||||
mutate {
|
||||
add_field => { "action" => "processaccess" }
|
||||
rename => {
|
||||
"CallTrace" => "process_call_trace"
|
||||
"GrantedAccess" => "process_granted_access"
|
||||
"SourceThreadId" => "thread_id"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 11 {
|
||||
mutate {
|
||||
add_field => { "action" => "filecreate" }
|
||||
rename => { "TargetFilename" => "file_name" }
|
||||
}
|
||||
}
|
||||
if [event_id] == 12 or [event_id] == 13 or [event_id] == 14 {
|
||||
mutate {
|
||||
add_field => { "action" => "registryevent" }
|
||||
rename => {
|
||||
"EventType" => "event_type"
|
||||
"TargetObject" => "registry_key_path"
|
||||
"Details" => "registry_key_value"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 15 {
|
||||
mutate {
|
||||
add_field => { "action" => "filecreatestreamhash" }
|
||||
rename => {
|
||||
"TargetFilename" => "file_name"
|
||||
"Hash" => "hash"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 16 {
|
||||
kv {
|
||||
source => "ConfigurationFileHash"
|
||||
value_split => "="
|
||||
prefix => "sysmon_config_hash_"
|
||||
transform_key => "lowercase"
|
||||
}
|
||||
mutate {
|
||||
add_field => { "action" => "sysmonconfigstatechanged" }
|
||||
rename => {
|
||||
"State" => "sysmon_configuration_state"
|
||||
"Configuration" => "sysmon_configuration"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 18 or [event_id] == 17 {
|
||||
mutate {
|
||||
add_field => { "action" => "pipeevent" }
|
||||
rename => { "PipeName" => "pipe_name" }
|
||||
}
|
||||
}
|
||||
if [event_id] == 19 or [event_id] == 20 or [event_id] == 21 {
|
||||
mutate {
|
||||
add_field => { "action" => "wmievent" }
|
||||
rename => {
|
||||
"EventType" => "wmi_event_type"
|
||||
"Operation" => "wmi_operation"
|
||||
"EventNamespace" => "wmi_namespace"
|
||||
"Name" => "wmi_name"
|
||||
"Query" => "wmi_query"
|
||||
"Type" => "wmi_type"
|
||||
"Destination" => "wmi_destination"
|
||||
}
|
||||
}
|
||||
}
|
||||
date {
|
||||
timezone => "UTC"
|
||||
match => [ "UtcTime", "YYYY-MM-dd HH:mm:ss.SSS" ]
|
||||
tag_on_failure => [ "_sysmon_UtcTime_datefailure", "_sysmon_datefailure", "_dateparsefailure" ]
|
||||
}
|
||||
date {
|
||||
timezone => "UTC"
|
||||
match => [ "CreationUtcTime", "YYYY-MM-dd HH:mm:ss.SSS" ]
|
||||
target => "@date_creation"
|
||||
tag_on_failure => [ "_sysmon_CreationUtcTime_datefailure", "_sysmon_datefailure", "_dateparsefailure" ]
|
||||
}
|
||||
date {
|
||||
timezone => "UTC"
|
||||
match => [ "PreviousCreationUtcTime", "YYYY-MM-dd HH:mm:ss.SSS" ]
|
||||
target => "@date_creation_previous"
|
||||
tag_on_failure => [ "_sysmon_PreviousCreationUtcTime_datefailure", "_sysmon_datefailure", "_dateparsefailure" ]
|
||||
}
|
||||
mutate {
|
||||
rename => { "User" => "user_account"}
|
||||
remove_field => [
|
||||
"message",
|
||||
"Hashes",
|
||||
"ConfigurationFileHash",
|
||||
"UtcTime",
|
||||
"CreationUtcTime",
|
||||
"PreviousCreationUtcTime",
|
||||
"[user]"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
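Review bot: The event 2 block renames `TargetFileName`, but the event 11 and event 15 blocks in the same hunk rename `TargetFilename` (lowercase n), which is the spelling Sysmon uses for its file-name field; if event 2 carries the same spelling, the rename at `"TargetFileName" => "file_name"` never fires and `file_name` is empty for file-creation-time-change events. Change it to `rename => { "TargetFilename" => "file_name" }` to match the other two blocks. Separately, the `if [TargetImage]` block groks `SourceImage` into `process_name` without first checking that `SourceImage` exists, so an event that has `TargetImage` but no `SourceImage` would likely pick up `_grokparsefailure`/`_parsefailure` tags for a field that was never there; wrapping that grok in `if [SourceImage] { ... }` would keep the failure tags meaningful for triage.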
|
||||
|
|
@ -0,0 +1,807 @@
|
|||
# HELK winevent-security filter conf file
|
||||
# HELK build Stage: Alpha
|
||||
# Author: Roberto Rodriguez (@Cyb3rWard0g)
|
||||
# License: GPL-3.0
|
||||
|
||||
filter {
|
||||
if [log_name] == "Security"{
|
||||
mutate { add_field => { "z_logstash_pipeline" => "1532" } }
|
||||
if [ProcessName] {
|
||||
grok {
|
||||
match => { "ProcessName" => ".*\\%{GREEDYDATA:process_name}" }
|
||||
tag_on_failure => [ "_ProcessName_grokparsefailure", "_grokparsefailure", "_parsefailure" ]
|
||||
}
|
||||
}
|
||||
if [event_id] == 4611 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4611.md
|
||||
mutate {
|
||||
rename => {
|
||||
"SubjectUserSid" => "user_sid"
|
||||
"SubjectUserName" => "user_name"
|
||||
"SubjectDomainName" => "user_domain"
|
||||
"SubjectLogonId" => "user_logon_id"
|
||||
"LogonProcessName" => "logon_process_name"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4616 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4616.md
|
||||
mutate {
|
||||
rename => {
|
||||
"NewTime" => "@date_new_time"
|
||||
"PreviousTime" => "@date_previous_time"
|
||||
"SubjectUserSid" => "user_sid"
|
||||
"SubjectUserName" => "user_name"
|
||||
"SubjectDomainName" => "user_domain"
|
||||
"SubjectLogonId" => "user_logon_id"
|
||||
"ProcessId" => "process_id"
|
||||
"ProcessName" => "process_path"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4624 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4624.md
|
||||
mutate {
|
||||
rename => {
|
||||
"SubjectUserSid" => "user_reporter_sid"
|
||||
"SubjectUserName" => "user_reporter_name"
|
||||
"SubjectDomainName" => "user_reporter_domain"
|
||||
"SubjectLogonId" => "reporter_logon_id"
|
||||
"ProcessId" => "process_id"
|
||||
"ProcessName" => "process_path"
|
||||
"TargetLogonId" => "user_logon_id"
|
||||
"LogonType" => "logon_type"
|
||||
"RestrictedAdminMode" => "logon_restricted_adminmode"
|
||||
"VirtualAccount" => "logon_virtual_account"
|
||||
"ElevatedToken" => "logon_elevated_token"
|
||||
"TargetUserName" => "user_name"
|
||||
"TargetDomainName" => "user_domain"
|
||||
"TargetLinkedLogonId" => "user_linked_logon_id"
|
||||
"TargetOutboundDomainName" => "user_network_account_domain"
|
||||
"TargetOutboundUserName" => "user_network_account_name"
|
||||
"TargetUserSid" => "user_sid"
|
||||
"ImpersonationLevel" => "impersonation_level"
|
||||
"LogonGuid" => "user_logon_guid"
|
||||
"WorkstationName" => "src_host_name"
|
||||
"IpPort" => "src_port"
|
||||
"LogonProcessName" => "logon_process_name"
|
||||
"AuthenticationPackageName" => "logon_authentication_package_name"
|
||||
"TransmittedServices" => "logon_transmitted_services"
|
||||
"LmPackageName" => "logon_package_name"
|
||||
"KeyLength" => "logon_key_length"
|
||||
}
|
||||
}
|
||||
if "logon_elevated_token" == "Yes"{
|
||||
mutate { add_tag => ["elevated_logon"] }
|
||||
}
|
||||
}
|
||||
if [event_id] == 4625 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4625.md
|
||||
mutate {
|
||||
rename => {
|
||||
"SubjectUserSid" => "user_reporter_sid"
|
||||
"SubjectUserName" => "user_reporter_name"
|
||||
"SubjectDomainName" => "user_reporter_domain"
|
||||
"SubjectLogonId" => "reporter_logon_id"
|
||||
"ProcessId" => "process_id"
|
||||
"ProcessName" => "process_path"
|
||||
"LogonType" => "logon_type"
|
||||
"TargetUserName" => "user_name"
|
||||
"TargetDomainName" => "user_domain"
|
||||
"TargetUserSid" => "user_sid"
|
||||
"WorkstationName" => "src_host"
|
||||
"IpPort" => "src_port"
|
||||
"LogonProcessName" => "logon_process_name"
|
||||
"AuthenticationPackageName" => "logon_authentication_package_name"
|
||||
"TransmittedServices" => "logon_transmitted_services"
|
||||
"LmPackageName" => "logon_package_name"
|
||||
"KeyLength" => "logon_key_length"
|
||||
"FailureReason" => "logon_failure_reason"
|
||||
"Status" => "logon_failure_status"
|
||||
"SubStatus" => "logon_failure_substatus"
|
||||
}
|
||||
}
|
||||
if "logon_elevated_token" == "Yes"{
|
||||
mutate { add_tag => ["elevated_logon"] }
|
||||
}
|
||||
}
|
||||
if [event_id] == 4627 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4627.md
|
||||
mutate {
|
||||
rename => {
|
||||
"SubjectUserSid" => "user_reporter_sid"
|
||||
"SubjectUserName" => "user_reporter_name"
|
||||
"SubjectDomainName" => "user_reporter_domain"
|
||||
"SubjectLogonId" => "reporter_logon_id"
|
||||
"TargetLogonId" => "user_logon_id"
|
||||
"LogonType" => "logon_type"
|
||||
"TargetUserName" => "user_name"
|
||||
"TargetDomainName" => "user_domain"
|
||||
"TargetUserSid" => "user_sid"
|
||||
"GroupMembership" => "user_group_membership"
|
||||
}
|
||||
remove_field => [
|
||||
"EventCountTotal",
|
||||
"EventIdx"
|
||||
]
|
||||
}
|
||||
}
|
||||
if [event_id] == 4634 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4634.md
|
||||
mutate {
|
||||
rename => {
|
||||
"LogonType" => "logon_type"
|
||||
"TargetDomainName" => "user_domain"
|
||||
"TargetLogonId" => "user_logon_id"
|
||||
"TargetUserName" => "user_name"
|
||||
"TargetUserSid" => "user_sid"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4647 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4647.md
|
||||
mutate {
|
||||
rename => {
|
||||
"TargetDomainName" => "user_domain"
|
||||
"TargetLogonId" => "user_logon_id"
|
||||
"TargetUserName" => "user_name"
|
||||
"TargetUserSid" => "user_sid"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4648 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4648.md
|
||||
mutate {
|
||||
rename => {
|
||||
"SubjectUserSid" => "user_sid"
|
||||
"SubjectUserName" => "user_name"
|
||||
"SubjectDomainName" => "user_domain"
|
||||
"SubjectLogonId" => "user_logon_id"
|
||||
"LogonGuid" => "user_logon_guid"
|
||||
"TargetUserName" => "target_user_name"
|
||||
"TargetDomainName" => "target_user_domain"
|
||||
"ProcessId" => "process_id"
|
||||
"ProcessName" => "process_path"
|
||||
"TargetLogonId" => "target_user_logon_id"
|
||||
"TargetServerName" => "service_host_name"
|
||||
"TargetInfo" => "service_host_info"
|
||||
"TargetLogonGuid" => "target_user_logon_guid"
|
||||
"IpPort" => "src_port"
|
||||
}
|
||||
gsub => [ "target_user_logon_guid", "[{}]", "" ]
|
||||
}
|
||||
}
|
||||
if [event_id] == 4656 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4656.md
|
||||
mutate {
|
||||
rename => {
|
||||
"SubjectDomainName" => "user_domain"
|
||||
"SubjectLogonId" => "user_logon_id"
|
||||
"SubjectUserName" => "user_name"
|
||||
"SubjectUserSid" => "user_sid"
|
||||
"AccessList" => "object_access_list_requested"
|
||||
"AccessMask" => "object_access_mask_requested"
|
||||
"AccessReason" => "object_access_reason"
|
||||
"ObjectName" => "object_name"
|
||||
"ObjectServer" => "object_server"
|
||||
"ObjectType" => "object_type"
|
||||
"HandleId" => "object_access_handle_id"
|
||||
"PrivilegeList" => "object_privilege_list"
|
||||
"TransactionId" => "object_access_transaction_id"
|
||||
"ProcessId" => "process_id"
|
||||
"ProcessName" => "process_path"
|
||||
"ResourceAttributes" => "object_resource_attributes"
|
||||
"RestrictedSidCount" => "object_restricted_sid_count"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4657 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4657.md
|
||||
mutate {
|
||||
rename => {
|
||||
"SubjectDomainName" => "user_domain"
|
||||
"SubjectLogonId" => "user_logon_id"
|
||||
"SubjectUserName" => "user_name"
|
||||
"SubjectUserSid" => "user_sid"
|
||||
"ObjectName" => "object_name"
|
||||
"ObjectValueName" => "object_value_name"
|
||||
"HandleId" => "object_access_handle_id"
|
||||
"OperationType" => "object_operation_type"
|
||||
"ProcessId" => "process_id"
|
||||
"ProcessName" => "process_path"
|
||||
"OldValueType" => "object_value_old_type"
|
||||
"OldValue" => "object_value_old"
|
||||
"NewValueType" => "object_value_new_type"
|
||||
"NewValue" => "object_value_new"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4658 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4658.md
|
||||
mutate {
|
||||
rename => {
|
||||
"SubjectDomainName" => "user_domain"
|
||||
"SubjectLogonId" => "user_logon_id"
|
||||
"SubjectUserName" => "user_name"
|
||||
"SubjectUserSid" => "user_sid"
|
||||
"ProcessId" => "process_id"
|
||||
"ProcessName" => "process_path"
|
||||
"ObjectServer" => "object_server"
|
||||
"HandleId" => "object_access_handle_id"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4661 or [event_id] == 4662 or [event_id] == 4663 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4661.md
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4662.md
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4663.md
|
||||
mutate {
|
||||
rename => {
|
||||
"SubjectDomainName" => "user_domain"
|
||||
"SubjectLogonId" => "user_logon_id"
|
||||
"SubjectUserName" => "user_name"
|
||||
"SubjectUserSid" => "user_sid"
|
||||
"Properties" => "object_properties"
|
||||
"AccessMask" => "object_access_mask_requested"
|
||||
"HandleId" => "object_access_handle_id"
|
||||
"ObjectName" => "object_name"
|
||||
"ObjectServer" => "object_server"
|
||||
"ObjectType" => "object_type"
|
||||
"AdditionalInfo2" => "object_additional_info2"
|
||||
"OperationType" => "object_operation_type"
|
||||
"AdditionalInfo" => "object_additional_info"
|
||||
"AccessList" => "object_access_list_requested"
|
||||
"ResourceAttributes" => "object_resource_attributes"
|
||||
"ProcessId" => "process_id"
|
||||
"ProcessName" => "process_path"
|
||||
"AccessReason" => "object_access_reason"
|
||||
"PrivilegeList" => "object_privilege_list"
|
||||
"TransactionId" => "object_access_transaction_id"
|
||||
"RestrictedSidCount" => "object_restricted_sid_count"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4670 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4670.md
|
||||
mutate {
|
||||
rename => {
|
||||
"SubjectDomainName" => "user_domain"
|
||||
"SubjectLogonId" => "user_logon_id"
|
||||
"SubjectUserName" => "user_name"
|
||||
"SubjectUserSid" => "user_sid"
|
||||
"ProcessId" => "process_id"
|
||||
"ProcessName" => "process_path"
|
||||
"HandleId" => "object_access_handle_id"
|
||||
"NewSd" => "object_new_sddl"
|
||||
"ObjectName" => "object_name"
|
||||
"ObjectServer" => "object_server"
|
||||
"ObjectType" => "object_type"
|
||||
"OldSd" => "object_old_sddl"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4672 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4672.md
|
||||
mutate {
|
||||
rename => {
|
||||
"PrivilegeList" => "logon_privileges_assigned"
|
||||
"SubjectDomainName" => "user_domain"
|
||||
"SubjectLogonId" => "user_logon_id"
|
||||
"SubjectUserName" => "user_name"
|
||||
"SubjectUserSid" => "user_sid"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4673 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4673.md
|
||||
mutate {
|
||||
rename => {
|
||||
"PrivilegeList" => "service_privilege_list"
|
||||
"ObjectServer" => "object_server"
|
||||
"Service" => "service_name"
|
||||
"SubjectDomainName" => "user_domain"
|
||||
"SubjectLogonId" => "user_logon_id"
|
||||
"SubjectUserName" => "user_name"
|
||||
"SubjectUserSid" => "user_sid"
|
||||
"ProcessId" => "process_id"
|
||||
"ProcessName" => "process_path"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4674 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4674.md
|
||||
mutate {
|
||||
rename => {
|
||||
"SubjectDomainName" => "user_domain"
|
||||
"SubjectLogonId" => "user_logon_id"
|
||||
"SubjectUserName" => "user_name"
|
||||
"SubjectUserSid" => "user_sid"
|
||||
"ProcessId" => "process_id"
|
||||
"ProcessName" => "process_path"
|
||||
"AccessMask" => "object_access_mask_requested"
|
||||
"HandleId" => "object_access_handle_id"
|
||||
"ObjectName" => "object_name"
|
||||
"ObjectServer" => "object_server"
|
||||
"ObjectType" => "object_type"
|
||||
"PrivilegeList" => "object_privilege_list"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4688 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4688.md
|
||||
grok {
|
||||
match => { "NewProcessName" => ".*\\%{GREEDYDATA:process_name}" }
|
||||
tag_on_failure => [ "_NewProcessName_grokparsefailure", "_grokparsefailure", "_parsefailure" ]
|
||||
}
|
||||
if [ParentProcessName] {
|
||||
grok {
|
||||
match => { "ParentProcessName" => ".*\\%{GREEDYDATA:process_parent_name}" }
|
||||
tag_on_failure => [ "_ParentProcessName_grokparsefailure", "_grokparsefailure", "_parsefailure" ]
|
||||
}
|
||||
}
|
||||
mutate {
|
||||
rename => {
|
||||
"NewProcessId" => "process_id"
|
||||
"NewProcessName" => "process_path"
|
||||
"CommandLine" => "command_line"
|
||||
"ParentProcessName" => "process_parent_path"
|
||||
"SubjectDomainName" => "user_domain"
|
||||
"SubjectLogonId" => "user_logon_id"
|
||||
"SubjectUserName" => "user_name"
|
||||
"SubjectUserSid" => "user_sid"
|
||||
"TargetDomainName" => "user_principal_domain"
|
||||
"TargetUserSid" => "user_principal_sid"
|
||||
"TargetUserName" => "user_principal_name"
|
||||
"TargetLogonId" => "user_principal_id"
|
||||
"MandatoryLabel" => "process_mandatory_level"
|
||||
"ProcessId" => "process_parent_id"
|
||||
"TokenElevationType" => "process_token_elevation_type"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4689 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4689.md
|
||||
mutate {
|
||||
rename => {
|
||||
"SubjectDomainName" => "user_domain"
|
||||
"SubjectLogonId" => "user_logon_id"
|
||||
"SubjectUserName" => "user_name"
|
||||
"SubjectUserSid" => "user_sid"
|
||||
"ProcessId" => "process_id"
|
||||
"ProcessName" => "process_path"
|
||||
"Status" => "process_status"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4690 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4690.md
|
||||
mutate {
|
||||
rename => {
|
||||
"SubjectDomainName" => "user_domain"
|
||||
"SubjectLogonId" => "user_logon_id"
|
||||
"SubjectUserName" => "user_name"
|
||||
"SubjectUserSid" => "user_sid"
|
||||
"SourceHandleId" => "process_handle_id"
|
||||
"SourceProcessId" => "process_id"
|
||||
"TargetHandleId" => "target_process_handle_id"
|
||||
"TargetProcessId" => "target_process_id"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4697 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4697.md
|
||||
mutate {
|
||||
rename => {
|
||||
"SubjectDomainName" => "user_domain"
|
||||
"SubjectLogonId" => "user_logon_id"
|
||||
"SubjectUserName" => "user_name"
|
||||
"SubjectUserSid" => "user_sid"
|
||||
"ServiceAccount" => "service_account_name"
|
||||
"ServiceFileName" => "service_image_path"
|
||||
"ServiceName" => "service_name"
|
||||
"ServiceStartType" => "service_start_type"
|
||||
"ServiceType" => "service_type"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4701 or [event_id] == 4702 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4701.md
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4702.md
|
||||
mutate {
|
||||
rename => {
|
||||
"SubjectDomainName" => "user_domain"
|
||||
"SubjectLogonId" => "user_logon_id"
|
||||
"SubjectUserName" => "user_name"
|
||||
"SubjectUserSid" => "user_sid"
|
||||
"TaskContentNew" => "task_new_content"
|
||||
"TaskName" => "task_name"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4703 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4703.md
|
||||
mutate {
|
||||
rename => {
|
||||
"SubjectDomainName" => "user_domain"
|
||||
"SubjectLogonId" => "user_logon_id"
|
||||
"SubjectUserName" => "user_name"
|
||||
"SubjectUserSid" => "user_sid"
|
||||
"TargetDomainName" => "user_target_domain"
|
||||
"TargetLogonId" => "user_target_logon_id"
|
||||
"TargetUserSid" => "user_target_sid"
|
||||
"TargetUserName" => "user_target_name"
|
||||
"DisabledPrivilegeList" => "user_target_disabled_privilegelist"
|
||||
"EnabledPrivilegeList" => "user_target_enabled_privilegelist"
|
||||
"ProcessId" => "process_id"
|
||||
"ProcessName" => "process_path"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4719 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4719.md
|
||||
mutate {
|
||||
rename => {
|
||||
"SubjectDomainName" => "user_domain"
|
||||
"SubjectLogonId" => "user_logon_id"
|
||||
"SubjectUserName" => "user_name"
|
||||
"SubjectUserSid" => "user_sid"
|
||||
"AuditPolicyChanges" => "policy_changes"
|
||||
"CategoryId" => "policy_category_id"
|
||||
"SubcategoryGuid" => "policy_subcategory_guid"
|
||||
"SubcategoryId" => "policy_subcategory_id"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4724 or [event_id] == 4725 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4724.md
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4725.md
|
||||
mutate {
|
||||
rename => {
|
||||
"SubjectDomainName" => "user_domain"
|
||||
"SubjectLogonId" => "user_logon_id"
|
||||
"SubjectUserName" => "user_name"
|
||||
"SubjectUserSid" => "user_sid"
|
||||
"TargetDomainName" => "user_target_domain"
|
||||
"TargetSid" => "user_target_sid"
|
||||
"TargetUserName" => "user_target_name"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4726 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4726.md
|
||||
mutate {
|
||||
rename => {
|
||||
"SubjectDomainName" => "user_domain"
|
||||
"SubjectLogonId" => "user_logon_id"
|
||||
"SubjectUserName" => "user_name"
|
||||
"SubjectUserSid" => "user_sid"
|
||||
"TargetDomainName" => "user_target_domain"
|
||||
"TargetSid" => "user_target_sid"
|
||||
"TargetUserName" => "user_target_name"
|
||||
"PrivilegeList" => "user_privilege_list"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4728 or [event_id] == 4729 {
|
||||
mutate {
|
||||
rename => {
|
||||
"SubjectDomainName" => "user_domain"
|
||||
"SubjectLogonId" => "user_logon_id"
|
||||
"SubjectUserName" => "user_name"
|
||||
"SubjectUserSid" => "user_sid"
|
||||
"TargetDomainName" => "group_domain"
|
||||
"TargetSid" => "group_sid"
|
||||
"TargetUserName" => "group_name"
|
||||
"MemberName" => "group_member_name"
|
||||
"MemberSid" => "group_member_sid"
|
||||
"PrivilegeList" => "group_privilege_list"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4732 or [event_id] == 4733 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4732.md
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4733.md
|
||||
mutate {
|
||||
rename => {
|
||||
"SubjectDomainName" => "user_domain"
|
||||
"SubjectLogonId" => "user_logon_id"
|
||||
"SubjectUserName" => "user_name"
|
||||
"SubjectUserSid" => "user_sid"
|
||||
"TargetDomainName" => "group_domain"
|
||||
"TargetSid" => "group_sid"
|
||||
"TargetUserName" => "group_name"
|
||||
"MemberName" => "group_member_name"
|
||||
"MemberSid" => "group_member_sid"
|
||||
"PrivilegeList" => "group_privilege_list"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4738 or [event_id] == 4720 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4738.md
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4720.md
|
||||
mutate {
|
||||
rename => {
|
||||
"SubjectDomainName" => "user_domain"
|
||||
"SubjectLogonId" => "user_logon_id"
|
||||
"SubjectUserName" => "user_name"
|
||||
"SubjectUserSid" => "user_sid"
|
||||
"TargetDomainName" => "user_target_domain"
|
||||
"TargetSid" => "user_target_sid"
|
||||
"TargetUserName" => "user_target_name"
|
||||
"AccountExpires" => "user_attribute_account_expires"
|
||||
"AllowedToDelegateTo" => "user_attribute_allowed_todelegate"
|
||||
"DisplayName" => "user_attribute_display_name"
|
||||
"Dummy" => "user_attribute_dummy"
|
||||
"HomeDirectory" => "user_attribute_home_directory"
|
||||
"HomePath" => "user_attribute_home_path"
|
||||
"LogonHours" => "user_attribute_logon_hours"
|
||||
"NewUacValue" => "user_attribute_new_uacvalue"
|
||||
"OldUacValue" => "user_attribute_old_uacvalue"
|
||||
"PasswordLastSet" => "user_attribute_password_lastset"
|
||||
"PrimaryGroupId" => "[user_attribute_primary_group_id"
|
||||
"PrivilegeList" => "user_attribute_privilege_list"
|
||||
"ProfilePath" => "user_attribute_profile_path"
|
||||
"SamAccountName" => "user_attribute_samaccount_name"
|
||||
"ScriptPath" => "user_attribute_script_path"
|
||||
"SidHistory" => "user_attribute_sid_history"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4768 or [event_id] == 4769 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4768.md
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4769.md
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4771.md
|
||||
mutate {
|
||||
rename => {
|
||||
"TargetDomainName" => "user_domain"
|
||||
"TargetUserName" => "user_name"
|
||||
"IpPort" => "src_port"
|
||||
"PreAuthType" => "service_ticket_preauthtype"
|
||||
"LogonGuid" => "user_logon_guid"
|
||||
"ServiceName" => "service_ticket_name"
|
||||
"ServiceSid" => "service_ticket_id"
|
||||
"Status" => "service_ticket_status"
|
||||
"TicketEncryptionType" => "ticket_encryption_type"
|
||||
"TicketOptions" => "ticket_options"
|
||||
"FailureCode" => "ticket_failure_code"
|
||||
"TransmittedServices" => "service_ticket_requested"
|
||||
"TargetSid" => "user_sid"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4797 {
|
||||
mutate {
|
||||
rename => {
|
||||
"SubjectDomainName" => "user_domain"
|
||||
"SubjectLogonId" => "user_logon_id"
|
||||
"SubjectUserName" => "user_name"
|
||||
"SubjectUserSid" => "user_sid"
|
||||
"TargetDomainName" => "service_enumerated_domain"
|
||||
"TargetUserName" => "service_enumerated_name"
|
||||
"Workstation" => "host_name"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4798 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4798.md
|
||||
mutate {
|
||||
rename => {
|
||||
"CallerProcessId" => "process_id"
|
||||
"CallerProcessName" => "process_path"
|
||||
"SubjectDomainName" => "user_domain"
|
||||
"SubjectLogonId" => "user_logon_id"
|
||||
"SubjectUserName" => "user_name"
|
||||
"SubjectUserSid" => "user_sid"
|
||||
"TargetDomainName" => "user_domain_enumerated"
|
||||
"TargetSid" => "user_sid_enumerated"
|
||||
"TargetUserName" => "user_name_enumerated"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4799 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4799.md
|
||||
mutate {
|
||||
rename => {
|
||||
"CallerProcessId" => "process_id"
|
||||
"CallerProcessName" => "process_path"
|
||||
"SubjectDomainName" => "user_domain"
|
||||
"SubjectLogonId" => "user_logon_id"
|
||||
"SubjectUserName" => "user_name"
|
||||
"SubjectUserSid" => "user_sid"
|
||||
"TargetDomainName" => "group_domain_enumerated"
|
||||
"TargetSid" => "group_sid_enumerated"
|
||||
"TargetUserName" => "group_name_enumerated"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4800 or [event_id] == 4801 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4800.md
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4801.md
|
||||
mutate {
|
||||
rename => {
|
||||
"TargetDomainName" => "user_domain"
|
||||
"TargetUserSid" => "user_sid"
|
||||
"TargetUserName" => "user_name"
|
||||
"TargetLogonId" => "user_logon_id"
|
||||
"SessionId" => "user_session_id"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4907 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4907.md
|
||||
mutate {
|
||||
rename => {
|
||||
"SubjectDomainName" => "user_domain"
|
||||
"SubjectLogonId" => "user_logon_id"
|
||||
"SubjectUserName" => "user_name"
|
||||
"SubjectUserSid" => "user_sid"
|
||||
"ProcessId" => "process_id"
|
||||
"ProcessName" => "process_path"
|
||||
"HandleId" => "object_access_handle_id"
|
||||
"NewSd" => "object_new_sddl"
|
||||
"ObjectName" => "object_name"
|
||||
"ObjectServer" => "object_server"
|
||||
"ObjectType" => "object_type"
|
||||
"OldSd" => "object_old_sddl"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4957 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4957.md
|
||||
mutate {
|
||||
rename => {
|
||||
"RuleAttr" => "firewall_rule_attr"
|
||||
"RuleId" => "firewall_rule_id"
|
||||
"RuleName" => "firewall_rule_name"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 5058 or [event_id] == 5059 or [event_id] == 5061 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5058.md
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5059.md
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5061.md
|
||||
mutate {
|
||||
rename => {
|
||||
"SubjectDomainName" => "user_domain"
|
||||
"SubjectLogonId" => "user_logon_id"
|
||||
"SubjectUserName" => "user_name"
|
||||
"SubjectUserSid" => "user_sid"
|
||||
"AlgorithmName" => "key_algorithm_name"
|
||||
"KeyName" => "key_name"
|
||||
"KeyType" => "key_type"
|
||||
"Operation" => "key_operation"
|
||||
"ProviderName" => "key_provider_name"
|
||||
"ReturnCode" => "key_return_code"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 5136 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5136.md
|
||||
mutate {
|
||||
rename => {
|
||||
"SubjectDomainName" => "user_domain"
|
||||
"SubjectLogonId" => "user_logon_id"
|
||||
"SubjectUserName" => "user_name"
|
||||
"SubjectUserSid" => "user_sid"
|
||||
"OpCorrelationID" => "dsoperation_correlation_id"
|
||||
"AppCorrelationID" => "dsoperation_app_correlation_id"
|
||||
"DSName" => "dsobject_domain"
|
||||
"DSType" => "dsobject_domain_type"
|
||||
"ObjectDN" => "dsobject_dn"
|
||||
"ObjectGUID" => "dsobject_guid"
|
||||
"ObjectClass" => "dsobject_class"
|
||||
"AttributeLDAPDisplayName" => "dsobject_attribute_name"
|
||||
"AttributeSyntaxOID" => "dsobject_attribute_type"
|
||||
"AttributeValue" => "dsobject_attribute_value"
|
||||
"OperationType" => "dsoperation_type"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 5140 or [event_id] == 5145 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5140.md
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5145.md
|
||||
mutate {
|
||||
rename => {
|
||||
"SubjectDomainName" => "user_domain"
|
||||
"SubjectLogonId" => "user_logon_id"
|
||||
"SubjectUserName" => "user_name"
|
||||
"SubjectUserSid" => "user_sid"
|
||||
"AccessList" => "object_access_list_requested"
|
||||
"AccessMask" => "object_access_mask_requested"
|
||||
"AccessReason" => "user_access_reason"
|
||||
"IpPort" => "src_port"
|
||||
"ObjectType" => "object_type"
|
||||
"RelativeTargetName" => "share_relative_target_name"
|
||||
"ShareLocalPath" => "share_local_path"
|
||||
"ShareName" => "share_name"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 5152 or [event_id] == 5154 or [event_id] == 5156 or [event_id] == 5158 or [event_id] == 5157 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5152.md
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5154.md
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5156.md
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5157.md
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5158.md
|
||||
grok {
|
||||
match => {
|
||||
"Application" => ".*\\%{GREEDYDATA:process_name}"
|
||||
}
|
||||
tag_on_failure => [ "_Application_grokparsefailure", "_grokparsefailure", "_parsefailure" ]
|
||||
}
|
||||
mutate {
|
||||
rename => {
|
||||
"Application" => "process_path"
|
||||
"DestPort" => "dst_port"
|
||||
"Direction" => "network_direction"
|
||||
"FilterRTID" => "network_filter_rtid"
|
||||
"LayerName" => "network_layer_name"
|
||||
"LayerRTID" => "network_layer_rtid"
|
||||
"ProcessID" => "process_id"
|
||||
"Protocol" => "network_protocol"
|
||||
"RemoteMachineID" => "dst_host_name_id"
|
||||
"RemoteUserID" => "dst_user_id"
|
||||
"SourcePort" => "src_port"
|
||||
"ProcessId" => "process_id"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 5447 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5447.md
|
||||
mutate {
|
||||
rename => {
|
||||
"SubjectDomainName" => "user_domain"
|
||||
"SubjectLogonId" => "user_logon_id"
|
||||
"SubjectUserName" => "user_name"
|
||||
"SubjectUserSid" => "user_sid"
|
||||
"AccessList" => "object_access_list_requested"
|
||||
"AccessMask" => "object_access_mask_requested"
|
||||
"AccessReason" => "user_access_reason"
|
||||
"IpPort" => "src_port"
|
||||
"ObjectType" => "object_type"
|
||||
"RelativeTargetName" => "share_relative_target_name"
|
||||
"ShareLocalPath" => "share_local_path"
|
||||
"ShareName" => "share_name"
|
||||
"Action" => "filtering_action"
|
||||
"CalloutKey" => "filtering_callout_key"
|
||||
"CalloutName" => "filtering_callout_name"
|
||||
"ChangeType" => "filtering_change_type"
|
||||
"Conditions" => "filtering_conditions"
|
||||
"FilterId" => "filtering_id"
|
||||
"FilterKey" => "filtering_key"
|
||||
"FilterName" => "filtering_name"
|
||||
"FilterType" => "filtering_type"
|
||||
"LayerId" => "filtering_layer_id"
|
||||
"LayerKey" => "filtering_layer_key"
|
||||
"LayerName" => "filtering_layer_name"
|
||||
"ProcessId" => "process_id"
|
||||
"ProviderKey" => "filtering_provider_key"
|
||||
"ProviderName" => "filtering_provider_name"
|
||||
"UserName" => "user_name"
|
||||
"UserSid" => "user_sid"
|
||||
"Weight" => "filtering_weight"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 6416 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-6416.md
|
||||
mutate {
|
||||
rename => {
|
||||
"SubjectDomainName" => "user_domain"
|
||||
"SubjectLogonId" => "user_logon_id"
|
||||
"SubjectUserName" => "user_name"
|
||||
"SubjectUserSid" => "user_sid"
|
||||
"ClassId" => "device_class_id"
|
||||
"ClassName" => "device_class_name"
|
||||
"CompatibleIds" => "device_compatible_ids"
|
||||
"DeviceDescription" => "device_description"
|
||||
"DeviceId" => "device_id"
|
||||
"LocationInformation" => "device_location_information"
|
||||
"VendorIds" => "device_vendor_ids"
|
||||
}
|
||||
}
|
||||
}
|
||||
mutate { rename => { "computer_name" => "host_name" } }
|
||||
}
|
||||
}
|
||||
|
|
@ -5,29 +5,32 @@
|
|||
|
||||
filter {
|
||||
if [log_name] == "System" {
|
||||
mutate { add_field => { "z_logstash_pipeline" => "1533" } }
|
||||
if [event_id] == 7045 {
|
||||
# https://cyberwardog.blogspot.com/2017/04/chronicles-of-threat-hunter-hunting-for_11.html
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][AccountName]" => "service_account_name"
|
||||
"[event_data][ImagePath]" => "service_image_path"
|
||||
"[event_data][ServiceName]" => "service_name"
|
||||
"[event_data][ServiceType]" => "service_type"
|
||||
"[event_data][StartType]" => "service_start_type"
|
||||
"AccountName" => "service_account_name"
|
||||
"ImagePath" => "service_image_path"
|
||||
"ServiceName" => "service_name"
|
||||
"ServiceType" => "service_type"
|
||||
"StartType" => "service_start_type"
|
||||
}
|
||||
add_tag => ["new_service"]
|
||||
remove_field => ["message"]
|
||||
remove_field => "host"
|
||||
remove_field => "process_id"
|
||||
add_tag => [ "new_service" ]
|
||||
remove_field => [
|
||||
"message",
|
||||
"host",
|
||||
"process_id"
|
||||
]
|
||||
}
|
||||
}
|
||||
if [event_id] == 16 {
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][HiveName]" => "hive_name"
|
||||
"[event_data][HiveNameLength]" => "hive_name_length"
|
||||
"[event_data][KeysUpdated]" => "hive_keys_updated"
|
||||
"[event_data][DirtyPages]" => "hive_dirty_pages"
|
||||
"HiveName" => "hive_name"
|
||||
"HiveNameLength" => "hive_name_length"
|
||||
"KeysUpdated" => "hive_keys_updated"
|
||||
"DirtyPages" => "hive_dirty_pages"
|
||||
}
|
||||
}
|
||||
}
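Review bot: The `if [event_id] == 7045` branch is keyed on the event ID alone, so any other System-log provider that emits ID 7045 also gets the `new_service` tag and loses `message`, `host` and `process_id`; the `if [event_id] == 16` branch is unscoped in the same way, though its renames are no-ops when the hive fields are absent. Since 7045 is the Service Control Manager's service-installed event, gating it as `if [event_id] == 7045 and [source_name] == "Service Control Manager" {` keeps the tag reliable for anything that alerts on it. The `source_name` field is already used for exactly this kind of scoping in the Application-log file in this change.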
|
|
@ -6,19 +6,16 @@
|
|||
filter {
|
||||
if [log_name] == "Application"{
|
||||
if [source_name] == "Microsoft-Windows-Security-SPP"{
|
||||
mutate { add_field => { "z_logstash_pipeline" => "1534" } }
|
||||
if [event_id] == 16384 {
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][param1]" => "spp_restart_scheduled"
|
||||
"[event_data][param2]" => "spp_restart_reason"
|
||||
"param1" => "spp_restart_scheduled"
|
||||
"param2" => "spp_restart_reason"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
mutate {
|
||||
rename => {
|
||||
"computer_name" => "host_name"
|
||||
}
|
||||
}
|
||||
mutate { rename => { "computer_name" => "host_name" } }
|
||||
}
|
||||
}
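Review bot: The conditionals `if [log_name] == "Application"{` and `if [source_name] == "Microsoft-Windows-Security-SPP"{` omit the space before the opening brace, unlike every other conditional in this change (`if [log_name] == "System" {`), so the refactored file still reads inconsistently. Touching them while this file is being reworked, as `if [log_name] == "Application" {` and `if [source_name] == "Microsoft-Windows-Security-SPP" {`, brings it in line with the rest of the pipeline. The `z_logstash_pipeline` marker is only added inside the SPP branch while the `computer_name` rename now runs for every Application event; that is fine if the marker is meant to track per-provider handling only.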
|
|
@ -5,6 +5,7 @@
|
|||
|
||||
filter {
|
||||
if [log_name] == "Microsoft-Windows-WMI-Activity/Operational"{
|
||||
mutate { add_field => { "z_logstash_pipeline" => "1535" } }
|
||||
mutate {
|
||||
rename => {
|
||||
"[user][domain]" => "user_reporter_domain"
|
||||
|
@ -14,10 +15,10 @@ filter {
|
|||
"computer_name" => "host_name"
|
||||
}
|
||||
}
|
||||
if [event_data][User] {
|
||||
if [User] {
|
||||
grok {
|
||||
match => { "[event_data][User]" => "%{GREEDYDATA:user_domain}\\%{GREEDYDATA:user_name}" }
|
||||
tag_on_failure => [ "_grokparsefailure", "_parsefailure" ]
|
||||
match => { "User" => "%{GREEDYDATA:user_domain}\\%{GREEDYDATA:user_name}" }
|
||||
tag_on_failure => [ "_User_grokparsefailure", "_grokparsefailure", "_parsefailure" ]
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -236,11 +237,7 @@ filter {
|
|||
}
|
||||
|
||||
# Common to all events
|
||||
mutate {
|
||||
convert => {
|
||||
"process_id" => "integer"
|
||||
}
|
||||
}
|
||||
mutate { convert => { "process_id" => "integer" } }
|
||||
}
|
||||
}
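Review bot: The `User` grok in the second hunk requires a backslash in the value, so an account string without a domain prefix is tagged `_User_grokparsefailure`, `_grokparsefailure` and `_parsefailure` even though nothing is malformed, and the original `User` field is left beside the new `user_domain`/`user_name`. If domain-less values are possible for this source, `match => { "User" => "^(%{GREEDYDATA:user_domain}\\)?%{GREEDYDATA:user_name}$" }` captures both shapes without the failure tags, and `remove_field => [ "User" ]` on the grok drops the duplicate on success. The enclosing `filter`/`if [log_name]` block begins and ends outside these hunks.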
|
||||
|
|
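--- /dev/null
+++ b/PLACEHOLDER_PATH_pipeline_1543
@@ -0,0 +1,42 @@
+filter {
+
+if [event_id] {
+
+if [user_logon_id] {
+mutate { add_field => { "z_logstash_pipeline" => "1543_1" } }
+mutate { gsub => [ "user_logon_id", "0x", "" ]}
+ruby {
+code => "event.set('user_logon_id', event.get('user_logon_id').to_s.hex)"
+tag_on_exception => "_rubyexception_1543_1"
+}
+}
+if [process_id] {
+mutate { add_field => { "z_logstash_pipeline" => "1543_2" } }
+mutate { gsub => [ "process_id", "0x", "" ]}
+ruby {
+code => "event.set('process_id', event.get('process_id').to_s.hex)"
+tag_on_exception => "_rubyexception_1543_2"
+}
+}
+if [process_parent_id] {
+mutate { add_field => { "z_logstash_pipeline" => "1543_3" } }
+mutate { gsub => [ "process_parent_id", "0x", "" ]}
+ruby {
+code => "event.set('process_parent_id', event.get('process_parent_id').to_s.hex)"
+tag_on_exception => "_rubyexception_1543_3"
+}
+}
+if [target_process_id] {
+mutate { add_field => { "z_logstash_pipeline" => "1543_4" } }
+mutate { gsub => [ "target_process_id", "0x", "" ]}
+ruby {
+code => "event.set('target_process_id', event.get('target_process_id').to_s.hex)"
+tag_on_exception => "_rubyexception_1543_4"
+}
+}
+if [ProdessName] {
+mutate { rename => { "ProdessName" => "ProcessName" } }
+}
+
+}
+}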
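Review bot: Each hex-to-integer block fires whenever the field exists, so a `process_id`, `process_parent_id`, `target_process_id` or `user_logon_id` that is already decimal is re-read as hex by `.to_s.hex` (1234 becomes 4660), and the WMI-Activity file earlier in this change converts `process_id` to an integer in its "Common to all events" mutate just before this stage, so its values look like a candidate for that corruption. Gating each block on the prefix, e.g. `if [process_id] =~ /^0x/ {`, and anchoring the gsub as `mutate { gsub => [ "process_id", "^0x", "" ] }` limits the conversion to values that are actually hex-formatted; whether any upstream source emits bare hex without the `0x` prefix should be checked before relying on that guard. The trailing `ProdessName` → `ProcessName` rename runs after the per-event `"ProcessName" => "process_path"` renames in the Security-log file shown earlier on this page, assuming pipeline files load in name order, so the corrected field never reaches `process_path` unless a later stage picks it up.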
|
|
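--- /dev/null
+++ b/PLACEHOLDER_PATH_pipeline_1544
@@ -0,0 +1,8 @@
+filter {
+if [event_id] {
+if [user_logon_guid] {
+mutate { add_field => { "z_logstash_pipeline" => "1544" } }
+mutate { gsub => [ "user_logon_guid", "[{}]", "" ] }
+}
+}
+}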
|
|
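--- /dev/null
+++ b/PLACEHOLDER_PATH_pipeline_2511
@@ -0,0 +1,207 @@
+# HELK powershell filter conf file
+# HELK build Stage: Alpha
+# Author: Roberto Rodriguez (@Cyb3rWard0g)
+# License: GPL-3.0
+
+# Reference:
+# Nate Guagenti (@neu5ron) https://gist.github.com/neu5ron/450289373db61d5c8d7378e79455ef07#file-511-windows-event-powershell-operational-conf
+
+filter {
+if [source_name] == "Microsoft-Windows-PowerShell" or [source_name] == "PowerShell" {
+if [event_id] == 4103 {
+mutate { add_field => { "z_logstash_pipeline" => "2511_1" } }
+mutate {
+add_field => {
+"PayloadInvocation" => "%{Payload}"
+"PayloadParams" => "%{Payload}"
+}
+gsub => [
+"ContextInfo", " ", "",
+"ContextInfo", " = ", "="
+]
+}
+kv {
+source => "ContextInfo"
+field_split => "\r\n"
+value_split => "="
+remove_char_key => " "
+allow_duplicate_values => false
+include_keys => [
+"Severity",
+"HostName",
+"HostVersion",
+"HostID",
+"HostApplication",
+"EngineVersion",
+"RunspaceID",
+"PipelineID",
+"CommandName",
+"CommandType",
+"ScriptName",
+"CommandPath",
+"SequenceNumber",
+"ConnectedUser",
+"ShellID"
+]
+}
+mutate {
+gsub => [
+"PayloadInvocation", "CommandInvocation\(.*\)", "CommandInvocation",
+"PayloadInvocation", "ParameterBinding.*\r\n", "",
+"PayloadParams", "CommandInvocation.*\r\n", "",
+"PayloadParams", "ParameterBinding\(\S+\): ", "|||SPLITMEHEHE|||",
+"Payload", "CommandInvocation.*\r\n", "",
+"Payload", "ParameterBinding.*\r\n", ""
+]
+}
+kv {
+source => "PayloadInvocation"
+field_split => "\n"
+value_split => ":"
+allow_duplicate_values => false
+target => "[powershell]"
+include_keys => [ "CommandInvocation" ]
+}
+ruby {
+code => "
+params_split = event.get('PayloadParams').split('|||SPLITMEHEHE|||')
+params_split = params_split.drop(1)
+params_split_length = params_split.length
+all_names = Array.new
+all_values = Array.new
+all_values_non_alphanumeric = Array.new
+all_contains_net = Array.new
+all_ascii_only = Array.new
+
+for param in params_split
+slice_and_dice = param.index('; value=')
+param_name = param.slice(6..slice_and_dice-2)
+param_value = param.slice(param.index('value=')..-1)[6..-1]
+param_value = param_value.strip
+param_value[0] = ''
+param_value[-1] = ''
+value_non_alphanumeric = param_value.gsub(/[A-Za-z0-9\s]+/i, '')
+value_lowercased = param_value.downcase
+if !param_value.nil?
+all_values.push(param_value)
+all_values_non_alphanumeric.push(value_non_alphanumeric)
+end
+if !param_name.nil?
+all_names.push(param_name)
+end
+end
+all_names = all_names.uniq
+all_values = all_values.uniq
+all_values_non_alphanumeric = all_values_non_alphanumeric.uniq
+event.set('[powershell][param][name]', all_names)
+event.set('[powershell][param][value]', all_values)
+event.set('[powershell][param][value_nonalphanumeric]', all_values_non_alphanumeric)
+"
+tag_on_exception => "_rubyexception_2511_1"
+}
+prune { blacklist_values => [ "Payload", "^$" ] }
+mutate {
+rename => {
+"CommandName" => "[powershell][command][name]"
+"CommandPath" => "[powershell][command][path]"
+"CommandType" => "[powershell][command][type]"
+"ConnectedUser" => "[powershell][connected_user]"
+"EngineVersion" => "[powershell][engine_version]"
+"HostApplication" => "[powershell][host][application]"
+"HostID" => "[powershell][host][id]"
+"HostName" => "[powershell][host][name]"
+"HostVersion" => "[powershell][host][version]"
+"PipelineID" => "[powershell][pipeline_id]"
+"RunspaceID" => "[powershell][runspace_id]"
+"Scriptname" => "[powershell][script][name]"
+"SequenceNumber" => "[powershell][sequence_number]"
+"ShellID" => "[powershell][shell_id]"
+"Payload" => "[powershell][remaining_payload]"
+}
+remove_field => [
+"Severity",
+"EventType",
+"Keywords",
+"message",
+"Opcode",
+"PayloadInvocation",
+"PayloadParams",
+"Payload",
+"ContextInfo"
+]
+convert => {
+"[powershell][pipeline_id]" => "integer"
+"[powershell][sequence_number]" => "integer"
+}
+}
+}
+if [event_id] == 4104 {
+mutate { add_field => { "z_logstash_pipeline" => "2511_2" } }
+if [ScriptBlockText] {
+mutate { remove_field => [ "message" ] }
+}
+else {
+# Lets use GSUB to make sure we can get things to split on / make it easier more efficient to split on
+grok {
+match => {
+"message" => "^Creating Scriptblock text \(%{INT:MessageNumber} of %{INT:MessageTotal}\):\r\n%{GREEDYDATA:ScriptBlockText}\r\n\r\nScriptBlock ID: %{UUID:ScriptBlockId}\r\nPath: %{DATA:Path}$"
+}
+break_on_match => true
+keep_empty_captures => false
+named_captures_only => true
+# Sometimes the ScriptBlockText literally could be empty, so you may see this in _grokparesfailure and would then cause a ruby failure below.
+tag_on_failure => [ "_grokparsefailure", "_parsefailure" ]
+tag_on_timeout => "_groktimeout"
+# Timeout 1.5 seconds
+timeout_millis => 1500
+remove_field => [ "message" ]
+}
+}
+mutate {
+rename => {
+"MessageNumber" => "[powershell][scriptblock][message_number]"
+"MessageTotal" => "[powershell][scriptblock][message_total]"
+"ScriptBlockId" => "[powershell][scriptblock][id]"
+"ScriptBlockText" => "[powershell][scriptblock][text]"
+"Path" => "[powershell][script][path]"
+}
+}
+}
+if [event_id] == 400 or [event_id] == 600 {
+kv {
+source => "param3"
+field_split => "\n"
+value_split => "="
+trim_key => "\t"
+allow_duplicate_values => false
+}
+mutate {
+rename => {
+"ProviderName" => "[powershell][providername]"
+"NewProviderState" => "[powershell][newproviderstate]"
+"SequenceNumber" => "[powershell][sequence_number]"
+"HostName" => "[powershell][host][name]"
+"HostVersion" => "[powershell][host][version]"
+"HostId" => "[powershell][host][id]"
+"HostApplication" => "[powershell][host][application]"
+"EngineVersion" => "[powershell][engine_version]"
+"RunspaceId" => "[powershell][runspace_id]"
+"PipelineId" => "[powershell][pipeline_id]"
+"CommandName" => "[powershell][command][name]"
+"CommandType" => "[powershell][command][type]"
+"ScriptName" => "[powershell][script][name]"
+"CommandPath" => "[powershell][command][path]"
+"CommandLine" => "[powershell][command][line]"
+"NewEngineState" => "[powershell][newengine_state]"
+"PreviousEngineState" => "[powershell][previousengine_state]"
+}
+remove_field => [
+"message",
+"param1",
+"param2",
+"param3"
+]
+}
+}
+}
+}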
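Review bot: In the 4103 rename block the key is spelled `"Scriptname"` while the `ContextInfo` kv extracts `"ScriptName"`, so the script name never moves under `[powershell][script][name]` and is left as a top-level `ScriptName` (the 400/600 block spells it correctly); the line should read `"ScriptName" => "[powershell][script][name]"`. As rendered, the first `ContextInfo` gsub pattern is a single space, which would strip every space from the value, including inside the host application command line, and leave nothing for the following `" = "` pattern to match; if the original is a run of leading spaces that the page collapsed, disregard this. In the 4103 ruby block `param.index('; value=')` returns nil for a parameter without that separator, so `slice_and_dice-2` raises and the whole event is tagged `_rubyexception_2511_1` with no parameters recorded; a `next if slice_and_dice.nil?` at the top of the loop would keep the well-formed parameters. `all_contains_net`, `all_ascii_only`, `params_split_length` and `value_lowercased` are assigned but never used.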
|
|
@ -6,7 +6,7 @@ filter {
|
|||
if [log_name] == "Security" {
|
||||
# event_id 4698 for Created Scheduled Task
|
||||
if [event_id] == 4698 {
|
||||
mutate { add_field => { "z_logstash_pipeline" => "0511" } }
|
||||
mutate { add_field => { "z_logstash_pipeline" => "2512" } }
|
||||
# Copy Message field incase we bork/mess it up
|
||||
mutate { copy => { "Message" => "deleteme" } }
|
||||
# #TONOTE: encoding is UTF-16
|
|
@ -0,0 +1,81 @@
|
|||
filter {
|
||||
#TONOTE: On all IPs below, even though we have determined that it is IPv4 and IPv6 and will alter rename the field if it is an IPv6 address differently than IPv4 -- We still need to keep it as that single field for this configuration -- because sometimes a single IP type can already have both IPv6 and IPv4 from before -- examples are Cisco ASA Logs and Windows EventID "4769" in Channel "Security"
|
||||
|
||||
if [dst_ip_addr] {
|
||||
# Add pipeline field
|
||||
mutate { add_field => { "z_logstash_pipeline" => "8012" } }
|
||||
ruby {
|
||||
code => "
|
||||
temp_ip_addresses = event.get('dst_ip_addr')
|
||||
ip_addresses = Array.new
|
||||
|
||||
# Determine if the IP field is an array if not make it an array
|
||||
if temp_ip_addresses.is_a? Enumerable
|
||||
ip_addresses = temp_ip_addresses.uniq
|
||||
else
|
||||
ip_addresses.push(temp_ip_addresses)
|
||||
end
|
||||
|
||||
clean_ip_addresses_v4 = Array.new
|
||||
clean_ip_addresses_v6 = Array.new
|
||||
not_ip_addresses = Array.new
|
||||
|
||||
ipv6_regex = /((([0-9a-f]{1,4}:){7}([0-9a-f]{1,4}|:))|(([0-9a-f]{1,4}:){6}(:[0-9a-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){5}(((:[0-9a-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){4}(((:[0-9a-f]{1,4}){1,3})|((:[0-9a-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){3}(((:[0-9a-f]{1,4}){1,4})|((:[0-9a-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){2}(((:[0-9a-f]{1,4}){1,5})|((:[0-9a-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){1}(((:[0-9a-f]{1,4}){1,6})|((:[0-9a-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9a-f]{1,4}){1,7})|((:[0-9a-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?/
|
||||
|
||||
for ip_address in ip_addresses
|
||||
#### General Cleanup
|
||||
# Remove ending '.'
|
||||
ip_address = ip_address.chomp
|
||||
# Remove preceeding '.'# Don't ask.. reverse + chomp + reverse up to 16 times faster
|
||||
ip_address = ip_address.reverse.chomp('.').reverse
|
||||
# Remove ending or beginning whitespace
|
||||
ip_address = ip_address.lstrip.rstrip
|
||||
# Remove things that would make an IP a share but we want the IP :)
|
||||
ip_address = ip_address.gsub(/^\\:?/, '')
|
||||
# Downcase/lowercase for checking if possible ipv6
|
||||
ip_address = ip_address.downcase
|
||||
|
||||
# Likely IPv4 #Check if at most 15 characters (a fully represented IPv4 address with periods\.) and minimum of 7
|
||||
ip_address_length = ip_address.length
|
||||
if !ip_address.include?(':') && !( /[a-z]/ === ip_address ) && ip_address_length <= 15 && ip_address_length >= 7 && ip_address.ascii_only?
|
||||
# Remove any preceeding zeroes in each octet
|
||||
temp_ip = Array.new
|
||||
ip_address.split('.').each do |octet|
|
||||
octet = octet.to_i.to_s
|
||||
temp_ip.push(octet)
|
||||
end
|
||||
ip_address = temp_ip.join('.')
|
||||
clean_ip_addresses_v4.push(ip_address)
|
||||
|
||||
# Likely IPv6 #Check if at most 39 characters (a fully represented IPv6 address with colons\:) and minimum of 2
|
||||
elsif ip_address_length <= 39 && ip_address_length >= 2 && ip_address.ascii_only?
|
||||
if ipv6_regex === ip_address
|
||||
clean_ip_addresses_v6.push(ip_address)
|
||||
else
|
||||
not_ip_addresses.push(ip_address)
|
||||
end
|
||||
else
|
||||
not_ip_addresses.push(ip_address)
|
||||
end
|
||||
end
|
||||
|
||||
# Set the new IP addresses
|
||||
if !clean_ip_addresses_v4.empty?
|
||||
event.set('dst_ip_addr', clean_ip_addresses_v4)
|
||||
# Set the number of ip addresses so we can use array or non array later in pipeline
|
||||
event.set('temp_number_of_ipv4_dst_addresses', clean_ip_addresses_v4.length)
|
||||
else
|
||||
event.remove('dst_ip_addr')
|
||||
end
|
||||
if !clean_ip_addresses_v6.empty?
|
||||
event.set('ipv6_dst_addr', clean_ip_addresses_v6)
|
||||
#TODO:eventually set ipv6 number of ip addresses
|
||||
end
|
||||
if !not_ip_addresses.empty?
|
||||
event.set('not_ip_dst', not_ip_addresses)
|
||||
end
|
||||
"
|
||||
tag_on_exception => "_rubyexception_8012"
|
||||
}
|
||||
}
|
||||
}
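Review bot: The IPv4 branch (`if !ip_address.include?(':') && !( /[a-z]/ === ip_address ) && ip_address_length <= 15 && ip_address_length >= 7`) only checks length and character class, so inputs such as `1234567` or `999.999.999.999` are pushed to clean_ip_addresses_v4 and later reach the public/private classification and the GeoIP lookup instead of not_ip_dst; the rewrite below accepts a value as IPv4 only when it has four decimal octets of at most 255. Separately, the line commented `# Remove ending '.'` calls bare `ip_address.chomp`, which strips a trailing newline rather than a period (the leading-dot removal correctly uses `chomp('.')`), so it should read `ip_address = ip_address.chomp('.')`. The same ruby block is repeated verbatim in the 8013, 8014 and 8015 sections, so both fixes have to be applied four times; loading one script through the ruby filter's `path`/`script_params` options would remove that drift risk if the target Logstash version supports them.
```ruby
# … unchanged: general cleanup (chomp/strip/downcase) …
ip_address_length = ip_address.length
octets = ip_address.split('.')
if !ip_address.include?(':') && octets.length == 4 && octets.all? { |o| o =~ /\A\d{1,3}\z/ && o.to_i <= 255 }
  # Normalise each octet (drops leading zeroes) before keeping it as IPv4
  ip_address = octets.map { |o| o.to_i.to_s }.join('.')
  clean_ip_addresses_v4.push(ip_address)
# … unchanged: IPv6 and not-an-IP branches …
```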
|
|
@ -0,0 +1,81 @@
|
|||
filter {
|
||||
#TONOTE: On all IPs below, even though we have determined that it is IPv4 and IPv6 and will alter rename the field if it is an IPv6 address differently than IPv4 -- We still need to keep it as that single field for this configuration -- because sometimes a single IP type can already have both IPv6 and IPv4 from before -- examples are Cisco ASA Logs and Windows EventID "4769" in Channel "Security"
|
||||
|
||||
if [src_ip_addr] {
|
||||
# Add pipeline field
|
||||
mutate { add_field => { "z_logstash_pipeline" => "8013" } }
|
||||
ruby {
|
||||
code => "
|
||||
temp_ip_addresses = event.get('src_ip_addr')
|
||||
ip_addresses = Array.new
|
||||
|
||||
# Determine if the IP field is an array if not make it an array
|
||||
if temp_ip_addresses.is_a? Enumerable
|
||||
ip_addresses = temp_ip_addresses.uniq
|
||||
else
|
||||
ip_addresses.push(temp_ip_addresses)
|
||||
end
|
||||
|
||||
clean_ip_addresses_v4 = Array.new
|
||||
clean_ip_addresses_v6 = Array.new
|
||||
not_ip_addresses = Array.new
|
||||
|
||||
ipv6_regex = /((([0-9a-f]{1,4}:){7}([0-9a-f]{1,4}|:))|(([0-9a-f]{1,4}:){6}(:[0-9a-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){5}(((:[0-9a-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){4}(((:[0-9a-f]{1,4}){1,3})|((:[0-9a-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){3}(((:[0-9a-f]{1,4}){1,4})|((:[0-9a-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){2}(((:[0-9a-f]{1,4}){1,5})|((:[0-9a-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){1}(((:[0-9a-f]{1,4}){1,6})|((:[0-9a-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9a-f]{1,4}){1,7})|((:[0-9a-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?/
|
||||
|
||||
for ip_address in ip_addresses
|
||||
#### General Cleanup
|
||||
# Remove ending '.'
|
||||
ip_address = ip_address.chomp
|
||||
# Remove preceeding '.'# Don't ask.. reverse + chomp + reverse up to 16 times faster
|
||||
ip_address = ip_address.reverse.chomp('.').reverse
|
||||
# Remove ending or beginning whitespace
|
||||
ip_address = ip_address.lstrip.rstrip
|
||||
# Remove things that would make an IP a share but we want the IP :)
|
||||
ip_address = ip_address.gsub(/^\\:?/, '')
|
||||
# Downcase/lowercase for checking if possible ipv6
|
||||
ip_address = ip_address.downcase
|
||||
|
||||
# Likely IPv4 #Check if at most 15 characters (a fully represented IPv4 address with periods\.) and minimum of 7
|
||||
ip_address_length = ip_address.length
|
||||
if !ip_address.include?(':') && !( /[a-z]/ === ip_address ) && ip_address_length <= 15 && ip_address_length >= 7 && ip_address.ascii_only?
|
||||
# Remove any preceeding zeroes in each octet
|
||||
temp_ip = Array.new
|
||||
ip_address.split('.').each do |octet|
|
||||
octet = octet.to_i.to_s
|
||||
temp_ip.push(octet)
|
||||
end
|
||||
ip_address = temp_ip.join('.')
|
||||
clean_ip_addresses_v4.push(ip_address)
|
||||
|
||||
# Likely IPv6 #Check if at most 39 characters (a fully represented IPv6 address with colons\:) and minimum of 2
|
||||
elsif ip_address_length <= 39 && ip_address_length >= 2 && ip_address.ascii_only?
|
||||
if ipv6_regex === ip_address
|
||||
clean_ip_addresses_v6.push(ip_address)
|
||||
else
|
||||
not_ip_addresses.push(ip_address)
|
||||
end
|
||||
else
|
||||
not_ip_addresses.push(ip_address)
|
||||
end
|
||||
end
|
||||
|
||||
# Set the new IP addresses
|
||||
if !clean_ip_addresses_v4.empty?
|
||||
event.set('src_ip_addr', clean_ip_addresses_v4)
|
||||
# Set the number of ip addresses so we can use array or non array later in pipeline
|
||||
event.set('temp_number_of_ipv4_src_addresses', clean_ip_addresses_v4.length)
|
||||
else
|
||||
event.remove('src_ip_addr')
|
||||
end
|
||||
if !clean_ip_addresses_v6.empty?
|
||||
event.set('ipv6_src_addr', clean_ip_addresses_v6)
|
||||
#TODO:eventually set ipv6 number of ip addresses
|
||||
end
|
||||
if !not_ip_addresses.empty?
|
||||
event.set('not_ip_src', not_ip_addresses)
|
||||
end
|
||||
"
|
||||
tag_on_exception => "_rubyexception_8013"
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,81 @@
|
|||
filter {
|
||||
#TONOTE: On all IPs below, even though we have determined that it is IPv4 and IPv6 and will alter rename the field if it is an IPv6 address differently than IPv4 -- We still need to keep it as that single field for this configuration -- because sometimes a single IP type can already have both IPv6 and IPv4 from before -- examples are Cisco ASA Logs and Windows EventID "4769" in Channel "Security"
|
||||
|
||||
if [dst_nat_ip_addr] {
|
||||
# Add pipeline field
|
||||
mutate { add_field => { "z_logstash_pipeline" => "8014" } }
|
||||
ruby {
|
||||
code => "
|
||||
temp_ip_addresses = event.get('dst_nat_ip_addr')
|
||||
ip_addresses = Array.new
|
||||
|
||||
# Determine if the IP field is an array if not make it an array
|
||||
if temp_ip_addresses.is_a? Enumerable
|
||||
ip_addresses = temp_ip_addresses.uniq
|
||||
else
|
||||
ip_addresses.push(temp_ip_addresses)
|
||||
end
|
||||
|
||||
clean_ip_addresses_v4 = Array.new
|
||||
clean_ip_addresses_v6 = Array.new
|
||||
not_ip_addresses = Array.new
|
||||
|
||||
ipv6_regex = /((([0-9a-f]{1,4}:){7}([0-9a-f]{1,4}|:))|(([0-9a-f]{1,4}:){6}(:[0-9a-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){5}(((:[0-9a-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){4}(((:[0-9a-f]{1,4}){1,3})|((:[0-9a-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){3}(((:[0-9a-f]{1,4}){1,4})|((:[0-9a-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){2}(((:[0-9a-f]{1,4}){1,5})|((:[0-9a-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){1}(((:[0-9a-f]{1,4}){1,6})|((:[0-9a-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9a-f]{1,4}){1,7})|((:[0-9a-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?/
|
||||
|
||||
for ip_address in ip_addresses
|
||||
#### General Cleanup
|
||||
# Remove ending '.'
|
||||
ip_address = ip_address.chomp
|
||||
# Remove preceeding '.'# Don't ask.. reverse + chomp + reverse up to 16 times faster
|
||||
ip_address = ip_address.reverse.chomp('.').reverse
|
||||
# Remove ending or beginning whitespace
|
||||
ip_address = ip_address.lstrip.rstrip
|
||||
# Remove things that would make an IP a share but we want the IP :)
|
||||
ip_address = ip_address.gsub(/^\\:?/, '')
|
||||
# Downcase/lowercase for checking if possible ipv6
|
||||
ip_address = ip_address.downcase
|
||||
|
||||
# Likely IPv4 #Check if at most 15 characters (a fully represented IPv4 address with periods\.) and minimum of 7
|
||||
ip_address_length = ip_address.length
|
||||
if !ip_address.include?(':') && !( /[a-z]/ === ip_address ) && ip_address_length <= 15 && ip_address_length >= 7 && ip_address.ascii_only?
|
||||
# Remove any preceeding zeroes in each octet
|
||||
temp_ip = Array.new
|
||||
ip_address.split('.').each do |octet|
|
||||
octet = octet.to_i.to_s
|
||||
temp_ip.push(octet)
|
||||
end
|
||||
ip_address = temp_ip.join('.')
|
||||
clean_ip_addresses_v4.push(ip_address)
|
||||
|
||||
# Likely IPv6 #Check if at most 39 characters (a fully represented IPv6 address with colons\:) and minimum of 2
|
||||
elsif ip_address_length <= 39 && ip_address_length >= 2 && ip_address.ascii_only?
|
||||
if ipv6_regex === ip_address
|
||||
clean_ip_addresses_v6.push(ip_address)
|
||||
else
|
||||
not_ip_addresses.push(ip_address)
|
||||
end
|
||||
else
|
||||
not_ip_addresses.push(ip_address)
|
||||
end
|
||||
end
|
||||
|
||||
# Set the new IP addresses
|
||||
if !clean_ip_addresses_v4.empty?
|
||||
event.set('dst_nat_ip_addr', clean_ip_addresses_v4)
|
||||
# Set the number of ip addresses so we can use array or non array later in pipeline
|
||||
event.set('temp_number_of_ipv4_dst_nat_addresses', clean_ip_addresses_v4.length)
|
||||
else
|
||||
event.remove('dst_nat_ip_addr')
|
||||
end
|
||||
if !clean_ip_addresses_v6.empty?
|
||||
event.set('ipv6_dst_nat_addr', clean_ip_addresses_v6)
|
||||
#TODO:eventually set ipv6 number of ip addresses
|
||||
end
|
||||
if !not_ip_addresses.empty?
|
||||
event.set('not_ip_dst_nat', not_ip_addresses)
|
||||
end
|
||||
"
|
||||
tag_on_exception => "_rubyexception_8014"
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,81 @@
|
|||
filter {
|
||||
#TONOTE: On all IPs below, even though we have determined that it is IPv4 and IPv6 and will alter rename the field if it is an IPv6 address differently than IPv4 -- We still need to keep it as that single field for this configuration -- because sometimes a single IP type can already have both IPv6 and IPv4 from before -- examples are Cisco ASA Logs and Windows EventID "4769" in Channel "Security"
|
||||
|
||||
if [src_nat_ip_addr] {
|
||||
# Add pipeline field
|
||||
mutate { add_field => { "z_logstash_pipeline" => "8015" } }
|
||||
ruby {
|
||||
code => "
|
||||
temp_ip_addresses = event.get('src_nat_ip_addr')
|
||||
ip_addresses = Array.new
|
||||
|
||||
# Determine if the IP field is an array if not make it an array
|
||||
if temp_ip_addresses.is_a? Enumerable
|
||||
ip_addresses = temp_ip_addresses.uniq
|
||||
else
|
||||
ip_addresses.push(temp_ip_addresses)
|
||||
end
|
||||
|
||||
clean_ip_addresses_v4 = Array.new
|
||||
clean_ip_addresses_v6 = Array.new
|
||||
not_ip_addresses = Array.new
|
||||
|
||||
ipv6_regex = /((([0-9a-f]{1,4}:){7}([0-9a-f]{1,4}|:))|(([0-9a-f]{1,4}:){6}(:[0-9a-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){5}(((:[0-9a-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){4}(((:[0-9a-f]{1,4}){1,3})|((:[0-9a-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){3}(((:[0-9a-f]{1,4}){1,4})|((:[0-9a-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){2}(((:[0-9a-f]{1,4}){1,5})|((:[0-9a-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){1}(((:[0-9a-f]{1,4}){1,6})|((:[0-9a-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9a-f]{1,4}){1,7})|((:[0-9a-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?/
|
||||
|
||||
for ip_address in ip_addresses
|
||||
#### General Cleanup
|
||||
# Remove ending '.'
|
||||
ip_address = ip_address.chomp
|
||||
# Remove preceeding '.'# Don't ask.. reverse + chomp + reverse up to 16 times faster
|
||||
ip_address = ip_address.reverse.chomp('.').reverse
|
||||
# Remove ending or beginning whitespace
|
||||
ip_address = ip_address.lstrip.rstrip
|
||||
# Remove things that would make an IP a share but we want the IP :)
|
||||
ip_address = ip_address.gsub(/^\\:?/, '')
|
||||
# Downcase/lowercase for checking if possible ipv6
|
||||
ip_address = ip_address.downcase
|
||||
|
||||
# Likely IPv4 #Check if at most 15 characters (a fully represented IPv4 address with periods\.) and minimum of 7
|
||||
ip_address_length = ip_address.length
|
||||
if !ip_address.include?(':') && !( /[a-z]/ === ip_address ) && ip_address_length <= 15 && ip_address_length >= 7 && ip_address.ascii_only?
|
||||
# Remove any preceeding zeroes in each octet
|
||||
temp_ip = Array.new
|
||||
ip_address.split('.').each do |octet|
|
||||
octet = octet.to_i.to_s
|
||||
temp_ip.push(octet)
|
||||
end
|
||||
ip_address = temp_ip.join('.')
|
||||
clean_ip_addresses_v4.push(ip_address)
|
||||
|
||||
# Likely IPv6 #Check if at most 39 characters (a fully represented IPv6 address with colons\:) and minimum of 2
|
||||
elsif ip_address_length <= 39 && ip_address_length >= 2 && ip_address.ascii_only?
|
||||
if ipv6_regex === ip_address
|
||||
clean_ip_addresses_v6.push(ip_address)
|
||||
else
|
||||
not_ip_addresses.push(ip_address)
|
||||
end
|
||||
else
|
||||
not_ip_addresses.push(ip_address)
|
||||
end
|
||||
end
|
||||
|
||||
# Set the new IP addresses
|
||||
if !clean_ip_addresses_v4.empty?
|
||||
event.set('src_nat_ip_addr', clean_ip_addresses_v4)
|
||||
# Set the number of ip addresses so we can use array or non array later in pipeline
|
||||
event.set('temp_number_of_ipv4_src_nat_addresses', clean_ip_addresses_v4.length)
|
||||
else
|
||||
event.remove('src_nat_ip_addr')
|
||||
end
|
||||
if !clean_ip_addresses_v6.empty?
|
||||
event.set('ipv6_src_nat_addr', clean_ip_addresses_v6)
|
||||
#TODO:eventually set ipv6 number of ip addresses
|
||||
end
|
||||
if !not_ip_addresses.empty?
|
||||
event.set('not_ip_src_nat', not_ip_addresses)
|
||||
end
|
||||
"
|
||||
tag_on_exception => "_rubyexception_8015"
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,131 @@
|
|||
filter {
|
||||
# If dst_ip_addr field exists from previous config settings
|
||||
if [dst_ip_addr] {
|
||||
mutate { add_field => { "z_logstash_pipeline" => "8112" } }
|
||||
|
||||
#TODO:could eventually make even faster by doing a if not begins/regex-starts with 0,1,2 then just immediatly set as ip is public else check the rest of stuff.
|
||||
ruby {
|
||||
code => "
|
||||
# Get the ip address from the event
|
||||
ip_addresses = event.get('dst_ip_addr')
|
||||
|
||||
ip_addresses_public = Array.new
|
||||
ip_addresses_type = Array.new
|
||||
|
||||
for ip_address in ip_addresses
|
||||
# Set IP type and public for now so easier checking later
|
||||
ip_public = true
|
||||
ip_type = 'public'
|
||||
|
||||
# Private/RFC1918
|
||||
if ip_address.start_with?( '10.', '192.168.' )
|
||||
ip_public = false
|
||||
ip_type = 'private'
|
||||
|
||||
# (Local)link-local RFC3927
|
||||
elsif ip_address.start_with?( '169.254.' )
|
||||
ip_public = false
|
||||
ip_type = 'local'
|
||||
|
||||
# Loopback RFC1122-3.2.1.3
|
||||
elsif ip_address.start_with?( '127.' )
|
||||
ip_public = false
|
||||
ip_type = 'loopback'
|
||||
|
||||
# RFC 1122
|
||||
elsif ip_address.start_with?('0.')
|
||||
ip_public = false
|
||||
ip_type = 'this_rfc1122'
|
||||
|
||||
# IPv6 to IP4 anycast RFC3068
|
||||
elsif ip_address.start_with?( '192.88.99.' )
|
||||
ip_public = false
|
||||
ip_type = '6to4'
|
||||
|
||||
# Reserved RFC5736, RFC1122-3.2.1.3, RFC2544, RFC5737
|
||||
elsif ip_address.start_with?( '0.', '192.0.0.', '192.0.1.', '192.0.2.', '192.18.', '192.19.', '198.51.100.', '203.0.113.' )
|
||||
ip_public = false
|
||||
ip_type = 'reserved'
|
||||
|
||||
# Private/RFC-1918 -- continued -- 172.16.0.0-17.31.255.255
|
||||
elsif ip_address.start_with?( '172.' )
|
||||
# Check if 2nd octet is in range(between) 16 to 31
|
||||
if ip_address.split('.')[1].to_i.between?(16,31)
|
||||
ip_public = false
|
||||
ip_type = 'private'
|
||||
end
|
||||
|
||||
# Private/RFC-1918 -- continued -- 100.64.0.1 - 100.127.255.254
|
||||
elsif ip_address.start_with?( '100.' )
|
||||
# Check if 2nd octet is in range(between) 64 to 127
|
||||
if ip_address.split('.')[1].to_i.between?(64,127)
|
||||
ip_public = false
|
||||
ip_type = 'private'
|
||||
end
|
||||
|
||||
# The remaining possible NON public/routable IPs begin with 2 and are either multicast or broadcast
|
||||
elsif ip_address.start_with?( '2' )
|
||||
# Broadcast
|
||||
if ip_address == '255.255.255.255'
|
||||
ip_public = false
|
||||
ip_type = 'broadcast'
|
||||
|
||||
# Multicast
|
||||
# Check if 1st octet is in range(between) 224 to 255
|
||||
elsif ip_address.split('.')[0].to_i.between?(224,255)
|
||||
ip_public = false
|
||||
ip_type = 'multicast'
|
||||
end
|
||||
end
|
||||
# set parameters for array
|
||||
ip_addresses_public.push(ip_public)
|
||||
ip_addresses_type.push(ip_type)
|
||||
end
|
||||
|
||||
# Use to make array versus non array
|
||||
# and then Set event parameters accordingly
|
||||
if event.get('temp_number_of_ipv4_src_addresses') == 1
|
||||
event.set('dst_ip_addr', ip_addresses[0])
|
||||
event.set('dst_ip_public', ip_addresses_public[0])
|
||||
event.set('dst_ip_type', ip_addresses_type[0])
|
||||
else
|
||||
event.set('dst_ip_public', ip_addresses_public)
|
||||
event.set('dst_ip_type', ip_addresses_type)
|
||||
# ip is already array so no need to set accordingly
|
||||
end
|
||||
"
|
||||
tag_on_exception => "_rubyexception_8112"
|
||||
remove_field => [ "temp_number_of_ipv4_dst_addresses" ]
|
||||
}
|
||||
|
||||
# Perform GeoIP enrichment if is public / internet routable
|
||||
if [dst_ip_public] {
|
||||
# Geo Location
|
||||
geoip {
|
||||
source => "dst_ip_addr"
|
||||
target => "meta_dst_ip_geo"
|
||||
default_database_type => "City"
|
||||
# database => "/usr/share/logstash/GeoIP/GeoLite2-City.mmdb"
|
||||
# #TONOTE:It is important to note that this config value is global to the geoip_type. That is to say all instances of the geoip filter of the same geoip_type share the same cache. The last declared cache size will win. The reason for this is that there would be no benefit to having multiple caches for different instances at different points in the pipeline, that would just increase the number of cache misses and waste memory.
|
||||
cache_size => 90000
|
||||
remove_field => [ "[meta_dst_ip_geo][ip]", "[meta_dst_ip_geo][real_region_name]" ]
|
||||
#tag_on_failure => [ "_geoip_ip_dst_failure", "_geoip_ip_dst_location_lookup_failure", "_geoip_lookup_failure" ]
|
||||
# Do not tag, so we can use tags (if they only just even exist, versus each tag within) as a method to determine parsing failure(s) (much) easier.
|
||||
tag_on_failure => [ ]
|
||||
}
|
||||
#QnVpbHQgYnkgTmF0ZSBHdWFnZW50aSBAbmV1NXJvbg==
|
||||
# Geo ASName and ASNumber / BGP AS Info
|
||||
geoip {
|
||||
source => "dst_ip_addr"
|
||||
target => "meta_dst_ip_geo"
|
||||
default_database_type => "ASN"
|
||||
# database => "/usr/share/logstash/GeoIP/GeoLite2-ASN.mmdb"
|
||||
remove_field => [ "[meta_dst_ip_geo][ip]" ]
|
||||
# tag_on_failure => [ "_geoip_ip_dst_failure", "_geoip_ip_dst_as_lookup_failure", "_geoip_lookup_failure" ]
|
||||
# Do not tag, so we can use tags (if they only just even exist, versus each tag within) as a method to determine parsing failure(s) (much) easier.
|
||||
tag_on_failure => [ ]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
}
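Review bot: The array-versus-scalar decision at `if event.get('temp_number_of_ipv4_src_addresses') == 1` reads the src counter inside the dst pipeline (8112), although this filter removes `temp_number_of_ipv4_dst_addresses`; with one src address and several dst addresses it keeps only the first dst address, and with no src field a single dst address stays an array. It should read `if event.get('temp_number_of_ipv4_dst_addresses') == 1`. In the reserved-range branch, `'192.18.'` and `'192.19.'` are ordinary public space while the RFC 2544 benchmark block is 198.18.0.0/15, so the prefixes should be `'198.18.'` and `'198.19.'` (the same list is repeated in the 8113, 8114 and 8115 sections), and the `'0.'` entry in that list is unreachable because the `this_rfc1122` branch above already matches it. The comment `# Private/RFC-1918 -- continued -- 100.64.0.1 - 100.127.255.254` mislabels 100.64.0.0/10, which is RFC 6598 shared address space rather than RFC 1918, and the `172.` comment's upper bound should read `172.31.255.255`. When the IPv4 array mixes public and non-public addresses, `if [dst_ip_public]` sees a non-empty array and the geoip filter receives an array as `source`, which I do not believe the plugin resolves per element — worth confirming before relying on the enrichment for multi-address events.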
|
|
@ -0,0 +1,130 @@
|
|||
filter {
|
||||
# If src_ip_addr field exists from previous config settings
|
||||
if [src_ip_addr] {
|
||||
mutate { add_field => { "z_logstash_pipeline" => "8113" } }
|
||||
|
||||
#TODO:could eventually make even faster by doing a if not begins/regex-starts with 0,1,2 then just immediatly set as ip is public else check the rest of stuff.
|
||||
ruby {
|
||||
code => "
|
||||
# Get the ip address from the event
|
||||
ip_addresses = event.get('src_ip_addr')
|
||||
|
||||
ip_addresses_public = Array.new
|
||||
ip_addresses_type = Array.new
|
||||
|
||||
for ip_address in ip_addresses
|
||||
# Set IP type and public for now so easier checking later
|
||||
ip_public = true
|
||||
ip_type = 'public'
|
||||
|
||||
# Private/RFC1918
|
||||
if ip_address.start_with?( '10.', '192.168.' )
|
||||
ip_public = false
|
||||
ip_type = 'private'
|
||||
|
||||
# (Local)link-local RFC3927
|
||||
elsif ip_address.start_with?( '169.254.' )
|
||||
ip_public = false
|
||||
ip_type = 'local'
|
||||
|
||||
# Loopback RFC1122-3.2.1.3
|
||||
elsif ip_address.start_with?( '127.' )
|
||||
ip_public = false
|
||||
ip_type = 'loopback'
|
||||
|
||||
# RFC 1122
|
||||
elsif ip_address.start_with?('0.')
|
||||
ip_public = false
|
||||
ip_type = 'this_rfc1122'
|
||||
|
||||
# IPv6 to IP4 anycast RFC3068
|
||||
elsif ip_address.start_with?( '192.88.99.' )
|
||||
ip_public = false
|
||||
ip_type = '6to4'
|
||||
|
||||
# Reserved RFC5736, RFC1122-3.2.1.3, RFC2544, RFC5737
|
||||
elsif ip_address.start_with?( '0.', '192.0.0.', '192.0.1.', '192.0.2.', '192.18.', '192.19.', '198.51.100.', '203.0.113.' )
|
||||
ip_public = false
|
||||
ip_type = 'reserved'
|
||||
|
||||
# Private/RFC-1918 -- continued -- 172.16.0.0-17.31.255.255
|
||||
elsif ip_address.start_with?( '172.' )
|
||||
# Check if 2nd octet is in range(between) 16 to 31
|
||||
if ip_address.split('.')[1].to_i.between?(16,31)
|
||||
ip_public = false
|
||||
ip_type = 'private'
|
||||
end
|
||||
|
||||
# Private/RFC-1918 -- continued -- 100.64.0.1 - 100.127.255.254
|
||||
elsif ip_address.start_with?( '100.' )
|
||||
# Check if 2nd octet is in range(between) 64 to 127
|
||||
if ip_address.split('.')[1].to_i.between?(64,127)
|
||||
ip_public = false
|
||||
ip_type = 'private'
|
||||
end
|
||||
|
||||
# The remaining possible NON public/routable IPs begin with 2 and are either multicast or broadcast
|
||||
elsif ip_address.start_with?( '2' )
|
||||
# Broadcast
|
||||
if ip_address == '255.255.255.255'
|
||||
ip_public = false
|
||||
ip_type = 'broadcast'
|
||||
|
||||
# Multicast
|
||||
# Check if 1st octet is in range(between) 224 to 255
|
||||
elsif ip_address.split('.')[0].to_i.between?(224,255)
|
||||
ip_public = false
|
||||
ip_type = 'multicast'
|
||||
end
|
||||
end
|
||||
# set parameters for array
|
||||
ip_addresses_public.push(ip_public)
|
||||
ip_addresses_type.push(ip_type)
|
||||
end
|
||||
|
||||
# Use to make array versus non array
|
||||
# and then Set event parameters accordingly
|
||||
if event.get('temp_number_of_ipv4_src_addresses') == 1
|
||||
event.set('src_ip_addr', ip_addresses[0])
|
||||
event.set('src_ip_public', ip_addresses_public[0])
|
||||
event.set('src_ip_type', ip_addresses_type[0])
|
||||
else
|
||||
event.set('src_ip_public', ip_addresses_public)
|
||||
event.set('src_ip_type', ip_addresses_type)
|
||||
# ip is already array so no need to set accordingly
|
||||
end
|
||||
"
|
||||
tag_on_exception => "_rubyexception_8113"
|
||||
}
|
||||
|
||||
# Perform GeoIP enrichment if is public / internet routable
|
||||
if [src_ip_public] {
|
||||
# Geo Location
|
||||
geoip {
|
||||
source => "src_ip_addr"
|
||||
target => "meta_src_ip_geo"
|
||||
default_database_type => "City"
|
||||
# database => "/usr/share/logstash/GeoIP/GeoLite2-City.mmdb"
|
||||
# #TONOTE:It is important to note that this config value is global to the geoip_type. That is to say all instances of the geoip filter of the same geoip_type share the same cache. The last declared cache size will win. The reason for this is that there would be no benefit to having multiple caches for different instances at different points in the pipeline, that would just increase the number of cache misses and waste memory.
|
||||
cache_size => 90000
|
||||
remove_field => [ "[meta_src_ip_geo][ip]", "[meta_src_ip_geo][real_region_name]" ]
|
||||
# tag_on_failure => [ "_geoip_ip_src_location_lookup_failure", "_geoip_lookup_failure" ]
|
||||
# Do not tag, so we can use tags (if they only just even exist, versus each tag within) as a method to determine parsing failure(s) (much) easier.
|
||||
tag_on_failure => [ ]
|
||||
}
|
||||
#QnVpbHQgYnkgTmF0ZSBHdWFnZW50aSBAbmV1NXJvbg==
|
||||
# Geo ASName and ASNumber / BGP AS Info
|
||||
geoip {
|
||||
source => "src_ip_addr"
|
||||
target => "meta_src_ip_geo"
|
||||
default_database_type => "ASN"
|
||||
# database => "/usr/share/logstash/GeoIP/GeoLite2-ASN.mmdb"
|
||||
remove_field => [ "[meta_src_ip_geo][ip]" ]
|
||||
# tag_on_failure => [ "_geoip_ip_src_as_lookup_failure", "_geoip_lookup_failure" ]
|
||||
# Do not tag, so we can use tags (if they only just even exist, versus each tag within) as a method to determine parsing failure(s) (much) easier.
|
||||
tag_on_failure => [ ]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
}
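Review bot: The ruby filter in this section never removes `temp_number_of_ipv4_src_addresses`, unlike the dst (8112) and dst_nat (8114) sections, which carry `remove_field => [ "temp_number_of_ipv4_dst_addresses" ]` and `remove_field => [ "temp_number_of_ipv4_dst_nat_addresses" ]` respectively; the scratch counter is therefore indexed on every event that has a src address. Add `remove_field => [ "temp_number_of_ipv4_src_addresses" ]` next to `tag_on_exception => "_rubyexception_8113"`. The reserved-range and RFC 6598 labelling issues noted on the 8112 section apply to this copy as well.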
|
|
@ -0,0 +1,131 @@
|
|||
filter {
|
||||
# If dst_nat_ip_addr field exists from previous config settings
|
||||
if [dst_nat_ip_addr] {
|
||||
mutate { add_field => { "z_logstash_pipeline" => "8114" } }
|
||||
|
||||
#TODO:could eventually make even faster by doing a if not begins/regex-starts with 0,1,2 then just immediatly set as ip is public else check the rest of stuff.
|
||||
ruby {
|
||||
code => "
|
||||
# Get the ip address from the event
|
||||
ip_addresses = event.get('dst_nat_ip_addr')
|
||||
|
||||
ip_addresses_public = Array.new
|
||||
ip_addresses_type = Array.new
|
||||
|
||||
for ip_address in ip_addresses
|
||||
# Set IP type and public for now so easier checking later
|
||||
ip_public = true
|
||||
ip_type = 'public'
|
||||
|
||||
# Private/RFC1918
|
||||
if ip_address.start_with?( '10.', '192.168.' )
|
||||
ip_public = false
|
||||
ip_type = 'private'
|
||||
|
||||
# (Local)link-local RFC3927
|
||||
elsif ip_address.start_with?( '169.254.' )
|
||||
ip_public = false
|
||||
ip_type = 'local'
|
||||
|
||||
# Loopback RFC1122-3.2.1.3
|
||||
elsif ip_address.start_with?( '127.' )
|
||||
ip_public = false
|
||||
ip_type = 'loopback'
|
||||
|
||||
# RFC 1122
|
||||
elsif ip_address.start_with?('0.')
|
||||
ip_public = false
|
||||
ip_type = 'this_rfc1122'
|
||||
|
||||
# IPv6 to IP4 anycast RFC3068
|
||||
elsif ip_address.start_with?( '192.88.99.' )
|
||||
ip_public = false
|
||||
ip_type = '6to4'
|
||||
|
||||
# Reserved RFC5736, RFC1122-3.2.1.3, RFC2544, RFC5737
|
||||
elsif ip_address.start_with?( '0.', '192.0.0.', '192.0.1.', '192.0.2.', '192.18.', '192.19.', '198.51.100.', '203.0.113.' )
|
||||
ip_public = false
|
||||
ip_type = 'reserved'
|
||||
|
||||
# Private/RFC-1918 -- continued -- 172.16.0.0-17.31.255.255
|
||||
elsif ip_address.start_with?( '172.' )
|
||||
# Check if 2nd octet is in range(between) 16 to 31
|
||||
if ip_address.split('.')[1].to_i.between?(16,31)
|
||||
ip_public = false
|
||||
ip_type = 'private'
|
||||
end
|
||||
|
||||
# Private/RFC-1918 -- continued -- 100.64.0.1 - 100.127.255.254
|
||||
elsif ip_address.start_with?( '100.' )
|
||||
# Check if 2nd octet is in range(between) 64 to 127
|
||||
if ip_address.split('.')[1].to_i.between?(64,127)
|
||||
ip_public = false
|
||||
ip_type = 'private'
|
||||
end
|
||||
|
||||
# The remaining possible NON public/routable IPs begin with 2 and are either multicast or broadcast
|
||||
elsif ip_address.start_with?( '2' )
|
||||
# Broadcast
|
||||
if ip_address == '255.255.255.255'
|
||||
ip_public = false
|
||||
ip_type = 'broadcast'
|
||||
|
||||
# Multicast
|
||||
# Check if 1st octet is in range(between) 224 to 255
|
||||
elsif ip_address.split('.')[0].to_i.between?(224,255)
|
||||
ip_public = false
|
||||
ip_type = 'multicast'
|
||||
end
|
||||
end
|
||||
# set parameters for array
|
||||
ip_addresses_public.push(ip_public)
|
||||
ip_addresses_type.push(ip_type)
|
||||
end
|
||||
|
||||
# Use to make array versus non array
|
||||
# and then Set event parameters accordingly
|
||||
if event.get('temp_number_of_ipv4_dst_nat_addresses') == 1
|
||||
event.set('dst_nat_ip_addr', ip_addresses[0])
|
||||
event.set('dst_nat_ip_public', ip_addresses_public[0])
|
||||
event.set('dst_nat_ip_type', ip_addresses_type[0])
|
||||
else
|
||||
event.set('dst_nat_ip_public', ip_addresses_public)
|
||||
event.set('dst_nat_ip_type', ip_addresses_type)
|
||||
# ip is already array so no need to set accordingly
|
||||
end
|
||||
"
|
||||
tag_on_exception => "_rubyexception_8114"
|
||||
remove_field => [ "temp_number_of_ipv4_dst_nat_addresses" ]
|
||||
}
|
||||
|
||||
# Perform GeoIP enrichment if is public / internet routable
|
||||
if [dst_nat_ip_public] {
|
||||
# Geo Location
|
||||
geoip {
|
||||
source => "dst_nat_ip_addr"
|
||||
target => "meta_dst_nat_ip_geo"
|
||||
default_database_type => "City"
|
||||
# database => "/usr/share/logstash/GeoIP/GeoLite2-City.mmdb"
|
||||
# #TONOTE:It is important to note that this config value is global to the geoip_type. That is to say all instances of the geoip filter of the same geoip_type share the same cache. The last declared cache size will win. The reason for this is that there would be no benefit to having multiple caches for different instances at different points in the pipeline, that would just increase the number of cache misses and waste memory.
|
||||
cache_size => 90000
|
||||
remove_field => [ "[meta_dst_nat_ip_geo][ip]", "[meta_dst_nat_ip_geo][real_region_name]" ]
|
||||
# tag_on_failure => [ "_geo_ip_dst_nat_location_lookup_failure", "_geoip_lookup_failure" ]
|
||||
# Do not tag, so we can use tags (if they only just even exist, versus each tag within) as a method to determine parsing failure(s) (much) easier.
|
||||
tag_on_failure => [ ]
|
||||
}
|
||||
#QnVpbHQgYnkgTmF0ZSBHdWFnZW50aSBAbmV1NXJvbg==
|
||||
# Geo ASName and ASNumber / BGP AS Info
|
||||
geoip {
|
||||
source => "dst_nat_ip_addr"
|
||||
target => "meta_dst_nat_ip_geo"
|
||||
default_database_type => "ASN"
|
||||
# database => "/usr/share/logstash/GeoIP/GeoLite2-ASN.mmdb"
|
||||
remove_field => [ "[meta_dst_nat_ip_geo][ip]" ]
|
||||
# tag_on_failure => [ "_geo_ip_dst_nat_as_lookup_failure", "_geoip_lookup_failure" ]
|
||||
# Do not tag, so we can use tags (if they only just even exist, versus each tag within) as a method to determine parsing failure(s) (much) easier.
|
||||
tag_on_failure => [ ]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
}
|
|
@ -0,0 +1,131 @@
|
|||
filter {
|
||||
# If src_nat_ip_addr field exists from previous config settings
|
||||
if [src_nat_ip_addr] {
|
||||
mutate { add_field => { "z_logstash_pipeline" => "8115" } }
|
||||
|
||||
#TODO:could eventually make even faster by doing a if not begins/regex-starts with 0,1,2 then just immediatly set as ip is public else check the rest of stuff.
|
||||
ruby {
|
||||
code => "
|
||||
# Get the ip address from the event
|
||||
ip_addresses = event.get('src_nat_ip_addr')
|
||||
|
||||
ip_addresses_public = Array.new
|
||||
ip_addresses_type = Array.new
|
||||
|
||||
for ip_address in ip_addresses
|
||||
# Set IP type and public for now so easier checking later
|
||||
ip_public = true
|
||||
ip_type = 'public'
|
||||
|
||||
# Private/RFC1918
|
||||
if ip_address.start_with?( '10.', '192.168.' )
|
||||
ip_public = false
|
||||
ip_type = 'private'
|
||||
|
||||
# (Local)link-local RFC3927
|
||||
elsif ip_address.start_with?( '169.254.' )
|
||||
ip_public = false
|
||||
ip_type = 'local'
|
||||
|
||||
# Loopback RFC1122-3.2.1.3
|
||||
elsif ip_address.start_with?( '127.' )
|
||||
ip_public = false
|
||||
ip_type = 'loopback'
|
||||
|
||||
# RFC 1122
|
||||
elsif ip_address.start_with?('0.')
|
||||
ip_public = false
|
||||
ip_type = 'this_rfc1122'
|
||||
|
||||
# IPv6 to IP4 anycast RFC3068
|
||||
elsif ip_address.start_with?( '192.88.99.' )
|
||||
ip_public = false
|
||||
ip_type = '6to4'
|
||||
|
||||
# Reserved RFC5736, RFC1122-3.2.1.3, RFC2544, RFC5737
|
||||
elsif ip_address.start_with?( '0.', '192.0.0.', '192.0.1.', '192.0.2.', '192.18.', '192.19.', '198.51.100.', '203.0.113.' )
|
||||
ip_public = false
|
||||
ip_type = 'reserved'
|
||||
|
||||
# Private/RFC-1918 -- continued -- 172.16.0.0-17.31.255.255
|
||||
elsif ip_address.start_with?( '172.' )
|
||||
# Check if 2nd octet is in range(between) 16 to 31
|
||||
if ip_address.split('.')[1].to_i.between?(16,31)
|
||||
ip_public = false
|
||||
ip_type = 'private'
|
||||
end
|
||||
|
||||
# Private/RFC-1918 -- continued -- 100.64.0.1 - 100.127.255.254
|
||||
elsif ip_address.start_with?( '100.' )
|
||||
# Check if 2nd octet is in range(between) 64 to 127
|
||||
if ip_address.split('.')[1].to_i.between?(64,127)
|
||||
ip_public = false
|
||||
ip_type = 'private'
|
||||
end
|
||||
|
||||
# The remaining possible NON public/routable IPs begin with 2 and are either multicast or broadcast
|
||||
elsif ip_address.start_with?( '2' )
|
||||
# Broadcast
|
||||
if ip_address == '255.255.255.255'
|
||||
ip_public = false
|
||||
ip_type = 'broadcast'
|
||||
|
||||
# Multicast
|
||||
# Check if 1st octet is in range(between) 224 to 255
|
||||
elsif ip_address.split('.')[0].to_i.between?(224,255)
|
||||
ip_public = false
|
||||
ip_type = 'multicast'
|
||||
end
|
||||
end
|
||||
# set parameters for array
|
||||
ip_addresses_public.push(ip_public)
|
||||
ip_addresses_type.push(ip_type)
|
||||
end
|
||||
|
||||
# Use to make array versus non array
|
||||
# and then Set event parameters accordingly
|
||||
if event.get('temp_number_of_ipv4_src_nat_addresses') == 1
|
||||
event.set('src_nat_ip_addr', ip_addresses[0])
|
||||
event.set('src_nat_ip_public', ip_addresses_public[0])
|
||||
event.set('src_nat_ip_type', ip_addresses_type[0])
|
||||
else
|
||||
event.set('src_nat_ip_public', ip_addresses_public)
|
||||
event.set('src_nat_ip_type', ip_addresses_type)
|
||||
# ip is already array so no need to set accordingly
|
||||
end
|
||||
"
|
||||
tag_on_exception => "_rubyexception_8115"
|
||||
remove_field => [ "temp_number_of_ipv4_src_nat_addresses" ]
|
||||
}
|
||||
|
||||
# Perform GeoIP enrichment if is public / internet routable
|
||||
if [src_nat_ip_public] {
|
||||
# Geo Location
|
||||
geoip {
|
||||
source => "src_nat_ip_addr"
|
||||
target => "meta_src_nat_ip_geo"
|
||||
default_database_type => "City"
|
||||
# database => "/usr/share/logstash/GeoIP/GeoLite2-City.mmdb"
|
||||
# #TONOTE:It is important to note that this config value is global to the geoip_type. That is to say all instances of the geoip filter of the same geoip_type share the same cache. The last declared cache size will win. The reason for this is that there would be no benefit to having multiple caches for different instances at different points in the pipeline, that would just increase the number of cache misses and waste memory.
|
||||
cache_size => 90000
|
||||
remove_field => [ "[meta_src_nat_ip_geo][ip]", "[meta_src_nat_ip_geo][real_region_name]" ]
|
||||
# tag_on_failure => [ "_geo_ip_src_nat_location_lookup_failure", "_geoip_lookup_failure" ]
|
||||
# Do not tag, so we can use tags (if they only just even exist, versus each tag within) as a method to determine parsing failure(s) (much) easier.
|
||||
tag_on_failure => [ ]
|
||||
}
|
||||
#QnVpbHQgYnkgTmF0ZSBHdWFnZW50aSBAbmV1NXJvbg==
|
||||
# Geo ASName and ASNumber / BGP AS Info
|
||||
geoip {
|
||||
source => "src_nat_ip_addr"
|
||||
target => "meta_src_nat_ip_geo"
|
||||
default_database_type => "ASN"
|
||||
# database => "/usr/share/logstash/GeoIP/GeoLite2-ASN.mmdb"
|
||||
remove_field => [ "[meta_src_nat_ip_geo][ip]" ]
|
||||
# tag_on_failure => [ "_geo_ip_src_nat_as_lookup_failure", "_geoip_lookup_failure" ]
|
||||
# Do not tag, so we can use tags (if they only just even exist, versus each tag within) as a method to determine parsing failure(s) (much) easier.
|
||||
tag_on_failure => [ ]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
}
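Review bot: The "reserved" prefix list at `elsif ip_address.start_with?( '0.', '192.0.0.', '192.0.1.', '192.0.2.', '192.18.', '192.19.', '198.51.100.', '203.0.113.' )` does not match the RFCs its comment cites: RFC 2544's benchmarking block is 198.18.0.0/15, so `'192.18.'` and `'192.19.'` should read `'198.18.'` and `'198.19.'` — as written, two publicly routable /16s (192.18.0.0 and 192.19.0.0) are silently labelled `reserved` and skipped for GeoIP, while real 198.18/15 traffic is treated as public. In that same list `'0.'` is unreachable because the earlier `elsif ip_address.start_with?('0.')` branch already catches it, and I do not find 192.0.1.0/24 in RFC 5736/5737 either, so I would trim the line to `elsif ip_address.start_with?( '192.0.0.', '192.0.2.', '198.18.', '198.19.', '198.51.100.', '203.0.113.' )`. Separately, `for ip_address in ip_addresses` assumes `src_nat_ip_addr` already holds an array — a bare string would raise and the event would only be tagged `_rubyexception_8115`; that presumably holds because `temp_number_of_ipv4_src_nat_addresses` is set upstream, but `ip_addresses = [ip_addresses] unless ip_addresses.is_a?(Array)` before the loop would make this filter self-contained. The dst_nat counterpart (pipeline 8114, whose tail is shown above this hunk) presumably carries the same prefix list and should get the same correction.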
|
|
@ -8,10 +8,8 @@ output {
|
|||
elasticsearch {
|
||||
hosts => ["helk-elasticsearch:9200"]
|
||||
index => "logs-endpoint-winevent-sysmon-%{+YYYY.MM.dd}"
|
||||
template => "/usr/share/logstash/output_templates/winevent-sysmon-template.json"
|
||||
template_name => "logs-endpoint-winevent-sysmon"
|
||||
template_overwrite => true
|
||||
document_id => "%{[@metadata][log_hash]}"
|
||||
document_type => "_doc"
|
||||
}
|
||||
kafka {
|
||||
bootstrap_servers => "helk-kafka-broker:9092"
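Review bot: `document_id => "%{[@metadata][log_hash]}"` has no fallback for an event that reaches this output without `[@metadata][log_hash]` set: Logstash leaves an unresolved sprintf reference as the literal text, so every such event would be indexed under the single id `%{[@metadata][log_hash]}` and overwrite the previous one, silently dropping Sysmon telemetry instead of failing loudly. I infer the hash is produced by a fingerprint filter earlier in the pipeline, which is outside this hunk; wrapping the output in `if [@metadata][log_hash] { elasticsearch { ... } }` (with an `else` that tags and routes the event somewhere visible) would turn that silent collapse into something detectable, and the same applies to the sibling winevent-* outputs changed in this commit. The `kafka { ... }` block that begins at the end of this hunk continues outside it.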
|
|
@ -8,10 +8,8 @@ output {
|
|||
elasticsearch {
|
||||
hosts => ["helk-elasticsearch:9200"]
|
||||
index => "logs-endpoint-winevent-security-%{+YYYY.MM.dd}"
|
||||
template => "/usr/share/logstash/output_templates/winevent-security-template.json"
|
||||
template_name => "logs-endpoint-winevent-security"
|
||||
template_overwrite => true
|
||||
document_id => "%{[@metadata][log_hash]}"
|
||||
document_type => "_doc"
|
||||
}
|
||||
kafka {
|
||||
bootstrap_servers => "helk-kafka-broker:9092"
|
|
@ -8,10 +8,8 @@ output {
|
|||
elasticsearch {
|
||||
hosts => ["helk-elasticsearch:9200"]
|
||||
index => "logs-endpoint-winevent-system-%{+YYYY.MM.dd}"
|
||||
template => "/usr/share/logstash/output_templates/winevent-system-template.json"
|
||||
template_name => "logs-endpoint-winevent-system"
|
||||
template_overwrite => true
|
||||
document_id => "%{[@metadata][log_hash]}"
|
||||
document_type => "_doc"
|
||||
}
|
||||
}
|
||||
}
|
|
@ -8,10 +8,8 @@ output {
|
|||
elasticsearch {
|
||||
hosts => ["helk-elasticsearch:9200"]
|
||||
index => "logs-endpoint-winevent-application-%{+YYYY.MM.dd}"
|
||||
template => "/usr/share/logstash/output_templates/winevent-application-template.json"
|
||||
template_name => "logs-endpoint-winevent-application"
|
||||
template_overwrite => true
|
||||
document_id => "%{[@metadata][log_hash]}"
|
||||
document_type => "_doc"
|
||||
}
|
||||
}
|
||||
}
|
|
@ -7,9 +7,9 @@ output {
|
|||
if [source_name] == "Microsoft-Windows-PowerShell" or [source_name] == "PowerShell"{
|
||||
elasticsearch {
|
||||
hosts => ["helk-elasticsearch:9200"]
|
||||
manage_template => false
|
||||
index => "logs-endpoint-winevent-powershell-%{+YYYY.MM.dd}"
|
||||
document_id => "%{[@metadata][log_hash]}"
|
||||
document_type => "_doc"
|
||||
}
|
||||
}
|
||||
}
|
|
@ -8,10 +8,8 @@ output {
|
|||
elasticsearch {
|
||||
hosts => ["helk-elasticsearch:9200"]
|
||||
index => "logs-endpoint-winevent-wmiactivity-%{+YYYY.MM.dd}"
|
||||
template => "/usr/share/logstash/output_templates/winevent-wmiactivity-template.json"
|
||||
template_name => "logs-endpoint-winevent-wmiactivity"
|
||||
template_overwrite => true
|
||||
document_id => "%{[@metadata][log_hash]}"
|
||||
document_type => "_doc"
|
||||
}
|
||||
}
|
||||
}
|
|
@ -9,6 +9,7 @@ output {
|
|||
elasticsearch {
|
||||
hosts => ["helk-elasticsearch:9200"]
|
||||
index => "mitre-attack-%{+YYYY.MM.dd}"
|
||||
document_type => "_doc"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,15 +1,91 @@
|
|||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
'' close;
|
||||
}
|
||||
server {
|
||||
listen 80;
|
||||
server_name 127.0.0.1;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
## Log location ##
|
||||
#access_log /var/log/nginx/kibana.access.log;
|
||||
#error_log /var/log/nginx/kibana.error.log;
|
||||
## End ##
|
||||
|
||||
## (Web) Server Configuration ##
|
||||
listen 443 ssl;
|
||||
ssl_certificate_key /etc/ssl/private/HELK_Nginx.key;
|
||||
ssl_certificate /etc/ssl/certs/HELK_Nginx.crt;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
## End ##
|
||||
|
||||
## Hide Version ##
|
||||
server_tokens off;
|
||||
## End ##
|
||||
|
||||
## Local Authentication ##
|
||||
auth_basic "Restricted Access";
|
||||
auth_basic_user_file /etc/nginx/htpasswd.users;
|
||||
## End ##
|
||||
|
||||
## Some Hardening/Security ##
|
||||
# Web Server Attack (ie: XSS, Clickjacking)
|
||||
add_header X-Frame-Options DENY;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
add_header X-Frame-Options "SAMEORIGIN";
|
||||
# BufferOverflow Hardening
|
||||
client_body_buffer_size 100K;
|
||||
client_header_buffer_size 1k;
|
||||
client_max_body_size 150k;
|
||||
# TLS/SSL
|
||||
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:@STRENGTH";
|
||||
ssl_prefer_server_ciphers on;
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
|
||||
# HTTP Methods
|
||||
# DELETE is required for some index management
|
||||
if ($request_method !~ ^(GET|PUT|POST|DELETE)$ ) {
|
||||
return 444;
|
||||
}
|
||||
## End ##
|
||||
|
||||
## Timeout definitions ##
|
||||
proxy_connect_timeout 900;
|
||||
proxy_send_timeout 600;
|
||||
proxy_read_timeout 600;
|
||||
|
||||
listen 80;
|
||||
client_body_timeout 10;
|
||||
client_header_timeout 10;
|
||||
keepalive_timeout 10 10;
|
||||
send_timeout 10;
|
||||
## End ##
|
||||
|
||||
server_name 127.0.0.1;
|
||||
## Performance Tuning ##
|
||||
gzip on;
|
||||
gzip_comp_level 1;
|
||||
gzip_min_length 1000;
|
||||
gzip_proxied expired no-cache no-store private auth;
|
||||
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
|
||||
## End ##
|
||||
|
||||
auth_basic "Restricted Access";
|
||||
auth_basic_user_file /etc/nginx/htpasswd.users;
|
||||
## Kibana Settings / Kibana Proxy ##
|
||||
# Kibana generates really long URI's so need to set this
|
||||
large_client_header_buffers 4 16k;
|
||||
|
||||
# Cache static resources that are regularly requested
|
||||
location ~ \.(jpg|png|ico|svg|woff2)$ {
|
||||
proxy_pass http://helk-kibana:5601;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection 'upgrade';
|
||||
proxy_set_header Host $host;
|
||||
proxy_cache_bypass $http_upgrade;
|
||||
proxy_cache kibana_cache;
|
||||
add_header Cache-Control "public";
|
||||
expires 12h;
|
||||
}
|
||||
# Proxy forward to elasticsearch
|
||||
location / {
|
||||
proxy_pass http://helk-kibana:5601;
|
||||
proxy_http_version 1.1;
|
||||
|
@ -18,4 +94,21 @@ server {
|
|||
proxy_set_header Host $host;
|
||||
proxy_cache_bypass $http_upgrade;
|
||||
}
|
||||
## End ##
|
||||
|
||||
## Jupyter Proxy ##
|
||||
location /jupyter/ {
|
||||
if ($scheme = 'http') {
|
||||
#Insecure, lets go to https
|
||||
rewrite ^/(.*)$ https://$host/$1 redirect;
|
||||
}
|
||||
proxy_pass http://helk-jupyter:8000;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
# websocket headers
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
}
|
||||
## End ##
|
||||
}
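Review bot: The server-level `add_header` hardening is silently dropped for the static-asset location: nginx inherits `add_header` from the enclosing context only when the location declares none of its own, and `location ~ \.(jpg|png|ico|svg|woff2)$` sets `add_header Cache-Control "public";`, so those responses go out without X-Frame-Options, X-Content-Type-Options, X-XSS-Protection or Strict-Transport-Security. In the same block `add_header X-Frame-Options DENY;` and `add_header X-Frame-Options "SAMEORIGIN";` are both declared, so clients receive two conflicting values; keep exactly one (SAMEORIGIN if Kibana's embedded dashboards are used, DENY otherwise). On the TLS side there is no `ssl_protocols` directive, so the nginx default of that era (which still includes TLSv1 and TLSv1.1) applies, and the `ssl_ciphers` string explicitly lists the 3DES suites `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA` and `DES-CBC3-SHA` — `!DES` does not exclude them, the OpenSSL keyword is `!3DES`. In the second hunk the Jupyter location forwards the websocket `Upgrade`/`Connection` headers without `proxy_http_version 1.1;`, so the upgrade will not work (proxy_pass defaults to HTTP/1.0), and the `if ($scheme = 'http')` rewrite there is dead code inside a server that only listens on 443. Also the comment `# Proxy forward to elasticsearch` above `location /` is wrong — that block proxies to Kibana — and should read `# Proxy forward to Kibana`; the changed lines are below.

```nginx
    ## Some Hardening/Security ##
    # Web Server Attack (ie: XSS, Clickjacking)
    # NOTE: add_header is not inherited by any location that sets its own add_header,
    # so these are repeated in the static-asset location below.
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    # … unchanged: buffer sizes …
    # TLS/SSL
    ssl_protocols TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:@STRENGTH";
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    # … unchanged: HTTP method filter, timeouts, gzip, large_client_header_buffers …
    location ~ \.(jpg|png|ico|svg|woff2)$ {
        # … unchanged: proxy_pass / proxy_set_header / proxy_cache lines …
        add_header Cache-Control "public";
        # Re-declared on purpose: the Cache-Control add_header above discards the server-level set.
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
        expires 12h;
    }
    # … unchanged: Kibana location / …
    ## Jupyter Proxy ##
    location /jupyter/ {
        proxy_pass http://helk-jupyter:8000;
        proxy_http_version 1.1;
        # … unchanged: X-Real-IP / Host / X-Forwarded-For / Upgrade / Connection headers …
    }
```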
|
||||
|
|