Merge pull request #93 from neu5ron/master

Logstash refactoring and many logstash additions
keyword-vs-text-changes
Roberto Rodriguez 2018-08-02 14:30:21 -04:00 committed by GitHub
commit c7af8e42bc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
67 changed files with 4113 additions and 1599 deletions





@ -12,7 +12,7 @@ server.host: "helk-kibana"
#server.basePath: ""
# The maximum payload size in bytes for incoming server requests.
#server.maxPayloadBytes: 1048576
server.maxPayloadBytes: 2048576
# The Kibana server's name. This is used for display purposes.
server.name: "helk-kibana"
@ -58,11 +58,11 @@ elasticsearch.url: "http://helk-elasticsearch:9200"
# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
# the elasticsearch.requestTimeout setting.
#elasticsearch.pingTimeout: 1500
elasticsearch.pingTimeout: 7500
# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
# must be a positive integer.
elasticsearch.requestTimeout: 60000
elasticsearch.requestTimeout: 300000
# List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
# headers, set this value to [] (an empty list).
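Review bot: `server.maxPayloadBytes: 2048576` is not 2 MiB — doubling the commented default `1048576` gives `2097152` — so the value is either a typo or an arbitrary limit, and a comment on that line should say which. Raising the body limit together with `elasticsearch.requestTimeout: 300000` (five minutes) lets every client hold a larger request open for longer on the Kibana server, so both numbers should be sized to the real dashboard/saved-object payloads rather than picked loosely. The second hunk also raises `elasticsearch.pingTimeout` to `7500`; the old/new pairing of those lines is only partly recoverable on this rendered page, so I have not rebuilt it.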


@ -0,0 +1,57 @@
{
"order": 10,
"index_patterns": [ "logs-*" ],
"version": 2018080201,
"settings": {
"index": {
"mapping": {
"ignore_malformed": true,
"total_fields.limit": "1000",
"coerce": true
}
},
"refresh_interval": "30s"
},
"mappings": {
"_doc": {
"dynamic": "true",
"dynamic_templates": [
{
"strings": {
"match_mapping_type": "string",
"mapping": {
"type": "text",
"norms": false,
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 1024
}
}
}
}
}
],
"properties": {
"@timestamp": {
"type": "date"
},
"@version": {
"type": "keyword"
},
"log_ingest_timestamp": {
"type": "date"
},
"z_logstash_type": {
"enabled": false
},
"z_original_message": {
"enabled": false
},
"z_logstash_pipeline": {
"enabled": false
}
}
}
}
}
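Review bot: `"ignore_malformed": true` in the `index.mapping` settings makes Elasticsearch drop any value that does not fit its mapped type instead of rejecting the document, so a non-numeric `process_id` or an unparsable `log_ingest_timestamp` is indexed silently with that field missing and will never match a search on it. For security telemetry this trades rejected events for invisible gaps; since JSON carries no comments, the trade-off belongs in the README, or the setting should be moved onto the specific fields where lenient parsing is wanted. Minor: `"total_fields.limit": "1000"` is a string while the sibling settings are bare booleans/numbers — Elasticsearch coerces it, but a bare `1000` is the form the docs use.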


@ -0,0 +1,153 @@
{
"order": 50,
"index_patterns": [ "logs-endpoint-winevent-*" ],
"version": 2018080101,
"settings": {
"analysis": {
"analyzer": {
"cli_n_file_analyzer": {
"type": "custom",
"filter": [ "case_change_only_delim_filter", "three_or_more_tokenizer_limit_filter", "cli_n_file_word_delim_filter", "two_or_more_tokenizer_limit_filter", "lowercase", "unique" ],
"tokenizer": "standard"
}
},
"filter": {
"cli_n_file_word_delim_filter": {
"type": "word_delimiter",
"generate_word_parts": true,
"split_on_case_change": true,
"split_on_numerics": false,
"stem_english_possessive": false,
"generate_number_parts": true,
"preserve_original": true
},
"case_change_only_delim_filter": {
"type": "word_delimiter",
"generate_word_parts": true,
"split_on_case_change": true,
"split_on_numerics": false,
"stem_english_possessive": false,
"generate_number_parts": false,
"preserve_original": true
},
"two_or_more_tokenizer_limit_filter": {
"type": "length",
"min": 2
},
"three_or_more_tokenizer_limit_filter": {
"type": "length",
"min": 3
}
},
"normalizer": {
"lowercase_normalizer": {
"type": "custom",
"char_filter": [ ],
"filter": [ "lowercase" ]
}
}
},
"index": {
"mapping": {
"total_fields.limit": "3000"
}
},
"refresh_interval": "30s"
},
"mappings": {
"_doc":{
"properties":{
"process_id":{"type":"integer"},
"event_id":{"type":"integer"},
"file_name": {
"type": "text",
"norms": false,
"analyzer": "cli_n_file_analyzer",
"fields": {
"keyword": {
"ignore_above": 7500,
"type": "keyword"
}
}
},
"logon_process_name": {
"type": "text",
"norms": false,
"analyzer": "cli_n_file_analyzer",
"fields": {
"keyword": {
"ignore_above": 7500,
"type": "keyword"
}
}
},
"object_name": {
"type": "text",
"norms": false,
"analyzer": "cli_n_file_analyzer",
"fields": {
"keyword": {
"ignore_above": 7500,
"type": "keyword"
}
}
},
"process_command_line": {
"type": "text",
"norms": false,
"analyzer": "cli_n_file_analyzer",
"fields": {
"keyword": {
"ignore_above": 7500,
"type": "keyword"
}
}
},
"process_current_directory": {
"type": "text",
"norms": false,
"analyzer": "cli_n_file_analyzer",
"fields": {
"keyword": {
"ignore_above": 7500,
"type": "keyword"
}
}
},
"process_parent_path": {
"type": "text",
"norms": false,
"analyzer": "cli_n_file_analyzer",
"fields": {
"keyword": {
"ignore_above": 7500,
"type": "keyword"
}
}
},
"process_parent_command_line": {
"type": "text",
"norms": false,
"analyzer": "cli_n_file_analyzer",
"fields": {
"keyword": {
"ignore_above": 7500,
"type": "keyword"
}
}
},
"process_path": {
"type": "text",
"norms": false,
"analyzer": "cli_n_file_analyzer",
"fields": {
"keyword": {
"ignore_above": 7500,
"type": "keyword"
}
}
}
}
}
}
}
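Review bot: `lowercase_normalizer` is declared under `settings.analysis.normalizer` but no keyword field in this template's `mappings` references it, so the definition is dead unless another template merging on the same pattern uses it — either attach it (`"normalizer": "lowercase_normalizer"` on the `.keyword` subfields that should match case-insensitively) or drop it. `"ignore_above": 7500` on the `.keyword` subfields means a value longer than that (a long `process_command_line`, say) is still searchable through the analyzed text field but silently absent from term queries and aggregations on the keyword subfield; a sensible size bound, but it should be written down wherever the field list is documented. Style: `"_doc":{`, `"properties":{` and the `process_id`/`event_id` one-liners omit the space after the colon that the rest of the file uses.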


@ -0,0 +1,12 @@
{
"order": 60,
"index_patterns" : "logs-endpoint-powershell-direct-*",
"version": 2018080101,
"mappings":{
"_doc":{
"properties":{
"process_id":{"type":"integer"}
}
}
}
}
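Review bot: `"index_patterns"` is a bare string here while every other new template on this page uses a one-element array — `"index_patterns": [ "logs-endpoint-powershell-direct-*" ],` would match them. Elasticsearch accepts both forms, but the mixed style makes the templates harder to lint and diff. The `logs-endpoint-winevent-security-*` template in this PR has the same bare-string form (and both carry the stray space in `"index_patterns" :`).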


@ -0,0 +1,12 @@
{
"order": 60,
"index_patterns": [ "logs-endpoint-winevent-application-*" ],
"version": 2018080101,
"mappings":{
"_doc":{
"properties":{
"spp_restart_scheduled":{"type":"date"}
}
}
}
}


@ -0,0 +1,232 @@
{
"order": 60,
"index_patterns": [ "logs-endpoint-winevent-powershell-*" ],
"version": 2018080201,
"mappings":{
"_doc": {
"properties": {
"powershell": {
"dynamic": "false",
"properties": {
"command": {
"properties": {
"name": {
"type": "text",
"norms": false,
"analyzer": "standard",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"line": {
"type": "text",
"norms": false,
"analyzer": "standard",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"path": {
"type": "text",
"norms": false,
"analyzer": "standard",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"type": {
"type": "text",
"norms": false,
"analyzer": "standard",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
},
"connected_user": {
"type": "text",
"norms": false,
"analyzer": "standard",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"param": {
"properties": {
"name": {
"type": "text",
"norms": false,
"analyzer": "standard",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"value": {
"type": "text",
"norms": false,
"analyzer": "standard",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"value_nonalphanumeric": {
"type": "keyword"
}
}
},
"pipeline_id": {
"type": "integer"
},
"remaining_payload": {
"type": "text",
"norms": false,
"analyzer": "standard",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"runspace_id": {
"type": "keyword"
},
"scriptblock": {
"properties": {
"id": {
"type": "keyword"
},
"message_number": {
"type": "keyword"
},
"message_total": {
"type": "keyword"
},
"text": {
"type": "text",
"norms": false,
"analyzer": "standard",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
},
"sequence_number": {
"type": "integer"
},
"shell_id": {
"type": "keyword"
},
"script": {
"properties": {
"name": {
"type": "text",
"norms": false,
"analyzer": "standard",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"path": {
"type": "text",
"norms": false,
"analyzer": "standard",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
},
"host": {
"properties": {
"application": {
"type": "text",
"norms": false,
"analyzer": "standard",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"name": {
"type": "keyword"
},
"version": {
"type": "keyword"
},
"id": {
"type": "keyword"
}
}
},
"engine_version": {
"type": "keyword"
},
"newproviderstate": {
"type": "text",
"norms": false,
"analyzer": "standard",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"providername": {
"type": "text",
"norms": false,
"analyzer": "standard",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"newengine_state": {
"type": "text",
"norms": false,
"analyzer": "standard",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"previousengine_state": {
"type": "text",
"norms": false,
"analyzer": "standard",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
}
}
}
}
}
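Review bot: `"dynamic": "false"` on the `powershell` object means any sub-field the pipeline emits that is not listed here is kept in `_source` but never indexed, with no error. The PowerShell filter removed in this PR wrote names such as `[powershell][message][number]` and the mistyped `[powershell][sequencenumber`, none of which appear in this template, and the replacement filter is not visible on this page, so a name mismatch would silently produce unsearchable fields; `"dynamic": "strict"` while bringing the new filter up would surface such mismatches as indexing errors. Also `scriptblock.message_number` and `message_total` are mapped `keyword` although the old filter converted them to integers — if the new filter still does, comparisons on them become lexical, which is presumably not intended. `"analyzer": "standard"` is the default for `text` and can be dropped from every field to shorten the file.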


@ -0,0 +1,19 @@
{
"order": 60,
"index_patterns": "logs-endpoint-winevent-security-*",
"version": 2018080101,
"mappings":{
"_doc":{
"properties":{
"@date_new_time":{"type":"date"},
"@date_previous_time":{"type":"date"},
"target_process_id":{"type":"integer"},
"process_parent_id":{"type":"integer"},
"user_session_id":{"type":"integer"},
"src_port":{"type":"integer"},
"dst_port":{"type":"integer"},
"version":{"type":"integer"}
}
}
}
}


@ -0,0 +1,26 @@
{
"order": 60,
"index_patterns": [ "logs-endpoint-winevent-sysmon-*" ],
"version": 2018080101,
"settings": {
"index.refresh_interval": "5s"
},
"mappings":{
"_doc":{
"properties":{
"@date_creation":{"type":"date"},
"@date_creation_previous":{"type":"date"},
"dst_port":{"type":"integer"},
"src_port":{"type":"integer"},
"network_initiated":{"type":"boolean"},
"thread_new_id":{"type":"integer"},
"module_signed":{"type":"boolean"},
"process_parent_id":{"type":"integer"},
"target_process_id":{"type":"integer"},
"user_session_id":{"type":"integer"},
"thread_id":{"type":"integer"},
"version":{"type":"integer"}
}
}
}
}


@ -0,0 +1,7 @@
{
"order": 60,
"index_patterns": [ "logs-endpoint-winevent-system-*" ],
"version": 2018080101,
"mappings":{
}
}


@ -0,0 +1,7 @@
{
"order": 60,
"index_patterns": [ "logs-endpoint-winevent-wmiactivity-*" ],
"version": 2018080101,
"mappings":{
}
}


@ -0,0 +1,26 @@
{
"order": 82,
"index_patterns": [ "logs-*" ],
"version": 2018080101,
"mappings": {
"_doc": {
"properties": {
"not_ip_dst": {
"type": "keyword"
},
"not_ip_dst_nat": {
"type": "keyword"
},
"not_ip_log": {
"type": "keyword"
},
"not_ip_src": {
"type": "keyword"
},
"not_ip_src_nat": {
"type": "keyword"
}
}
}
}
}


@ -0,0 +1,88 @@
{
"order": 91,
"index_patterns": [ "logs-*" ],
"version": 2018052301,
"mappings": {
"_doc": {
"properties": {
"dst_nat_ip_addr": {
"type": "ip",
"copy_to": "any_ip_addr"
},
"dst_nat_ip_public": {
"type": "boolean",
"doc_values": false
},
"dst_nat_ip_type": {
"type": "keyword"
},
"meta_dst_nat_ip_geo": {
"properties": {
"asn": {
"type": "integer",
"copy_to": "any_ip_geo.asn"
},
"as_org": {
"type": "text",
"norms": false,
"copy_to": "any_ip_geo.as_org",
"fields": {
"keyword": {
"type": "keyword",
"eager_global_ordinals": true
}
}
},
"country_code2": {
"type": "keyword"
},
"country_code3": {
"type": "keyword"
},
"country_name": {
"type": "keyword"
},
"continent_code": {
"type": "keyword"
},
"region_code": {
"type": "keyword"
},
"region_name": {
"type": "keyword"
},
"city_name": {
"type": "keyword"
},
"postal_code": {
"type": "keyword"
},
"latitude": {
"type": "keyword",
"index": false,
"doc_values": false
},
"longitude": {
"type": "keyword",
"index": false,
"doc_values": false
},
"dma_code": {
"type": "integer"
},
"area_code": {
"type": "integer"
},
"timezone": {
"type": "keyword",
"index": false
},
"location": {
"type": "geo_point"
}
}
}
}
}
}
}


@ -0,0 +1,88 @@
{
"order": 91,
"index_patterns": [ "logs-*" ],
"version": 2018052301,
"mappings": {
"_doc": {
"properties": {
"dst_ip_addr": {
"type": "ip",
"copy_to": "any_ip_addr"
},
"dst_ip_public": {
"type": "boolean",
"doc_values": false
},
"dst_ip_type": {
"type": "keyword"
},
"meta_dst_ip_geo": {
"properties": {
"asn": {
"type": "integer",
"copy_to": "any_ip_geo.asn"
},
"as_org": {
"type": "text",
"norms": false,
"copy_to": "any_ip_geo.as_org",
"fields": {
"keyword": {
"type": "keyword",
"eager_global_ordinals": true
}
}
},
"country_code2": {
"type": "keyword"
},
"country_code3": {
"type": "keyword"
},
"country_name": {
"type": "keyword"
},
"continent_code": {
"type": "keyword"
},
"region_code": {
"type": "keyword"
},
"region_name": {
"type": "keyword"
},
"city_name": {
"type": "keyword"
},
"postal_code": {
"type": "keyword"
},
"latitude": {
"type": "keyword",
"index": false,
"doc_values": false
},
"longitude": {
"type": "keyword",
"index": false,
"doc_values": false
},
"dma_code": {
"type": "integer"
},
"area_code": {
"type": "integer"
},
"timezone": {
"type": "keyword",
"index": false
},
"location": {
"type": "geo_point"
}
}
}
}
}
}
}


@ -0,0 +1,88 @@
{
"order": 91,
"index_patterns": [ "logs-*" ],
"version": 2018052301,
"mappings": {
"_doc": {
"properties": {
"src_nat_ip_addr": {
"type": "ip",
"copy_to": "any_ip_addr"
},
"src_nat_ip_public": {
"type": "boolean",
"doc_values": false
},
"src_nat_ip_type": {
"type": "keyword"
},
"meta_src_nat_ip_geo": {
"properties": {
"asn": {
"type": "integer",
"copy_to": "any_ip_geo.asn"
},
"as_org": {
"type": "text",
"norms": false,
"copy_to": "any_ip_geo.as_org",
"fields": {
"keyword": {
"type": "keyword",
"eager_global_ordinals": true
}
}
},
"country_code2": {
"type": "keyword"
},
"country_code3": {
"type": "keyword"
},
"country_name": {
"type": "keyword"
},
"continent_code": {
"type": "keyword"
},
"region_code": {
"type": "keyword"
},
"region_name": {
"type": "keyword"
},
"city_name": {
"type": "keyword"
},
"postal_code": {
"type": "keyword"
},
"latitude": {
"type": "keyword",
"index": false,
"doc_values": false
},
"longitude": {
"type": "keyword",
"index": false,
"doc_values": false
},
"dma_code": {
"type": "integer"
},
"area_code": {
"type": "integer"
},
"timezone": {
"type": "keyword",
"index": false
},
"location": {
"type": "geo_point"
}
}
}
}
}
}
}


@ -0,0 +1,88 @@
{
"order": 91,
"index_patterns": [ "logs-*" ],
"version": 2018052301,
"mappings": {
"_doc": {
"properties": {
"src_ip_addr": {
"type": "ip",
"copy_to": "any_ip_addr"
},
"src_ip_public": {
"type": "boolean",
"doc_values": false
},
"src_ip_type": {
"type": "keyword"
},
"meta_src_ip_geo": {
"properties": {
"asn": {
"type": "integer",
"copy_to": "any_ip_geo.asn"
},
"as_org": {
"type": "text",
"norms": false,
"copy_to": "any_ip_geo.as_org",
"fields": {
"keyword": {
"type": "keyword",
"eager_global_ordinals": true
}
}
},
"country_code2": {
"type": "keyword"
},
"country_code3": {
"type": "keyword"
},
"country_name": {
"type": "keyword"
},
"continent_code": {
"type": "keyword"
},
"region_code": {
"type": "keyword"
},
"region_name": {
"type": "keyword"
},
"city_name": {
"type": "keyword"
},
"postal_code": {
"type": "keyword"
},
"latitude": {
"type": "keyword",
"index": false,
"doc_values": false
},
"longitude": {
"type": "keyword",
"index": false,
"doc_values": false
},
"dma_code": {
"type": "integer"
},
"area_code": {
"type": "integer"
},
"timezone": {
"type": "keyword",
"index": false
},
"location": {
"type": "geo_point"
}
}
}
}
}
}
}


@ -0,0 +1,88 @@
{
"order": 91,
"index_patterns": [ "logs-*" ],
"version": 2018080101,
"mappings": {
"_doc": {
"properties": {
"dst_nat_ipv6_addr": {
"type": "ip",
"copy_to": "any_ip_addr"
},
"dst_nat_ipv6_public": {
"type": "boolean",
"doc_values": false
},
"dst_nat_ipv6_type": {
"type": "keyword"
},
"meta_dst_nat_ipv6_geo": {
"properties": {
"asn": {
"type": "integer",
"copy_to": "any_ip_geo.asn"
},
"as_org": {
"type": "text",
"norms": false,
"copy_to": "any_ip_geo.as_org",
"fields": {
"keyword": {
"type": "keyword",
"eager_global_ordinals": true
}
}
},
"country_code2": {
"type": "keyword"
},
"country_code3": {
"type": "keyword"
},
"country_name": {
"type": "keyword"
},
"continent_code": {
"type": "keyword"
},
"region_code": {
"type": "keyword"
},
"region_name": {
"type": "keyword"
},
"city_name": {
"type": "keyword"
},
"postal_code": {
"type": "keyword"
},
"latitude": {
"type": "keyword",
"index": false,
"doc_values": false
},
"longitude": {
"type": "keyword",
"index": false,
"doc_values": false
},
"dma_code": {
"type": "integer"
},
"area_code": {
"type": "integer"
},
"timezone": {
"type": "keyword",
"index": false
},
"location": {
"type": "geo_point"
}
}
}
}
}
}
}


@ -0,0 +1,88 @@
{
"order": 91,
"index_patterns": [ "logs-*" ],
"version": 2018080101,
"mappings": {
"_doc": {
"properties": {
"dst_ipv6_addr": {
"type": "ip",
"copy_to": "any_ip_addr"
},
"dst_ipv6_public": {
"type": "boolean",
"doc_values": false
},
"dst_ipv6_type": {
"type": "keyword"
},
"meta_dst_ipv6_geo": {
"properties": {
"asn": {
"type": "integer",
"copy_to": "any_ip_geo.asn"
},
"as_org": {
"type": "text",
"norms": false,
"copy_to": "any_ip_geo.as_org",
"fields": {
"keyword": {
"type": "keyword",
"eager_global_ordinals": true
}
}
},
"country_code2": {
"type": "keyword"
},
"country_code3": {
"type": "keyword"
},
"country_name": {
"type": "keyword"
},
"continent_code": {
"type": "keyword"
},
"region_code": {
"type": "keyword"
},
"region_name": {
"type": "keyword"
},
"city_name": {
"type": "keyword"
},
"postal_code": {
"type": "keyword"
},
"latitude": {
"type": "keyword",
"index": false,
"doc_values": false
},
"longitude": {
"type": "keyword",
"index": false,
"doc_values": false
},
"dma_code": {
"type": "integer"
},
"area_code": {
"type": "integer"
},
"timezone": {
"type": "keyword",
"index": false
},
"location": {
"type": "geo_point"
}
}
}
}
}
}
}


@ -0,0 +1,88 @@
{
"order": 91,
"index_patterns": [ "logs-*" ],
"version": 2018080101,
"mappings": {
"_doc": {
"properties": {
"ipv6_src_nat_addr": {
"type": "ip",
"copy_to": "any_ip_addr"
},
"ipv6_src_nat_public": {
"type": "boolean",
"doc_values": false
},
"ipv6_src_nat_type": {
"type": "keyword"
},
"meta_src_nat_ipv6_geo": {
"properties": {
"asn": {
"type": "integer",
"copy_to": "any_ip_geo.asn"
},
"as_org": {
"type": "text",
"norms": false,
"copy_to": "any_ip_geo.as_org",
"fields": {
"keyword": {
"type": "keyword",
"eager_global_ordinals": true
}
}
},
"country_code2": {
"type": "keyword"
},
"country_code3": {
"type": "keyword"
},
"country_name": {
"type": "keyword"
},
"continent_code": {
"type": "keyword"
},
"region_code": {
"type": "keyword"
},
"region_name": {
"type": "keyword"
},
"city_name": {
"type": "keyword"
},
"postal_code": {
"type": "keyword"
},
"latitude": {
"type": "keyword",
"index": false,
"doc_values": false
},
"longitude": {
"type": "keyword",
"index": false,
"doc_values": false
},
"dma_code": {
"type": "integer"
},
"area_code": {
"type": "integer"
},
"timezone": {
"type": "keyword",
"index": false
},
"location": {
"type": "geo_point"
}
}
}
}
}
}
}
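Review bot: The three top-level field names in this template — `ipv6_src_nat_addr`, `ipv6_src_nat_public`, `ipv6_src_nat_type` — break the naming pattern of the sibling templates (`src_ipv6_addr`, `dst_nat_ipv6_addr`, …) while the geo object in the same file keeps it (`meta_src_nat_ipv6_geo`). Unless the Logstash pipeline really emits the `ipv6_src_nat_*` form, these three mappings never match a document, and a `src_nat_ipv6_addr` field would fall through to the order-10 string template — indexed as `text`/`keyword` rather than `ip`, and never copied into `any_ip_addr`. If the emitted names follow the siblings, rename to `src_nat_ipv6_addr`, `src_nat_ipv6_public`, `src_nat_ipv6_type`. Separately, the eight order-91 templates repeat an identical `meta_*_geo` block; a single dynamic template with `path_match` on `meta_*_geo.*` would stop the copies from drifting.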


@ -0,0 +1,88 @@
{
"order": 91,
"index_patterns": [ "logs-*" ],
"version": 2018080101,
"mappings": {
"_doc": {
"properties": {
"src_ipv6_addr": {
"type": "ip",
"copy_to": "any_ip_addr"
},
"src_ipv6_public": {
"type": "boolean",
"doc_values": false
},
"src_ipv6_type": {
"type": "keyword"
},
"meta_src_ipv6_geo": {
"properties": {
"asn": {
"type": "integer",
"copy_to": "any_ip_geo.asn"
},
"as_org": {
"type": "text",
"norms": false,
"copy_to": "any_ip_geo.as_org",
"fields": {
"keyword": {
"type": "keyword",
"eager_global_ordinals": true
}
}
},
"country_code2": {
"type": "keyword"
},
"country_code3": {
"type": "keyword"
},
"country_name": {
"type": "keyword"
},
"continent_code": {
"type": "keyword"
},
"region_code": {
"type": "keyword"
},
"region_name": {
"type": "keyword"
},
"city_name": {
"type": "keyword"
},
"postal_code": {
"type": "keyword"
},
"latitude": {
"type": "keyword",
"index": false,
"doc_values": false
},
"longitude": {
"type": "keyword",
"index": false,
"doc_values": false
},
"dma_code": {
"type": "integer"
},
"area_code": {
"type": "integer"
},
"timezone": {
"type": "keyword",
"index": false
},
"location": {
"type": "geo_point"
}
}
}
}
}
}
}


@ -0,0 +1,26 @@
{
"order": 99,
"index_patterns": [ "logs-*" ],
"version": 2018080101,
"mappings": {
"_doc": {
"properties": {
"any_ip_addr": {
"type": "ip"
},
"any_ip_geo": {
"properties": {
"asn": {
"type": "integer",
"doc_values": false
},
"as_org": {
"type": "text",
"norms": false
}
}
}
}
}
}
}
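Review bot: `any_ip_geo.as_org` is mapped as plain `text` with no `.keyword` subfield, while every source field that `copy_to`s into it (`meta_*_geo.as_org`) carries one with `eager_global_ordinals`; `copy_to` copies values, not mappings, so exact-term filters and aggregations on the merged organisation field are not possible. Either add the same `"fields": { "keyword": { "type": "keyword" } }` here or, if only full-text search over the merged field is intended, say so in the README. Likewise `any_ip_geo.asn` has `"doc_values": false`, so the merged ASN can be filtered but not aggregated or sorted, whereas the per-direction `asn` fields keep doc values — fine if deliberate, but worth stating.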


@ -1,29 +0,0 @@
{
"index_patterns" : "logs-endpoint-powershell-direct-*",
"settings" : {
"index.refresh_interval": "5s"
},
"mappings":{
"doc":{
"dynamic_templates": [{
"strings":{
"match_mapping_type": "string",
"mapping": {
"type": "text",
"norms": false,
"fields": {
"raw": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
}],
"properties":{
"@timestamp":{"type":"date"},
"process_id":{"type":"integer"}
}
}
}
}


@ -1,29 +0,0 @@
{
"index_patterns" : "logs-endpoint-winevent-application-*",
"settings" : {
"index.refresh_interval": "5s"
},
"mappings":{
"doc":{
"dynamic_templates": [{
"strings":{
"match_mapping_type": "string",
"mapping": {
"type": "text",
"norms": false,
"fields": {
"raw": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
}],
"properties":{
"@timestamp":{"type":"date"},
"spp_restart_scheduled":{"type":"date"}
}
}
}
}


@ -1,37 +0,0 @@
{
"index_patterns" : "logs-endpoint-winevent-security-*",
"settings" : {
"index.refresh_interval": "5s"
},
"mappings":{
"doc":{
"dynamic_templates": [{
"strings":{
"match_mapping_type": "string",
"mapping": {
"type": "text",
"norms": false,
"fields": {
"raw": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
}],
"properties":{
"@timestamp":{"type":"date"},
"@date_new_time":{"type":"date"},
"@date_previous_time":{"type":"date"},
"process_id":{"type":"integer"},
"target_process_id":{"type":"integer"},
"process_parent_id":{"type":"integer"},
"user_session_id":{"type":"integer"},
"src_port":{"type":"integer"},
"dst_port":{"type":"integer"},
"version":{"type":"integer"}
}
}
}
}


@ -1,50 +0,0 @@
{
"index_patterns" : "logs-endpoint-winevent-sysmon-*",
"settings" : {
"index.refresh_interval": "5s"
},
"mappings":{
"doc":{
"dynamic_templates": [{
"strings":{
"match_mapping_type": "string",
"mapping": {
"type": "text",
"norms": false,
"fields": {
"raw": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
}],
"properties":{
"@timestamp":{"type":"date"},
"@date_creation":{"type":"date"},
"@date_creation_previous":{"type":"date"},
"dst_port":{"type":"integer"},
"src_port":{"type":"integer"},
"event_id":{"type":"integer"},
"geoip":{
"properties":{
"dma_code":{"type":"integer"},
"latitude":{"type":"float"},
"location":{"type": "geo_point"},
"longitude":{"type":"float"}
}
},
"network_initiated":{"type":"boolean"},
"process_id":{"type":"integer"},
"thread_new_id":{"type":"integer"},
"module_signed":{"type":"boolean"},
"process_parent_id":{"type":"integer"},
"target_process_id":{"type":"integer"},
"user_session_id":{"type":"integer"},
"thread_id":{"type":"integer"},
"version":{"type":"integer"}
}
}
}
}


@ -1,28 +0,0 @@
{
"index_patterns" : "logs-endpoint-winevent-system-*",
"settings" : {
"index.refresh_interval": "5s"
},
"mappings":{
"doc":{
"dynamic_templates": [{
"strings":{
"match_mapping_type": "string",
"mapping": {
"type": "text",
"norms": false,
"fields": {
"raw": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
}],
"properties":{
"@timestamp":{"type":"date"}
}
}
}
}


@ -1,29 +0,0 @@
{
"index_patterns" : "logs-endpoint-winevent-wmiactivity-*",
"settings" : {
"index.refresh_interval": "5s"
},
"mappings":{
"doc":{
"dynamic_templates": [{
"strings":{
"match_mapping_type": "string",
"mapping": {
"type": "text",
"norms": false,
"fields": {
"raw": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
}],
"properties":{
"@timestamp":{"type":"date"},
"process_id":{"type":"integer"}
}
}
}
}


@ -4,8 +4,7 @@
# License: GPL-3.0
input {
kafka
{
kafka {
bootstrap_servers => "helk-kafka-broker:9092,helk-kafka-broker2:9093"
topics => ["winlogbeat"]
decorate_events => true


@ -5,8 +5,7 @@
# License: GPL-3.0
input {
file
{
file {
path => "/usr/share/logstash/cti/mitre_attack.csv"
start_position => "beginning"
sincedb_path => "/dev/null"


@ -0,0 +1,11 @@
# HELK Kafka input conf file
# HELK build Stage: Alpha
# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0
input {
beats {
port => 5044
include_codec_tag => false
}
}
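Review bot: The `beats` input listens on port 5044 with no `ssl` options, so any host that can reach the port can push events into the pipeline in plaintext and unauthenticated; if this is meant for anything beyond the compose-internal network, set `ssl => true` with `ssl_certificate`/`ssl_key` and `ssl_verify_mode => "force_peer"` so only shippers presenting a trusted client certificate are accepted. The header comment also reads `# HELK Kafka input conf file` although the file defines a Beats input — `# HELK Beats input conf file` would match the convention the other conf files use.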


@ -0,0 +1,19 @@
# HELK All filter conf file
# HELK build Stage: Alpha
# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0
filter {
if [message] {
mutate {
add_field => {
"z_logstash_pipeline" => "0098"
"log_ingest_timestamp" => "%{@timestamp}"
}
copy => {
"message" => "z_original_message"
"type" => "z_logstash_type"
}
}
}
}
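Review bot: Everything in this filter is gated on `if [message]`, so an event that arrives without a `message` field gets neither `z_logstash_pipeline` nor `log_ingest_timestamp`, which defeats the provenance purpose of those two fields. Apply the `add_field` block unconditionally and keep only the `copy` of `message` under the guard; `mutate`'s `copy` appears to skip a missing source on its own, so the `type` copy does not need the guard either. Also, `log_ingest_timestamp` takes whatever `@timestamp` holds at this stage — it is only the ingest time if no earlier filter has already replaced `@timestamp` with the event's own time — and a one-line comment stating that assumption would help the next reader.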


@ -5,6 +5,7 @@
filter {
if [message] {
mutate { add_field => { "z_logstash_pipeline" => "0099" } }
fingerprint {
source => "message"
target => "[@metadata][log_hash]"
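Review bot: `add_field` on a field that already exists appends rather than replaces, so after the 0098 filter has set `z_logstash_pipeline` to `"0098"` this line turns it into the array `["0098", "0099"]`. That is harmless for the order-10 template, which maps the field with `enabled: false`, and it does give a stage trail; but it should be stated next to the line (`# add_field appends: the field becomes the list of every pipeline stage the event passed`) so a later switch to `replace`, or to an indexed mapping, does not surprise anyone. The enclosing `filter { if [message] { … } }` block continues past the hunk.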


@ -1,136 +0,0 @@
# HELK powershell filter conf file
# HELK build Stage: Alpha
# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0
# Reference:
# Nate Guagenti (@neu5ron) https://gist.github.com/neu5ron/450289373db61d5c8d7378e79455ef07#file-511-windows-event-powershell-operational-conf
filter {
if [source_name] == "Microsoft-Windows-PowerShell" or [source_name] == "PowerShell"{
if [event_id] == 4103 {
mutate {
add_field => [ "PayloadInvocation", "%{[event_data][Payload]}" ]
add_field => [ "PayloadParams", "%{[event_data][Payload]}" ]
gsub => [
"[event_data][ContextInfo]", " ", "",
"[event_data][ContextInfo]", " = ", "="
]
}
mutate {
gsub => [
"PayloadInvocation", "CommandInvocation\(.*\)", "commandinvocation",
"PayloadInvocation", "ParameterBinding.*\r\n", "",
"PayloadParams", "parameterbinding\(.*\)", "parameterbinding",
"PayloadParams", "CommandInvocation.*\r\n", "",
"[event_data][Payload]", "CommandInvocation.*\r\n", "",
"[event_data][Payload]", "ParameterBinding.*\r\n", ""
]
rename => { "[event_load][Payload]" => "[powershell][payload]" }
}
kv {
source => "PayloadInvocation"
field_split => "\n"
value_split => ":"
allow_duplicate_values => false
target => "[powershell]"
include_keys => [ "commandinvocation" ]
}
kv {
source => "PayloadParams"
value_split => "="
allow_duplicate_values => false
target => "[powershell][param]"
include_keys => [ "name", "value" ]
}
kv {
source => "[event_data][ContextInfo]"
field_split => "\r\n"
value_split => "="
remove_char_key => " "
allow_duplicate_values => false
include_keys => [ "Severity", "HostName", "HostVersion", "HostID", "HostApplication", "EngineVersion", "RunspaceID", "PipelineID", "CommandName", "CommandType", "ScriptName", "CommandPath", "SequenceNumber", "ConnectedUser", "ShellID" ]
}
mutate {
rename => {
"CommandName" => "[powershell][command][name]"
"CommandPath" => "[powershell][command][path]"
"CommandType" => "[powershell][command][type]"
"ConnectedUser" => "[powershell][connected][user]"
"EngineVersion" => "[powershell][engine][version]"
"HostApplication" => "[powershell][host][application]"
"HostID" => "[powershell][host][id]"
"HostName" => "[powershell][host][name]"
"HostVersion" => "[powershell][host][version]"
"PipelineID" => "[powershell][pipeline][id]"
"RunspaceID" => "[powershell][runspace][id]"
"Scriptname" => "[powershell][script][name]"
"SequenceNumber" => "[powershell][sequence][number]"
"ShellID" => "[powershell][shell][id]"
}
remove_field => [
"Severity",
"EventType",
"Keywords",
"message",
"Opcode",
"PayloadInvocation",
"PayloadParams",
"[event_data][Payload]",
"[event_data][ContextInfo]"
]
convert => { "[powershell][pipeline][id]" => "integer" }
convert => { "[powershell][sequence][number]" => "integer" }
}
}
if [event_id] == 4104 {
mutate {
rename => {
"[event_data][MessageNumber]" => "[powershell][message][number]"
"[event_data][MessageTotal]" => "[powershell][message][total]"
"[event_data][ScriptBlockId]" => "[powershell][scriptblock][id]"
"[event_data][ScriptBlockText]" => "[powershell][scriptblock][text]"
"[event_data][Path]" => "[powershell][script][path]"
}
remove_field => [ "message" ]
convert => { "[powershell][message][number]" => "integer" }
convert => { "[powershell][message][total]" => "integer" }
convert => { "[powershell][scriptblock][id]" => "integer" }
}
}
if [event_id] == 400 or [event_id] == 600 {
kv {
source => "[event_data][param3]"
field_split => "\n"
value_split => "="
trim_key => "\t"
allow_duplicate_values => false
}
mutate {
rename => {
"ProviderName" => "[powershell][providername]"
"NewProviderState" => "[powershell][newproviderstate]"
"SequenceNumber" => "[powershell][sequencenumber"
"HostName" => "[powershell][host][name]"
"HostVersion" => "[powershell][host][version]"
"HostId" => "[powershell][host][id]"
"HostApplication" => "[powershell][host][application]"
"EngineVersion" => "[powershell][engine][version]"
"RunspaceId" => "[powershell][runspace][id]"
"PipelineId" => "[powershell][pipeline][id]"
"CommandName" => "[powershell][command][name]"
"CommandType" => "[powershell][command][type]"
"ScriptName" => "[powershell][script][name]"
"CommandPath" => "[powershell][command][path]"
"CommandLine" => "[powershell][command][line]"
"NewEngineState" => "[powershell][newengine][state]"
"PreviousEngineState" => "[powershell][previousengine][state]"
}
remove_field => [ "message" ]
remove_field => "[event_data][param1]"
remove_field => "[event_data][param2]"
remove_field => "[event_data][param3]"
}
}
}
}


@ -0,0 +1,28 @@
filter {
# Use the following to get rid of the prepended "event_data" nest that (elastic) winlogbeats adds to windows logs
if [type] == "wineventlog" and [beat] {
ruby {
code => "
eventdata = event.get('event_data')
# Sometimes does not exist, so check that first -- then move the nests
if !eventdata.nil?
eventdata.each {|k, v|
if eventdata.to_s != '(NULL)'
event.set(k, v)
end
}
end
# Finally remove the nest completely
event.remove('event_data')
"
tag_on_exception => "_rubyexception_1010"
#code => "
# event.get('event_data').each {|k, v|
# event.set(k, v)
# }
# event.remove('event_data')
#"
#tag_on_exception => "_rubyexception_1010"
}
}
}
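Review bot: The `(NULL)` guard inside the `each` loop compares `eventdata.to_s` — the string form of the whole hash — rather than the value being copied, so it is effectively always true and `(NULL)` values are hoisted to the top level unchanged; the intended check is `if v.to_s != '(NULL)'`. Separately, `event.set(k, v)` overwrites any existing top-level field whose name matches an `event_data` key, so a key such as `type` or `message` inside event data would clobber the pipeline's own fields — consider `event.set(k, v) unless event.include?(k)` or a documented precedence rule. The commented-out earlier version with its duplicate `tag_on_exception` should go, and the file lacks the `# HELK … filter conf file` header the other conf files carry.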


@ -1,315 +0,0 @@
# HELK sysmon filter conf file
# HELK build Stage: Alpha
# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0
filter {
if [log_name] == "Microsoft-Windows-Sysmon/Operational"{
mutate {
rename => {
"[user][domain]" => "user_reporter_domain"
"[user][identifier]" => "user_reporter_sid"
"[user][name]" => "user_reporter_name"
"[user][type]" => "user_reporter_type"
"computer_name" => "host_name"
}
}
if [provider_guid] {
mutate {
gsub => ["provider_guid","[{}]",""]
}
}
if [event_data][RuleName] {
kv {
source => "[event_data][RuleName]"
field_split => ","
value_split => "="
prefix => "mitre_"
transform_key => "lowercase"
}
}
if [event_data][Image] {
if [event_data][Image] =~ /^(\w*$)|^(\w*\..*$)/ {
mutate {
copy => {"[event_data][Image]" => "process_name"}
}
}
else {
grok {
match => { "[event_data][Image]" => ".*\\%{GREEDYDATA:process_name}" }
tag_on_failure => [ "_grokparsefailure", "_parsefailure" ]
}
}
mutate {
rename => {
"[event_data][Image]" => "process_path"
"[event_data][ProcessGuid]" => "process_guid"
"[event_data][ProcessId]" => "process_id"
}
gsub => ["process_guid","[{}]",""]
}
}
if [event_data][ParentImage] {
grok {
match => { "[event_data][ParentImage]" => ".*\\%{GREEDYDATA:process_parent_name}" }
tag_on_failure => [ "_grokparsefailure", "_parsefailure" ]
}
}
if [event_data][Hashes] {
kv {
source => "[event_data][Hashes]"
field_split => ","
value_split => "="
prefix => "hash_"
transform_key => "lowercase"
}
}
if [event_data][TargetImage] {
grok {
match => { "[event_data][SourceImage]" => ".*\\%{GREEDYDATA:process_name}" }
tag_on_failure => [ "_grokparsefailure", "_parsefailure" ]
}
grok {
match => { "[event_data][TargetImage]" => ".*\\%{GREEDYDATA:target_process_name}" }
tag_on_failure => [ "_grokparsefailure", "_parsefailure" ]
}
mutate {
rename => {
"[event_data][SourceImage]" => "process_path"
"[event_data][SourceProcessGUID]" => "process_guid"
"[event_data][SourceProcessId]" => "process_id"
"[event_data][TargetImage]" => "target_process_path"
"[event_data][TargetProcessGUID]" => "target_process_guid"
"[event_data][TargetProcessId]" => "target_process_id"
}
gsub => ["process_guid","[{}]",""]
gsub => ["target_process_guid","[{}]",""]
}
}
if [event_data][User] {
grok {
match => { "[event_data][User]" => "%{GREEDYDATA:user_domain}\\%{GREEDYDATA:user_name}" }
tag_on_failure => [ "_grokparsefailure", "_parsefailure" ]
}
}
if [event_data][LogonId] {
mutate { rename => { "[event_data][LogonId]" => "user_logon_id" }}
mutate { gsub => [ "user_logon_id", "0x", "" ]}
ruby {
code => "
userlogonid = event.get('user_logon_id')
userlogonid = userlogonid.hex
event.set('user_logon_id', userlogonid)
"
tag_on_exception => "_0591_rubyexception"
}
}
if [event_id] == 1 {
mutate {
add_field => { "action" => "processcreate" }
rename => {
"[event_data][CommandLine]" => "process_command_line"
"[event_data][CurrentDirectory]" => "process_current_directory"
"[event_data][ParentImage]" => "process_parent_path"
"[event_data][ParentCommandLine]" => "process_parent_command_line"
"[event_data][IntegrityLevel]" => "process_integrity_level"
"[event_data][LogonGuid]" => "user_logon_guid"
"[event_data][ParentProcessGuid]" => "process_parent_guid"
"[event_data][ParentProcessId]" => "process_parent_id"
"[event_data][TerminalSessionId]" => "user_session_id"
"[event_data][FileVersion]" => "file_version"
"[event_data][Description]" => "file_description"
"[event_data][Product]" => "file_product"
"[event_data][Company]" => "file_company"
}
gsub => ["process_parent_guid","[{}]",""]
gsub => ["user_logon_guid","[{}]",""]
}
}
if [event_id] == 2 {
mutate {
add_field => { "action" => "filecreatetime" }
rename => {
"[event_data][TargetFileName]" => "file_name"
}
}
}
if [event_id] == 3 {
mutate {
add_field => { "action" => "networkconnect" }
rename => {
"[event_data][DestinationHostname]" => "dst_host_name"
"[event_data][DestinationIp]" => "dst_ip"
"[event_data][DestinationIsIpv6]" => "dst_is_ipv6"
"[event_data][DestinationPort]" => "dst_port"
"[event_data][DestinationPortName]" => "dst_port_name"
"[event_data][Initiated]" => "network_initiated"
"[event_data][Protocol]" => "network_protocol"
"[event_data][SourceHostname]" => "src_host_name"
"[event_data][SourceIp]" => "src_ip"
"[event_data][SourceIsIpv6]" => "src_is_ipv6"
"[event_data][SourcePort]" => "src_port"
"[event_data][SourcePortName]" => "src_port_name"
}
}
geoip {
source => "dst_ip"
remove_field => "[geoip][ip]"
}
}
if [event_id] == 4 {
mutate {
add_field => { "action" => "sysmonservicestatechanged" }
rename => {
"[event_data][State]" => "service_state"
"[event_data][Version]" => "sysmon_version"
"[event_data][SchemaVersion]" => "sysmon_schema_version"
}
}
}
if [event_id] == 6 {
mutate {
add_field => { "action" => "driverload" }
rename => {
"[event_data][ImageLoaded]" => "driver_loaded"
"[event_data][Signature]" => "driver_signature"
"[event_data][SignatureStatus]" => "driver_signature_status"
"[event_data][Signed]" => "driver_signed"
}
}
}
if [event_id] == 7 {
mutate {
add_field => { "action" => "imageload" }
rename => {
"[event_data][ImageLoaded]" => "module_loaded"
"[event_data][Signature]" => "module_signature"
"[event_data][SignatureStatus]" => "module_signature_status"
"[event_data][Signed]" => "module_signed"
}
}
}
if [event_id] == 8 {
mutate {
add_field => { "action" => "createremotethread" }
rename => {
"[event_data][NewThreadId]" => "thread_new_id"
"[event_data][StartAddress]" => "thread_start_address"
"[event_data][StartFunction]" => "thread_start_function"
"[event_data][StartModule]" => "thread_start_module"
}
}
}
if [event_id] == 9 {
mutate {
add_field => { "action" => "rawaccessread" }
rename => {
"[event_data][Device]" => "device_name"
}
}
}
if [event_id] == 10 {
mutate {
add_field => { "action" => "processaccess" }
rename => {
"[event_data][CallTrace]" => "process_call_trace"
"[event_data][GrantedAccess]" => "process_granted_access"
"[event_data][SourceThreadId]" => "thread_id"
}
}
}
if [event_id] == 11 {
mutate {
add_field => { "action" => "filecreate" }
rename => {
"[event_data][TargetFilename]" => "file_name"
}
}
}
if [event_id] == 12 or [event_id] == 13 or [event_id] == 14 {
mutate {
add_field => { "action" => "registryevent" }
rename => {
"[event_data][EventType]" => "event_type"
"[event_data][TargetObject]" => "registry_key_path"
"[event_data][Details]" => "registry_key_value"
}
}
}
if [event_id] == 15 {
mutate {
add_field => { "action" => "filecreatestreamhash" }
rename => {
"[event_data][TargetFilename]" => "file_name"
"[event_data][Hash]" => "hash"
}
}
}
if [event_id] == 16 {
kv {
source => "[event_data][ConfigurationFileHash]"
value_split => "="
prefix => "sysmon_config_hash_"
transform_key => "lowercase"
}
mutate {
add_field => { "action" => "sysmonconfigstatechanged" }
rename => {
"[event_data][State]" => "sysmon_configuration_state"
"[event_data][Configuration]" => "sysmon_configuration"
}
}
}
if [event_id] == 18 or [event_id] == 17 {
mutate {
add_field => { "action" => "pipeevent" }
rename => {
"[event_data][PipeName]" => "pipe_name"
}
}
}
if [event_id] == 19 or [event_id] == 20 or [event_id] == 21 {
mutate {
add_field => { "action" => "wmievent" }
rename => {
"[event_data][EventType]" => "wmi_event_type"
"[event_data][Operation]" => "wmi_operation"
"[event_data][EventNamespace]" => "wmi_namespace"
"[event_data][Name]" => "wmi_name"
"[event_data][Query]" => "wmi_query"
"[event_data][Type]" => "wmi_type"
"[event_data][Destination]" => "wmi_destination"
}
}
}
date {
timezone => "UTC"
match => [ "[event_data][UtcTime]", "YYYY-MM-dd HH:mm:ss.SSS" ]
tag_on_failure => [ "_sysmon_datefailure", "_dateparsefailure" ]
}
date {
timezone => "UTC"
match => [ "[event_data][CreationUtcTime]", "YYYY-MM-dd HH:mm:ss.SSS" ]
target => "@date_creation"
tag_on_failure => [ "_sysmon_datefailure", "_dateparsefailure" ]
}
date {
timezone => "UTC"
match => [ "[event_data][PreviousCreationUtcTime]", "YYYY-MM-dd HH:mm:ss.SSS" ]
target => "@date_creation_previous"
tag_on_failure => [ "_sysmon_datefailure", "_dateparsefailure" ]
}
mutate {
remove_field => "[event_data]"
remove_field => "message"
remove_field => "[event_data][Hashes]"
remove_field => "[event_data][ConfigurationFileHash]"
remove_field => "[event_data][UtcTime]"
remove_field => "[event_data][CreationUtcTime]"
remove_field => "[event_data][PreviousCreationUtcTime]"
remove_field => "[user]"
rename => { "[event_data][User]" => "user_account"}
}
}
}


@ -1,854 +0,0 @@
# HELK winevent-security filter conf file
# HELK build Stage: Alpha
# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0
filter {
if [log_name] == "Security"{
if [event_data][ProcessName] {
grok {
match => {
"[event_data][ProcessName]" => ".*\\%{GREEDYDATA:process_name}"
}
tag_on_failure => [ "_grokparsefailure", "_parsefailure" ]
}
}
if [event_id] == 4611 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4611.md
mutate {
rename => {
"[event_data][SubjectUserSid]" => "user_sid"
"[event_data][SubjectUserName]" => "user_name"
"[event_data][SubjectDomainName]" => "user_domain"
"[event_data][SubjectLogonId]" => "user_logon_id"
"[event_data][LogonProcessName]" => "logon_process_name"
}
}
}
if [event_id] == 4616 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4616.md
mutate {
rename => {
"[event_data][NewTime]" => "@date_new_time"
"[event_data][PreviousTime]" => "@date_previous_time"
"[event_data][SubjectUserSid]" => "user_sid"
"[event_data][SubjectUserName]" => "user_name"
"[event_data][SubjectDomainName]" => "user_domain"
"[event_data][SubjectLogonId]" => "user_logon_id"
"[event_data][ProcessId]" => "process_id"
"[event_data][ProcessName]" => "process_path"
}
}
}
if [event_id] == 4624 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4624.md
mutate {
rename => {
"[event_data][SubjectUserSid]" => "user_reporter_sid"
"[event_data][SubjectUserName]" => "user_reporter_name"
"[event_data][SubjectDomainName]" => "user_reporter_domain"
"[event_data][SubjectLogonId]" => "reporter_logon_id"
"[event_data][ProcessId]" => "process_id"
"[event_data][ProcessName]" => "process_path"
"[event_data][TargetLogonId]" => "user_logon_id"
"[event_data][LogonType]" => "logon_type"
"[event_data][RestrictedAdminMode]" => "logon_restricted_adminmode"
"[event_data][VirtualAccount]" => "logon_virtual_account"
"[event_data][ElevatedToken]" => "logon_elevated_token"
"[event_data][TargetUserName]" => "user_name"
"[event_data][TargetDomainName]" => "user_domain"
"[event_data][TargetLinkedLogonId]" => "user_linked_logon_id"
"[event_data][TargetOutboundDomainName]" => "user_network_account_domain"
"[event_data][TargetOutboundUserName]" => "user_network_account_name"
"[event_data][TargetUserSid]" => "user_sid"
"[event_data][ImpersonationLevel]" => "impersonation_level"
"[event_data][LogonGuid]" => "user_logon_guid"
"[event_data][WorkstationName]" => "src_host_name"
"[event_data][IpAddress]" => "src_ip"
"[event_data][IpPort]" => "src_port"
"[event_data][LogonProcessName]" => "logon_process_name"
"[event_data][AuthenticationPackageName]" => "logon_authentication_package_name"
"[event_data][TransmittedServices]" => "logon_transmitted_services"
"[event_data][LmPackageName]" => "logon_package_name"
"[event_data][KeyLength]" => "logon_key_length"
}
}
if "logon_elevated_token" == "Yes"{
mutate {
add_tag => ["elevated_logon"]
}
}
}
if [event_id] == 4625 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4625.md
mutate {
rename => {
"[event_data][SubjectUserSid]" => "user_reporter_sid"
"[event_data][SubjectUserName]" => "user_reporter_name"
"[event_data][SubjectDomainName]" => "user_reporter_domain"
"[event_data][SubjectLogonId]" => "reporter_logon_id"
"[event_data][ProcessId]" => "process_id"
"[event_data][ProcessName]" => "process_path"
"[event_data][LogonType]" => "logon_type"
"[event_data][TargetUserName]" => "user_name"
"[event_data][TargetDomainName]" => "user_domain"
"[event_data][TargetUserSid]" => "user_sid"
"[event_data][WorkstationName]" => "src_host"
"[event_data][IpAddress]" => "src_ip"
"[event_data][IpPort]" => "src_port"
"[event_data][LogonProcessName]" => "logon_process_name"
"[event_data][AuthenticationPackageName]" => "logon_authentication_package_name"
"[event_data][TransmittedServices]" => "logon_transmitted_services"
"[event_data][LmPackageName]" => "logon_package_name"
"[event_data][KeyLength]" => "logon_key_length"
"[event_data][FailureReason]" => "logon_failure_reason"
"[event_data][Status]" => "logon_failure_status"
"[event_data][SubStatus]" => "logon_failure_substatus"
}
}
if "logon_elevated_token" == "Yes"{
mutate {
add_tag => ["elevated_logon"]
}
}
}
if [event_id] == 4627 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4627.md
mutate {
rename => {
"[event_data][SubjectUserSid]" => "user_reporter_sid"
"[event_data][SubjectUserName]" => "user_reporter_name"
"[event_data][SubjectDomainName]" => "user_reporter_domain"
"[event_data][SubjectLogonId]" => "reporter_logon_id"
"[event_data][TargetLogonId]" => "user_logon_id"
"[event_data][LogonType]" => "logon_type"
"[event_data][TargetUserName]" => "user_name"
"[event_data][TargetDomainName]" => "user_domain"
"[event_data][TargetUserSid]" => "user_sid"
"[event_data][GroupMembership]" => "user_group_membership"
}
remove_field => "[event_data][EventCountTotal]"
remove_field => "[event_data][EventIdx]"
}
}
if [event_id] == 4634 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4634.md
mutate {
rename => {
"[event_data][LogonType]" => "logon_type"
"[event_data][TargetDomainName]" => "user_domain"
"[event_data][TargetLogonId]" => "user_logon_id"
"[event_data][TargetUserName" => "user_name"
"[event_data][TargetUserSid]" => "user_sid"
}
}
}
if [event_id] == 4647 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4647.md
mutate {
rename => {
"[event_data][TargetDomainName]" => "user_domain"
"[event_data][TargetLogonId]" => "user_logon_id"
"[event_data][TargetUserName" => "user_name"
"[event_data][TargetUserSid]" => "user_sid"
}
}
}
if [event_id] == 4648 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4648.md
mutate {
rename => {
"[event_data][SubjectUserSid]" => "user_sid"
"[event_data][SubjectUserName]" => "user_name"
"[event_data][SubjectDomainName]" => "user_domain"
"[event_data][SubjectLogonId]" => "user_logon_id"
"[event_data][LogonGuid]" => "user_logon_guid"
"[event_data][TargetUserName]" => "target_user_name"
"[event_data][TargetDomainName]" => "target_user_domain"
"[event_data][ProcessId]" => "process_id"
"[event_data][ProcessName]" => "process_path"
"[event_data][TargetLogonId]" => "target_user_logon_id"
"[event_data][TargetServerName]" => "service_host_name"
"[event_data][TargetInfo]" => "service_host_info"
"[event_data][TargetLogonGuid]" => "target_user_logon_guid"
"[event_data][IpAddress]" => "src_ip"
"[event_data][IpPort]" => "src_port"
}
}
}
if [event_id] == 4656 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4656.md
mutate {
rename => {
"[event_data][SubjectDomainName]" => "user_domain"
"[event_data][SubjectLogonId]" => "user_logon_id"
"[event_data][SubjectUserName]" => "user_name"
"[event_data][SubjectUserSid]" => "user_sid"
"[event_data][AccessList]" => "object_access_list_requested"
"[event_data][AccessMask]" => "object_access_mask_requested"
"[event_data][AccessReason]" => "object_access_reason"
"[event_data][ObjectName]" => "object_name"
"[event_data][ObjectServer]" => "object_server"
"[event_data][ObjectType]" => "object_type"
"[event_data][HandleId]" => "object_access_handle_id"
"[event_data][PrivilegeList]" => "object_privilege_list"
"[event_data][TransactionId" => "object_access_transaction_id"
"[event_data][ProcessId]" => "process_id"
"[event_data][ProcessName]" => "process_path"
"[event_data][ResourceAttributes]" => "object_resource_attributes"
"event_data][RestrictedSidCount]" => "object_restricted_sid_count"
}
}
}
if [event_id] == 4657 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4657.md
mutate {
rename => {
"[event_data][SubjectDomainName]" => "user_domain"
"[event_data][SubjectLogonId]" => "user_logon_id"
"[event_data][SubjectUserName]" => "user_name"
"[event_data][SubjectUserSid]" => "user_sid"
"[event_data][ObjectName]" => "object_name"
"[event_data][ObjectValueName]" => "object_value_name"
"[event_data][HandleId]" => "object_access_handle_id"
"[event_data][OperationType]" => "object_operation_type"
"[event_data][ProcessId]" => "process_id"
"[event_data][ProcessName]" => "process_path"
"[event_data][OldValueType]" => "object_value_old_type"
"[event_data][OldValue]" => "object_value_old"
"[event_data][NewValueType]" => "object_value_new_type"
"[event_data][NewValue]" => "object_value_new"
}
}
}
if [event_id] == 4658 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4658.md
mutate {
rename => {
"[event_data][SubjectDomainName]" => "user_domain"
"[event_data][SubjectLogonId]" => "user_logon_id"
"[event_data][SubjectUserName]" => "user_name"
"[event_data][SubjectUserSid]" => "user_sid"
"[event_data][ProcessId]" => "process_id"
"[event_data][ProcessName]" => "process_path"
"[event_data][ObjectServer]" => "object_server"
"[event_data][HandleId]" => "object_access_handle_id"
}
}
}
if [event_id] == 4661 or [event_id] == 4662 or [event_id] == 4663 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4661.md
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4662.md
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4663.md
mutate {
rename => {
"[event_data][SubjectDomainName]" => "user_domain"
"[event_data][SubjectLogonId]" => "user_logon_id"
"[event_data][SubjectUserName]" => "user_name"
"[event_data][SubjectUserSid]" => "user_sid"
"[event_data][Properties]" => "object_properties"
"[event_data][AccessMask]" => "object_access_mask_requested"
"[event_data][HandleId]" => "object_access_handle_id"
"[event_data][ObjectName]" => "object_name"
"[event_data][ObjectServer]" => "object_server"
"[event_data][ObjectType]" => "object_type"
"[event_data][AdditionalInfo2]" => "object_additional_info2"
"[event_data][OperationType]" => "object_operation_type"
"[event_data][AdditionalInfo]" => "object_additional_info"
"[event_data][AccessList]" => "object_access_list_requested"
"[event_data][ResourceAttributes]" => "object_resource_attributes"
"[event_data][ProcessId]" => "process_id"
"[event_data][ProcessName]" => "process_path"
"[event_data][AccessReason]" => "object_access_reason"
"[event_data][PrivilegeList]" => "object_privilege_list"
"[event_data][TransactionId" => "object_access_transaction_id"
"event_data][RestrictedSidCount]" => "object_restricted_sid_count"
}
}
}
if [event_id] == 4670 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4670.md
mutate {
rename => {
"[event_data][SubjectDomainName]" => "user_domain"
"[event_data][SubjectLogonId]" => "user_logon_id"
"[event_data][SubjectUserName]" => "user_name"
"[event_data][SubjectUserSid]" => "user_sid"
"[event_data][ProcessId]" => "process_id"
"[event_data][ProcessName]" => "process_path"
"[event_data][HandleId]" => "object_access_handle_id"
"[event_data][NewSd]" => "object_new_sddl"
"[event_data][ObjectName]" => "object_name"
"[event_data][ObjectServer]" => "object_server"
"[event_data][ObjectType]" => "object_type"
"[event_data][OldSd]" => "object_old_sddl"
}
}
}
if [event_id] == 4672 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4672.md
mutate {
rename => {
"[event_data][PrivilegeList]" => "logon_privileges_assigned"
"[event_data][SubjectDomainName]" => "user_domain"
"[event_data][SubjectLogonId]" => "user_logon_id"
"[event_data][SubjectUserName]" => "user_name"
"[event_data][SubjectUserSid]" => "user_sid"
}
}
}
if [event_id] == 4673 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4673.md
mutate {
rename => {
"[event_data][PrivilegeList]" => "service_privilege_list"
"[event_data][ObjectServer]" => "object_server"
"[event_data][Service]" => "service_name"
"[event_data][SubjectDomainName]" => "user_domain"
"[event_data][SubjectLogonId]" => "user_logon_id"
"[event_data][SubjectUserName]" => "user_name"
"[event_data][SubjectUserSid]" => "user_sid"
"[event_data][ProcessId]" => "process_id"
"[event_data][ProcessName]" => "process_path"
}
}
}
if [event_id] == 4674 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4674.md
mutate {
rename => {
"[event_data][SubjectDomainName]" => "user_domain"
"[event_data][SubjectLogonId]" => "user_logon_id"
"[event_data][SubjectUserName]" => "user_name"
"[event_data][SubjectUserSid]" => "user_sid"
"[event_data][ProcessId]" => "process_id"
"[event_data][ProcessName]" => "process_path"
"[event_data][AccessMask]" => "object_access_mask_requested"
"[event_data][HandleId]" => "object_access_handle_id"
"[event_data][ObjectName]" => "object_name"
"[event_data][ObjectServer]" => "object_server"
"[event_data][ObjectType]" => "object_type"
"[event_data][PrivilegeList]" => "object_privilege_list"
}
}
}
if [event_id] == 4688 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4688.md
grok {
match => { "[event_data][NewProcessName]" => ".*\\%{GREEDYDATA:process_name}" }
tag_on_failure => [ "_grokparsefailure", "_parsefailure" ]
}
grok {
match => { "[event_data][ParentProcessName]" => ".*\\%{GREEDYDATA:process_parent_name}" }
tag_on_failure => [ "_grokparsefailure", "_parsefailure" ]
}
mutate {
rename => {
"[event_data][NewProcessId]" => "process_id"
"[event_data][NewProcessName]" => "process_path"
"[event_data][CommandLine]" => "command_line"
"[event_data][ParentProcessName]" => "process_parent_path"
"[event_data][SubjectDomainName]" => "user_domain"
"[event_data][SubjectLogonId]" => "user_logon_id"
"[event_data][SubjectUserName]" => "user_name"
"[event_data][SubjectUserSid]" => "user_sid"
"[event_data][TargetDomainName]" => "user_principal_domain"
"[event_data][TargetUserSid]" => "user_principal_sid"
"[event_data][TargetUserName]" => "user_principal_name"
"[event_data][TargetLogonId]" => "user_principal_id"
"[event_data][MandatoryLabel]" => "process_mandatory_level"
"[event_data][ProcessId]" => "process_parent_id"
"[event_data][TokenElevationType]" => "process_token_elevation_type"
}
}
}
if [event_id] == 4689 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4689.md
mutate {
rename => {
"[event_data][SubjectDomainName]" => "user_domain"
"[event_data][SubjectLogonId]" => "user_logon_id"
"[event_data][SubjectUserName]" => "user_name"
"[event_data][SubjectUserSid]" => "user_sid"
"[event_data][ProcessId]" => "process_id"
"[event_data][ProcessName]" => "process_path"
"[event_data][Status]" => "process_status"
}
}
}
if [event_id] == 4690 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4690.md
mutate {
rename => {
"[event_data][SubjectDomainName]" => "user_domain"
"[event_data][SubjectLogonId]" => "user_logon_id"
"[event_data][SubjectUserName]" => "user_name"
"[event_data][SubjectUserSid]" => "user_sid"
"[event_data][SourceHandleId]" => "process_handle_id"
"[event_data][SourceProcessId]" => "process_id"
"[event_data][TargetHandleId]" => "target_process_handle_id"
"[event_data][TargetProcessId]" => "target_process_id"
}
}
}
if [event_id] == 4697 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4697.md
mutate {
rename => {
"[event_data][SubjectDomainName]" => "user_domain"
"[event_data][SubjectLogonId]" => "user_logon_id"
"[event_data][SubjectUserName]" => "user_name"
"[event_data][SubjectUserSid]" => "user_sid"
"[event_data][ServiceAccount]" => "service_account_name"
"[event_data][ServiceFileName]" => "service_image_path"
"[event_data][ServiceName]" => "service_name"
"[event_data][ServiceStartType]" => "service_start_type"
"[event_data][ServiceType]" => "service_type"
}
}
}
if [event_id] == 4701 or [event_id] == 4702 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4701.md
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4702.md
mutate {
rename => {
"[event_data][SubjectDomainName]" => "user_domain"
"[event_data][SubjectLogonId]" => "user_logon_id"
"[event_data][SubjectUserName]" => "user_name"
"[event_data][SubjectUserSid]" => "user_sid"
"[event_data][TaskContentNew]" => "task_new_content"
"[event_data][TaskName]" => "task_name"
}
}
}
if [event_id] == 4703 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4703.md
mutate {
rename => {
"[event_data][SubjectDomainName]" => "user_domain"
"[event_data][SubjectLogonId]" => "user_logon_id"
"[event_data][SubjectUserName]" => "user_name"
"[event_data][SubjectUserSid]" => "user_sid"
"[event_data][TargetDomainName]" => "user_target_domain"
"[event_data][TargetLogonId]" => "user_target_logon_id"
"[event_data][TargetUserSid]" => "user_target_sid"
"[event_data][TargetUserName]" => "user_target_name"
"[event_data][DisabledPrivilegeList]" => "user_target_disabled_privilegelist"
"[event_data][EnabledPrivilegeList]" => "user_target_enabled_privilegelist"
"[event_data][ProcessId]" => "process_id"
"[event_data][ProcessName]" => "process_path"
}
}
}
if [event_id] == 4719 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4719.md
mutate {
rename => {
"[event_data][SubjectDomainName]" => "user_domain"
"[event_data][SubjectLogonId]" => "user_logon_id"
"[event_data][SubjectUserName]" => "user_name"
"[event_data][SubjectUserSid]" => "user_sid"
"[event_data][AuditPolicyChanges]" => "policy_changes"
"[event_data][CategoryId]" => "policy_category_id"
"[event_data][SubcategoryGuid]" => "policy_subcategory_guid"
"[event_data][SubcategoryId]" => "policy_subcategory_id"
}
}
}
if [event_id] == 4724 or [event_id] == 4725 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4724.md
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4725.md
mutate {
rename => {
"[event_data][SubjectDomainName]" => "user_domain"
"[event_data][SubjectLogonId]" => "user_logon_id"
"[event_data][SubjectUserName]" => "user_name"
"[event_data][SubjectUserSid]" => "user_sid"
"[event_data][TargetDomainName]" => "user_target_domain"
"[event_data][TargetSid]" => "user_target_sid"
"[event_data][TargetUserName]" => "user_target_name"
}
}
}
if [event_id] == 4726 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4726.md
mutate {
rename => {
"[event_data][SubjectDomainName]" => "user_domain"
"[event_data][SubjectLogonId]" => "user_logon_id"
"[event_data][SubjectUserName]" => "user_name"
"[event_data][SubjectUserSid]" => "user_sid"
"[event_data][TargetDomainName]" => "user_target_domain"
"[event_data][TargetSid]" => "user_target_sid"
"[event_data][TargetUserName]" => "user_target_name"
"[event_data][PrivilegeList]" => "user_privilege_list"
}
}
}
if [event_id] == 4728 or [event_id] == 4729 {
mutate {
rename => {
"[event_data][SubjectDomainName]" => "user_domain"
"[event_data][SubjectLogonId]" => "user_logon_id"
"[event_data][SubjectUserName]" => "user_name"
"[event_data][SubjectUserSid]" => "user_sid"
"[event_data][TargetDomainName]" => "group_domain"
"[event_data][TargetSid]" => "group_sid"
"[event_data][TargetUserName]" => "group_name"
"[event_data][MemberName]" => "group_member_name"
"[event_data][MemberSid]" => "group_member_sid"
"[event_data][PrivilegeList]" => "group_privilege_list"
}
}
}
if [event_id] == 4732 or [event_id] == 4733 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4732.md
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4733.md
mutate {
rename => {
"[event_data][SubjectDomainName]" => "user_domain"
"[event_data][SubjectLogonId]" => "user_logon_id"
"[event_data][SubjectUserName]" => "user_name"
"[event_data][SubjectUserSid]" => "user_sid"
"[event_data][TargetDomainName]" => "group_domain"
"[event_data][TargetSid]" => "group_sid"
"[event_data][TargetUserName]" => "group_name"
"[event_data][MemberName]" => "group_member_name"
"[event_data][MemberSid]" => "group_member_sid"
"[event_data][PrivilegeList]" => "group_privilege_list"
}
}
}
if [event_id] == 4738 or [event_id] == 4720 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4738.md
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4720.md
mutate {
rename => {
"[event_data][SubjectDomainName]" => "user_domain"
"[event_data][SubjectLogonId]" => "user_logon_id"
"[event_data][SubjectUserName]" => "user_name"
"[event_data][SubjectUserSid]" => "user_sid"
"[event_data][TargetDomainName]" => "user_target_domain"
"[event_data][TargetSid]" => "user_target_sid"
"[event_data][TargetUserName]" => "user_target_name"
"[event_data][AccountExpires]" => "user_attribute_account_expires"
"[event_data][AllowedToDelegateTo]" => "user_attribute_allowed_todelegate"
"[event_data][DisplayName]" => "user_attribute_display_name"
"[event_data][Dummy]" => "user_attribute_dummy"
"[event_data][HomeDirectory]" => "user_attribute_home_directory"
"[event_data][HomePath]" => "user_attribute_home_path"
"[event_data][LogonHours]" => "user_attribute_logon_hours"
"[event_data][NewUacValue]" => "user_attribute_new_uacvalue"
"[event_data][OldUacValue]" => "user_attribute_old_uacvalue"
"[event_data][PasswordLastSet]" => "user_attribute_password_lastset"
"[event_data][PrimaryGroupId]" => "[user_attribute_primary_group_id"
"[event_data][PrivilegeList]" => "user_attribute_privilege_list"
"[event_data][ProfilePath]" => "user_attribute_profile_path"
"[event_data][SamAccountName]" => "user_attribute_samaccount_name"
"[event_data][ScriptPath]" => "user_attribute_script_path"
"[event_data][SidHistory]" => "user_attribute_sid_history"
}
}
}
if [event_id] == 4768 or [event_id] == 4769 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4768.md
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4769.md
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4771.md
mutate {
rename => {
"[event_data][TargetDomainName]" => "user_domain"
"[event_data][TargetUserName]" => "user_name"
"[event_data][IpAddress]" => "src_ip"
"[event_data][IpPort]" => "src_port"
"[event_data][PreAuthType]" => "service_ticket_preauthtype"
"[event_data][LogonGuid]" => "user_logon_guid"
"[event_data][ServiceName]" => "service_ticket_name"
"[event_data][ServiceSid]" => "service_ticket_id"
"[event_data][Status]" => "service_ticket_status"
"[event_data][TicketEncryptionType]" => "ticket_encryption_type"
"[event_data][TicketOptions]" => "ticket_options"
"[event_data][FailureCode]" => "ticket_failure_code"
"[event_data][TransmittedServices]" => "service_ticket_requested"
"[event_data][TargetSid]" => "user_sid"
}
}
}
if [event_id] == 4797 {
mutate {
rename => {
"[event_data][SubjectDomainName]" => "user_domain"
"[event_data][SubjectLogonId]" => "user_logon_id"
"[event_data][SubjectUserName]" => "user_name"
"[event_data][SubjectUserSid]" => "user_sid"
"[event_data][TargetDomainName]" => "service_enumerated_domain"
"[event_data][TargetUserName]" => "service_enumerated_name"
"[event_data][Workstation]" => "host_name"
}
}
}
if [event_id] == 4798 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4798.md
mutate {
rename => {
"[event_data][CallerProcessId]" => "process_id"
"[event_data][CallerProcessName]" => "process_path"
"[event_data][SubjectDomainName]" => "user_domain"
"[event_data][SubjectLogonId]" => "user_logon_id"
"[event_data][SubjectUserName]" => "user_name"
"[event_data][SubjectUserSid]" => "user_sid"
"[event_data][TargetDomainName]" => "user_domain_enumerated"
"[event_data][TargetSid]" => "user_sid_enumerated"
"[event_data][TargetUserName]" => "user_name_enumerated"
}
}
}
if [event_id] == 4799 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4799.md
mutate {
rename => {
"[event_data][CallerProcessId]" => "process_id"
"[event_data][CallerProcessName]" => "process_path"
"[event_data][SubjectDomainName]" => "user_domain"
"[event_data][SubjectLogonId]" => "user_logon_id"
"[event_data][SubjectUserName]" => "user_name"
"[event_data][SubjectUserSid]" => "user_sid"
"[event_data][TargetDomainName]" => "group_domain_enumerated"
"[event_data][TargetSid]" => "group_sid_enumerated"
"[event_data][TargetUserName]" => "group_name_enumerated"
}
}
}
if [event_id] == 4800 or [event_id] == 4801 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4800.md
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4801.md
mutate {
rename => {
"[event_data][TargetDomainName]" => "user_domain"
"[event_data][TargetUserSid]" => "user_sid"
"[event_data][TargetUserName]" => "user_name"
"[event_data][TargetLogonId]" => "user_logon_id"
"[event_data][SessionId]" => "user_session_id"
}
}
}
if [event_id] == 4907 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4907.md
mutate {
rename => {
"[event_data][SubjectDomainName]" => "user_domain"
"[event_data][SubjectLogonId]" => "user_logon_id"
"[event_data][SubjectUserName]" => "user_name"
"[event_data][SubjectUserSid]" => "user_sid"
"[event_data][ProcessId]" => "process_id"
"[event_data][ProcessName]" => "process_path"
"[event_data][HandleId]" => "object_access_handle_id"
"[event_data][NewSd]" => "object_new_sddl"
"[event_data][ObjectName]" => "object_name"
"[event_data][ObjectServer]" => "object_server"
"[event_data][ObjectType]" => "object_type"
"[event_data][OldSd]" => "object_old_sddl"
}
}
}
if [event_id] == 4957 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4957.md
mutate {
rename => {
"[event_data][RuleAttr]" => "firewall_rule_attr"
"[event_data][RuleId]" => "firewall_rule_id"
"[event_data][RuleName]" => "firewall_rule_name"
}
}
}
if [event_id] == 5058 or [event_id] == 5059 or [event_id] == 5061 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5058.md
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5059.md
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5061.md
mutate {
rename => {
"[event_data][SubjectDomainName]" => "user_domain"
"[event_data][SubjectLogonId]" => "user_logon_id"
"[event_data][SubjectUserName]" => "user_name"
"[event_data][SubjectUserSid]" => "user_sid"
"[event_data][AlgorithmName]" => "key_algorithm_name"
"[event_data][KeyName]" => "key_name"
"[event_data][KeyType]" => "key_type"
"[event_data][Operation]" => "key_operation"
"[event_data][ProviderName" => "key_provider_name"
"[event_data][ReturnCode]" => "key_return_code"
}
}
}
if [event_id] == 5136 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5136.md
mutate {
rename => {
"[event_data][SubjectDomainName]" => "user_domain"
"[event_data][SubjectLogonId]" => "user_logon_id"
"[event_data][SubjectUserName]" => "user_name"
"[event_data][SubjectUserSid]" => "user_sid"
"[event_data][OpCorrelationID]" => "dsoperation_correlation_id"
"[event_data][AppCorrelationID]" => "dsoperation_app_correlation_id"
"[event_data][DSName]" => "dsobject_domain"
"[event_data][DSType]" => "dsobject_domain_type"
"[event_data][ObjectDN]" => "dsobject_dn"
"[event_data][ObjectGUID]" => "dsobject_guid"
"[event_data][ObjectClass]" => "dsobject_class"
"[event_data][AttributeLDAPDisplayName]" => "dsobject_attribute_name"
"[event_data][AttributeSyntaxOID]" => "dsobject_attribute_type"
"[event_data][AttributeValue]" => "dsobject_attribute_value"
"[event_data][OperationType]" => "dsoperation_type"
}
}
}
if [event_id] == 5140 or [event_id] == 5145 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5140.md
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5145.md
mutate {
rename => {
"[event_data][SubjectDomainName]" => "user_domain"
"[event_data][SubjectLogonId]" => "user_logon_id"
"[event_data][SubjectUserName]" => "user_name"
"[event_data][SubjectUserSid]" => "user_sid"
"[event_data][AccessList]" => "object_access_list_requested"
"[event_data][AccessMask]" => "object_access_mask_requested"
"[event_data][AccessReason]" => "user_access_reason"
"[event_data][IpAddress]" => "src_ip"
"[event_data][IpPort]" => "src_port"
"[event_data][ObjectType]" => "object_type"
"[event_data][RelativeTargetName]" => "share_relative_target_name"
"[event_data][ShareLocalPath]" => "share_local_path"
"[event_data][ShareName]" => "share_name"
}
}
}
if [event_id] == 5152 or [event_id] == 5154 or [event_id] == 5156 or [event_id] == 5158 or [event_id] == 5157 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5152.md
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5154.md
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5156.md
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5157.md
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5158.md
grok {
match => {
"[event_data][Application]" => ".*\\%{GREEDYDATA:process_name}"
}
tag_on_failure => [ "_grokparsefailure", "_parsefailure" ]
}
mutate {
rename => {
"[event_data][Application]" => "process_path"
"[event_data][DestAddress]" => "dst_ip"
"[event_data][DestPort]" => "dst_port"
"[event_data][Direction]" => "network_direction"
"[event_data][FilterRTID]" => "network_filter_rtid"
"[event_data][LayerName]" => "network_layer_name"
"[event_data][LayerRTID]" => "network_layer_rtid"
"[event_data][ProcessID]" => "process_id"
"[event_data][Protocol]" => "network_protocol"
"[event_data][RemoteMachineID]" => "dst_host_name_id"
"[event_data][RemoteUserID]" => "dst_user_id"
"[event_data][SourceAddress]" => "src_ip"
"[event_data][SourcePort]" => "src_port"
"[event_data][ProcessId]" => "process_id"
}
}
}
if [event_id] == 5447 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5447.md
mutate {
rename => {
"[event_data][SubjectDomainName]" => "user_domain"
"[event_data][SubjectLogonId]" => "user_logon_id"
"[event_data][SubjectUserName]" => "user_name"
"[event_data][SubjectUserSid]" => "user_sid"
"[event_data][AccessList]" => "object_access_list_requested"
"[event_data][AccessMask]" => "object_access_mask_requested"
"[event_data][AccessReason]" => "user_access_reason"
"[event_data][IpAddress]" => "src_ip"
"[event_data][IpPort]" => "src_port"
"[event_data][ObjectType]" => "object_type"
"[event_data][RelativeTargetName]" => "share_relative_target_name"
"[event_data][ShareLocalPath]" => "share_local_path"
"[event_data][ShareName]" => "share_name"
"[event_data][Action]" => "filtering_action"
"[event_data][CalloutKey]" => "filtering_callout_key"
"[event_data][CalloutName]" => "filtering_callout_name"
"[event_data][ChangeType]" => "filtering_change_type"
"[event_data][Conditions]" => "filtering_conditions"
"[event_data][FilterId]" => "filtering_id"
"[event_data][FilterKey]" => "filtering_key"
"[event_data][FilterName]" => "filtering_name"
"[event_data][FilterType]" => "filtering_type"
"[event_data][LayerId]" => "filtering_layer_id"
"[event_data][LayerKey]" => "filtering_layer_key"
"[event_data][LayerName]" => "filtering_layer_name"
"[event_data][ProcessId]" => "process_id"
"[event_data][ProviderKey]" => "filtering_provider_key"
"[event_data][ProviderName" => "filtering_provider_name"
"[event_data][UserName]" => "user_name"
"[event_data][UserSid]" => "user_sid"
"[event_data][Weight]" => "filtering_weight"
}
}
}
if [event_id] == 6416 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-6416.md
mutate {
rename => {
"[event_data][SubjectDomainName]" => "user_domain"
"[event_data][SubjectLogonId]" => "user_logon_id"
"[event_data][SubjectUserName]" => "user_name"
"[event_data][SubjectUserSid]" => "user_sid"
"[event_data][ClassId]" => "device_class_id"
"[event_data][ClassName]" => "device_class_name"
"[event_data][CompatibleIds]" => "device_compatible_ids"
"[event_data][DeviceDescription]" => "device_description"
"[event_data][DeviceId]" => "device_id"
"[event_data][LocationInformation]" => "device_location_information"
"[event_data][VendorIds]" => "device_vendor_ids"
}
}
}
mutate {
convert => {
"src_port" => "integer"
"dst_port" => "integer"
}
rename => {
"computer_name" => "host_name"
}
gsub => ["user_logon_guid","[{}]",""]
gsub => ["target_user_logon_guid","[{}]",""]
}
if [user_logon_id] {
mutate { gsub => [ "user_logon_id", "0x", "" ]}
ruby {
code => "event.set('user_logon_id', event.get('user_logon_id').to_s.hex)"
tag_on_exception => "_0591_rubyexception"
}
}
if [process_id] {
mutate { gsub => [ "process_id", "0x", "" ]}
ruby {
code => "event.set('process_id', event.get('process_id').to_s.hex)"
tag_on_exception => "_0591_rubyexception"
}
}
if [process_parent_id] {
mutate { gsub => [ "process_parent_id", "0x", "" ]}
ruby {
code => "event.set('process_parent_id', event.get('process_parent_id').to_s.hex)"
tag_on_exception => "_0591_rubyexception"
}
}
if [target_process_id] {
mutate { gsub => [ "target_process_id", "0x", "" ]}
ruby {
code => "event.set('target_process_id', event.get('target_process_id').to_s.hex)"
tag_on_exception => "_0591_rubyexception"
}
}
}
}


@ -0,0 +1,81 @@
filter {
if [event_id] {
mutate { add_field => { "z_logstash_pipeline" => "1500" } }
# Remove specific keys/fields that have "-"/dash has the only value values
# Command Line will be done later on in pipeline because it is all sorts of random fields especially when we custom parse some event IDs
# #TONOTE:Prune does not work on nested fields, so we are moving this into the beginning of Windows logs pipeline
prune {
blacklist_values => [
"AccessList", "^\-$",
"AccessReason", "^\-$",
"AccountExpires", "^\-$",
"AccountName", "^\-$",
"AdditionalInfo", "^\-$",
"Address", "^\-$",
"AppCorrelationID", "^\-$",
"CallerProcessName", "^\-$",
"ClientAddress", "^\-$",
"ClientIP", "^\-$",
"ClientIPAddress", "^\-$",
"CompatibleIds", "^\-$",
"ComputerAccountChange", "^\-$",
"ConnectedViaIPAddress", "^\-$",
"DCIPAddress", "^\-$",
"DestinationIp", "^\-$",
"DisplayName", "^\-$",
"DnsHostName", "^\-$",
"Domain", "^\-$",
"Dummy", "^\-$",
"HomeDirectory", "^\-$",
"HomePath", "^\-$",
"Identity", "^\-$",
"ipAddress", "^\-$",
"IpAddress", "^\-$",
"IPAddress", "^\-$",
"IpPort", "^\-$",
"IPString", "^\-$",
"LaunchedViaIPAddress", "^\-$",
"LmPackageName", "^\-$",
"LocationInformation", "^\-$",
"LogonGuid", "^\-$",
"LogonHours", "^\-$",
"NewUacValue", "^\-$",
"ObjectName", "^\-$",
"ObjectType", "^\-$",
"OldUacValue", "^\-$",
"PasswordLastSet", "^\-$",
"PreAuthType", "^\-$",
"PrimaryGroupId", "^\-$",
"PrivilegeList", "^\-$",
"ProcessName", "^\-$",
"ProfilePath", "^\-$",
"RestrictedAdminMode", "^\-$",
"SamAccountName", "^\-$",
"ScriptPath", "^\-$",
"ServerIpAddress", "^\-$",
"Service", "^\-$",
"ServicePrincipalNames", "^\-$",
"SourceIp", "^\-$",
"SidHistory", "^\-$",
"SidList", "^\-$",
"SubjectDomainName", "^\-$",
"SubjectUserName", "^\-$",
"SubjectUserSid", "^\-$",
"TargetDomainName", "^\-$",
"TargetOutboundDomainName", "^\-$",
"TargetOutboundUserName", "^\-$",
"TargetUserName", "^\-$",
"TargetUserSid", "^\-$",
"TraceMessage", "^\-$",
"TransmittedServices", "^\-$",
"UserAccountControl", "^\-$",
"UserID", "^\-$",
"UserParameters", "^\-$",
"UserPrincipalName", "^\-$",
"UserWorkstations", "^\-$",
"WorkstationName", "^\-$"
]
}
}
}
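Review bot: The `prune`/`blacklist_values` list only strips `-` placeholders from top-level fields, as the comment on the line above the filter already concedes, yet the Security handlers earlier in this commit rename nested `[event_data][IpAddress]`, `[event_data][TargetUserName]` and similar keys; if any input still delivers those fields under `event_data`, a literal `-` survives into `src_ip`, `user_name` etc. and will either be indexed as a bogus value or rejected by an `ip`-typed mapping. The pipeline offers no guard for that case, so either the flattening that makes this prune effective should be stated as a hard precondition, or the nested variants need their own conditional removal (a small `ruby` filter walking `event_data` is the usual workaround). I would at least replace the TONOTE comment with `# PRECONDITION: event fields must already be flattened to top level; nested [event_data][*] values of "-" are NOT pruned here`. The pairs are also regex-anchored per field, so a value like `- ` with trailing whitespace is kept; confirm the producers never pad the placeholder.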


@ -0,0 +1,181 @@
filter {
# Use this to determine if windows event log or not (for now, until we are properly marking all windows log types as something like "log_type: winevent")
if [event_id] {
mutate { add_field => { "z_logstash_pipeline" => "1521" } }
# Since Sysmon may be the most common EventIDs with IPs lets do that first. This will contain source and destination IPs.
# Seen in the following EventIDs (not necessarily exhaustive)
# Microsoft-Windows-Sysmon/Operational:3
# Parse "SourceIp" field and then afterwards if it exists then the DestinationIp should exist as well (see note above)
if [SourceIp] {
if [SourceIsIpv6] == 'false' {
mutate {
rename => { "SourceIp" => "src_ip_addr" }
remove_field => [ "SourceIsIpv6" ]
}
}
else {
mutate {
rename => { "SourceIp" => "ipv6_src_addr" }
remove_field => [ "SourceIsIpv6" ]
}
}
# Parse "DestinationIp" field
# Seen in the following EventIDs (not necessarily exhaustive)
# Microsoft-Windows-Sysmon/Operational:3
if [DestinationIp] {
if [DestinationIsIpv6] == 'false' {
mutate {
rename => { "DestinationIp" => "dst_ip_addr" }
remove_field => [ "DestinationIsIpv6" ]
}
}
else {
mutate {
rename => { "DestinationIp" => "ipv6_dst_addr" }
remove_field => [ "DestinationIsIpv6" ]
}
}
}
}
# If not Sysmon IP field try all the rest of the possible IP fields as of 2018-03-19 and going through 3,000 Windows EventIDs
else {
#### Parse all other possible Source IP Address fields, none of the following two fields would exist in any one windows event.. therefore, use "if"/"else if" statements
# Parse "IpAddress" field
# Seen in the following EventIDs (not necessarily exhaustive)
# Security:4624, Security:4625, Security:4648, Security:4770, Security:4771, Security:4768, Security:4769, Security:5140, Security:5145
if [IpAddress] {
if [IpAddress] =~ "^\d{1,3}\." {
mutate { rename => { "IpAddress" => "src_ip_addr" } }
}
else {
# First try to match IPv6 & IPv4 combined
# Last try IPv6 only
grok {
match => {
"IpAddress" =>
[
"%{IPV6:ipv6_src_addr} %{IPV4:src_ip_addr}",
"%{IPV6:ipv6_src_addr}"
]
}
keep_empty_captures => false
named_captures_only => true
tag_on_failure => [ "_IpAddress_grokparsefailure", "_grokparsefailure", "_parsefailure", "_windows_ip_parsefailure" ]
tag_on_timeout => "_groktimeout"
# Timeout .250 seconds
timeout_millis => 250
remove_field => [ "IpAddress" ]
}
}
}
# Parse "SourceAddress" field
# Seen in the following EventIDs (not necessarily exhaustive)
# Security:5152,5154,5156,5157,5158
else if [SourceAddress] {
mutate { rename => { "SourceAddress" => "src_ip_addr" } }
}
# Parse "ClientAddress" field
# Seen in the following EventIDs (not necessarily exhaustive)
# Security:4778,4779
else if [ClientAddress] {
mutate { rename => { "ClientAddress" => "src_ip_addr" } }
}
# Parse "ClientIPAddress" field
# Seen in the following EventIDs (not necessarily exhaustive)
# Citrix-XenDesktop-BrokerMonitor/Operational:4,5,44,45
else if [ClientIPAddress] {
mutate { rename => { "ClientIPAddress" => "src_ip_addr" } }
}
# Parse "ClientIP" field
# Seen in the following EventIDs (not necessarily exhaustive)
# Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational:131
else if [ClientIP] {
# First lets substitute any characters that have been seen that would cause bad parsing/values
mutate { gsub => [ "ClientIP", "[\[\]]", "" ] }
if [ClientIP] =~ "^\d{1,3}\." {
dissect {
mapping => { "ClientIP" => "%{src_ip_addr}:%{port_src}" }
tag_on_failure => [ "_dissectfailure", "_parsefailure" ]
remove_field => [ "ClientIP" ]
}
}
}
# Parse "IPString" field
# Seen in the following EventIDs (not necessarily exhaustive)
# Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational:139,140
else if [IPString] {
mutate { rename => { "IPString" => "src_ip_addr" } }
}
#### ^ DONE w/ All Src IP parsing ####
#### Parse all other possible Destination IP Address fields, none of the following two fields would exist in any one windows event.. therefore, use "if"/"else if" statements
# Parse "DestAddress" field
# Seen in the following EventIDs (not necessarily exhaustive)
# Application:1039 SourceName Citrix Broker Service
if [DestAddress] {
mutate { rename => { "DestAddress" => "dst_ip_addr" } }
}
# Parse "LaunchedViaIPAddress" field
# Seen in the following EventIDs (not necessarily exhaustive)
# Citrix-XenDesktop-BrokerMonitor/Operational:4,5,44,45
else if [LaunchedViaIPAddress] {
mutate { rename => { "LaunchedViaIPAddress" => "dst_ip_addr" } }
}
# Parse "MachineIpAddress" field
# Seen in the following EventIDs (not necessarily exhaustive)
# Citrix-XenDesktop-BrokerMonitor/Operational:10
else if [MachineIpAddress] {
mutate { rename => { "MachineIpAddress" => "dst_ip_addr" } }
}
# Parse "ipAddress" field
# Seen in the following EventIDs (not necessarily exhaustive)
# Application:1039 SourceName Citrix Broker Service
else if [ipAddress] {
mutate { rename => { "ipAddress" => "dst_ip_addr" } }
}
# Parse "Value" field
# Seen in the following EventIDs (not necessarily exhaustive)
# Microsoft-Windows-TerminalServices-RDPClient/Operational:1102,1024
# Only perform on the above EIDs because otherwise it may be values that are incomprehensible
else if [Value] and [wef][channel] == "Microsoft-Windows-TerminalServices-RDPClient/Operational" {
if [wef.eid] == 1102 {
mutate { rename => { "Value" => "dst_ip_addr" } }
}
else if [wef.eid] == 1024 {
mutate { rename => { "Value" => "dst_ip_addr" } }
}
}
# Parse "TargetServer" field
# Seen in the following EventIDs (not necessarily exhaustive)
# Security:5378
else if [TargetServer] {
mutate { gsub => [ "TargetServer", "TERMSRV\/", "" ] }
mutate { rename => { "TargetServer" => "dst_ip_addr" } }
}
#### ^ DONE w/ All Dst IP parsing ####
#### Parse all possible Destination NAT IP Address fields, none of the following two fields would exist in any one windows event.. therefore, use "if"/"else if" statements
# Parse "ConnectedViaIPAddress" field
# Seen in the following EventIDs (not necessarily exhaustive)
# Citrix-XenDesktop-BrokerMonitor/Operational:4,44
if [ConnectedViaIPAddress] {
mutate { rename => { "ConnectedViaIPAddress" => "dst_nat_ip_addr" } }
}
#### ^ DONE w/ All Dst NAT IP parsing ####
}
}
}
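Review bot: The RDPClient branch compares `[wef.eid]`, a top-level field literally named `wef.eid`, while the enclosing condition reads the nested `[wef][channel]`; unless a flat `wef.eid` key really exists, both `== 1102` and `== 1024` tests are always false and `Value` is never promoted to `dst_ip_addr`. Since this whole file is gated on `[event_id]`, the simplest consistent form is `if [event_id] == 1102 or [event_id] == 1024 { mutate { rename => { "Value" => "dst_ip_addr" } } }`, collapsing the two identical inner branches. Separately, the `SourceIsIpv6`/`DestinationIsIpv6` checks treat an absent flag as IPv6 because the `else` catches everything that is not the string `'false'`, so events that carry `SourceIp` without the flag (or with a boolean rather than string value) land in `ipv6_src_addr`; consider `if [SourceIsIpv6] == 'true' or [SourceIsIpv6] == true` for the IPv6 side and default to IPv4 otherwise. The `ClientIP`, `IPString` and `TargetServer` values come from the remote peer and are copied into `src_ip_addr`/`dst_ip_addr` without the regex/grok validation applied to `IpAddress`; if those target fields are mapped as `ip`, a non-address value (a hostname after the `TERMSRV/` strip, or `::1:3389` after the bracket strip) will be malformed.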


@ -0,0 +1,143 @@
filter {
if [event_id] {
mutate { add_field => { "z_logstash_pipeline" => "1522" } }
mutate {
lowercase => [
"AccountDistinguishedName",
"AccountName",
"ActionName",
"AllowedToDelegateTo",
"ApplicationPath",
"AttributeLDAPDisplayName",
"AuthenticationPackageName",
"CACommonName",
"CallerProcessName",
"CalloutName",
"ClientName",
"ClientUserName",
"Command Name",
"CommandName",
"CommandPath",
"ConnectionName",
"CorruptedFilePath",
"CrashedAppName",
"CurrentDirectory",
"DCDomainName",
"DestinationHostname",
"DestinationPortName",
"DeviceName",
"DfsPath",
"DisplayName",
"displayName",
"DnsHostName",
"Domain",
"DriveName",
"DSName",
"DSObjectName",
"ExtensibleModulePath",
"FileName",
"Filename",
"FilePath",
"GPODisplayName",
"GPOFileSystemPath",
"GPOName",
"GroupName",
"HiveName",
"HomeDirectory",
"HomePath",
"HostName",
"Host Name",
"HostOSName",
"Host OS Name",
"HostOSservicepackName",
"Host OS service pack Name",
"HostNameChanged",
"ImageName",
"ImagePath",
"InstancePath",
"KeepPropertyCanonicalName",
"KeyName",
"Key Name",
"KeyName",
"KeyFilePath",
"LocalPath",
"LogonProcessName",
"MachineName",
"MappedName",
"MemberName",
"NAME",
"NameServer",
"NamespaceName",
"NetworkName",
"NewProcessName",
"NewTargetUserName",
"ObjectName",
"OldTargetUserName",
"OldTargetUserName",
"ParentProcessName",
"Path",
"PortName",
"PrincipalCNName",
"PrincipalDomainName",
"PrincipalSamName",
"Process Name",
"ProcessName",
"ProdessName",
"ProcessPath",
"processPath",
"ProfilePath",
"QNAME",
"QueryName",
"RelativeTargetName",
"SamAccountName",
"Script Name",
"ScriptName",
"ScriptPath",
"SecurityPackageName",
"ServerName",
"serverName",
"ServiceFileName",
"ServiceName",
"ServicePrincipalNames",
"SessionName",
"ShareName",
"ShareLocalPath",
"SnapshotPath",
"SourceHostname",
"SourcePortName",
"StateName",
"SubjectDomainName",
"SubjectUserDomainName",
"SubjectUserName",
"SwitchFName",
"TargetDomainName",
"TargetFilename",
"Targetname",
"TargetOutboundDomainName",
"TargetOutboundUserName",
"TargetProcessName",
"TargetRealm",
"TargetServerName",
"TargetUserName",
"TargetUserName",
"TaskName",
"TransportProtocolName",
"UncPath",
"User",
"user",
"UserName",
"Username",
"userName",
"username",
"UserPrincipalName",
"VhdFileName",
"VolumeName",
"wmiClassName",
"Workstation",
"WorkstationName",
"XPath"
]
}
}
}
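Review bot: Lowercasing `CommandName`, `CommandPath`, `FilePath`, `Path`, `ObjectName`, `ScriptName` and the other path/command fields in place destroys the original casing, and nothing in this filter keeps a copy; mixed-case obfuscation (`pOwErShElL`, `CmD`) is itself a detection signal, and later stages of this commit drop `message`, so the original text is unrecoverable once indexed. A safer pattern is to lowercase into a companion field (e.g. `mutate { copy => { "CommandPath" => "[CommandPath_lower]" } }` then `lowercase => [ "CommandPath_lower" ]`) or to rely on a case-insensitive `keyword` normalizer in the index template and leave the stored value alone. The list also carries duplicates (`KeyName`, `OldTargetUserName`, `TargetUserName` each appear twice) and a probable typo `ProdessName` next to `ProcessName`; the duplicates are harmless but the typo is a silent no-op. I would add a header comment `# NOTE: lowercase is destructive; original casing of command/path fields is not preserved anywhere downstream` until the copy-field approach is adopted.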


@ -0,0 +1,286 @@
# HELK sysmon filter conf file
# HELK build Stage: Alpha
# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0
filter {
if [log_name] == "Microsoft-Windows-Sysmon/Operational"{
mutate { add_field => { "z_logstash_pipeline" => "1531" } }
mutate {
rename => {
"[user][domain]" => "user_reporter_domain"
"[user][identifier]" => "user_reporter_sid"
"[user][name]" => "user_reporter_name"
"[user][type]" => "user_reporter_type"
"computer_name" => "host_name"
}
}
if [provider_guid] {
mutate { gsub => [ "provider_guid", "[{}]", "" ] }
}
if [RuleName] {
kv {
source => "RuleName"
field_split => ","
value_split => "="
prefix => "mitre_"
transform_key => "lowercase"
}
}
if [Image] {
if [Image] =~ /^(\w*$)|^(\w*\..*$)/ {
mutate { copy => {"Image" => "process_name"} }
}
else {
grok {
match => { "Image" => ".*\\%{GREEDYDATA:process_name}" }
tag_on_failure => [ "_Image__grokparsefailure", "_grokparsefailure", "_parsefailure" ]
}
}
mutate {
rename => {
"Image" => "process_path"
"ProcessGuid" => "process_guid"
"ProcessId" => "process_id"
}
gsub => [ "process_guid", "[{}]", "" ]
}
}
if [ParentImage] {
grok {
match => { "ParentImage" => ".*\\%{GREEDYDATA:process_parent_name}" }
tag_on_failure => [ "_ParentImage__grokparsefailure", "_grokparsefailure", "_parsefailure" ]
}
}
if [Hashes] {
kv {
source => "Hashes"
field_split => ","
value_split => "="
prefix => "hash_"
transform_key => "lowercase"
}
}
if [TargetImage] {
grok {
match => { "SourceImage" => ".*\\%{GREEDYDATA:process_name}" }
tag_on_failure => [ "_SourceImage__grokparsefailure", "_grokparsefailure", "_parsefailure" ]
}
grok {
match => { "TargetImage" => ".*\\%{GREEDYDATA:target_process_name}" }
tag_on_failure => [ "_TargetImage__grokparsefailure", "_grokparsefailure", "_parsefailure" ]
}
mutate {
rename => {
"SourceImage" => "process_path"
"SourceProcessGUID" => "process_guid"
"SourceProcessId" => "process_id"
"TargetImage" => "target_process_path"
"TargetProcessGUID" => "target_process_guid"
"TargetProcessId" => "target_process_id"
}
gsub => [
"process_guid", "[{}]", "",
"target_process_guid", "[{}]", ""
]
}
}
if [User] {
grok {
match => { "User" => "%{GREEDYDATA:user_domain}\\%{GREEDYDATA:user_name}" }
tag_on_failure => [ "_User__grokparsefailure", "_grokparsefailure", "_parsefailure" ]
}
}
if [event_id] == 1 {
mutate {
add_field => { "action" => "processcreate" }
rename => {
"CommandLine" => "process_command_line"
"CurrentDirectory" => "process_current_directory"
"ParentImage" => "process_parent_path"
"ParentCommandLine" => "process_parent_command_line"
"IntegrityLevel" => "process_integrity_level"
"LogonGuid" => "user_logon_guid"
"ParentProcessGuid" => "process_parent_guid"
"ParentProcessId" => "process_parent_id"
"TerminalSessionId" => "user_session_id"
"FileVersion" => "file_version"
"Description" => "file_description"
"Product" => "file_product"
"Company" => "file_company"
}
gsub => [ "process_parent_guid", "[{}]", "" ]
}
}
if [event_id] == 2 {
mutate {
add_field => { "action" => "filecreatetime" }
rename => { "TargetFileName" => "file_name" }
}
}
if [event_id] == 3 {
mutate {
add_field => { "action" => "networkconnect" }
rename => {
"DestinationHostname" => "dst_host_name"
"DestinationPort" => "dst_port"
"DestinationPortName" => "dst_port_name"
"Initiated" => "network_initiated"
"Protocol" => "network_protocol"
"SourceHostname" => "src_host_name"
"SourcePort" => "src_port"
"SourcePortName" => "src_port_name"
}
}
}
if [event_id] == 4 {
mutate {
add_field => { "action" => "sysmonservicestatechanged" }
rename => {
"State" => "service_state"
"Version" => "sysmon_version"
"SchemaVersion" => "sysmon_schema_version"
}
}
}
if [event_id] == 6 {
mutate {
add_field => { "action" => "driverload" }
rename => {
"ImageLoaded" => "driver_loaded"
"Signature" => "driver_signature"
"SignatureStatus" => "driver_signature_status"
"Signed" => "driver_signed"
}
}
}
if [event_id] == 7 {
mutate {
add_field => { "action" => "imageload" }
rename => {
"ImageLoaded" => "module_loaded"
"Signature" => "module_signature"
"SignatureStatus" => "module_signature_status"
"Signed" => "module_signed"
}
}
}
if [event_id] == 8 {
mutate {
add_field => { "action" => "createremotethread" }
rename => {
"NewThreadId" => "thread_new_id"
"StartAddress" => "thread_start_address"
"StartFunction" => "thread_start_function"
"StartModule" => "thread_start_module"
}
}
}
if [event_id] == 9 {
mutate {
add_field => { "action" => "rawaccessread" }
rename => { "Device" => "device_name" }
}
}
if [event_id] == 10 {
mutate {
add_field => { "action" => "processaccess" }
rename => {
"CallTrace" => "process_call_trace"
"GrantedAccess" => "process_granted_access"
"SourceThreadId" => "thread_id"
}
}
}
if [event_id] == 11 {
mutate {
add_field => { "action" => "filecreate" }
rename => { "TargetFilename" => "file_name" }
}
}
if [event_id] == 12 or [event_id] == 13 or [event_id] == 14 {
mutate {
add_field => { "action" => "registryevent" }
rename => {
"EventType" => "event_type"
"TargetObject" => "registry_key_path"
"Details" => "registry_key_value"
}
}
}
if [event_id] == 15 {
mutate {
add_field => { "action" => "filecreatestreamhash" }
rename => {
"TargetFilename" => "file_name"
"Hash" => "hash"
}
}
}
if [event_id] == 16 {
kv {
source => "ConfigurationFileHash"
value_split => "="
prefix => "sysmon_config_hash_"
transform_key => "lowercase"
}
mutate {
add_field => { "action" => "sysmonconfigstatechanged" }
rename => {
"State" => "sysmon_configuration_state"
"Configuration" => "sysmon_configuration"
}
}
}
if [event_id] == 18 or [event_id] == 17 {
mutate {
add_field => { "action" => "pipeevent" }
rename => { "PipeName" => "pipe_name" }
}
}
if [event_id] == 19 or [event_id] == 20 or [event_id] == 21 {
mutate {
add_field => { "action" => "wmievent" }
rename => {
"EventType" => "wmi_event_type"
"Operation" => "wmi_operation"
"EventNamespace" => "wmi_namespace"
"Name" => "wmi_name"
"Query" => "wmi_query"
"Type" => "wmi_type"
"Destination" => "wmi_destination"
}
}
}
date {
timezone => "UTC"
match => [ "UtcTime", "YYYY-MM-dd HH:mm:ss.SSS" ]
tag_on_failure => [ "_sysmon_UtcTime_datefailure", "_sysmon_datefailure", "_dateparsefailure" ]
}
date {
timezone => "UTC"
match => [ "CreationUtcTime", "YYYY-MM-dd HH:mm:ss.SSS" ]
target => "@date_creation"
tag_on_failure => [ "_sysmon_CreationUtcTime_datefailure", "_sysmon_datefailure", "_dateparsefailure" ]
}
date {
timezone => "UTC"
match => [ "PreviousCreationUtcTime", "YYYY-MM-dd HH:mm:ss.SSS" ]
target => "@date_creation_previous"
tag_on_failure => [ "_sysmon_PreviousCreationUtcTime_datefailure", "_sysmon_datefailure", "_dateparsefailure" ]
}
mutate {
rename => { "User" => "user_account"}
remove_field => [
"message",
"Hashes",
"ConfigurationFileHash",
"UtcTime",
"CreationUtcTime",
"PreviousCreationUtcTime",
"[user]"
]
}
}
}
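Review bot: The event 2 handler renames `TargetFileName` while the event 11 and 15 handlers rename `TargetFilename`; Logstash field references are case-sensitive, so only one spelling can match the key Sysmon actually emits (its schema uses `TargetFilename` for all three), meaning FileCreateTime events most likely never get a `file_name` and the raw key slips through to the index. Change line 2's rename to `rename => { "TargetFilename" => "file_name" }` so the three handlers agree. The final `remove_field` drops `message` and `Hashes` after parsing; `Hashes` is fully recovered from the `hash_*` keys, but discarding the raw `message` means a kv or grok failure earlier in this filter (tagged but not otherwise handled) leaves no original text to re-parse or to hand to an incident responder, so consider keeping `message` at least when any `_grokparsefailure`/`_parsefailure` tag is present. Note also that `kv` on `RuleName` splits on `,`/`=` with no `allow_duplicate_values` or key whitelist; rule names are operator-controlled config rather than endpoint input, which is fine, but a rule name containing `=` will produce unexpected `mitre_*` keys.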


@ -0,0 +1,807 @@
# HELK winevent-security filter conf file
# HELK build Stage: Alpha
# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0
filter {
if [log_name] == "Security"{
mutate { add_field => { "z_logstash_pipeline" => "1532" } }
if [ProcessName] {
grok {
match => { "ProcessName" => ".*\\%{GREEDYDATA:process_name}" }
tag_on_failure => [ "_ProcessName_grokparsefailure", "_grokparsefailure", "_parsefailure" ]
}
}
if [event_id] == 4611 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4611.md
mutate {
rename => {
"SubjectUserSid" => "user_sid"
"SubjectUserName" => "user_name"
"SubjectDomainName" => "user_domain"
"SubjectLogonId" => "user_logon_id"
"LogonProcessName" => "logon_process_name"
}
}
}
if [event_id] == 4616 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4616.md
mutate {
rename => {
"NewTime" => "@date_new_time"
"PreviousTime" => "@date_previous_time"
"SubjectUserSid" => "user_sid"
"SubjectUserName" => "user_name"
"SubjectDomainName" => "user_domain"
"SubjectLogonId" => "user_logon_id"
"ProcessId" => "process_id"
"ProcessName" => "process_path"
}
}
}
if [event_id] == 4624 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4624.md
mutate {
rename => {
"SubjectUserSid" => "user_reporter_sid"
"SubjectUserName" => "user_reporter_name"
"SubjectDomainName" => "user_reporter_domain"
"SubjectLogonId" => "reporter_logon_id"
"ProcessId" => "process_id"
"ProcessName" => "process_path"
"TargetLogonId" => "user_logon_id"
"LogonType" => "logon_type"
"RestrictedAdminMode" => "logon_restricted_adminmode"
"VirtualAccount" => "logon_virtual_account"
"ElevatedToken" => "logon_elevated_token"
"TargetUserName" => "user_name"
"TargetDomainName" => "user_domain"
"TargetLinkedLogonId" => "user_linked_logon_id"
"TargetOutboundDomainName" => "user_network_account_domain"
"TargetOutboundUserName" => "user_network_account_name"
"TargetUserSid" => "user_sid"
"ImpersonationLevel" => "impersonation_level"
"LogonGuid" => "user_logon_guid"
"WorkstationName" => "src_host_name"
"IpPort" => "src_port"
"LogonProcessName" => "logon_process_name"
"AuthenticationPackageName" => "logon_authentication_package_name"
"TransmittedServices" => "logon_transmitted_services"
"LmPackageName" => "logon_package_name"
"KeyLength" => "logon_key_length"
}
}
if "logon_elevated_token" == "Yes"{
mutate { add_tag => ["elevated_logon"] }
}
}
if [event_id] == 4625 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4625.md
mutate {
rename => {
"SubjectUserSid" => "user_reporter_sid"
"SubjectUserName" => "user_reporter_name"
"SubjectDomainName" => "user_reporter_domain"
"SubjectLogonId" => "reporter_logon_id"
"ProcessId" => "process_id"
"ProcessName" => "process_path"
"LogonType" => "logon_type"
"TargetUserName" => "user_name"
"TargetDomainName" => "user_domain"
"TargetUserSid" => "user_sid"
"WorkstationName" => "src_host"
"IpPort" => "src_port"
"LogonProcessName" => "logon_process_name"
"AuthenticationPackageName" => "logon_authentication_package_name"
"TransmittedServices" => "logon_transmitted_services"
"LmPackageName" => "logon_package_name"
"KeyLength" => "logon_key_length"
"FailureReason" => "logon_failure_reason"
"Status" => "logon_failure_status"
"SubStatus" => "logon_failure_substatus"
}
}
if "logon_elevated_token" == "Yes"{
mutate { add_tag => ["elevated_logon"] }
}
}
if [event_id] == 4627 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4627.md
mutate {
rename => {
"SubjectUserSid" => "user_reporter_sid"
"SubjectUserName" => "user_reporter_name"
"SubjectDomainName" => "user_reporter_domain"
"SubjectLogonId" => "reporter_logon_id"
"TargetLogonId" => "user_logon_id"
"LogonType" => "logon_type"
"TargetUserName" => "user_name"
"TargetDomainName" => "user_domain"
"TargetUserSid" => "user_sid"
"GroupMembership" => "user_group_membership"
}
remove_field => [
"EventCountTotal",
"EventIdx"
]
}
}
if [event_id] == 4634 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4634.md
mutate {
rename => {
"LogonType" => "logon_type"
"TargetDomainName" => "user_domain"
"TargetLogonId" => "user_logon_id"
"TargetUserName" => "user_name"
"TargetUserSid" => "user_sid"
}
}
}
if [event_id] == 4647 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4647.md
mutate {
rename => {
"TargetDomainName" => "user_domain"
"TargetLogonId" => "user_logon_id"
"TargetUserName" => "user_name"
"TargetUserSid" => "user_sid"
}
}
}
if [event_id] == 4648 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4648.md
mutate {
rename => {
"SubjectUserSid" => "user_sid"
"SubjectUserName" => "user_name"
"SubjectDomainName" => "user_domain"
"SubjectLogonId" => "user_logon_id"
"LogonGuid" => "user_logon_guid"
"TargetUserName" => "target_user_name"
"TargetDomainName" => "target_user_domain"
"ProcessId" => "process_id"
"ProcessName" => "process_path"
"TargetLogonId" => "target_user_logon_id"
"TargetServerName" => "service_host_name"
"TargetInfo" => "service_host_info"
"TargetLogonGuid" => "target_user_logon_guid"
"IpPort" => "src_port"
}
gsub => [ "target_user_logon_guid", "[{}]", "" ]
}
}
if [event_id] == 4656 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4656.md
mutate {
rename => {
"SubjectDomainName" => "user_domain"
"SubjectLogonId" => "user_logon_id"
"SubjectUserName" => "user_name"
"SubjectUserSid" => "user_sid"
"AccessList" => "object_access_list_requested"
"AccessMask" => "object_access_mask_requested"
"AccessReason" => "object_access_reason"
"ObjectName" => "object_name"
"ObjectServer" => "object_server"
"ObjectType" => "object_type"
"HandleId" => "object_access_handle_id"
"PrivilegeList" => "object_privilege_list"
"TransactionId" => "object_access_transaction_id"
"ProcessId" => "process_id"
"ProcessName" => "process_path"
"ResourceAttributes" => "object_resource_attributes"
"RestrictedSidCount" => "object_restricted_sid_count"
}
}
}
if [event_id] == 4657 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4657.md
mutate {
rename => {
"SubjectDomainName" => "user_domain"
"SubjectLogonId" => "user_logon_id"
"SubjectUserName" => "user_name"
"SubjectUserSid" => "user_sid"
"ObjectName" => "object_name"
"ObjectValueName" => "object_value_name"
"HandleId" => "object_access_handle_id"
"OperationType" => "object_operation_type"
"ProcessId" => "process_id"
"ProcessName" => "process_path"
"OldValueType" => "object_value_old_type"
"OldValue" => "object_value_old"
"NewValueType" => "object_value_new_type"
"NewValue" => "object_value_new"
}
}
}
if [event_id] == 4658 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4658.md
mutate {
rename => {
"SubjectDomainName" => "user_domain"
"SubjectLogonId" => "user_logon_id"
"SubjectUserName" => "user_name"
"SubjectUserSid" => "user_sid"
"ProcessId" => "process_id"
"ProcessName" => "process_path"
"ObjectServer" => "object_server"
"HandleId" => "object_access_handle_id"
}
}
}
if [event_id] == 4661 or [event_id] == 4662 or [event_id] == 4663 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4661.md
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4662.md
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4663.md
mutate {
rename => {
"SubjectDomainName" => "user_domain"
"SubjectLogonId" => "user_logon_id"
"SubjectUserName" => "user_name"
"SubjectUserSid" => "user_sid"
"Properties" => "object_properties"
"AccessMask" => "object_access_mask_requested"
"HandleId" => "object_access_handle_id"
"ObjectName" => "object_name"
"ObjectServer" => "object_server"
"ObjectType" => "object_type"
"AdditionalInfo2" => "object_additional_info2"
"OperationType" => "object_operation_type"
"AdditionalInfo" => "object_additional_info"
"AccessList" => "object_access_list_requested"
"ResourceAttributes" => "object_resource_attributes"
"ProcessId" => "process_id"
"ProcessName" => "process_path"
"AccessReason" => "object_access_reason"
"PrivilegeList" => "object_privilege_list"
"TransactionId" => "object_access_transaction_id"
"RestrictedSidCount" => "object_restricted_sid_count"
}
}
}
if [event_id] == 4670 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4670.md
mutate {
rename => {
"SubjectDomainName" => "user_domain"
"SubjectLogonId" => "user_logon_id"
"SubjectUserName" => "user_name"
"SubjectUserSid" => "user_sid"
"ProcessId" => "process_id"
"ProcessName" => "process_path"
"HandleId" => "object_access_handle_id"
"NewSd" => "object_new_sddl"
"ObjectName" => "object_name"
"ObjectServer" => "object_server"
"ObjectType" => "object_type"
"OldSd" => "object_old_sddl"
}
}
}
if [event_id] == 4672 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4672.md
mutate {
rename => {
"PrivilegeList" => "logon_privileges_assigned"
"SubjectDomainName" => "user_domain"
"SubjectLogonId" => "user_logon_id"
"SubjectUserName" => "user_name"
"SubjectUserSid" => "user_sid"
}
}
}
if [event_id] == 4673 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4673.md
mutate {
rename => {
"PrivilegeList" => "service_privilege_list"
"ObjectServer" => "object_server"
"Service" => "service_name"
"SubjectDomainName" => "user_domain"
"SubjectLogonId" => "user_logon_id"
"SubjectUserName" => "user_name"
"SubjectUserSid" => "user_sid"
"ProcessId" => "process_id"
"ProcessName" => "process_path"
}
}
}
if [event_id] == 4674 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4674.md
mutate {
rename => {
"SubjectDomainName" => "user_domain"
"SubjectLogonId" => "user_logon_id"
"SubjectUserName" => "user_name"
"SubjectUserSid" => "user_sid"
"ProcessId" => "process_id"
"ProcessName" => "process_path"
"AccessMask" => "object_access_mask_requested"
"HandleId" => "object_access_handle_id"
"ObjectName" => "object_name"
"ObjectServer" => "object_server"
"ObjectType" => "object_type"
"PrivilegeList" => "object_privilege_list"
}
}
}
if [event_id] == 4688 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4688.md
grok {
match => { "NewProcessName" => ".*\\%{GREEDYDATA:process_name}" }
tag_on_failure => [ "_NewProcessName_grokparsefailure", "_grokparsefailure", "_parsefailure" ]
}
if [ParentProcessName] {
grok {
match => { "ParentProcessName" => ".*\\%{GREEDYDATA:process_parent_name}" }
tag_on_failure => [ "_ParentProcessName_grokparsefailure", "_grokparsefailure", "_parsefailure" ]
}
}
mutate {
rename => {
"NewProcessId" => "process_id"
"NewProcessName" => "process_path"
"CommandLine" => "command_line"
"ParentProcessName" => "process_parent_path"
"SubjectDomainName" => "user_domain"
"SubjectLogonId" => "user_logon_id"
"SubjectUserName" => "user_name"
"SubjectUserSid" => "user_sid"
"TargetDomainName" => "user_principal_domain"
"TargetUserSid" => "user_principal_sid"
"TargetUserName" => "user_principal_name"
"TargetLogonId" => "user_principal_id"
"MandatoryLabel" => "process_mandatory_level"
"ProcessId" => "process_parent_id"
"TokenElevationType" => "process_token_elevation_type"
}
}
}
if [event_id] == 4689 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4689.md
mutate {
rename => {
"SubjectDomainName" => "user_domain"
"SubjectLogonId" => "user_logon_id"
"SubjectUserName" => "user_name"
"SubjectUserSid" => "user_sid"
"ProcessId" => "process_id"
"ProcessName" => "process_path"
"Status" => "process_status"
}
}
}
if [event_id] == 4690 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4690.md
mutate {
rename => {
"SubjectDomainName" => "user_domain"
"SubjectLogonId" => "user_logon_id"
"SubjectUserName" => "user_name"
"SubjectUserSid" => "user_sid"
"SourceHandleId" => "process_handle_id"
"SourceProcessId" => "process_id"
"TargetHandleId" => "target_process_handle_id"
"TargetProcessId" => "target_process_id"
}
}
}
if [event_id] == 4697 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4697.md
mutate {
rename => {
"SubjectDomainName" => "user_domain"
"SubjectLogonId" => "user_logon_id"
"SubjectUserName" => "user_name"
"SubjectUserSid" => "user_sid"
"ServiceAccount" => "service_account_name"
"ServiceFileName" => "service_image_path"
"ServiceName" => "service_name"
"ServiceStartType" => "service_start_type"
"ServiceType" => "service_type"
}
}
}
if [event_id] == 4701 or [event_id] == 4702 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4701.md
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4702.md
mutate {
rename => {
"SubjectDomainName" => "user_domain"
"SubjectLogonId" => "user_logon_id"
"SubjectUserName" => "user_name"
"SubjectUserSid" => "user_sid"
"TaskContentNew" => "task_new_content"
"TaskName" => "task_name"
}
}
}
if [event_id] == 4703 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4703.md
mutate {
rename => {
"SubjectDomainName" => "user_domain"
"SubjectLogonId" => "user_logon_id"
"SubjectUserName" => "user_name"
"SubjectUserSid" => "user_sid"
"TargetDomainName" => "user_target_domain"
"TargetLogonId" => "user_target_logon_id"
"TargetUserSid" => "user_target_sid"
"TargetUserName" => "user_target_name"
"DisabledPrivilegeList" => "user_target_disabled_privilegelist"
"EnabledPrivilegeList" => "user_target_enabled_privilegelist"
"ProcessId" => "process_id"
"ProcessName" => "process_path"
}
}
}
if [event_id] == 4719 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4719.md
mutate {
rename => {
"SubjectDomainName" => "user_domain"
"SubjectLogonId" => "user_logon_id"
"SubjectUserName" => "user_name"
"SubjectUserSid" => "user_sid"
"AuditPolicyChanges" => "policy_changes"
"CategoryId" => "policy_category_id"
"SubcategoryGuid" => "policy_subcategory_guid"
"SubcategoryId" => "policy_subcategory_id"
}
}
}
if [event_id] == 4724 or [event_id] == 4725 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4724.md
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4725.md
mutate {
rename => {
"SubjectDomainName" => "user_domain"
"SubjectLogonId" => "user_logon_id"
"SubjectUserName" => "user_name"
"SubjectUserSid" => "user_sid"
"TargetDomainName" => "user_target_domain"
"TargetSid" => "user_target_sid"
"TargetUserName" => "user_target_name"
}
}
}
if [event_id] == 4726 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4726.md
mutate {
rename => {
"SubjectDomainName" => "user_domain"
"SubjectLogonId" => "user_logon_id"
"SubjectUserName" => "user_name"
"SubjectUserSid" => "user_sid"
"TargetDomainName" => "user_target_domain"
"TargetSid" => "user_target_sid"
"TargetUserName" => "user_target_name"
"PrivilegeList" => "user_privilege_list"
}
}
}
if [event_id] == 4728 or [event_id] == 4729 {
mutate {
rename => {
"SubjectDomainName" => "user_domain"
"SubjectLogonId" => "user_logon_id"
"SubjectUserName" => "user_name"
"SubjectUserSid" => "user_sid"
"TargetDomainName" => "group_domain"
"TargetSid" => "group_sid"
"TargetUserName" => "group_name"
"MemberName" => "group_member_name"
"MemberSid" => "group_member_sid"
"PrivilegeList" => "group_privilege_list"
}
}
}
if [event_id] == 4732 or [event_id] == 4733 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4732.md
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4733.md
mutate {
rename => {
"SubjectDomainName" => "user_domain"
"SubjectLogonId" => "user_logon_id"
"SubjectUserName" => "user_name"
"SubjectUserSid" => "user_sid"
"TargetDomainName" => "group_domain"
"TargetSid" => "group_sid"
"TargetUserName" => "group_name"
"MemberName" => "group_member_name"
"MemberSid" => "group_member_sid"
"PrivilegeList" => "group_privilege_list"
}
}
}
if [event_id] == 4738 or [event_id] == 4720 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4738.md
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4720.md
mutate {
rename => {
"SubjectDomainName" => "user_domain"
"SubjectLogonId" => "user_logon_id"
"SubjectUserName" => "user_name"
"SubjectUserSid" => "user_sid"
"TargetDomainName" => "user_target_domain"
"TargetSid" => "user_target_sid"
"TargetUserName" => "user_target_name"
"AccountExpires" => "user_attribute_account_expires"
"AllowedToDelegateTo" => "user_attribute_allowed_todelegate"
"DisplayName" => "user_attribute_display_name"
"Dummy" => "user_attribute_dummy"
"HomeDirectory" => "user_attribute_home_directory"
"HomePath" => "user_attribute_home_path"
"LogonHours" => "user_attribute_logon_hours"
"NewUacValue" => "user_attribute_new_uacvalue"
"OldUacValue" => "user_attribute_old_uacvalue"
"PasswordLastSet" => "user_attribute_password_lastset"
"PrimaryGroupId" => "[user_attribute_primary_group_id"
"PrivilegeList" => "user_attribute_privilege_list"
"ProfilePath" => "user_attribute_profile_path"
"SamAccountName" => "user_attribute_samaccount_name"
"ScriptPath" => "user_attribute_script_path"
"SidHistory" => "user_attribute_sid_history"
}
}
}
if [event_id] == 4768 or [event_id] == 4769 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4768.md
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4769.md
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4771.md
mutate {
rename => {
"TargetDomainName" => "user_domain"
"TargetUserName" => "user_name"
"IpPort" => "src_port"
"PreAuthType" => "service_ticket_preauthtype"
"LogonGuid" => "user_logon_guid"
"ServiceName" => "service_ticket_name"
"ServiceSid" => "service_ticket_id"
"Status" => "service_ticket_status"
"TicketEncryptionType" => "ticket_encryption_type"
"TicketOptions" => "ticket_options"
"FailureCode" => "ticket_failure_code"
"TransmittedServices" => "service_ticket_requested"
"TargetSid" => "user_sid"
}
}
}
if [event_id] == 4797 {
mutate {
rename => {
"SubjectDomainName" => "user_domain"
"SubjectLogonId" => "user_logon_id"
"SubjectUserName" => "user_name"
"SubjectUserSid" => "user_sid"
"TargetDomainName" => "service_enumerated_domain"
"TargetUserName" => "service_enumerated_name"
"Workstation" => "host_name"
}
}
}
if [event_id] == 4798 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4798.md
mutate {
rename => {
"CallerProcessId" => "process_id"
"CallerProcessName" => "process_path"
"SubjectDomainName" => "user_domain"
"SubjectLogonId" => "user_logon_id"
"SubjectUserName" => "user_name"
"SubjectUserSid" => "user_sid"
"TargetDomainName" => "user_domain_enumerated"
"TargetSid" => "user_sid_enumerated"
"TargetUserName" => "user_name_enumerated"
}
}
}
if [event_id] == 4799 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4799.md
mutate {
rename => {
"CallerProcessId" => "process_id"
"CallerProcessName" => "process_path"
"SubjectDomainName" => "user_domain"
"SubjectLogonId" => "user_logon_id"
"SubjectUserName" => "user_name"
"SubjectUserSid" => "user_sid"
"TargetDomainName" => "group_domain_enumerated"
"TargetSid" => "group_sid_enumerated"
"TargetUserName" => "group_name_enumerated"
}
}
}
if [event_id] == 4800 or [event_id] == 4801 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4800.md
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4801.md
mutate {
rename => {
"TargetDomainName" => "user_domain"
"TargetUserSid" => "user_sid"
"TargetUserName" => "user_name"
"TargetLogonId" => "user_logon_id"
"SessionId" => "user_session_id"
}
}
}
if [event_id] == 4907 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4907.md
mutate {
rename => {
"SubjectDomainName" => "user_domain"
"SubjectLogonId" => "user_logon_id"
"SubjectUserName" => "user_name"
"SubjectUserSid" => "user_sid"
"ProcessId" => "process_id"
"ProcessName" => "process_path"
"HandleId" => "object_access_handle_id"
"NewSd" => "object_new_sddl"
"ObjectName" => "object_name"
"ObjectServer" => "object_server"
"ObjectType" => "object_type"
"OldSd" => "object_old_sddl"
}
}
}
if [event_id] == 4957 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4957.md
mutate {
rename => {
"RuleAttr" => "firewall_rule_attr"
"RuleId" => "firewall_rule_id"
"RuleName" => "firewall_rule_name"
}
}
}
if [event_id] == 5058 or [event_id] == 5059 or [event_id] == 5061 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5058.md
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5059.md
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5061.md
mutate {
rename => {
"SubjectDomainName" => "user_domain"
"SubjectLogonId" => "user_logon_id"
"SubjectUserName" => "user_name"
"SubjectUserSid" => "user_sid"
"AlgorithmName" => "key_algorithm_name"
"KeyName" => "key_name"
"KeyType" => "key_type"
"Operation" => "key_operation"
"ProviderName" => "key_provider_name"
"ReturnCode" => "key_return_code"
}
}
}
if [event_id] == 5136 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5136.md
mutate {
rename => {
"SubjectDomainName" => "user_domain"
"SubjectLogonId" => "user_logon_id"
"SubjectUserName" => "user_name"
"SubjectUserSid" => "user_sid"
"OpCorrelationID" => "dsoperation_correlation_id"
"AppCorrelationID" => "dsoperation_app_correlation_id"
"DSName" => "dsobject_domain"
"DSType" => "dsobject_domain_type"
"ObjectDN" => "dsobject_dn"
"ObjectGUID" => "dsobject_guid"
"ObjectClass" => "dsobject_class"
"AttributeLDAPDisplayName" => "dsobject_attribute_name"
"AttributeSyntaxOID" => "dsobject_attribute_type"
"AttributeValue" => "dsobject_attribute_value"
"OperationType" => "dsoperation_type"
}
}
}
if [event_id] == 5140 or [event_id] == 5145 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5140.md
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5145.md
mutate {
rename => {
"SubjectDomainName" => "user_domain"
"SubjectLogonId" => "user_logon_id"
"SubjectUserName" => "user_name"
"SubjectUserSid" => "user_sid"
"AccessList" => "object_access_list_requested"
"AccessMask" => "object_access_mask_requested"
"AccessReason" => "user_access_reason"
"IpPort" => "src_port"
"ObjectType" => "object_type"
"RelativeTargetName" => "share_relative_target_name"
"ShareLocalPath" => "share_local_path"
"ShareName" => "share_name"
}
}
}
if [event_id] == 5152 or [event_id] == 5154 or [event_id] == 5156 or [event_id] == 5158 or [event_id] == 5157 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5152.md
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5154.md
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5156.md
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5157.md
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5158.md
grok {
match => {
"Application" => ".*\\%{GREEDYDATA:process_name}"
}
tag_on_failure => [ "_Application_grokparsefailure", "_grokparsefailure", "_parsefailure" ]
}
mutate {
rename => {
"Application" => "process_path"
"DestPort" => "dst_port"
"Direction" => "network_direction"
"FilterRTID" => "network_filter_rtid"
"LayerName" => "network_layer_name"
"LayerRTID" => "network_layer_rtid"
"ProcessID" => "process_id"
"Protocol" => "network_protocol"
"RemoteMachineID" => "dst_host_name_id"
"RemoteUserID" => "dst_user_id"
"SourcePort" => "src_port"
"ProcessId" => "process_id"
}
}
}
if [event_id] == 5447 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5447.md
mutate {
rename => {
"SubjectDomainName" => "user_domain"
"SubjectLogonId" => "user_logon_id"
"SubjectUserName" => "user_name"
"SubjectUserSid" => "user_sid"
"AccessList" => "object_access_list_requested"
"AccessMask" => "object_access_mask_requested"
"AccessReason" => "user_access_reason"
"IpPort" => "src_port"
"ObjectType" => "object_type"
"RelativeTargetName" => "share_relative_target_name"
"ShareLocalPath" => "share_local_path"
"ShareName" => "share_name"
"Action" => "filtering_action"
"CalloutKey" => "filtering_callout_key"
"CalloutName" => "filtering_callout_name"
"ChangeType" => "filtering_change_type"
"Conditions" => "filtering_conditions"
"FilterId" => "filtering_id"
"FilterKey" => "filtering_key"
"FilterName" => "filtering_name"
"FilterType" => "filtering_type"
"LayerId" => "filtering_layer_id"
"LayerKey" => "filtering_layer_key"
"LayerName" => "filtering_layer_name"
"ProcessId" => "process_id"
"ProviderKey" => "filtering_provider_key"
"ProviderName" => "filtering_provider_name"
"UserName" => "user_name"
"UserSid" => "user_sid"
"Weight" => "filtering_weight"
}
}
}
if [event_id] == 6416 {
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-6416.md
mutate {
rename => {
"SubjectDomainName" => "user_domain"
"SubjectLogonId" => "user_logon_id"
"SubjectUserName" => "user_name"
"SubjectUserSid" => "user_sid"
"ClassId" => "device_class_id"
"ClassName" => "device_class_name"
"CompatibleIds" => "device_compatible_ids"
"DeviceDescription" => "device_description"
"DeviceId" => "device_id"
"LocationInformation" => "device_location_information"
"VendorIds" => "device_vendor_ids"
}
}
}
mutate { rename => { "computer_name" => "host_name" } }
}
}
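Review bot: The elevated-logon check at L3795 (and its copy at L3825) compares two string literals, `"logon_elevated_token" == "Yes"`, so it is always false and the `elevated_logon` tag is never added; it should read `if [logon_elevated_token] == "Yes" {`, and the copy under 4625 can go, since that event renames no ElevatedToken field. The 4738/4720 rename at L4262 has a stray bracket in its target, `"[user_attribute_primary_group_id"`, which should be `"user_attribute_primary_group_id"`. The 4797 block renames `Workstation` to `host_name`, and the unconditional `computer_name` → `host_name` rename at L4525 then appears to overwrite it, dropping the remote workstation that performed the query; a distinct name such as `src_host_name` (as 4624 uses at L3786) would keep it, and `src_host` under 4625 (L3813) should be aligned to that same name. The conditional at L4271 cites the 4771 reference but only matches 4768 and 4769, so Kerberos pre-authentication failures are left unnormalized.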


@ -5,29 +5,32 @@
filter {
if [log_name] == "System" {
mutate { add_field => { "z_logstash_pipeline" => "1533" } }
if [event_id] == 7045 {
# https://cyberwardog.blogspot.com/2017/04/chronicles-of-threat-hunter-hunting-for_11.html
mutate {
rename => {
"[event_data][AccountName]" => "service_account_name"
"[event_data][ImagePath]" => "service_image_path"
"[event_data][ServiceName]" => "service_name"
"[event_data][ServiceType]" => "service_type"
"[event_data][StartType]" => "service_start_type"
"AccountName" => "service_account_name"
"ImagePath" => "service_image_path"
"ServiceName" => "service_name"
"ServiceType" => "service_type"
"StartType" => "service_start_type"
}
add_tag => ["new_service"]
remove_field => ["message"]
remove_field => "host"
remove_field => "process_id"
add_tag => [ "new_service" ]
remove_field => [
"message",
"host",
"process_id"
]
}
}
if [event_id] == 16 {
mutate {
rename => {
"[event_data][HiveName]" => "hive_name"
"[event_data][HiveNameLength]" => "hive_name_length"
"[event_data][KeysUpdated]" => "hive_keys_updated"
"[event_data][DirtyPages]" => "hive_dirty_pages"
"HiveName" => "hive_name"
"HiveNameLength" => "hive_name_length"
"KeysUpdated" => "hive_keys_updated"
"DirtyPages" => "hive_dirty_pages"
}
}
}


@ -6,19 +6,16 @@
filter {
if [log_name] == "Application"{
if [source_name] == "Microsoft-Windows-Security-SPP"{
mutate { add_field => { "z_logstash_pipeline" => "1534" } }
if [event_id] == 16384 {
mutate {
rename => {
"[event_data][param1]" => "spp_restart_scheduled"
"[event_data][param2]" => "spp_restart_reason"
"param1" => "spp_restart_scheduled"
"param2" => "spp_restart_reason"
}
}
}
}
mutate {
rename => {
"computer_name" => "host_name"
}
}
mutate { rename => { "computer_name" => "host_name" } }
}
}


@ -5,6 +5,7 @@
filter {
if [log_name] == "Microsoft-Windows-WMI-Activity/Operational"{
mutate { add_field => { "z_logstash_pipeline" => "1535" } }
mutate {
rename => {
"[user][domain]" => "user_reporter_domain"
@ -14,10 +15,10 @@ filter {
"computer_name" => "host_name"
}
}
if [event_data][User] {
if [User] {
grok {
match => { "[event_data][User]" => "%{GREEDYDATA:user_domain}\\%{GREEDYDATA:user_name}" }
tag_on_failure => [ "_grokparsefailure", "_parsefailure" ]
match => { "User" => "%{GREEDYDATA:user_domain}\\%{GREEDYDATA:user_name}" }
tag_on_failure => [ "_User_grokparsefailure", "_grokparsefailure", "_parsefailure" ]
}
}
@ -236,11 +237,7 @@ filter {
}
# Common to all events
mutate {
convert => {
"process_id" => "integer"
}
}
mutate { convert => { "process_id" => "integer" } }
}
}


@ -0,0 +1,42 @@
filter {
if [event_id] {
if [user_logon_id] {
mutate { add_field => { "z_logstash_pipeline" => "1543_1" } }
mutate { gsub => [ "user_logon_id", "0x", "" ]}
ruby {
code => "event.set('user_logon_id', event.get('user_logon_id').to_s.hex)"
tag_on_exception => "_rubyexception_1543_1"
}
}
if [process_id] {
mutate { add_field => { "z_logstash_pipeline" => "1543_2" } }
mutate { gsub => [ "process_id", "0x", "" ]}
ruby {
code => "event.set('process_id', event.get('process_id').to_s.hex)"
tag_on_exception => "_rubyexception_1543_2"
}
}
if [process_parent_id] {
mutate { add_field => { "z_logstash_pipeline" => "1543_3" } }
mutate { gsub => [ "process_parent_id", "0x", "" ]}
ruby {
code => "event.set('process_parent_id', event.get('process_parent_id').to_s.hex)"
tag_on_exception => "_rubyexception_1543_3"
}
}
if [target_process_id] {
mutate { add_field => { "z_logstash_pipeline" => "1543_4" } }
mutate { gsub => [ "target_process_id", "0x", "" ]}
ruby {
code => "event.set('target_process_id', event.get('target_process_id').to_s.hex)"
tag_on_exception => "_rubyexception_1543_4"
}
}
if [ProdessName] {
mutate { rename => { "ProdessName" => "ProcessName" } }
}
}
}
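Review bot: The hex conversion in this file runs for every event that has an `event_id`, but only some sources carry hex-encoded IDs (the Security log's `0x...` values); a source that already holds a decimal `process_id`, such as the WMI-Activity filter that converts it to an integer at L4634, would have its value reinterpreted as hex by `.to_s.hex` (1234 becomes 4660) if that filter runs first, as the file numbering suggests. Gate each block on the prefix rather than on presence, `if [process_id] =~ /^0x/ {`, and likewise for `user_logon_id`, `process_parent_id` and `target_process_id`; Ruby's `String#hex` already accepts a `0x` prefix, so the `gsub` lines become unnecessary, and as written the unanchored `"0x"` pattern strips that sequence anywhere in the value, not only at the start. The `ProdessName` rename at L4675 looks like a workaround for a misspelled upstream field name; a one-line comment stating where that spelling originates would stop a later reader from "correcting" it.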


@ -0,0 +1,8 @@
filter {
if [event_id] {
if [user_logon_guid] {
mutate { add_field => { "z_logstash_pipeline" => "1544" } }
mutate { gsub => [ "user_logon_guid", "[{}]", "" ] }
}
}
}


@ -0,0 +1,207 @@
# HELK powershell filter conf file
# HELK build Stage: Alpha
# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0
# Reference:
# Nate Guagenti (@neu5ron) https://gist.github.com/neu5ron/450289373db61d5c8d7378e79455ef07#file-511-windows-event-powershell-operational-conf
filter {
if [source_name] == "Microsoft-Windows-PowerShell" or [source_name] == "PowerShell" {
if [event_id] == 4103 {
mutate { add_field => { "z_logstash_pipeline" => "2511_1" } }
mutate {
add_field => {
"PayloadInvocation" => "%{Payload}"
"PayloadParams" => "%{Payload}"
}
gsub => [
"ContextInfo", " ", "",
"ContextInfo", " = ", "="
]
}
kv {
source => "ContextInfo"
field_split => "\r\n"
value_split => "="
remove_char_key => " "
allow_duplicate_values => false
include_keys => [
"Severity",
"HostName",
"HostVersion",
"HostID",
"HostApplication",
"EngineVersion",
"RunspaceID",
"PipelineID",
"CommandName",
"CommandType",
"ScriptName",
"CommandPath",
"SequenceNumber",
"ConnectedUser",
"ShellID"
]
}
mutate {
gsub => [
"PayloadInvocation", "CommandInvocation\(.*\)", "CommandInvocation",
"PayloadInvocation", "ParameterBinding.*\r\n", "",
"PayloadParams", "CommandInvocation.*\r\n", "",
"PayloadParams", "ParameterBinding\(\S+\): ", "|||SPLITMEHEHE|||",
"Payload", "CommandInvocation.*\r\n", "",
"Payload", "ParameterBinding.*\r\n", ""
]
}
kv {
source => "PayloadInvocation"
field_split => "\n"
value_split => ":"
allow_duplicate_values => false
target => "[powershell]"
include_keys => [ "CommandInvocation" ]
}
ruby {
code => "
params_split = event.get('PayloadParams').split('|||SPLITMEHEHE|||')
params_split = params_split.drop(1)
params_split_length = params_split.length
all_names = Array.new
all_values = Array.new
all_values_non_alphanumeric = Array.new
all_contains_net = Array.new
all_ascii_only = Array.new
for param in params_split
slice_and_dice = param.index('; value=')
param_name = param.slice(6..slice_and_dice-2)
param_value = param.slice(param.index('value=')..-1)[6..-1]
param_value = param_value.strip
param_value[0] = ''
param_value[-1] = ''
value_non_alphanumeric = param_value.gsub(/[A-Za-z0-9\s]+/i, '')
value_lowercased = param_value.downcase
if !param_value.nil?
all_values.push(param_value)
all_values_non_alphanumeric.push(value_non_alphanumeric)
end
if !param_name.nil?
all_names.push(param_name)
end
end
all_names = all_names.uniq
all_values = all_values.uniq
all_values_non_alphanumeric = all_values_non_alphanumeric.uniq
event.set('[powershell][param][name]', all_names)
event.set('[powershell][param][value]', all_values)
event.set('[powershell][param][value_nonalphanumeric]', all_values_non_alphanumeric)
"
tag_on_exception => "_rubyexception_2511_1"
}
prune { blacklist_values => [ "Payload", "^$" ] }
mutate {
rename => {
"CommandName" => "[powershell][command][name]"
"CommandPath" => "[powershell][command][path]"
"CommandType" => "[powershell][command][type]"
"ConnectedUser" => "[powershell][connected_user]"
"EngineVersion" => "[powershell][engine_version]"
"HostApplication" => "[powershell][host][application]"
"HostID" => "[powershell][host][id]"
"HostName" => "[powershell][host][name]"
"HostVersion" => "[powershell][host][version]"
"PipelineID" => "[powershell][pipeline_id]"
"RunspaceID" => "[powershell][runspace_id]"
"Scriptname" => "[powershell][script][name]"
"SequenceNumber" => "[powershell][sequence_number]"
"ShellID" => "[powershell][shell_id]"
"Payload" => "[powershell][remaining_payload]"
}
remove_field => [
"Severity",
"EventType",
"Keywords",
"message",
"Opcode",
"PayloadInvocation",
"PayloadParams",
"Payload",
"ContextInfo"
]
convert => {
"[powershell][pipeline_id]" => "integer"
"[powershell][sequence_number]" => "integer"
}
}
}
if [event_id] == 4104 {
mutate { add_field => { "z_logstash_pipeline" => "2511_2" } }
if [ScriptBlockText] {
mutate { remove_field => [ "message" ] }
}
else {
# Lets use GSUB to make sure we can get things to split on / make it easier more efficient to split on
grok {
match => {
"message" => "^Creating Scriptblock text \(%{INT:MessageNumber} of %{INT:MessageTotal}\):\r\n%{GREEDYDATA:ScriptBlockText}\r\n\r\nScriptBlock ID: %{UUID:ScriptBlockId}\r\nPath: %{DATA:Path}$"
}
break_on_match => true
keep_empty_captures => false
named_captures_only => true
# Sometimes the ScriptBlockText literally could be empty, so you may see this in _grokparesfailure and would then cause a ruby failure below.
tag_on_failure => [ "_grokparsefailure", "_parsefailure" ]
tag_on_timeout => "_groktimeout"
# Timeout 1.5 seconds
timeout_millis => 1500
remove_field => [ "message" ]
}
}
mutate {
rename => {
"MessageNumber" => "[powershell][scriptblock][message_number]"
"MessageTotal" => "[powershell][scriptblock][message_total]"
"ScriptBlockId" => "[powershell][scriptblock][id]"
"ScriptBlockText" => "[powershell][scriptblock][text]"
"Path" => "[powershell][script][path]"
}
}
}
if [event_id] == 400 or [event_id] == 600 {
kv {
source => "param3"
field_split => "\n"
value_split => "="
trim_key => "\t"
allow_duplicate_values => false
}
mutate {
rename => {
"ProviderName" => "[powershell][providername]"
"NewProviderState" => "[powershell][newproviderstate]"
"SequenceNumber" => "[powershell][sequence_number]"
"HostName" => "[powershell][host][name]"
"HostVersion" => "[powershell][host][version]"
"HostId" => "[powershell][host][id]"
"HostApplication" => "[powershell][host][application]"
"EngineVersion" => "[powershell][engine_version]"
"RunspaceId" => "[powershell][runspace_id]"
"PipelineId" => "[powershell][pipeline_id]"
"CommandName" => "[powershell][command][name]"
"CommandType" => "[powershell][command][type]"
"ScriptName" => "[powershell][script][name]"
"CommandPath" => "[powershell][command][path]"
"CommandLine" => "[powershell][command][line]"
"NewEngineState" => "[powershell][newengine_state]"
"PreviousEngineState" => "[powershell][previousengine_state]"
}
remove_field => [
"message",
"param1",
"param2",
"param3"
]
}
}
}
}
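Review bot: The rename key `"Scriptname"` in the 4103 mutate does not match the `"ScriptName"` key the preceding kv filter extracts (its include_keys lists `ScriptName`), so that field is never moved under `[powershell][script][name]` and stays top-level; change the line to `"ScriptName" => "[powershell][script][name]"`. The 400/600 branch spells it `ScriptName` correctly, so only the 4103 branch is affected. Separately, the comment above `tag_on_failure` in the 4104 grok warns about a ruby failure "below", but there is no ruby filter in the 4104 branch; it appears carried over and could be dropped or reworded to say that an empty ScriptBlockText leaves `[powershell][scriptblock][text]` unset.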


@ -6,7 +6,7 @@ filter {
if [log_name] == "Security" {
# event_id 4698 for Created Scheduled Task
if [event_id] == 4698 {
mutate { add_field => { "z_logstash_pipeline" => "0511" } }
mutate { add_field => { "z_logstash_pipeline" => "2512" } }
# Copy Message field incase we bork/mess it up
mutate { copy => { "Message" => "deleteme" } }
# #TONOTE: encoding is UTF-16


@ -0,0 +1,81 @@
filter {
#TONOTE: On all IPs below, even though we have determined that it is IPv4 and IPv6 and will alter rename the field if it is an IPv6 address differently than IPv4 -- We still need to keep it as that single field for this configuration -- because sometimes a single IP type can already have both IPv6 and IPv4 from before -- examples are Cisco ASA Logs and Windows EventID "4769" in Channel "Security"
if [dst_ip_addr] {
# Add pipeline field
mutate { add_field => { "z_logstash_pipeline" => "8012" } }
ruby {
code => "
temp_ip_addresses = event.get('dst_ip_addr')
ip_addresses = Array.new
# Determine if the IP field is an array if not make it an array
if temp_ip_addresses.is_a? Enumerable
ip_addresses = temp_ip_addresses.uniq
else
ip_addresses.push(temp_ip_addresses)
end
clean_ip_addresses_v4 = Array.new
clean_ip_addresses_v6 = Array.new
not_ip_addresses = Array.new
ipv6_regex = /((([0-9a-f]{1,4}:){7}([0-9a-f]{1,4}|:))|(([0-9a-f]{1,4}:){6}(:[0-9a-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){5}(((:[0-9a-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){4}(((:[0-9a-f]{1,4}){1,3})|((:[0-9a-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){3}(((:[0-9a-f]{1,4}){1,4})|((:[0-9a-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){2}(((:[0-9a-f]{1,4}){1,5})|((:[0-9a-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){1}(((:[0-9a-f]{1,4}){1,6})|((:[0-9a-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9a-f]{1,4}){1,7})|((:[0-9a-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?/
for ip_address in ip_addresses
#### General Cleanup
# Remove ending '.'
ip_address = ip_address.chomp
# Remove preceeding '.'# Don't ask.. reverse + chomp + reverse up to 16 times faster
ip_address = ip_address.reverse.chomp('.').reverse
# Remove ending or beginning whitespace
ip_address = ip_address.lstrip.rstrip
# Remove things that would make an IP a share but we want the IP :)
ip_address = ip_address.gsub(/^\\:?/, '')
# Downcase/lowercase for checking if possible ipv6
ip_address = ip_address.downcase
# Likely IPv4 #Check if at most 15 characters (a fully represented IPv4 address with periods\.) and minimum of 7
ip_address_length = ip_address.length
if !ip_address.include?(':') && !( /[a-z]/ === ip_address ) && ip_address_length <= 15 && ip_address_length >= 7 && ip_address.ascii_only?
# Remove any preceeding zeroes in each octet
temp_ip = Array.new
ip_address.split('.').each do |octet|
octet = octet.to_i.to_s
temp_ip.push(octet)
end
ip_address = temp_ip.join('.')
clean_ip_addresses_v4.push(ip_address)
# Likely IPv6 #Check if at most 39 characters (a fully represented IPv6 address with colons\:) and minimum of 2
elsif ip_address_length <= 39 && ip_address_length >= 2 && ip_address.ascii_only?
if ipv6_regex === ip_address
clean_ip_addresses_v6.push(ip_address)
else
not_ip_addresses.push(ip_address)
end
else
not_ip_addresses.push(ip_address)
end
end
# Set the new IP addresses
if !clean_ip_addresses_v4.empty?
event.set('dst_ip_addr', clean_ip_addresses_v4)
# Set the number of ip addresses so we can use array or non array later in pipeline
event.set('temp_number_of_ipv4_dst_addresses', clean_ip_addresses_v4.length)
else
event.remove('dst_ip_addr')
end
if !clean_ip_addresses_v6.empty?
event.set('ipv6_dst_addr', clean_ip_addresses_v6)
#TODO:eventually set ipv6 number of ip addresses
end
if !not_ip_addresses.empty?
event.set('not_ip_dst', not_ip_addresses)
end
"
tag_on_exception => "_rubyexception_8012"
}
}
}
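Review bot: `ip_address.chomp` with no argument strips only a trailing newline, not the trailing '.' that the comment above it describes; the prefix strip on the next line correctly passes `'.'`, so the suffix line should read `ip_address = ip_address.chomp('.')`. The same loop is duplicated verbatim in the 8013, 8014 and 8015 files and needs the same fix there. Note also that the IPv4 branch checks only length, character set and absence of ':', so a value such as `999.1.1.1` is accepted, leading-zero normalised and written back to `dst_ip_addr`; a per-octet `<= 255` check before the push would route it to `not_ip_dst` instead.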


@ -0,0 +1,81 @@
filter {
#TONOTE: On all IPs below, even though we have determined that it is IPv4 and IPv6 and will alter rename the field if it is an IPv6 address differently than IPv4 -- We still need to keep it as that single field for this configuration -- because sometimes a single IP type can already have both IPv6 and IPv4 from before -- examples are Cisco ASA Logs and Windows EventID "4769" in Channel "Security"
if [src_ip_addr] {
# Add pipeline field
mutate { add_field => { "z_logstash_pipeline" => "8013" } }
ruby {
code => "
temp_ip_addresses = event.get('src_ip_addr')
ip_addresses = Array.new
# Determine if the IP field is an array if not make it an array
if temp_ip_addresses.is_a? Enumerable
ip_addresses = temp_ip_addresses.uniq
else
ip_addresses.push(temp_ip_addresses)
end
clean_ip_addresses_v4 = Array.new
clean_ip_addresses_v6 = Array.new
not_ip_addresses = Array.new
ipv6_regex = /((([0-9a-f]{1,4}:){7}([0-9a-f]{1,4}|:))|(([0-9a-f]{1,4}:){6}(:[0-9a-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){5}(((:[0-9a-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){4}(((:[0-9a-f]{1,4}){1,3})|((:[0-9a-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){3}(((:[0-9a-f]{1,4}){1,4})|((:[0-9a-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){2}(((:[0-9a-f]{1,4}){1,5})|((:[0-9a-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){1}(((:[0-9a-f]{1,4}){1,6})|((:[0-9a-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9a-f]{1,4}){1,7})|((:[0-9a-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?/
for ip_address in ip_addresses
#### General Cleanup
# Remove ending '.'
ip_address = ip_address.chomp
# Remove preceeding '.'# Don't ask.. reverse + chomp + reverse up to 16 times faster
ip_address = ip_address.reverse.chomp('.').reverse
# Remove ending or beginning whitespace
ip_address = ip_address.lstrip.rstrip
# Remove things that would make an IP a share but we want the IP :)
ip_address = ip_address.gsub(/^\\:?/, '')
# Downcase/lowercase for checking if possible ipv6
ip_address = ip_address.downcase
# Likely IPv4 #Check if at most 15 characters (a fully represented IPv4 address with periods\.) and minimum of 7
ip_address_length = ip_address.length
if !ip_address.include?(':') && !( /[a-z]/ === ip_address ) && ip_address_length <= 15 && ip_address_length >= 7 && ip_address.ascii_only?
# Remove any preceeding zeroes in each octet
temp_ip = Array.new
ip_address.split('.').each do |octet|
octet = octet.to_i.to_s
temp_ip.push(octet)
end
ip_address = temp_ip.join('.')
clean_ip_addresses_v4.push(ip_address)
# Likely IPv6 #Check if at most 39 characters (a fully represented IPv6 address with colons\:) and minimum of 2
elsif ip_address_length <= 39 && ip_address_length >= 2 && ip_address.ascii_only?
if ipv6_regex === ip_address
clean_ip_addresses_v6.push(ip_address)
else
not_ip_addresses.push(ip_address)
end
else
not_ip_addresses.push(ip_address)
end
end
# Set the new IP addresses
if !clean_ip_addresses_v4.empty?
event.set('src_ip_addr', clean_ip_addresses_v4)
# Set the number of ip addresses so we can use array or non array later in pipeline
event.set('temp_number_of_ipv4_src_addresses', clean_ip_addresses_v4.length)
else
event.remove('src_ip_addr')
end
if !clean_ip_addresses_v6.empty?
event.set('ipv6_src_addr', clean_ip_addresses_v6)
#TODO:eventually set ipv6 number of ip addresses
end
if !not_ip_addresses.empty?
event.set('not_ip_src', not_ip_addresses)
end
"
tag_on_exception => "_rubyexception_8013"
}
}
}


@ -0,0 +1,81 @@
filter {
#TONOTE: On all IPs below, even though we have determined that it is IPv4 and IPv6 and will alter rename the field if it is an IPv6 address differently than IPv4 -- We still need to keep it as that single field for this configuration -- because sometimes a single IP type can already have both IPv6 and IPv4 from before -- examples are Cisco ASA Logs and Windows EventID "4769" in Channel "Security"
if [dst_nat_ip_addr] {
# Add pipeline field
mutate { add_field => { "z_logstash_pipeline" => "8014" } }
ruby {
code => "
temp_ip_addresses = event.get('dst_nat_ip_addr')
ip_addresses = Array.new
# Determine if the IP field is an array if not make it an array
if temp_ip_addresses.is_a? Enumerable
ip_addresses = temp_ip_addresses.uniq
else
ip_addresses.push(temp_ip_addresses)
end
clean_ip_addresses_v4 = Array.new
clean_ip_addresses_v6 = Array.new
not_ip_addresses = Array.new
ipv6_regex = /((([0-9a-f]{1,4}:){7}([0-9a-f]{1,4}|:))|(([0-9a-f]{1,4}:){6}(:[0-9a-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){5}(((:[0-9a-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){4}(((:[0-9a-f]{1,4}){1,3})|((:[0-9a-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){3}(((:[0-9a-f]{1,4}){1,4})|((:[0-9a-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){2}(((:[0-9a-f]{1,4}){1,5})|((:[0-9a-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){1}(((:[0-9a-f]{1,4}){1,6})|((:[0-9a-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9a-f]{1,4}){1,7})|((:[0-9a-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?/
for ip_address in ip_addresses
#### General Cleanup
# Remove ending '.'
ip_address = ip_address.chomp
# Remove preceeding '.'# Don't ask.. reverse + chomp + reverse up to 16 times faster
ip_address = ip_address.reverse.chomp('.').reverse
# Remove ending or beginning whitespace
ip_address = ip_address.lstrip.rstrip
# Remove things that would make an IP a share but we want the IP :)
ip_address = ip_address.gsub(/^\\:?/, '')
# Downcase/lowercase for checking if possible ipv6
ip_address = ip_address.downcase
# Likely IPv4 #Check if at most 15 characters (a fully represented IPv4 address with periods\.) and minimum of 7
ip_address_length = ip_address.length
if !ip_address.include?(':') && !( /[a-z]/ === ip_address ) && ip_address_length <= 15 && ip_address_length >= 7 && ip_address.ascii_only?
# Remove any preceeding zeroes in each octet
temp_ip = Array.new
ip_address.split('.').each do |octet|
octet = octet.to_i.to_s
temp_ip.push(octet)
end
ip_address = temp_ip.join('.')
clean_ip_addresses_v4.push(ip_address)
# Likely IPv6 #Check if at most 39 characters (a fully represented IPv6 address with colons\:) and minimum of 2
elsif ip_address_length <= 39 && ip_address_length >= 2 && ip_address.ascii_only?
if ipv6_regex === ip_address
clean_ip_addresses_v6.push(ip_address)
else
not_ip_addresses.push(ip_address)
end
else
not_ip_addresses.push(ip_address)
end
end
# Set the new IP addresses
if !clean_ip_addresses_v4.empty?
event.set('dst_nat_ip_addr', clean_ip_addresses_v4)
# Set the number of ip addresses so we can use array or non array later in pipeline
event.set('temp_number_of_ipv4_dst_nat_addresses', clean_ip_addresses_v4.length)
else
event.remove('dst_nat_ip_addr')
end
if !clean_ip_addresses_v6.empty?
event.set('ipv6_dst_nat_addr', clean_ip_addresses_v6)
#TODO:eventually set ipv6 number of ip addresses
end
if !not_ip_addresses.empty?
event.set('not_ip_dst_nat', not_ip_addresses)
end
"
tag_on_exception => "_rubyexception_8014"
}
}
}


@ -0,0 +1,81 @@
filter {
#TONOTE: On all IPs below, even though we have determined that it is IPv4 and IPv6 and will alter rename the field if it is an IPv6 address differently than IPv4 -- We still need to keep it as that single field for this configuration -- because sometimes a single IP type can already have both IPv6 and IPv4 from before -- examples are Cisco ASA Logs and Windows EventID "4769" in Channel "Security"
if [src_nat_ip_addr] {
# Add pipeline field
mutate { add_field => { "z_logstash_pipeline" => "8015" } }
ruby {
code => "
temp_ip_addresses = event.get('src_nat_ip_addr')
ip_addresses = Array.new
# Determine if the IP field is an array if not make it an array
if temp_ip_addresses.is_a? Enumerable
ip_addresses = temp_ip_addresses.uniq
else
ip_addresses.push(temp_ip_addresses)
end
clean_ip_addresses_v4 = Array.new
clean_ip_addresses_v6 = Array.new
not_ip_addresses = Array.new
ipv6_regex = /((([0-9a-f]{1,4}:){7}([0-9a-f]{1,4}|:))|(([0-9a-f]{1,4}:){6}(:[0-9a-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){5}(((:[0-9a-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){4}(((:[0-9a-f]{1,4}){1,3})|((:[0-9a-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){3}(((:[0-9a-f]{1,4}){1,4})|((:[0-9a-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){2}(((:[0-9a-f]{1,4}){1,5})|((:[0-9a-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){1}(((:[0-9a-f]{1,4}){1,6})|((:[0-9a-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9a-f]{1,4}){1,7})|((:[0-9a-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?/
for ip_address in ip_addresses
#### General Cleanup
# Remove ending '.'
ip_address = ip_address.chomp
# Remove preceeding '.'# Don't ask.. reverse + chomp + reverse up to 16 times faster
ip_address = ip_address.reverse.chomp('.').reverse
# Remove ending or beginning whitespace
ip_address = ip_address.lstrip.rstrip
# Remove things that would make an IP a share but we want the IP :)
ip_address = ip_address.gsub(/^\\:?/, '')
# Downcase/lowercase for checking if possible ipv6
ip_address = ip_address.downcase
# Likely IPv4 #Check if at most 15 characters (a fully represented IPv4 address with periods\.) and minimum of 7
ip_address_length = ip_address.length
if !ip_address.include?(':') && !( /[a-z]/ === ip_address ) && ip_address_length <= 15 && ip_address_length >= 7 && ip_address.ascii_only?
# Remove any preceeding zeroes in each octet
temp_ip = Array.new
ip_address.split('.').each do |octet|
octet = octet.to_i.to_s
temp_ip.push(octet)
end
ip_address = temp_ip.join('.')
clean_ip_addresses_v4.push(ip_address)
# Likely IPv6 #Check if at most 39 characters (a fully represented IPv6 address with colons\:) and minimum of 2
elsif ip_address_length <= 39 && ip_address_length >= 2 && ip_address.ascii_only?
if ipv6_regex === ip_address
clean_ip_addresses_v6.push(ip_address)
else
not_ip_addresses.push(ip_address)
end
else
not_ip_addresses.push(ip_address)
end
end
# Set the new IP addresses
if !clean_ip_addresses_v4.empty?
event.set('src_nat_ip_addr', clean_ip_addresses_v4)
# Set the number of ip addresses so we can use array or non array later in pipeline
event.set('temp_number_of_ipv4_src_nat_addresses', clean_ip_addresses_v4.length)
else
event.remove('src_nat_ip_addr')
end
if !clean_ip_addresses_v6.empty?
event.set('ipv6_src_nat_addr', clean_ip_addresses_v6)
#TODO:eventually set ipv6 number of ip addresses
end
if !not_ip_addresses.empty?
event.set('not_ip_src_nat', not_ip_addresses)
end
"
tag_on_exception => "_rubyexception_8015"
}
}
}


@ -0,0 +1,131 @@
filter {
# If dst_ip_addr field exists from previous config settings
if [dst_ip_addr] {
mutate { add_field => { "z_logstash_pipeline" => "8112" } }
#TODO:could eventually make even faster by doing a if not begins/regex-starts with 0,1,2 then just immediatly set as ip is public else check the rest of stuff.
ruby {
code => "
# Get the ip address from the event
ip_addresses = event.get('dst_ip_addr')
ip_addresses_public = Array.new
ip_addresses_type = Array.new
for ip_address in ip_addresses
# Set IP type and public for now so easier checking later
ip_public = true
ip_type = 'public'
# Private/RFC1918
if ip_address.start_with?( '10.', '192.168.' )
ip_public = false
ip_type = 'private'
# (Local)link-local RFC3927
elsif ip_address.start_with?( '169.254.' )
ip_public = false
ip_type = 'local'
# Loopback RFC1122-3.2.1.3
elsif ip_address.start_with?( '127.' )
ip_public = false
ip_type = 'loopback'
# RFC 1122
elsif ip_address.start_with?('0.')
ip_public = false
ip_type = 'this_rfc1122'
# IPv6 to IP4 anycast RFC3068
elsif ip_address.start_with?( '192.88.99.' )
ip_public = false
ip_type = '6to4'
# Reserved RFC5736, RFC1122-3.2.1.3, RFC2544, RFC5737
elsif ip_address.start_with?( '0.', '192.0.0.', '192.0.1.', '192.0.2.', '192.18.', '192.19.', '198.51.100.', '203.0.113.' )
ip_public = false
ip_type = 'reserved'
# Private/RFC-1918 -- continued -- 172.16.0.0-17.31.255.255
elsif ip_address.start_with?( '172.' )
# Check if 2nd octet is in range(between) 16 to 31
if ip_address.split('.')[1].to_i.between?(16,31)
ip_public = false
ip_type = 'private'
end
# Private/RFC-1918 -- continued -- 100.64.0.1 - 100.127.255.254
elsif ip_address.start_with?( '100.' )
# Check if 2nd octet is in range(between) 64 to 127
if ip_address.split('.')[1].to_i.between?(64,127)
ip_public = false
ip_type = 'private'
end
# The remaining possible NON public/routable IPs begin with 2 and are either multicast or broadcast
elsif ip_address.start_with?( '2' )
# Broadcast
if ip_address == '255.255.255.255'
ip_public = false
ip_type = 'broadcast'
# Multicast
# Check if 1st octet is in range(between) 224 to 255
elsif ip_address.split('.')[0].to_i.between?(224,255)
ip_public = false
ip_type = 'multicast'
end
end
# set parameters for array
ip_addresses_public.push(ip_public)
ip_addresses_type.push(ip_type)
end
# Use to make array versus non array
# and then Set event parameters accordingly
if event.get('temp_number_of_ipv4_src_addresses') == 1
event.set('dst_ip_addr', ip_addresses[0])
event.set('dst_ip_public', ip_addresses_public[0])
event.set('dst_ip_type', ip_addresses_type[0])
else
event.set('dst_ip_public', ip_addresses_public)
event.set('dst_ip_type', ip_addresses_type)
# ip is already array so no need to set accordingly
end
"
tag_on_exception => "_rubyexception_8112"
remove_field => [ "temp_number_of_ipv4_dst_addresses" ]
}
# Perform GeoIP enrichment if is public / internet routable
if [dst_ip_public] {
# Geo Location
geoip {
source => "dst_ip_addr"
target => "meta_dst_ip_geo"
default_database_type => "City"
# database => "/usr/share/logstash/GeoIP/GeoLite2-City.mmdb"
# #TONOTE:It is important to note that this config value is global to the geoip_type. That is to say all instances of the geoip filter of the same geoip_type share the same cache. The last declared cache size will win. The reason for this is that there would be no benefit to having multiple caches for different instances at different points in the pipeline, that would just increase the number of cache misses and waste memory.
cache_size => 90000
remove_field => [ "[meta_dst_ip_geo][ip]", "[meta_dst_ip_geo][real_region_name]" ]
#tag_on_failure => [ "_geoip_ip_dst_failure", "_geoip_ip_dst_location_lookup_failure", "_geoip_lookup_failure" ]
# Do not tag, so we can use tags (if they only just even exist, versus each tag within) as a method to determine parsing failure(s) (much) easier.
tag_on_failure => [ ]
}
#QnVpbHQgYnkgTmF0ZSBHdWFnZW50aSBAbmV1NXJvbg==
# Geo ASName and ASNumber / BGP AS Info
geoip {
source => "dst_ip_addr"
target => "meta_dst_ip_geo"
default_database_type => "ASN"
# database => "/usr/share/logstash/GeoIP/GeoLite2-ASN.mmdb"
remove_field => [ "[meta_dst_ip_geo][ip]" ]
# tag_on_failure => [ "_geoip_ip_dst_failure", "_geoip_ip_dst_as_lookup_failure", "_geoip_lookup_failure" ]
# Do not tag, so we can use tags (if they only just even exist, versus each tag within) as a method to determine parsing failure(s) (much) easier.
tag_on_failure => [ ]
}
}
}
}
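Review bot: The array-versus-scalar decision at the end of the ruby block reads `temp_number_of_ipv4_src_addresses`, but this is the dst pipeline: the 8012 filter sets `temp_number_of_ipv4_dst_addresses`, and this very ruby filter removes that dst counter a few lines later, so for an event without a src address the comparison is never true and `dst_ip_addr`, `dst_ip_public` and `dst_ip_type` stay arrays even for a single address, while for an event with both the dst shape is decided by the src count. Change it to `if event.get('temp_number_of_ipv4_dst_addresses') == 1`. A smaller point: the `'0.'` entry in the reserved branch is unreachable because the `this_rfc1122` branch above already matches it, and the comment on the `100.` branch labels 100.64/10 as RFC 1918 although that block is the RFC 6598 shared address space; the code itself is fine, only the label.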


@ -0,0 +1,130 @@
filter {
# If src_ip_addr field exists from previous config settings
if [src_ip_addr] {
mutate { add_field => { "z_logstash_pipeline" => "8113" } }
#TODO:could eventually make even faster by doing a if not begins/regex-starts with 0,1,2 then just immediatly set as ip is public else check the rest of stuff.
ruby {
code => "
# Get the ip address from the event
ip_addresses = event.get('src_ip_addr')
ip_addresses_public = Array.new
ip_addresses_type = Array.new
for ip_address in ip_addresses
# Set IP type and public for now so easier checking later
ip_public = true
ip_type = 'public'
# Private/RFC1918
if ip_address.start_with?( '10.', '192.168.' )
ip_public = false
ip_type = 'private'
# (Local)link-local RFC3927
elsif ip_address.start_with?( '169.254.' )
ip_public = false
ip_type = 'local'
# Loopback RFC1122-3.2.1.3
elsif ip_address.start_with?( '127.' )
ip_public = false
ip_type = 'loopback'
# RFC 1122
elsif ip_address.start_with?('0.')
ip_public = false
ip_type = 'this_rfc1122'
# IPv6 to IP4 anycast RFC3068
elsif ip_address.start_with?( '192.88.99.' )
ip_public = false
ip_type = '6to4'
# Reserved RFC5736, RFC1122-3.2.1.3, RFC2544, RFC5737
elsif ip_address.start_with?( '0.', '192.0.0.', '192.0.1.', '192.0.2.', '192.18.', '192.19.', '198.51.100.', '203.0.113.' )
ip_public = false
ip_type = 'reserved'
# Private/RFC-1918 -- continued -- 172.16.0.0-17.31.255.255
elsif ip_address.start_with?( '172.' )
# Check if 2nd octet is in range(between) 16 to 31
if ip_address.split('.')[1].to_i.between?(16,31)
ip_public = false
ip_type = 'private'
end
# Private/RFC-1918 -- continued -- 100.64.0.1 - 100.127.255.254
elsif ip_address.start_with?( '100.' )
# Check if 2nd octet is in range(between) 64 to 127
if ip_address.split('.')[1].to_i.between?(64,127)
ip_public = false
ip_type = 'private'
end
# The remaining possible NON public/routable IPs begin with 2 and are either multicast or broadcast
elsif ip_address.start_with?( '2' )
# Broadcast
if ip_address == '255.255.255.255'
ip_public = false
ip_type = 'broadcast'
# Multicast
# Check if 1st octet is in range(between) 224 to 255
elsif ip_address.split('.')[0].to_i.between?(224,255)
ip_public = false
ip_type = 'multicast'
end
end
# set parameters for array
ip_addresses_public.push(ip_public)
ip_addresses_type.push(ip_type)
end
# Use to make array versus non array
# and then Set event parameters accordingly
if event.get('temp_number_of_ipv4_src_addresses') == 1
event.set('src_ip_addr', ip_addresses[0])
event.set('src_ip_public', ip_addresses_public[0])
event.set('src_ip_type', ip_addresses_type[0])
else
event.set('src_ip_public', ip_addresses_public)
event.set('src_ip_type', ip_addresses_type)
# ip is already array so no need to set accordingly
end
"
tag_on_exception => "_rubyexception_8113"
}
# Perform GeoIP enrichment if is public / internet routable
if [src_ip_public] {
# Geo Location
geoip {
source => "src_ip_addr"
target => "meta_src_ip_geo"
default_database_type => "City"
# database => "/usr/share/logstash/GeoIP/GeoLite2-City.mmdb"
# #TONOTE:It is important to note that this config value is global to the geoip_type. That is to say all instances of the geoip filter of the same geoip_type share the same cache. The last declared cache size will win. The reason for this is that there would be no benefit to having multiple caches for different instances at different points in the pipeline, that would just increase the number of cache misses and waste memory.
cache_size => 90000
remove_field => [ "[meta_src_ip_geo][ip]", "[meta_src_ip_geo][real_region_name]" ]
# tag_on_failure => [ "_geoip_ip_src_location_lookup_failure", "_geoip_lookup_failure" ]
# Do not tag, so we can use tags (if they only just even exist, versus each tag within) as a method to determine parsing failure(s) (much) easier.
tag_on_failure => [ ]
}
#QnVpbHQgYnkgTmF0ZSBHdWFnZW50aSBAbmV1NXJvbg==
# Geo ASName and ASNumber / BGP AS Info
geoip {
source => "src_ip_addr"
target => "meta_src_ip_geo"
default_database_type => "ASN"
# database => "/usr/share/logstash/GeoIP/GeoLite2-ASN.mmdb"
remove_field => [ "[meta_src_ip_geo][ip]" ]
# tag_on_failure => [ "_geoip_ip_src_as_lookup_failure", "_geoip_lookup_failure" ]
# Do not tag, so we can use tags (if they only just even exist, versus each tag within) as a method to determine parsing failure(s) (much) easier.
tag_on_failure => [ ]
}
}
}
}
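Review bot: Unlike the dst counterpart (8112), the ruby filter here has no `remove_field`, so the helper counter `temp_number_of_ipv4_src_addresses` set by the 8013 filter is indexed with every event that carries a src address. Add `remove_field => [ "temp_number_of_ipv4_src_addresses" ]` next to `tag_on_exception`, mirroring 8112. As in 8112, the `'0.'` entry in the reserved branch is unreachable because the earlier `this_rfc1122` branch already matches it.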


@ -0,0 +1,131 @@
filter {
# If dst_nat_ip_addr field exists from previous config settings
if [dst_nat_ip_addr] {
mutate { add_field => { "z_logstash_pipeline" => "8114" } }
#TODO:could eventually make even faster by doing a if not begins/regex-starts with 0,1,2 then just immediatly set as ip is public else check the rest of stuff.
ruby {
code => "
# Get the ip address from the event
ip_addresses = event.get('dst_nat_ip_addr')
ip_addresses_public = Array.new
ip_addresses_type = Array.new
for ip_address in ip_addresses
# Set IP type and public for now so easier checking later
ip_public = true
ip_type = 'public'
# Private/RFC1918
if ip_address.start_with?( '10.', '192.168.' )
ip_public = false
ip_type = 'private'
# (Local)link-local RFC3927
elsif ip_address.start_with?( '169.254.' )
ip_public = false
ip_type = 'local'
# Loopback RFC1122-3.2.1.3
elsif ip_address.start_with?( '127.' )
ip_public = false
ip_type = 'loopback'
# RFC 1122
elsif ip_address.start_with?('0.')
ip_public = false
ip_type = 'this_rfc1122'
# IPv6 to IP4 anycast RFC3068
elsif ip_address.start_with?( '192.88.99.' )
ip_public = false
ip_type = '6to4'
# Reserved RFC5736, RFC1122-3.2.1.3, RFC2544, RFC5737
elsif ip_address.start_with?( '0.', '192.0.0.', '192.0.1.', '192.0.2.', '192.18.', '192.19.', '198.51.100.', '203.0.113.' )
ip_public = false
ip_type = 'reserved'
# Private/RFC-1918 -- continued -- 172.16.0.0-17.31.255.255
elsif ip_address.start_with?( '172.' )
# Check if 2nd octet is in range(between) 16 to 31
if ip_address.split('.')[1].to_i.between?(16,31)
ip_public = false
ip_type = 'private'
end
# Private/RFC-1918 -- continued -- 100.64.0.1 - 100.127.255.254
elsif ip_address.start_with?( '100.' )
# Check if 2nd octet is in range(between) 64 to 127
if ip_address.split('.')[1].to_i.between?(64,127)
ip_public = false
ip_type = 'private'
end
# The remaining possible NON public/routable IPs begin with 2 and are either multicast or broadcast
elsif ip_address.start_with?( '2' )
# Broadcast
if ip_address == '255.255.255.255'
ip_public = false
ip_type = 'broadcast'
# Multicast
# Check if 1st octet is in range(between) 224 to 255
elsif ip_address.split('.')[0].to_i.between?(224,255)
ip_public = false
ip_type = 'multicast'
end
end
# set parameters for array
ip_addresses_public.push(ip_public)
ip_addresses_type.push(ip_type)
end
# Use to make array versus non array
# and then Set event parameters accordingly
if event.get('temp_number_of_ipv4_dst_nat_addresses') == 1
event.set('dst_nat_ip_addr', ip_addresses[0])
event.set('dst_nat_ip_public', ip_addresses_public[0])
event.set('dst_nat_ip_type', ip_addresses_type[0])
else
event.set('dst_nat_ip_public', ip_addresses_public)
event.set('dst_nat_ip_type', ip_addresses_type)
# ip is already array so no need to set accordingly
end
"
tag_on_exception => "_rubyexception_8114"
remove_field => [ "temp_number_of_ipv4_dst_nat_addresses" ]
}
# Perform GeoIP enrichment if is public / internet routable
if [dst_nat_ip_public] {
# Geo Location
geoip {
source => "dst_nat_ip_addr"
target => "meta_dst_nat_ip_geo"
default_database_type => "City"
# database => "/usr/share/logstash/GeoIP/GeoLite2-City.mmdb"
# #TONOTE:It is important to note that this config value is global to the geoip_type. That is to say all instances of the geoip filter of the same geoip_type share the same cache. The last declared cache size will win. The reason for this is that there would be no benefit to having multiple caches for different instances at different points in the pipeline, that would just increase the number of cache misses and waste memory.
cache_size => 90000
remove_field => [ "[meta_dst_nat_ip_geo][ip]", "[meta_dst_nat_ip_geo][real_region_name]" ]
# tag_on_failure => [ "_geo_ip_dst_nat_location_lookup_failure", "_geoip_lookup_failure" ]
# Do not tag, so we can use tags (if they only just even exist, versus each tag within) as a method to determine parsing failure(s) (much) easier.
tag_on_failure => [ ]
}
#QnVpbHQgYnkgTmF0ZSBHdWFnZW50aSBAbmV1NXJvbg==
# Geo ASName and ASNumber / BGP AS Info
geoip {
source => "dst_nat_ip_addr"
target => "meta_dst_nat_ip_geo"
default_database_type => "ASN"
# database => "/usr/share/logstash/GeoIP/GeoLite2-ASN.mmdb"
remove_field => [ "[meta_dst_nat_ip_geo][ip]" ]
# tag_on_failure => [ "_geo_ip_dst_nat_as_lookup_failure", "_geoip_lookup_failure" ]
# Do not tag, so we can use tags (if they only just even exist, versus each tag within) as a method to determine parsing failure(s) (much) easier.
tag_on_failure => [ ]
}
}
}
}
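Review bot: The reserved-range branch `elsif ip_address.start_with?( '0.', '192.0.0.', '192.0.1.', '192.0.2.', '192.18.', '192.19.', '198.51.100.', '203.0.113.' )` uses 192.18.x and 192.19.x, but the RFC 2544 benchmarking block is 198.18.0.0/15, so two publicly routable /16s are classified as `reserved` and skip GeoIP while real 198.18.x/198.19.x traffic is treated as public and enriched; the leading `'0.'` in that list is also dead because the earlier `start_with?('0.')` branch already consumed it. Suggested line: `elsif ip_address.start_with?( '192.0.0.', '192.0.1.', '192.0.2.', '198.18.', '198.19.', '198.51.100.', '203.0.113.' )`. Separately, the 100.64.0.0/10 branch is commented as RFC 1918 private, but that block is RFC 6598 shared address space (carrier-grade NAT); giving it its own `ip_type` such as `'shared'` keeps it distinguishable from true internal ranges when detections pivot on `dst_nat_ip_type`.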


@ -0,0 +1,131 @@
filter {
# If src_nat_ip_addr field exists from previous config settings
if [src_nat_ip_addr] {
mutate { add_field => { "z_logstash_pipeline" => "8115" } }
#TODO:could eventually make even faster by doing a if not begins/regex-starts with 0,1,2 then just immediatly set as ip is public else check the rest of stuff.
ruby {
code => "
# Get the ip address from the event
ip_addresses = event.get('src_nat_ip_addr')
ip_addresses_public = Array.new
ip_addresses_type = Array.new
for ip_address in ip_addresses
# Set IP type and public for now so easier checking later
ip_public = true
ip_type = 'public'
# Private/RFC1918
if ip_address.start_with?( '10.', '192.168.' )
ip_public = false
ip_type = 'private'
# (Local)link-local RFC3927
elsif ip_address.start_with?( '169.254.' )
ip_public = false
ip_type = 'local'
# Loopback RFC1122-3.2.1.3
elsif ip_address.start_with?( '127.' )
ip_public = false
ip_type = 'loopback'
# RFC 1122
elsif ip_address.start_with?('0.')
ip_public = false
ip_type = 'this_rfc1122'
# IPv6 to IP4 anycast RFC3068
elsif ip_address.start_with?( '192.88.99.' )
ip_public = false
ip_type = '6to4'
# Reserved RFC5736, RFC1122-3.2.1.3, RFC2544, RFC5737
elsif ip_address.start_with?( '0.', '192.0.0.', '192.0.1.', '192.0.2.', '192.18.', '192.19.', '198.51.100.', '203.0.113.' )
ip_public = false
ip_type = 'reserved'
# Private/RFC-1918 -- continued -- 172.16.0.0-17.31.255.255
elsif ip_address.start_with?( '172.' )
# Check if 2nd octet is in range(between) 16 to 31
if ip_address.split('.')[1].to_i.between?(16,31)
ip_public = false
ip_type = 'private'
end
# Private/RFC-1918 -- continued -- 100.64.0.1 - 100.127.255.254
elsif ip_address.start_with?( '100.' )
# Check if 2nd octet is in range(between) 64 to 127
if ip_address.split('.')[1].to_i.between?(64,127)
ip_public = false
ip_type = 'private'
end
# The remaining possible NON public/routable IPs begin with 2 and are either multicast or broadcast
elsif ip_address.start_with?( '2' )
# Broadcast
if ip_address == '255.255.255.255'
ip_public = false
ip_type = 'broadcast'
# Multicast
# Check if 1st octet is in range(between) 224 to 255
elsif ip_address.split('.')[0].to_i.between?(224,255)
ip_public = false
ip_type = 'multicast'
end
end
# set parameters for array
ip_addresses_public.push(ip_public)
ip_addresses_type.push(ip_type)
end
# Use to make array versus non array
# and then Set event parameters accordingly
if event.get('temp_number_of_ipv4_src_nat_addresses') == 1
event.set('src_nat_ip_addr', ip_addresses[0])
event.set('src_nat_ip_public', ip_addresses_public[0])
event.set('src_nat_ip_type', ip_addresses_type[0])
else
event.set('src_nat_ip_public', ip_addresses_public)
event.set('src_nat_ip_type', ip_addresses_type)
# ip is already array so no need to set accordingly
end
"
tag_on_exception => "_rubyexception_8115"
remove_field => [ "temp_number_of_ipv4_src_nat_addresses" ]
}
# Perform GeoIP enrichment if is public / internet routable
if [src_nat_ip_public] {
# Geo Location
geoip {
source => "src_nat_ip_addr"
target => "meta_src_nat_ip_geo"
default_database_type => "City"
# database => "/usr/share/logstash/GeoIP/GeoLite2-City.mmdb"
# #TONOTE:It is important to note that this config value is global to the geoip_type. That is to say all instances of the geoip filter of the same geoip_type share the same cache. The last declared cache size will win. The reason for this is that there would be no benefit to having multiple caches for different instances at different points in the pipeline, that would just increase the number of cache misses and waste memory.
cache_size => 90000
remove_field => [ "[meta_src_nat_ip_geo][ip]", "[meta_src_nat_ip_geo][real_region_name]" ]
# tag_on_failure => [ "_geo_ip_src_nat_location_lookup_failure", "_geoip_lookup_failure" ]
# Do not tag, so we can use tags (if they only just even exist, versus each tag within) as a method to determine parsing failure(s) (much) easier.
tag_on_failure => [ ]
}
#QnVpbHQgYnkgTmF0ZSBHdWFnZW50aSBAbmV1NXJvbg==
# Geo ASName and ASNumber / BGP AS Info
geoip {
source => "src_nat_ip_addr"
target => "meta_src_nat_ip_geo"
default_database_type => "ASN"
# database => "/usr/share/logstash/GeoIP/GeoLite2-ASN.mmdb"
remove_field => [ "[meta_src_nat_ip_geo][ip]" ]
# tag_on_failure => [ "_geo_ip_src_nat_as_lookup_failure", "_geoip_lookup_failure" ]
# Do not tag, so we can use tags (if they only just even exist, versus each tag within) as a method to determine parsing failure(s) (much) easier.
tag_on_failure => [ ]
}
}
}
}
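Review bot: Any value that is not a dotted-quad IPv4 string falls through every `start_with?` branch and keeps the initial `ip_public = true` / `ip_type = 'public'`, so an IPv6 loopback (`::1`), link-local (`fe80::`) or ULA (`fc00::/7`) source NAT address would be marked public, sent to GeoIP, and make `src_nat_ip_public` an unreliable "external" signal for detections. The temp field name `temp_number_of_ipv4_src_nat_addresses` suggests an upstream filter may already restrict this to IPv4; if that is not guaranteed, a guard at the top of the loop that records non-IPv4 values as `'unknown'` and never defaults them to public would close the gap (the trade-off is that IPv6 global addresses then skip GeoIP until a v6 classifier is added). The reserved branch here carries the same `'192.18.'`/`'192.19.'` prefixes, which should be `'198.18.'`/`'198.19.'` for the RFC 2544 range.
```ruby
for ip_address in ip_addresses
  # Only dotted-quad IPv4 is classified below; anything else must not default to public
  unless ip_address.to_s =~ /\A\d{1,3}(\.\d{1,3}){3}\z/
    ip_addresses_public.push(false)
    ip_addresses_type.push('unknown')
    next
  end
  ip_public = true
  ip_type = 'public'
  # … unchanged: prefix classification and array push …
end
```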


@ -8,10 +8,8 @@ output {
elasticsearch {
hosts => ["helk-elasticsearch:9200"]
index => "logs-endpoint-winevent-sysmon-%{+YYYY.MM.dd}"
template => "/usr/share/logstash/output_templates/winevent-sysmon-template.json"
template_name => "logs-endpoint-winevent-sysmon"
template_overwrite => true
document_id => "%{[@metadata][log_hash]}"
document_type => "_doc"
}
kafka {
bootstrap_servers => "helk-kafka-broker:9092"
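Review bot: With the `template`, `template_name` and `template_overwrite` lines removed and no `manage_template => false` added, this elasticsearch output falls back to the plugin default of installing Logstash's built-in `logstash` template on startup, whereas the powershell output in this same change sets `manage_template => false`, so the winevent outputs are now inconsistent. If index templates are meant to be managed outside the pipeline, add `manage_template => false` here and in the security, system, application and wmiactivity outputs so the pipeline never writes cluster template state it does not own. The enclosing output block starts before the hunk.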


@ -8,10 +8,8 @@ output {
elasticsearch {
hosts => ["helk-elasticsearch:9200"]
index => "logs-endpoint-winevent-security-%{+YYYY.MM.dd}"
template => "/usr/share/logstash/output_templates/winevent-security-template.json"
template_name => "logs-endpoint-winevent-security"
template_overwrite => true
document_id => "%{[@metadata][log_hash]}"
document_type => "_doc"
}
kafka {
bootstrap_servers => "helk-kafka-broker:9092"
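Review bot: `document_id => "%{[@metadata][log_hash]}"` has no fallback: when `[@metadata][log_hash]` is absent on an event, Logstash passes the unresolved literal `%{[@metadata][log_hash]}` as the `_id`, so every such event overwrites the previous one and the security index silently keeps a single document for all of them, which is a log-suppression path for a SIEM. I cannot see where log_hash is computed, so how often this can happen depends on that filter's failure mode, but guarding the output with `if [@metadata][log_hash] { … } else { … }` (a second elasticsearch block without `document_id` plus a tag) makes the loss visible instead of silent. The enclosing output block starts before the hunk.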


@ -8,10 +8,8 @@ output {
elasticsearch {
hosts => ["helk-elasticsearch:9200"]
index => "logs-endpoint-winevent-system-%{+YYYY.MM.dd}"
template => "/usr/share/logstash/output_templates/winevent-system-template.json"
template_name => "logs-endpoint-winevent-system"
template_overwrite => true
document_id => "%{[@metadata][log_hash]}"
document_type => "_doc"
}
}
}


@ -8,10 +8,8 @@ output {
elasticsearch {
hosts => ["helk-elasticsearch:9200"]
index => "logs-endpoint-winevent-application-%{+YYYY.MM.dd}"
template => "/usr/share/logstash/output_templates/winevent-application-template.json"
template_name => "logs-endpoint-winevent-application"
template_overwrite => true
document_id => "%{[@metadata][log_hash]}"
document_type => "_doc"
}
}
}


@ -7,9 +7,9 @@ output {
if [source_name] == "Microsoft-Windows-PowerShell" or [source_name] == "PowerShell"{
elasticsearch {
hosts => ["helk-elasticsearch:9200"]
manage_template => false
index => "logs-endpoint-winevent-powershell-%{+YYYY.MM.dd}"
document_id => "%{[@metadata][log_hash]}"
document_type => "_doc"
}
}
}


@ -8,10 +8,8 @@ output {
elasticsearch {
hosts => ["helk-elasticsearch:9200"]
index => "logs-endpoint-winevent-wmiactivity-%{+YYYY.MM.dd}"
template => "/usr/share/logstash/output_templates/winevent-wmiactivity-template.json"
template_name => "logs-endpoint-winevent-wmiactivity"
template_overwrite => true
document_id => "%{[@metadata][log_hash]}"
document_type => "_doc"
}
}
}


@ -9,6 +9,7 @@ output {
elasticsearch {
hosts => ["helk-elasticsearch:9200"]
index => "mitre-attack-%{+YYYY.MM.dd}"
document_type => "_doc"
}
}
}
}


@ -1,15 +1,91 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
server_name 127.0.0.1;
return 301 https://$host$request_uri;
}
server {
## Log location ##
#access_log /var/log/nginx/kibana.access.log;
#error_log /var/log/nginx/kibana.error.log;
## End ##
## (Web) Server Configuration ##
listen 443 ssl;
ssl_certificate_key /etc/ssl/private/HELK_Nginx.key;
ssl_certificate /etc/ssl/certs/HELK_Nginx.crt;
ssl_session_cache shared:SSL:10m;
## End ##
## Hide Version ##
server_tokens off;
## End ##
## Local Authentication ##
auth_basic "Restricted Access";
auth_basic_user_file /etc/nginx/htpasswd.users;
## End ##
## Some Hardening/Security ##
# Web Server Attack (ie: XSS, Clickjacking)
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options "SAMEORIGIN";
# BufferOverflow Hardening
client_body_buffer_size 100K;
client_header_buffer_size 1k;
client_max_body_size 150k;
# TLS/SSL
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:@STRENGTH";
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
# HTTP Methods
# DELETE is required for some index management
if ($request_method !~ ^(GET|PUT|POST|DELETE)$ ) {
return 444;
}
## End ##
## Timeout definitions ##
proxy_connect_timeout 900;
proxy_send_timeout 600;
proxy_read_timeout 600;
listen 80;
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 10 10;
send_timeout 10;
## End ##
server_name 127.0.0.1;
## Performance Tuning ##
gzip on;
gzip_comp_level 1;
gzip_min_length 1000;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
## End ##
auth_basic "Restricted Access";
auth_basic_user_file /etc/nginx/htpasswd.users;
## Kibana Settings / Kibana Proxy ##
# Kibana generates really long URI's so need to set this
large_client_header_buffers 4 16k;
# Cache static resources that are regularly requested
location ~ \.(jpg|png|ico|svg|woff2)$ {
proxy_pass http://helk-kibana:5601;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_cache kibana_cache;
add_header Cache-Control "public";
expires 12h;
}
# Proxy forward to elasticsearch
location / {
proxy_pass http://helk-kibana:5601;
proxy_http_version 1.1;
@ -18,4 +94,21 @@ server {
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
## End ##
## Jupyter Proxy ##
location /jupyter/ {
if ($scheme = 'http') {
#Insecure, lets go to https
rewrite ^/(.*)$ https://$host/$1 redirect;
}
proxy_pass http://helk-jupyter:8000;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# websocket headers
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
## End ##
}
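Review bot: `add_header Cache-Control "public"` inside the static-asset `location ~ \.(jpg|png|ico|svg|woff2)$` block stops inheritance of the server-level `add_header` set (nginx only inherits add_header from the outer level when the current level defines none), so images, icons and fonts are served without HSTS, X-Frame-Options, nosniff or X-XSS-Protection. There are also two conflicting `X-Frame-Options` headers (`DENY` and, three lines later, `"SAMEORIGIN"`); browsers handle duplicate values inconsistently, so keep exactly one. The `ssl_ciphers` string still admits 3DES suites (`ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`; `!DES` does not exclude them) and no `ssl_protocols` is set, so whatever the nginx build defaults to applies; add `ssl_protocols TLSv1.2;` and append `:!3DES` to the cipher list. The same static-asset block hard-codes `proxy_set_header Connection 'upgrade'` instead of the `$connection_upgrade` map this change introduces, which sends an upgrade Connection header on ordinary asset fetches.
```nginx
    location ~ \.(jpg|png|ico|svg|woff2)$ {
        proxy_pass http://helk-kibana:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_cache kibana_cache;
        # add_header in a location replaces the server-level set, so repeat the security headers here
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
        add_header Cache-Control "public";
        expires 12h;
    }
```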