Added field mappings
Field mappings required for integration of Windows Sigma rules.keyword-vs-text-changes
parent
0519db370a
commit
e70eafce09
|
@ -298,7 +298,7 @@ filter {
|
|||
remove_field => "[event_data][UtcTime]"
|
||||
remove_field => "[event_data][CreationUtcTime]"
|
||||
remove_field => "[event_data][PreviousCreationUtcTime]"
|
||||
remove_field => "[user]"
|
||||
rename => { "[event_data][User]" => "user"}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
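Review bot: The rename `"[event_data][User]" => "user"` writes a plain string onto `user`, while the System-log filter in this same commit still addresses `user` as an object (`"[user][domain]" => "user_domain"`); if the `remove_field => "[user]"` line is the one being dropped in favor of the rename, events from different sources will carry `user` as both an object and a string, which the index mapping is unlikely to accept. Keep `remove_field => "[user]"` ahead of the rename, or rename into a field name that is not also used as an object elsewhere. Which of the two lines is old and which is new is not recoverable from the rendered hunk, so confirm against the raw diff; the enclosing mutate block starts outside the hunk.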
|
|
@ -79,6 +79,39 @@ filter {
|
|||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4625 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4625.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][SubjectUserSid]" => "reporter_user_sid"
|
||||
"[event_data][SubjectUserName]" => "reporter_user_name"
|
||||
"[event_data][SubjectDomainName]" => "reporter_user_domain"
|
||||
"[event_data][SubjectLogonId]" => "reporter_logon_id"
|
||||
"[event_data][ProcessId]" => "process_id"
|
||||
"[event_data][ProcessName]" => "process_path"
|
||||
"[event_data][LogonType]" => "logon_type"
|
||||
"[event_data][TargetUserName]" => "user_name"
|
||||
"[event_data][TargetDomainName]" => "user_domain"
|
||||
"[event_data][TargetUserSid]" => "user_sid"
|
||||
"[event_data][WorkstationName]" => "src_host"
|
||||
"[event_data][IpAddress]" => "src_ip"
|
||||
"[event_data][IpPort]" => "src_port_number"
|
||||
"[event_data][LogonProcessName]" => "logon_process_name"
|
||||
"[event_data][AuthenticationPackageName]" => "logon_authentication_package"
|
||||
"[event_data][TransmittedServices]" => "logon_transmitted_services"
|
||||
"[event_data][LmPackageName]" => "logon_package_name"
|
||||
"[event_data][KeyLength]" => "logon_key_length"
|
||||
"[event_data][FailureReason]" => "logon_failure_reason"
|
||||
"[event_data][Status]" => "logon_failure_status"
|
||||
"[event_data][SubStatus]" => "logon_failure_substatus"
|
||||
}
|
||||
}
|
||||
if "logon_elevated_token" == "Yes"{
|
||||
mutate {
|
||||
add_tag => ["elevated_logon"]
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4627 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4627.md
|
||||
mutate {
|
||||
|
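Review bot: `if "logon_elevated_token" == "Yes"{` compares two string literals, so the branch never runs and the `elevated_logon` tag is never added; the field reference needs brackets, `if [logon_elevated_token] == "Yes" {`. Even with that fix, the rename map above it does not produce a `logon_elevated_token` field for 4625, so the tag can only be set if some filter outside this hunk creates that field first — check the event's documented fields (linked in the comment above the mutate) before keeping this conditional inside the 4625 branch, otherwise anything keyed on the tag will quietly match nothing. The 4627 block that follows is cut off at the end of the hunk.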
@ -167,6 +200,27 @@ filter {
|
|||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4657 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4657.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][SubjectDomainName]" => "user_domain"
|
||||
"[event_data][SubjectLogonId]" => "user_logon_id"
|
||||
"[event_data][SubjectUserName]" => "user_name"
|
||||
"[event_data][SubjectUserSid]" => "user_sid"
|
||||
"[event_data][ObjectName]" => "object_name"
|
||||
"[event_data][ObjectValueName]" => "object_value_name"
|
||||
"[event_data][HandleId]" => "object_access_handle_id"
|
||||
"[event_data][OperationType]" => "object_operation_type"
|
||||
"[event_data][ProcessId]" => "process_id"
|
||||
"[event_data][ProcessName]" => "process_path"
|
||||
"[event_data][OldValueType]" => "object_value_old_type"
|
||||
"[event_data][OldValue]" => "object_value_old"
|
||||
"[event_data][NewValueType]" => "object_value_new_type"
|
||||
"[event_data][NewValue]" => "object_value_new"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 4658 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4658.md
|
||||
mutate {
|
||||
|
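Review bot: `"[event_data][OperationType]" => "object_operation_type"` names the same source field differently from the 5136 block later in this commit, where it becomes `dsoperation_type`. If the per-event vocabulary is deliberate, a one-line comment at the top of the rename, such as `# object_* names are shared with the other object-access events (4658 etc.)`, would keep the next reader from reading it as a typo; if it is not, one target name per source field keeps rule field mappings one-to-one. The 4658 block that follows is cut off at the end of the hunk.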
@ -292,6 +346,7 @@ filter {
|
|||
rename => {
|
||||
"[event_data][NewProcessId]" => "process_id"
|
||||
"[event_data][NewProcessName]" => "process_path"
|
||||
"[event_data][CommandLine]" => "command_line"
|
||||
"[event_data][ParentProcessName]" => "process_parent_path"
|
||||
"[event_data][SubjectDomainName]" => "user_domain"
|
||||
"[event_data][SubjectLogonId]" => "user_logon_id"
|
||||
|
@ -498,6 +553,7 @@ filter {
|
|||
if [event_id] == 4768 or [event_id] == 4769 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4768.md
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4769.md
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4771.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][TargetDomainName]" => "user_domain"
|
||||
|
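Review bot: The documentation link for event 4771 sits in a block whose condition is `if [event_id] == 4768 or [event_id] == 4769 {`, so 4771 events never reach these renames; either extend the condition with `or [event_id] == 4771` (the `[event_data][FailureCode]` rename in the following hunk only helps if that event is actually handled) or drop the comment so it does not suggest coverage that is not there. Which line in this hunk is the new one is not certain from the rendered page; the block continues past the end of the hunk.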
@ -511,6 +567,7 @@ filter {
|
|||
"[event_data][Status]" => "service_ticket_status"
|
||||
"[event_data][TicketEncryptionType]" => "ticket_encryption_type"
|
||||
"[event_data][TicketOptions]" => "ticket_options"
|
||||
"[event_data][FailureCode]" => "ticket_failure_code"
|
||||
"[event_data][TransmittedServices]" => "service_ticket_requested"
|
||||
"[event_data][TargetSid]" => "user_sid"
|
||||
}
|
||||
|
@ -623,6 +680,28 @@ filter {
|
|||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 5136 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5136.md
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][SubjectDomainName]" => "user_domain"
|
||||
"[event_data][SubjectLogonId]" => "user_logon_id"
|
||||
"[event_data][SubjectUserName]" => "user_name"
|
||||
"[event_data][SubjectUserSid]" => "user_sid"
|
||||
"[event_data][OpCorrelationID]" => "dsoperation_correlation_id"
|
||||
"[event_data][AppCorrelationID]" => "dsoperation_app_correlation_id"
|
||||
"[event_data][DSName]" => "dsobject_domain"
|
||||
"[event_data][DSType]" => "dsobject_domain_type"
|
||||
"[event_data][ObjectDN]" => "dsobject_dn"
|
||||
"[event_data][ObjectGUID]" => "dsobject_guid"
|
||||
"[event_data][ObjectClass]" => "dsobject_class"
|
||||
"[event_data][AttributeLDAPDisplayName]" => "dsobject_attribute_name"
|
||||
"[event_data][AttributeSyntaxOID]" => "dsobject_attribute_type"
|
||||
"[event_data][AttributeValue]" => "dsobject_attribute_value"
|
||||
"[event_data][OperationType]" => "dsoperation_type"
|
||||
}
|
||||
}
|
||||
}
|
||||
if [event_id] == 5140 or [event_id] == 5145 {
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5140.md
|
||||
# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5145.md
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
# License: BSD 3-Clause
|
||||
|
||||
filter {
|
||||
if [log_name] == "System"{
|
||||
if [log_name] == "System" {
|
||||
if [event_id] == 7045 {
|
||||
# https://cyberwardog.blogspot.com/2017/04/chronicles-of-threat-hunter-hunting-for_11.html
|
||||
mutate {
|
||||
|
@ -21,6 +21,16 @@ filter {
|
|||
remove_field => "process_id"
|
||||
}
|
||||
}
|
||||
if [event_id] == 16 {
|
||||
mutate {
|
||||
rename => {
|
||||
"[event_data][HiveName]" => "hive_name"
|
||||
"[event_data][HiveNameLength]" => "hive_name_length"
|
||||
"[event_data][KeysUpdated]" => "hive_keys_updated"
|
||||
"[event_data][DirtyPages]" => "hive_dirty_pages"
|
||||
}
|
||||
}
|
||||
}
|
||||
mutate {
|
||||
rename => {
|
||||
"[user][domain]" => "user_domain"
|
||||
|
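Review bot: The new `if [event_id] == 16 {` block is the only rename block in this commit with no comment saying where its field names (`HiveName`, `HiveNameLength`, `KeysUpdated`, `DirtyPages`) come from; the 7045 block above cites a `# https://…` reference and the Security-log blocks cite the Microsoft auditing docs, so add a comparable source line above `mutate {`. Also, event IDs are only meaningful per provider, and this block is qualified solely by the enclosing `[log_name] == "System"` check; if these fields belong to one provider, consider guarding on the event's provider/source field too so unrelated ID-16 events are not renamed into `hive_*`. The enclosing `[log_name] == "System"` block and the mutate after it start and end outside this hunk.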
@ -30,6 +40,6 @@ filter {
|
|||
"computer_name" => "host_name"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|