diff --git a/packages/windows/1.12.1/changelog.yml b/packages/windows/1.12.1/changelog.yml
new file mode 100755
index 0000000000..929b94b614
--- /dev/null
+++ b/packages/windows/1.12.1/changelog.yml
@@ -0,0 +1,219 @@
+# newer versions go on top
+- version: "1.12.1"
+ changes:
+ - description: Drop unset fields in sysmon_operational data stream.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3283
+- version: "1.12.0"
+ changes:
+ - description: Support for Sysmon Registry non-QWORD/DWORD events
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2962
+- version: "1.11.0"
+ changes:
+ - description: Add parent process ID to security event for new process creation.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2966
+- version: "1.10.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.10.0"
+ changes:
+ - description: Add sysmon event 26 handling
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2566
+ - description: Normalise field order and remove event.ingested
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2566
+- version: "1.9.0"
+ changes:
+ - description: Expose winlog input ignore_older option.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2542
+ - description: Fix preserve original event option
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2542
+ - description: Make order of options consistent with other winlog based integrations.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2542
+- version: "1.8.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2515
+- version: "1.7.0"
+ changes:
+ - description: Add provider name check to forwarded/security conditional.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2527
+- version: "1.6.0"
+ changes:
+ - description: Expose winlog input language option.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2344
+- version: "1.5.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "1.5.0"
+ changes:
+ - description: Support Kibana 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2179
+- version: "1.4.0"
+ changes:
+ - description: Don't split hyphenated tokens for PowerShell scripts
+ type: enhancement
+ link: https://github.com/elastic/integrations/issues/1931
+- version: "1.3.3"
+ changes:
+ - description: Uniform with guidelines
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2080
+- version: "1.3.2"
+ changes:
+ - description: Fix processors configuration
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2113
+- version: "1.3.1"
+ changes:
+ - description: Update Splunk input description
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2067
+- version: "1.3.0"
+ changes:
+ - description: Consistently map message field in Windows integrations.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2008
+- version: "1.2.3"
+ changes:
+ - description: Fix ingest pipeline templating for related.ip
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1920
+- version: "1.2.2"
+ changes:
+ - description: Prevent pipeline script error
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1872
+- version: "1.2.1"
+ changes:
+ - description: Fix logic that checks for the 'forwarded' tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1859
+- version: "1.2.0"
+ changes:
+ - description: Update to ECS 1.12.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1711
+- version: "1.1.3"
+ changes:
+ - description: Convert to generated ECS fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1511
+- version: '1.1.2'
+ changes:
+ - description: update to ECS 1.11.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1425
+- version: "1.1.1"
+ changes:
+ - description: Escape special characters in docs
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1405
+- version: "1.1.0"
+ changes:
+ - description: Update integration description
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1364
+- version: "1.0.0"
+ changes:
+ - description: make GA
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1214
+ - description: Set "event.module" and "event.dataset"
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1214
+- version: "0.9.2"
+ changes:
+ - description: Add support for Splunk authorization tokens
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1147
+- version: "0.9.1"
+ changes:
+ - description: Use new `wildcard` type.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1161
+- version: "0.9.0"
+ changes:
+ - description: Make `event.original` optional and upgrade to ECS 1.10.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1122
+- version: "0.8.2"
+ changes:
+ - description: Add system tests for Splunk http inputs and improve README.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1044
+ - description: Fix sysmon pipeline when processing `dns.resolved_ip`.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1044
+- version: "0.8.1"
+ changes:
+ - description: Fix security pipeline to support string event.code.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1090
+- version: "0.8.0"
+ changes:
+ - description: Use ingest pipelines for forwarded dataset.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/973
+- version: "0.7.0"
+ changes:
+ - description: Move Sysmon edge processing to ingest pipeline.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/972
+- version: "0.6.0"
+ changes:
+ - description: Move PowerShell edge processing to ingest pipeline.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/941
+- version: "0.5.2"
+ changes:
+ - description: Change Splunk input to use the decode_xml_wineventlog processor.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/923
+- version: "0.5.1"
+ changes:
+ - description: Add support for Sysmon v13 events.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/913
+- version: "0.5.0"
+ changes:
+ - description: Add Splunk input for Winlog data streams.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/821
+- version: "0.4.3"
+ changes:
+ - description: Updating package owner
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/766
+ - description: update to ECS 1.9.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/877
+- version: "0.4.2"
+ changes:
+ - description: Move security data stream
+ type: bugfix # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/726
+- version: "0.4.1"
+ changes:
+ - description: Fix Guards
+ type: bugfix # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/724
+- version: "0.1.0"
+ changes:
+ - description: initial release
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/91
diff --git a/packages/windows/1.12.1/data_stream/forwarded/agent/stream/httpjson.yml.hbs b/packages/windows/1.12.1/data_stream/forwarded/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..0a82aa6acc
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/forwarded/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,101 @@
+config_version: "2"
+interval: {{interval}}
+{{#unless token}}
+{{#if username}}
+{{#if password}}
+auth.basic.user: {{username}}
+auth.basic.password: {{password}}
+{{/if}}
+{{/if}}
+{{/unless}}
+cursor:
+ index_earliest:
+ value: '[[.last_event.result.max_indextime]]'
+request.url: {{url}}/services/search/jobs/export
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+request.method: POST
+request.transforms:
+ - set:
+ target: url.params.search
+ value: |-
+ {{search}} | streamstats max(_indextime) AS max_indextime
+ - set:
+ target: url.params.output_mode
+ value: "json"
+ - set:
+ target: url.params.index_earliest
+ value: '[[ .cursor.index_earliest ]]'
+ default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
+ - set:
+ target: url.params.index_latest
+ value: '[[(now).Unix]]'
+ - set:
+ target: header.Content-Type
+ value: application/x-www-form-urlencoded
+{{#unless username}}
+{{#unless password}}
+{{#if token}}
+ - set:
+ target: header.Authorization
+ value: {{token}}
+{{/if}}
+{{/unless}}
+{{/unless}}
+response.decode_as: application/x-ndjson
+{{#if tags.length}}
+tags:
+{{else if preserve_original_event}}
+tags:
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- decode_json_fields:
+ fields: message
+ target: json
+ add_error_key: true
+- drop_event:
+ when:
+ not:
+ has_fields: ['json.result']
+- fingerprint:
+ fields:
+ - json.result._cd
+ - json.result._indextime
+ - json.result._raw
+ - json.result._time
+ - json.result.host
+ - json.result.source
+ target_field: "@metadata._id"
+- drop_fields:
+ fields: message
+- rename:
+ fields:
+ - from: json.result._raw
+ to: event.original
+ - from: json.result.host
+ to: host.name
+ - from: json.result.source
+ to: event.provider
+ ignore_missing: true
+ fail_on_error: false
+- drop_fields:
+ fields: json
+-
decode_xml_wineventlog:
+ field: event.original
+ target_field: winlog
+ ignore_missing: true
+ ignore_failure: true
+ map_ecs_fields: true
+{{#if processors.length}}
+{{processors}}
+{{/if}}
diff --git a/packages/windows/1.12.1/data_stream/forwarded/agent/stream/winlog.yml.hbs b/packages/windows/1.12.1/data_stream/forwarded/agent/stream/winlog.yml.hbs
new file mode 100755
index 0000000000..965be31d60
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/forwarded/agent/stream/winlog.yml.hbs
@@ -0,0 +1,27 @@
+name: ForwardedEvents
+condition: ${host.platform} == 'windows'
+{{#if event_id}}
+event_id: {{event_id}}
+{{/if}}
+{{#if ignore_older}}
+ignore_older: {{ignore_older}}
+{{/if}}
+{{#if language}}
+language: {{language}}
+{{/if}}
+{{#if tags.length}}
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{/if}}
+{{#if preserve_original_event}}
+include_xml: true
+{{/if}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors.length}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/default.yml b/packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..6a274d1d5a
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/default.yml
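Review bot: `auth.basic.password: {{password}}` and the Authorization header's `value: {{token}}` are rendered as plain YAML scalars, so a credential containing ` #` or `: `, or starting with `*`, `&`, `[`, `{` or `!`, either breaks the rendered input config or is silently mis-parsed, and an all-digit value is retyped as a number. Quoting the templated values, e.g. `auth.basic.password: '{{password}}'` and `value: '{{token}}'`, keeps them as strings; a single quote inside the secret would still need escaping, which the template does not do. `auth.basic.user: {{username}}` has the same exposure, while `{{search}}` is less affected because it sits inside the `|-` block scalar.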
@@ -0,0 +1,19 @@
+---
+description: Pipeline for Windows forwarded Event Logs
+processors:
+ - pipeline:
+ name: '{{ IngestPipeline "security" }}'
+ if: ctx?.winlog?.channel != null && ctx?.winlog?.channel == "Security" && ctx?.winlog?.provider_name != null && ["Microsoft-Windows-Eventlog", "Microsoft-Windows-Security-Auditing"].contains(ctx?.winlog?.provider_name)
+ - pipeline:
+ name: '{{ IngestPipeline "powershell" }}'
+ if: ctx?.winlog?.channel != null && ctx?.winlog?.channel == "Windows PowerShell"
+ - pipeline:
+ name: '{{ IngestPipeline "powershell_operational" }}'
+ if: ctx?.winlog?.channel != null && ctx?.winlog?.channel == "Microsoft-Windows-PowerShell/Operational"
+ - pipeline:
+ name: '{{ IngestPipeline "sysmon_operational" }}'
+ if: ctx?.winlog?.channel != null && ctx?.winlog?.channel == "Microsoft-Windows-Sysmon/Operational"
+on_failure:
+ - set:
+ field: "error.message"
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell.yml b/packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell.yml
new file mode 100755
index 0000000000..7e9df152b0
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell.yml
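Review bot: The `on_failure` handler only copies the failure message into `error.message`, so a document that fails here keeps whatever `event.kind` it had (or none) and is indistinguishable from a cleanly parsed one in a query; for a security data stream that is a silent detection gap. Setting the ECS value for this case in the same handler, `- set: { field: event.kind, value: pipeline_error }`, lets unparsed Security, Sysmon and PowerShell events be counted and alerted on. The same handler is repeated verbatim in powershell.yml and powershell_operational.yml in this commit. Separately, each `ctx?.winlog?.channel != null &&` prefix appears redundant: as far as I can tell Painless's `==` against a string is simply false for a null left side, so the guard could be dropped from all four conditions.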
@@ -0,0 +1,430 @@
+---
+description: Pipeline for Windows Powershell events
+processors:
+ - kv:
+ description: Split Event 800 event data fields.
+ field: winlog.event_data.param2
+ target_field: winlog.event_data
+ field_split: "\n\t"
+ trim_key: "\n\t"
+ trim_value: "\n\t"
+ value_split: "="
+ if: ctx?.winlog?.event_id == "800"
+ - kv:
+ description: Split Events 4xx and 600 event data fields.
+ field: winlog.event_data.param3
+ target_field: winlog.event_data
+ field_split: "\n\t"
+ trim_key: "\n\t"
+ trim_value: "\n\t"
+ value_split: "="
+ if: ctx?.winlog?.event_id != "800"
+
+ ## ECS and Event fields.
+
+ - set:
+ field: ecs.version
+ value: '8.0.0'
+ - set:
+ field: log.level
+ copy_from: winlog.level
+ ignore_empty_value: true
+ ignore_failure: true
+ if: ctx?.winlog?.level != ""
+ - date:
+ field: winlog.time_created
+ formats:
+ - ISO8601
+ ignore_failure: true
+ if: ctx?.winlog?.time_created != null
+
+ - set:
+ field: event.kind
+ value: event
+ - set:
+ field: event.code
+ value: '{{winlog.event_id}}'
+ - set:
+ field: event.category
+ value: process
+ - set:
+ field: event.type
+ value: start
+ if: ctx?.event.code == "400"
+ - set:
+ field: event.type
+ value: end
+ if: ctx?.event.code == "403"
+ - set:
+ field: event.type
+ value: info
+ if: ctx?.event?.type == null
+ - convert:
+ field: winlog.event_data.SequenceNumber
+ target_field: event.sequence
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: winlog.record_id
+ type: string
+ ignore_failure: true
+ ignore_missing: true
+
+ ## Process fields.
+
+ - rename:
+ field: winlog.event_data.HostId
+ target_field: process.entity_id
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.winlog?.event_data?.HostId != ""
+ - rename:
+ field: winlog.event_data.HostApplication
+ target_field: process.command_line
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.winlog?.event_data?.HostApplication != ""
+ - rename:
+ field: winlog.event_data.HostName
+ target_field: process.title
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.winlog?.event_data?.HostName != ""
+
+ ## User fields.
+
+ - split:
+ field: winlog.event_data.UserId
+ target_field: "_temp.user_parts"
+ separator: '\\'
+ if: ctx?.winlog?.event_data?.UserId != null
+ - set:
+ field: user.domain
+ value: "{{_temp.user_parts.0}}"
+ ignore_failure: true
+ ignore_empty_value: true
+ if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2
+ - set:
+ field: user.name
+ value: "{{_temp.user_parts.1}}"
+ ignore_failure: true
+ ignore_empty_value: true
+ if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2
+ - append:
+ field: related.user
+ value: "{{user.name}}"
+ ignore_failure: true
+ allow_duplicates: false
+ if: ctx?.user?.name != null
+
+ ## PowerShell fields.
+
+ - rename:
+ field: winlog.event_data.NewEngineState
+ target_field: powershell.engine.new_state
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.winlog?.event_data?.NewEngineState != ""
+ - rename:
+ field: winlog.event_data.PreviousEngineState
+ target_field: powershell.engine.previous_state
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.winlog?.event_data?.PreviousEngineState != ""
+ - rename:
+ field: winlog.event_data.NewProviderState
+ target_field: powershell.provider.new_state
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.winlog?.event_data?.NewProviderState != ""
+ - rename:
+ field: winlog.event_data.ProviderName
+ target_field: powershell.provider.name
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.winlog?.event_data?.ProviderName != ""
+ - convert:
+ field: winlog.event_data.DetailTotal
+ target_field: powershell.total
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.winlog?.event_data?.DetailTotal != ""
+ - convert:
+ field: winlog.event_data.DetailSequence
+ target_field: powershell.sequence
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.winlog?.event_data?.DetailSequence != ""
+ - rename:
+ field: winlog.event_data.EngineVersion
+ target_field: powershell.engine.version
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.EngineVersion != ""
+ - rename:
+ field: winlog.event_data.PipelineId
+ target_field: powershell.pipeline_id
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.PipelineId != ""
+ - rename:
+ field: winlog.event_data.RunspaceId
+ target_field: powershell.runspace_id
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.RunspaceId != ""
+ - rename:
+ field: winlog.event_data.HostVersion
+ target_field: powershell.process.executable_version
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.HostVersion != ""
+ - rename:
+ field:
winlog.event_data.CommandLine
+ target_field: powershell.command.value
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.winlog?.event_data?.CommandLine != ""
+ - rename:
+ field: winlog.event_data.CommandPath
+ target_field: powershell.command.path
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.winlog?.event_data?.CommandPath != ""
+ - rename:
+ field: winlog.event_data.CommandName
+ target_field: powershell.command.name
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.winlog?.event_data?.CommandName != ""
+ - rename:
+ field: winlog.event_data.CommandType
+ target_field: powershell.command.type
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.winlog?.event_data?.CommandType != ""
+
+ - split:
+ description: Split Event 800 command invocation details.
+ field: winlog.event_data.param3
+ separator: "\n"
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx.event.code == "800"
+ - script:
+ description: |-
+ Parses all command invocation detail raw lines, and converts them to an object, based on their type.
+ - for unexpectedly formatted ones: {value: "the raw line as it is"}
+ - for all:
+ * related_command: describes to what command it is related to
+ * value: the value for that detail line
+ * type: the type of the detail line, i.e.: CommandInvocation, ParameterBinding, NonTerminatingError
+ - additionally, ParameterBinding adds a `name` field with the parameter name being bound.
+ lang: painless
+ if: ctx.event.code == "800"
+ params:
+ field: param3
+ source: |-
+ def parseRawDetail(String raw) {
+ Pattern detailRegex = /^(.+)\((.+)\)\:\s*(.+)?$/;
+ Pattern parameterBindingRegex = /name\=(.+);\s*value\=(.+)$/;
+
+ def matcher = detailRegex.matcher(raw);
+ if (!matcher.matches()) {
+ return ["value": raw];
+ }
+ def matches = new ArrayList();
+ for (def i = 0; i <= matcher.groupCount(); i++) {
+ matches.add(matcher.group(i));
+ }
+
+ if (matches.length != 4) {
+ return ["value": raw];
+ }
+
+ if (matches[1] != "ParameterBinding") {
+ return [
+ "type": matches[1],
+ "related_command": matches[2],
+ "value": matches[3]
+ ];
+ }
+
+ matcher = parameterBindingRegex.matcher(matches[3]);
+ if (!matcher.matches()) {
+ return ["value": matches[4]];
+ }
+ def nameValMatches = new ArrayList();
+ for (def i = 0; i <= matcher.groupCount(); i++) {
+ nameValMatches.add(matcher.group(i));
+ }
+ if (nameValMatches.length !== 3) {
+ return ["value": matches[3]];
+ }
+
+ return [
+ "type": matches[1],
+ "related_command": matches[2],
+ "name": nameValMatches[1],
+ "value": nameValMatches[2]
+ ];
+ }
+
+ if (ctx?._temp == null) {
+ ctx._temp = new HashMap();
+ }
+
+ if (ctx._temp.details == null) {
+ ctx._temp.details = new ArrayList();
+ }
+
+ def values = ctx?.winlog?.event_data[params["field"]];
+ if (values != null && values.length > 0) {
+ for (v in values) {
+ ctx._temp.details.add(parseRawDetail(v));
+ }
+ }
+ - rename:
+ field: _temp.details
+ target_field: powershell.command.invocation_details
+ if: ctx?._temp?.details != null && ctx?._temp?.details.length > 0
+
+ - script:
+ description: Implements Windows-like SplitCommandLine
+ lang: painless
+ if: ctx?.process?.command_line != null && ctx.process.command_line != ""
+ source: |-
+ // appendBSBytes appends n '\\' bytes to b and returns the resulting slice.
+ def appendBSBytes(StringBuilder b, int n) {
+ for (; n > 0; n--) {
+ b.append('\\');
+ }
+ return b;
+ }
+
+ // readNextArg splits command line string cmd into next
+ // argument and command line remainder.
+ def readNextArg(String cmd) {
+ def b = new StringBuilder();
+ boolean inquote;
+ int nslash;
+ for (; cmd.length() > 0; cmd = cmd.substring(1)) {
+ def c = cmd.charAt(0);
+ if (c == (char)' ' || c == (char)0x09) {
+ if (!inquote) {
+ return [
+ "arg": appendBSBytes(b, nslash).toString(),
+ "rest": cmd.substring(1)
+ ];
+ }
+ } else if (c == (char)'"') {
+ b = appendBSBytes(b, nslash/2);
+ if (nslash%2 == 0) {
+ // use "Prior to 2008" rule from
+ // http://daviddeley.com/autohotkey/parameters/parameters.htm
+ // section 5.2 to deal with double double quotes
+ if (inquote && cmd.length() > 1 && cmd.charAt(1) == (char)'"') {
+ b.append(c);
+ cmd = cmd.substring(1);
+ }
+ inquote = !inquote;
+ } else {
+ b.append(c);
+ }
+ nslash = 0;
+ continue;
+ } else if (c == (char)'\\') {
+ nslash++;
+ continue;
+ }
+ b = appendBSBytes(b, nslash);
+ nslash = 0;
+ b.append(c);
+ }
+ return [
+ "arg": appendBSBytes(b, nslash).toString(),
+ "rest": ''
+ ];
+ }
+
+ // commandLineToArgv splits a command line into individual argument
+ // strings, following the Windows conventions documented
+ // at http://daviddeley.com/autohotkey/parameters/parameters.htm#WINARGV
+ // Original implementation found at: https://github.com/golang/go/commit/39c8d2b7faed06b0e91a1ad7906231f53aab45d1
+ def commandLineToArgv(String cmd) {
+ def args = new ArrayList();
+ while (cmd.length() > 0) {
+ if (cmd.charAt(0) == (char)' ' || cmd.charAt(0) == (char)0x09) {
+ cmd = cmd.substring(1);
+ continue;
+ }
+ def next = readNextArg(cmd);
+ cmd = next.rest;
+ args.add(next.arg);
+ }
+ return args;
+ }
+
+ ctx.process.args = commandLineToArgv(ctx.process.command_line);
+ ctx.process.args_count = ctx.process.args.length;
+
+ - script:
+ description: Adds file information.
+ lang: painless
+ if: ctx?.winlog?.event_data?.ScriptName != null && ctx.winlog.event_data.ScriptName.length() > 1
+ source: |-
+ def path = ctx.winlog.event_data.ScriptName;
+ def idx = path.lastIndexOf("\\");
+ if (idx > -1) {
+ if (ctx?.file == null) {
+ ctx.file = new HashMap();
+ }
+ ctx.file.name = path.substring(idx+1);
+ ctx.file.directory = path.substring(0, idx);
+
+ def extIdx = path.lastIndexOf(".");
+ if (extIdx > -1) {
+ ctx.file.extension = path.substring(extIdx+1);
+ }
+ }
+ - rename:
+ field: winlog.event_data.ScriptName
+ target_field: file.path
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.winlog?.event_data?.ScriptName != ""
+
+ ## Cleanup.
+
+ - remove:
+ field:
+ - _temp
+ - winlog.event_data.param1
+ - winlog.event_data.param2
+ - winlog.event_data.param3
+ - winlog.event_data.SequenceNumber
+ - winlog.event_data.DetailTotal
+ - winlog.event_data.DetailSequence
+ - winlog.event_data.UserId
+ - winlog.time_created
+ - winlog.level
+ ignore_missing: true
+ ignore_failure: true
+ - script:
+ description: Remove all empty values from event_data.
+ lang: painless
+ source: ctx?.winlog?.event_data?.entrySet().removeIf(entry -> entry.getValue() == null || entry.getValue().equals(""));
+ - remove:
+ description: Remove empty event data.
+ field: winlog.event_data
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data != null && ctx.winlog.event_data.size() == 0
+
+on_failure:
+ - set:
+ field: "error.message"
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml b/packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml
new file mode 100755
index 0000000000..16d21d8fe8
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml
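Review bot: In the invocation-details script of powershell.yml, the fallback for a `ParameterBinding` line whose tail does not match `parameterBindingRegex` returns `matches[4]`, but `matches` holds exactly four entries (groups 0–3), so that branch throws an out-of-bounds error; the processor has no `ignore_failure`, so the whole event goes to `on_failure` with only `error.message` set and the later cleanup never runs. It should read `return ["value": matches[3]];`, matching the fallback used a few lines further down. The optional third group can also be null (a line that ends right after `):`), in which case `parameterBindingRegex.matcher(matches[3])` throws; a guard such as `if (matches[3] == null) { return ["value": raw]; }` before that call covers it. `nameValMatches.length !== 3` reads as a reference comparison where a value comparison is meant; `!=` says what is intended. The identical script is copied into powershell_operational.yml in this commit (that hunk runs past the end of the page) and needs the same fixes.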
@@ -0,0 +1,489 @@
+---
+description: Pipeline for Windows Powershell/Operational events
+processors:
+ - kv:
+ description: Split Event 4103 event data fields.
+ field: winlog.event_data.ContextInfo
+ target_field: winlog.event_data
+ field_split: "\n"
+ trim_key: " \n\t"
+ trim_value: " \n\t"
+ value_split: "="
+ if: ctx?.winlog?.event_id == "4103"
+ - script:
+ description: Remove spaces from all event_data keys.
+ lang: painless
+ if: ctx?.winlog?.event_data != null
+ source: |-
+ def newEventData = new HashMap();
+ for (entry in ctx.winlog.event_data.entrySet()) {
+ def newKey = /\s/.matcher(entry.getKey().toString()).replaceAll("");
+ newEventData.put(newKey, entry.getValue());
+ }
+ ctx.winlog.event_data = newEventData;
+
+ ## ECS and Event fields.
+
+ - set:
+ field: ecs.version
+ value: '8.0.0'
+ - set:
+ field: log.level
+ copy_from: winlog.level
+ ignore_empty_value: true
+ ignore_failure: true
+ if: ctx?.winlog?.level != ""
+ - date:
+ field: winlog.time_created
+ formats:
+ - ISO8601
+ ignore_failure: true
+ if: ctx?.winlog?.time_created != null
+
+ - set:
+ field: event.kind
+ value: event
+ - set:
+ field: event.code
+ value: '{{winlog.event_id}}'
+ - set:
+ field: event.category
+ value: process
+ - set:
+ field: event.type
+ value: start
+ if: ctx?.event.code == "4105"
+ - set:
+ field: event.type
+ value: end
+ if: ctx?.event.code == "4106"
+ - set:
+ field: event.type
+ value: info
+ if: ctx?.event?.type == null
+ - convert:
+ field: winlog.event_data.SequenceNumber
+ target_field: event.sequence
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: winlog.record_id
+ type: string
+ ignore_failure: true
+ ignore_missing: true
+
+ ## Process fields.
+
+ - rename:
+ field: winlog.event_data.HostID
+ target_field: process.entity_id
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.winlog?.event_data?.HostID != ""
+ - rename:
+ field: winlog.event_data.HostApplication
+ target_field: process.command_line
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.winlog?.event_data?.HostApplication != ""
+ - rename:
+ field: winlog.event_data.HostName
+ target_field: process.title
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.winlog?.event_data?.HostName != ""
+
+ ## User fields.
+
+ - set:
+ field: user.id
+ copy_from: winlog.user.identifier
+ ignore_failure: true
+ ignore_empty_value: true
+ - split:
+ field: winlog.event_data.User
+ target_field: "_temp.user_parts"
+ separator: '\\'
+ if: ctx?.winlog?.event_data?.User != null
+ - set:
+ field: user.domain
+ value: "{{_temp.user_parts.0}}"
+ ignore_failure: true
+ ignore_empty_value: true
+ if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2
+ - set:
+ field: user.name
+ value: "{{_temp.user_parts.1}}"
+ ignore_failure: true
+ ignore_empty_value: true
+ if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2
+ - append:
+ field: related.user
+ value: "{{user.name}}"
+ ignore_failure: true
+ allow_duplicates: false
+ if: ctx?.user?.name != null
+ - split:
+ field: winlog.event_data.ConnectedUser
+ target_field: "_temp.connected_user_parts"
+ separator: '\\'
+ if: ctx?.winlog?.event_data?.ConnectedUser != null
+ - set:
+ field: source.user.domain
+ value: "{{_temp.connected_user_parts.0}}"
+ ignore_failure: true
+ ignore_empty_value: true
+ if: ctx?._temp?.connected_user_parts != null && ctx._temp.connected_user_parts.size() == 2
+ - set:
+ field: source.user.name
+ value: "{{_temp.connected_user_parts.1}}"
+ ignore_failure: true
+ ignore_empty_value: true
+ if: ctx?._temp?.connected_user_parts != null && ctx._temp.connected_user_parts.size() == 2
+ - append:
+ field: related.user
+ value: "{{source.user.name}}"
+
ignore_failure: true
+ allow_duplicates: false
+ if: ctx?.source?.user?.name != null
+ - rename:
+ field: user.domain
+ target_field: destination.user.domain
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.source?.user != null
+ - rename:
+ field: user.name
+ target_field: destination.user.name
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.source?.user != null
+ - set:
+ field: user.domain
+ copy_from: source.user.domain
+ ignore_failure: true
+ ignore_empty_value: true
+ if: ctx?.source?.user != null
+ - set:
+ field: user.name
+ copy_from: source.user.name
+ ignore_failure: true
+ ignore_empty_value: true
+ if: ctx?.source?.user != null
+
+ ## PowerShell fields.
+
+ - convert:
+ field: winlog.event_data.MessageNumber
+ target_field: powershell.sequence
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: winlog.event_data.MessageTotal
+ target_field: powershell.total
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ - rename:
+ field: winlog.event_data.ShellID
+ target_field: powershell.id
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.winlog?.event_data?.ShellID != ""
+ - rename:
+ field: winlog.event_data.EngineVersion
+ target_field: powershell.engine.version
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.EngineVersion != ""
+ - rename:
+ field: winlog.event_data.PipelineID
+ target_field: powershell.pipeline_id
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.PipelineID != ""
+ - rename:
+ field: winlog.event_data.RunspaceID
+ target_field: powershell.runspace_id
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.RunspaceID != ""
+ - rename:
+ field: winlog.event_data.RunspaceId
+ target_field: powershell.runspace_id
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.RunspaceId != ""
+ - rename:
+ field: winlog.event_data.HostVersion
+ target_field:
powershell.process.executable_version
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.HostVersion != ""
+ - rename:
+ field: winlog.event_data.CommandLine
+ target_field: powershell.command.value
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.winlog?.event_data?.CommandLine != ""
+ - rename:
+ field: winlog.event_data.CommandPath
+ target_field: powershell.command.path
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.winlog?.event_data?.CommandPath != ""
+ - rename:
+ field: winlog.event_data.CommandName
+ target_field: powershell.command.name
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.winlog?.event_data?.CommandName != ""
+ - rename:
+ field: winlog.event_data.CommandType
+ target_field: powershell.command.type
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.winlog?.event_data?.CommandType != ""
+ - rename:
+ field: winlog.event_data.ScriptBlockId
+ target_field: powershell.file.script_block_id
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.winlog?.event_data?.ScriptBlockId != ""
+ - rename:
+ field: winlog.event_data.ScriptBlockText
+ target_field: powershell.file.script_block_text
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.winlog?.event_data?.ScriptBlockText != ""
+
+ - split:
+ description: Split Event 800 command invocation details.
+ field: winlog.event_data.Payload
+ separator: "\n"
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx.event.code == "4103"
+ - script:
+ description: |-
+ Parses all command invocation detail raw lines, and converts them to an object, based on their type.
+ - for unexpectedly formatted ones: {value: "the raw line as it is"}
+ - for all:
+ * related_command: describes to what command it is related to
+ * value: the value for that detail line
+ * type: the type of the detail line, i.e.: CommandInvocation, ParameterBinding, NonTerminatingError
+ - additionally, ParameterBinding adds a `name` field with the parameter name being bound.
+ lang: painless
+ if: ctx.event.code == "4103"
+ params:
+ field: Payload
+ source: |-
+ def parseRawDetail(String raw) {
+ Pattern detailRegex = /^(.+)\((.+)\)\:\s*(.+)?$/;
+ Pattern parameterBindingRegex = /name\=(.+);\s*value\=(.+)$/;
+
+ def matcher = detailRegex.matcher(raw);
+ if (!matcher.matches()) {
+ return ["value": raw];
+ }
+ def matches = new ArrayList();
+ for (def i = 0; i <= matcher.groupCount(); i++) {
+ matches.add(matcher.group(i));
+ }
+
+ if (matches.length != 4) {
+ return ["value": raw];
+ }
+
+ if (matches[1] != "ParameterBinding") {
+ return [
+ "type": matches[1],
+ "related_command": matches[2],
+ "value": matches[3]
+ ];
+ }
+
+ matcher = parameterBindingRegex.matcher(matches[3]);
+ if (!matcher.matches()) {
+ return ["value": matches[4]];
+ }
+ def nameValMatches = new ArrayList();
+ for (def i = 0; i <= matcher.groupCount(); i++) {
+ nameValMatches.add(matcher.group(i));
+ }
+ if (nameValMatches.length !== 3) {
+ return ["value": matches[3]];
+ }
+
+ return [
+ "type": matches[1],
+ "related_command": matches[2],
+ "name": nameValMatches[1],
+ "value": nameValMatches[2]
+ ];
+ }
+
+ if (ctx?._temp == null) {
+ ctx._temp = new HashMap();
+ }
+
+ if (ctx._temp.details == null) {
+ ctx._temp.details = new ArrayList();
+ }
+
+ def values = ctx?.winlog?.event_data[params["field"]];
+ if (values != null && values.length > 0) {
+ for (v in values) {
+ ctx._temp.details.add(parseRawDetail(v));
+ }
+ }
+ - rename:
+ field: _temp.details
+ target_field: powershell.command.invocation_details
+ if: ctx?._temp?.details != null && ctx?._temp?.details.length > 0
+
+ - script:
+ description: Implements Windows-like SplitCommandLine
+ lang: painless
+ if: ctx?.process?.command_line != null && ctx.process.command_line != ""
+ source: |-
+ // appendBSBytes appends n '\\' bytes to b and returns the resulting slice.
+ def appendBSBytes(StringBuilder b, int n) {
+ for (; n > 0; n--) {
+ b.append('\\');
+ }
+ return b;
+ }
+
+ // readNextArg splits command line string cmd into next
+ // argument and command line remainder.
+ def readNextArg(String cmd) {
+ def b = new StringBuilder();
+ boolean inquote;
+ int nslash;
+ for (; cmd.length() > 0; cmd = cmd.substring(1)) {
+ def c = cmd.charAt(0);
+ if (c == (char)' ' || c == (char)0x09) {
+ if (!inquote) {
+ return [
+ "arg": appendBSBytes(b, nslash).toString(),
+ "rest": cmd.substring(1)
+ ];
+ }
+ } else if (c == (char)'"') {
+ b = appendBSBytes(b, nslash/2);
+ if (nslash%2 == 0) {
+ // use "Prior to 2008" rule from
+ // http://daviddeley.com/autohotkey/parameters/parameters.htm
+ // section 5.2 to deal with double double quotes
+ if (inquote && cmd.length() > 1 && cmd.charAt(1) == (char)'"') {
+ b.append(c);
+ cmd = cmd.substring(1);
+ }
+ inquote = !inquote;
+ } else {
+ b.append(c);
+ }
+ nslash = 0;
+ continue;
+ } else if (c == (char)'\\') {
+ nslash++;
+ continue;
+ }
+ b = appendBSBytes(b, nslash);
+ nslash = 0;
+ b.append(c);
+ }
+ return [
+ "arg": appendBSBytes(b, nslash).toString(),
+ "rest": ''
+ ];
+ }
+
+ // commandLineToArgv splits a command line into individual argument
+ // strings, following the Windows conventions documented
+ // at http://daviddeley.com/autohotkey/parameters/parameters.htm#WINARGV
+ // Original implementation found at: https://github.com/golang/go/commit/39c8d2b7faed06b0e91a1ad7906231f53aab45d1
+ def commandLineToArgv(String cmd) {
+ def args = new ArrayList();
+ while (cmd.length() > 0) {
+ if (cmd.charAt(0) == (char)' ' || cmd.charAt(0) == (char)0x09) {
+ cmd = cmd.substring(1);
+ continue;
+ }
+ def next = readNextArg(cmd);
+ cmd = next.rest;
+ args.add(next.arg);
+ }
+ return args;
+ }
+
+ ctx.process.args = commandLineToArgv(ctx.process.command_line);
+ ctx.process.args_count = ctx.process.args.length;
+
+ - rename:
+ field: winlog.event_data.Path
+ target_field:
winlog.event_data.ScriptName + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.Path != "" + - script: + description: Adds file information. + lang: painless + if: ctx?.winlog?.event_data?.ScriptName != null && ctx.winlog.event_data.ScriptName.length() > 1 + source: |- + def path = ctx.winlog.event_data.ScriptName; + def idx = path.lastIndexOf("\\"); + if (idx > -1) { + if (ctx?.file == null) { + ctx.file = new HashMap(); + } + ctx.file.name = path.substring(idx+1); + ctx.file.directory = path.substring(0, idx); + + def extIdx = path.lastIndexOf("."); + if (extIdx > -1) { + ctx.file.extension = path.substring(extIdx+1); + } + } + - rename: + field: winlog.event_data.ScriptName + target_field: file.path + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.ScriptName != "" + + ## Cleanup. + + - remove: + field: + - _temp + - winlog.event_data.SequenceNumber + - winlog.event_data.User + - winlog.event_data.ConnectedUser + - winlog.event_data.ContextInfo + - winlog.event_data.Severity + - winlog.event_data.MessageTotal + - winlog.event_data.MessageNumber + - winlog.event_data.Payload + - winlog.time_created + - winlog.level + ignore_missing: true + ignore_failure: true + - script: + description: Remove all empty values from event_data. + lang: painless + source: ctx?.winlog?.event_data?.entrySet().removeIf(entry -> entry.getValue() == null || entry.getValue().equals("")); + - remove: + description: Remove empty event data. + field: winlog.event_data + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data != null && ctx.winlog.event_data.size() == 0 + +on_failure: + - set: + field: "error.message" + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/security.yml b/packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/security.yml new file mode 100755 index 0000000000..3f42b128e9 --- /dev/null 
+++ b/packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/security.yml 
@@ -0,0 +1,3189 @@
+---
+description: Pipeline for Windows Security events
+processors:
+ - convert:
+ field: event.code
+ type: string
+ ignore_missing: true
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Set ECS categorization fields
+ description: Set ECS categorization fields
+ params:
+ "1100":
+ category:
+ - process
+ type:
+ - end
+ action: logging-service-shutdown
+ "1102":
+ category:
+ - iam
+ type:
+ - admin
+ - change
+ action: audit-log-cleared
+ "1104":
+ category:
+ - iam
+ type:
+ - admin
+ action: logging-full
+ "1105":
+ category:
+ - iam
+ type:
+ - admin
+ action: auditlog-archieved
+ "1108":
+ category:
+ - iam
+ type:
+ - admin
+ action: logging-processing-error
+ "4610":
+ category:
+ - configuration
+ type:
+ - access
+ action: authentication-package-loaded
+ "4611":
+ category:
+ - configuration
+ type:
+ - change
+ action: trusted-logon-process-registered
+ "4614":
+ category:
+ - configuration
+ type:
+ - access
+ action: notification-package-loaded
+ "4616":
+ category:
+ - configuration
+ type:
+ - change
+ action: system-time-changed
+ "4622":
+ category:
+ - configuration
+ type:
+ - access
+ action: security-package-loaded
+ "4624":
+ category:
+ - authentication
+ type:
+ - start
+ action: logged-in
+ "4625":
+ category:
+ - authentication
+ type:
+ - start
+ action: logon-failed
+ "4634":
+ category:
+ - authentication
+ type:
+ - end
+ action: logged-out
+ "4647":
+ category:
+ - authentication
+ type:
+ - end
+ action: logged-out
+ "4648":
+ category:
+ - authentication
+ type:
+ - start
+ action: logged-in-explicit
+ "4657":
+ category:
+ - registry
+ - configuration
+ type:
+ - change
+ action: registry-value-modified
+ "4670":
+ category:
+ - iam
+ - configuration
+ type:
+ - admin
+ - change
+ action: permissions-changed
+ "4672":
+ category:
+ - iam
+ type:
+ - admin
+ action: logged-in-special
+ "4673":
+ category:
+ - iam
+ type:
+ - admin
+ action: privileged-service-called
+ "4674":
+ category:
+ - iam +
type: + - admin + action: privileged-operation + "4688": + category: + - process + type: + - start + action: created-process + "4689": + category: + - process + type: + - end + action: exited-process + "4697": + category: + - iam + - configuration + type: + - admin + - change + action: service-installed + "4698": + category: + - iam + - configuration + type: + - creation + - admin + action: scheduled-task-created + "4699": + category: + - iam + - configuration + type: + - deletion + - admin + action: scheduled-task-deleted + "4700": + category: + - iam + - configuration + type: + - change + - admin + action: scheduled-task-enabled + "4701": + category: + - iam + - configuration + type: + - change + - admin + action: scheduled-task-disabled + "4702": + category: + - iam + - configuration + type: + - change + - admin + action: scheduled-task-updated + "4706": + category: + - configuration + type: + - creation + action: domain-trust-added + "4707": + category: + - configuration + type: + - deletion + action: domain-trust-removed + "4713": + category: + - configuration + type: + - change + action: kerberos-policy-changed + "4714": + category: + - configuration + type: + - change + action: encrypted-data-recovery-policy-changed + "4715": + category: + - configuration + type: + - change + action: object-audit-policy-changed + "4716": + category: + - configuration + type: + - change + action: trusted-domain-information-changed + "4717": + category: + - iam + - configuration + type: + - admin + - change + action: system-security-access-granted + "4718": + category: + - iam + - configuration + type: + - admin + - deletion + action: system-security-access-removed + "4719": + category: + - iam + - configuration + type: + - admin + - change + action: changed-audit-config + "4720": + category: + - iam + type: + - user + - creation + action: added-user-account + "4722": + category: + - iam + type: + - user + - change + action: enabled-user-account + "4723": + category: + - iam + 
type: + - user + - change + action: changed-password + "4724": + category: + - iam + type: + - user + - change + action: reset-password + "4725": + category: + - iam + type: + - user + - deletion + action: disabled-user-account + "4726": + category: + - iam + type: + - user + - deletion + action: deleted-user-account + "4727": + category: + - iam + type: + - group + - creation + action: added-group-account + "4728": + category: + - iam + type: + - group + - change + action: added-member-to-group + "4729": + category: + - iam + type: + - group + - change + action: removed-member-from-group + "4730": + category: + - iam + type: + - group + - deletion + action: deleted-group-account + "4731": + category: + - iam + type: + - group + - creation + action: added-group-account + "4732": + category: + - iam + type: + - group + - change + action: added-member-to-group + "4733": + category: + - iam + type: + - group + - change + action: removed-member-from-group + "4734": + category: + - iam + type: + - group + - deletion + action: deleted-group-account + "4735": + category: + - iam + type: + - group + - change + action: modified-group-account + "4737": + category: + - iam + type: + - group + - change + action: modified-group-account + "4738": + category: + - iam + type: + - user + - change + action: modified-user-account + "4739": + category: + - configuration + type: + - change + action: domain-policy-changed + "4740": + category: + - iam + type: + - user + - change + action: locked-out-user-account + "4741": + category: + - iam + type: + - creation + - admin + action: added-computer-account + "4742": + category: + - iam + type: + - change + - admin + action: changed-computer-account + "4743": + category: + - iam + type: + - deletion + - admin + action: deleted-computer-account + "4744": + category: + - iam + type: + - group + - creation + action: added-distribution-group-account + "4745": + category: + - iam + type: + - group + - change + action: 
changed-distribution-group-account + "4746": + category: + - iam + type: + - group + - change + action: added-member-to-distribution-group + "4747": + category: + - iam + type: + - group + - change + action: removed-member-from-distribution-group + "4748": + category: + - iam + type: + - group + - deletion + action: deleted-distribution-group-account + "4749": + category: + - iam + type: + - group + - creation + action: added-distribution-group-account + "4750": + category: + - iam + type: + - group + - change + action: changed-distribution-group-account + "4751": + category: + - iam + type: + - group + - change + action: added-member-to-distribution-group + "4752": + category: + - iam + type: + - group + - change + action: removed-member-from-distribution-group + "4753": + category: + - iam + type: + - group + - deletion + action: deleted-distribution-group-account + "4754": + category: + - iam + type: + - group + - creation + action: added-group-account + "4755": + category: + - iam + type: + - group + - change + action: modified-group-account + "4756": + category: + - iam + type: + - group + - change + action: added-member-to-group + "4757": + category: + - iam + type: + - group + - change + action: removed-member-from-group + "4758": + category: + - iam + type: + - group + - deletion + action: deleted-group-account + "4759": + category: + - iam + type: + - group + - creation + action: added-distribution-group-account + "4760": + category: + - iam + type: + - group + - change + action: changed-distribution-group-account + "4761": + category: + - iam + type: + - group + - change + action: added-member-to-distribution-group + "4762": + category: + - iam + type: + - group + - change + action: removed-member-from-distribution-group + "4763": + category: + - iam + type: + - group + - deletion + action: deleted-distribution-group-account + "4764": + category: + - iam + type: + - group + - change + action: type-changed-group-account + "4767": + category: + - iam + 
type: + - user + - change + action: unlocked-user-account + "4768": + category: + - authentication + type: + - start + action: kerberos-authentication-ticket-requested + "4769": + category: + - authentication + type: + - start + action: kerberos-service-ticket-requested + "4770": + category: + - authentication + type: + - start + action: kerberos-service-ticket-renewed + "4771": + category: + - authentication + type: + - start + action: kerberos-preauth-failed + "4776": + category: + - authentication + type: + - start + action: credential-validated + "4778": + category: + - authentication + - session + type: + - start + action: session-reconnected + "4779": + category: + - authentication + - session + type: + - end + action: session-disconnected + "4781": + category: + - iam + type: + - user + - change + action: renamed-user-account + "4798": + category: + - iam + type: + - user + - info + action: group-membership-enumerated + "4799": + category: + - iam + type: + - group + - info + action: user-member-enumerated + "4817": + category: + - iam + - configuration + type: + - admin + - change + action: object-audit-changed + "4902": + category: + - iam + - configuration + type: + - admin + - creation + action: user-audit-policy-created + "4904": + category: + - iam + - configuration + type: + - admin + - change + action: security-event-source-added + "4905": + category: + - iam + - configuration + type: + - admin + - deletion + action: security-event-source-removed + "4906": + category: + - iam + - configuration + type: + - admin + - change + action: crash-on-audit-changed + "4907": + category: + - iam + - configuration + type: + - admin + - change + action: audit-setting-changed + "4908": + category: + - iam + - configuration + type: + - admin + - change + action: special-group-table-changed + "4912": + category: + - iam + - configuration + type: + - admin + - change + action: per-user-audit-policy-changed + "4950": + category: + - configuration + type: + - change + 
action: windows-firewall-setting-changed + "4954": + category: + - configuration + type: + - change + action: windows-firewall-group-policy-changed + "4964": + category: + - iam + type: + - admin + - group + action: logged-in-special + "5024": + category: + - process + type: + - start + action: windows-firewall-service-started + "5025": + category: + - process + type: + - end + action: windows-firewall-service-stopped + "5033": + category: + - driver + type: + - start + action: windows-firewall-driver-started + "5034": + category: + - driver + type: + - end + action: windows-firewall-driver-stopped + "5037": + category: + - driver + type: + - end + action: windows-firewall-driver-error + source: |- + if (ctx?.event?.code == null || params.get(ctx.event.code) == null) { + return; + } + def hm = new HashMap(params.get(ctx.event.code)); + hm.forEach((k, v) -> ctx.event[k] = v); + - script: + lang: painless + ignore_failure: false + tag: Set Logon Type + description: Set Logon Type + params: + "2": Interactive + "3": Network + "4": Batch + "5": Service + "7": Unlock + "8": NetworkCleartext + "9": NewCredentials + "10": RemoteInteractive + "11": CachedInteractive + source: |- + if (ctx?.winlog?.event_data?.LogonType == null) { + return; + } + def t = params.get(ctx.winlog.event_data.LogonType); + if (t == null) { + return; + } + if (ctx?.winlog?.logon == null ) { + Map map = new HashMap(); + ctx.winlog.put("logon", map); + } + ctx.winlog.logon.put("type", t) + - script: + lang: painless + ignore_failure: false + tag: Set User Account Control + description: Set User Account Control + params: + "0x00000001": SCRIPT + "0x00000002": ACCOUNTDISABLE + "0x00000008": HOMEDIR_REQUIRED + "0x00000010": LOCKOUT + "0x00000020": PASSWD_NOTREQD + "0x00000040": PASSWD_CANT_CHANGE + "0x00000080": ENCRYPTED_TEXT_PWD_ALLOWED + "0x00000100": TEMP_DUPLICATE_ACCOUNT + "0x00000200": NORMAL_ACCOUNT + "0x00000800": INTERDOMAIN_TRUST_ACCOUNT + "0x00001000": WORKSTATION_TRUST_ACCOUNT + 
"0x00002000": SERVER_TRUST_ACCOUNT + "0x00010000": DONT_EXPIRE_PASSWORD + "0x00020000": MNS_LOGON_ACCOUNT + "0x00040000": SMARTCARD_REQUIRED + "0x00080000": TRUSTED_FOR_DELEGATION + "0x00100000": NOT_DELEGATED + "0x00200000": USE_DES_KEY_ONLY + "0x00400000": DONT_REQ_PREAUTH + "0x00800000": PASSWORD_EXPIRED + "0x01000000": TRUSTED_TO_AUTH_FOR_DELEGATION + "0x04000000": PARTIAL_SECRETS_ACCOUNT + source: |- + if (ctx?.winlog?.event_data?.NewUacValue == null) { + return; + } + Long newUacValue = Long.decode(ctx.winlog.event_data.NewUacValue); + ArrayList uacResult = new ArrayList(); + for (entry in params.entrySet()) { + Long flag = Long.decode(entry.getKey()); + if ((newUacValue.longValue() & flag.longValue()) == flag.longValue()) { + uacResult.add(entry.getValue()); + } + } + if (uacResult.length == 0) { + return; + } + ctx.winlog.event_data.put("NewUACList", uacResult); + if (ctx?.winlog?.event_data?.UserAccountControl == null) { + return; + } + ArrayList uac_array = new ArrayList(); + for (elem in ctx.winlog.event_data.UserAccountControl.splitOnToken("%%")) { + if (elem.trim().length() > 0) { + uac_array.add(elem.trim()); + } + } + ctx.winlog.event_data.UserAccountControl = uac_array; + - script: + lang: painless + ignore_failure: false + tag: Set Kerberos Ticket Options + description: Set Kerberos Ticket Options + params: + "0x40000000": Forwardable + "0x20000000": Forwarded + "0x10000000": Proxiable + "0x08000000": Proxy + "0x04000000": Allow-postdate + "0x02000000": Postdated + "0x01000000": Invalid + "0x00800000": Renewable + "0x00400000": Initial + "0x00200000": Pre-authent + "0x00100000": Opt-hardware-auth + "0x00080000": Transited-policy-checked + "0x00040000": Ok-as-delegate + "0x00020000": Request-anonymous + "0x00010000": Name-canonicalize + "0x00000020": Disable-transited-check + "0x00000010": Renewable-ok + "0x00000008": Enc-tkt-in-skey + "0x00000002": Renew + "0x00000001": Validate + source: |- + if (ctx?.winlog?.event_data?.TicketOptions == null) { + 
return; + } + Long tOpts = Long.decode(ctx.winlog.event_data.TicketOptions); + ArrayList tDescs = new ArrayList(); + for (entry in params.entrySet()) { + Long flag = Long.decode(entry.getKey()); + if ((tOpts.longValue() & flag.longValue()) == flag.longValue()) { + tDescs.add(entry.getValue()); + } + } + if (tDescs.length == 0) { + return; + } + ctx.winlog.event_data.put("TicketOptionsDescription", tDescs); + - script: + lang: painless + ignore_failure: false + tag: Set Kerberos Encryption Types + description: Set Kerberos Encryption Types + params: + "0x1": DES-CBC-CRC + "0x3": DES-CBC-MD5 + "0x11": AES128-CTS-HMAC-SHA1-96 + "0x12": AES256-CTS-HMAC-SHA1-96 + "0x17": RC4-HMAC + "0x18": RC4-HMAC-EXP + "0xffffffff": FAIL + source: |- + if (ctx?.winlog?.event_data?.TicketEncryptionType == null) { + return; + } + ctx.winlog.event_data.put("TicketEncryptionTypeDescription", + params[ctx.winlog.event_data.TicketEncryptionType.toLowerCase()]) + - script: + lang: painless + ignore_failure: false + tag: Set Kerberos Ticket Status Codes + description: Set Kerberos Ticket Status Codes + params: + "0x0": KDC_ERR_NONE + "0x1": KDC_ERR_NAME_EXP + "0x2": KDC_ERR_SERVICE_EXP + "0x3": KDC_ERR_BAD_PVNO + "0x4": KDC_ERR_C_OLD_MAST_KVNO + "0x5": KDC_ERR_S_OLD_MAST_KVNO + "0x6": KDC_ERR_C_PRINCIPAL_UNKNOWN + "0x7": KDC_ERR_S_PRINCIPAL_UNKNOWN + "0x8": KDC_ERR_PRINCIPAL_NOT_UNIQUE + "0x9": KDC_ERR_NULL_KEY + "0xA": KDC_ERR_CANNOT_POSTDATE + "0xB": KDC_ERR_NEVER_VALID + "0xC": KDC_ERR_POLICY + "0xD": KDC_ERR_BADOPTION + "0xE": KDC_ERR_ETYPE_NOTSUPP + "0xF": KDC_ERR_SUMTYPE_NOSUPP + "0x10": KDC_ERR_PADATA_TYPE_NOSUPP + "0x11": KDC_ERR_TRTYPE_NO_SUPP + "0x12": KDC_ERR_CLIENT_REVOKED + "0x13": KDC_ERR_SERVICE_REVOKED + "0x14": KDC_ERR_TGT_REVOKED + "0x15": KDC_ERR_CLIENT_NOTYET + "0x16": KDC_ERR_SERVICE_NOTYET + "0x17": KDC_ERR_KEY_EXPIRED + "0x18": KDC_ERR_PREAUTH_FAILED + "0x19": KDC_ERR_PREAUTH_REQUIRED + "0x1A": KDC_ERR_SERVER_NOMATCH + "0x1B": KDC_ERR_MUST_USE_USER2USER + "0x1F": 
KRB_AP_ERR_BAD_INTEGRITY + "0x20": KRB_AP_ERR_TKT_EXPIRED + "0x21": KRB_AP_ERR_TKT_NYV + "0x22": KRB_AP_ERR_REPEAT + "0x23": KRB_AP_ERR_NOT_US + "0x24": KRB_AP_ERR_BADMATCH + "0x25": KRB_AP_ERR_SKEW + "0x26": KRB_AP_ERR_BADADDR + "0x27": KRB_AP_ERR_BADVERSION + "0x28": KRB_AP_ERR_MSG_TYPE + "0x29": KRB_AP_ERR_MODIFIED + "0x2A": KRB_AP_ERR_BADORDER + "0x2C": KRB_AP_ERR_BADKEYVER + "0x2D": KRB_AP_ERR_NOKEY + "0x2E": KRB_AP_ERR_MUT_FAIL + "0x2F": KRB_AP_ERR_BADDIRECTION + "0x30": KRB_AP_ERR_METHOD + "0x31": KRB_AP_ERR_BADSEQ + "0x32": KRB_AP_ERR_INAPP_CKSUM + "0x33": KRB_AP_PATH_NOT_ACCEPTED + "0x34": KRB_ERR_RESPONSE_TOO_BIG + "0x3C": KRB_ERR_GENERIC + "0x3D": KRB_ERR_FIELD_TOOLONG + "0x3E": KDC_ERR_CLIENT_NOT_TRUSTED + "0x3F": KDC_ERR_KDC_NOT_TRUSTED + "0x40": KDC_ERR_INVALID_SIG + "0x41": KDC_ERR_KEY_TOO_WEAK + "0x42": KRB_AP_ERR_USER_TO_USER_REQUIRED + "0x43": KRB_AP_ERR_NO_TGT + "0x44": KDC_ERR_WRONG_REALM + source: |- + if (ctx?.winlog?.event_data?.Status == null || + ctx?.event?.code == null || + !["4768", "4769", "4770", "4771"].contains(ctx.event.code)) { + return; + } + ctx.winlog.event_data.put("StatusDescription", params[ctx.winlog.event_data.Status]); + - script: + lang: painless + ignore_failure: false + tag: Set Service Type and Name + description: Set Service Type and Name + params: + "0x1": Kernel Driver + "0x2": File System Driver + "0x8": Recognizer Driver + "0x10": Win32 Own Process + "0x20": Win32 Share Process + "0x110": Interactive Own Process + "0x120": Interactive Share Process + source: |- + if (ctx?.winlog?.event_data?.ServiceName != null) { + if (ctx?.service == null) { + HashMap hm = new HashMap(); + ctx.put("service", hm); + } + ctx.service.put("name", ctx.winlog.event_data.ServiceName); + } + if (ctx?.winlog.event_data?.ServiceType != null) { + if (ctx?.service == null) { + HashMap hm = new HashMap(); + ctx.put("service", hm); + } + ctx.service.put("type", params[ctx.winlog.event_data.ServiceType]); + } + - script: + lang: painless + 
ignore_failure: false + tag: Set Audit Information + description: Set Audit Information + params: + "0CCE9210-69AE-11D9-BED3-505054503030": ["Security State Change", "System"] + "0CCE9211-69AE-11D9-BED3-505054503030": ["Security System Extension", "System"] + "0CCE9212-69AE-11D9-BED3-505054503030": ["System Integrity", "System"] + "0CCE9213-69AE-11D9-BED3-505054503030": ["IPsec Driver", "System"] + "0CCE9214-69AE-11D9-BED3-505054503030": ["Other System Events", "System"] + "0CCE9215-69AE-11D9-BED3-505054503030": ["Logon", "Logon/Logoff"] + "0CCE9216-69AE-11D9-BED3-505054503030": ["Logoff","Logon/Logoff"] + "0CCE9217-69AE-11D9-BED3-505054503030": ["Account Lockout","Logon/Logoff"] + "0CCE9218-69AE-11D9-BED3-505054503030": ["IPsec Main Mode","Logon/Logoff"] + "0CCE9219-69AE-11D9-BED3-505054503030": ["IPsec Quick Mode","Logon/Logoff"] + "0CCE921A-69AE-11D9-BED3-505054503030": ["IPsec Extended Mode","Logon/Logoff"] + "0CCE921B-69AE-11D9-BED3-505054503030": ["Special Logon","Logon/Logoff"] + "0CCE921C-69AE-11D9-BED3-505054503030": ["Other Logon/Logoff Events","Logon/Logoff"] + "0CCE9243-69AE-11D9-BED3-505054503030": ["Network Policy Server","Logon/Logoff"] + "0CCE9247-69AE-11D9-BED3-505054503030": ["User / Device Claims","Logon/Logoff"] + "0CCE921D-69AE-11D9-BED3-505054503030": ["File System","Object Access"] + "0CCE921E-69AE-11D9-BED3-505054503030": ["Registry","Object Access"] + "0CCE921F-69AE-11D9-BED3-505054503030": ["Kernel Object","Object Access"] + "0CCE9220-69AE-11D9-BED3-505054503030": ["SAM","Object Access"] + "0CCE9221-69AE-11D9-BED3-505054503030": ["Certification Services","Object Access"] + "0CCE9222-69AE-11D9-BED3-505054503030": ["Application Generated","Object Access"] + "0CCE9223-69AE-11D9-BED3-505054503030": ["Handle Manipulation","Object Access"] + "0CCE9224-69AE-11D9-BED3-505054503030": ["File Share","Object Access"] + "0CCE9225-69AE-11D9-BED3-505054503030": ["Filtering Platform Packet Drop","Object Access"] + "0CCE9226-69AE-11D9-BED3-505054503030": 
["Filtering Platform Connection ","Object Access"] + "0CCE9227-69AE-11D9-BED3-505054503030": ["Other Object Access Events","Object Access"] + "0CCE9244-69AE-11D9-BED3-505054503030": ["Detailed File Share","Object Access"] + "0CCE9245-69AE-11D9-BED3-505054503030": ["Removable Storage","Object Access"] + "0CCE9246-69AE-11D9-BED3-505054503030": ["Central Policy Staging","Object Access"] + "0CCE9228-69AE-11D9-BED3-505054503030": ["Sensitive Privilege Use","Privilege Use"] + "0CCE9229-69AE-11D9-BED3-505054503030": ["Non Sensitive Privilege Use","Privilege Use"] + "0CCE922A-69AE-11D9-BED3-505054503030": ["Other Privilege Use Events","Privilege Use"] + "0CCE922B-69AE-11D9-BED3-505054503030": ["Process Creation","Detailed Tracking"] + "0CCE922C-69AE-11D9-BED3-505054503030": ["Process Termination","Detailed Tracking"] + "0CCE922D-69AE-11D9-BED3-505054503030": ["DPAPI Activity","Detailed Tracking"] + "0CCE922E-69AE-11D9-BED3-505054503030": ["RPC Events","Detailed Tracking"] + "0CCE9248-69AE-11D9-BED3-505054503030": ["Plug and Play Events","Detailed Tracking"] + "0CCE922F-69AE-11D9-BED3-505054503030": ["Audit Policy Change","Policy Change"] + "0CCE9230-69AE-11D9-BED3-505054503030": ["Authentication Policy Change","Policy Change"] + "0CCE9231-69AE-11D9-BED3-505054503030": ["Authorization Policy Change","Policy Change"] + "0CCE9232-69AE-11D9-BED3-505054503030": ["MPSSVC Rule-Level Policy Change","Policy Change"] + "0CCE9233-69AE-11D9-BED3-505054503030": ["Filtering Platform Policy Change","Policy Change"] + "0CCE9234-69AE-11D9-BED3-505054503030": ["Other Policy Change Events","Policy Change"] + "0CCE9235-69AE-11D9-BED3-505054503030": ["User Account Management","Account Management"] + "0CCE9236-69AE-11D9-BED3-505054503030": ["Computer Account Management","Account Management"] + "0CCE9237-69AE-11D9-BED3-505054503030": ["Security Group Management","Account Management"] + "0CCE9238-69AE-11D9-BED3-505054503030": ["Distribution Group Management","Account Management"] + 
"0CCE9239-69AE-11D9-BED3-505054503030": ["Application Group Management","Account Management"] + "0CCE923A-69AE-11D9-BED3-505054503030": ["Other Account Management Events","Account Management"] + "0CCE923B-69AE-11D9-BED3-505054503030": ["Directory Service Access","Account Management"] + "0CCE923C-69AE-11D9-BED3-505054503030": ["Directory Service Changes","Account Management"] + "0CCE923D-69AE-11D9-BED3-505054503030": ["Directory Service Replication","Account Management"] + "0CCE923E-69AE-11D9-BED3-505054503030": ["Detailed Directory Service Replication","Account Management"] + "0CCE923F-69AE-11D9-BED3-505054503030": ["Credential Validation","Account Logon"] + "0CCE9240-69AE-11D9-BED3-505054503030": ["Kerberos Service Ticket Operations","Account Logon"] + "0CCE9241-69AE-11D9-BED3-505054503030": ["Other Account Logon Events","Account Logon"] + "0CCE9242-69AE-11D9-BED3-505054503030": ["Kerberos Authentication Service","Account Logon"] + source: |- + if (ctx?.winlog?.event_data?.SubcategoryGuid == null) { + return; + } + def subCatGuid = ctx.winlog.event_data.SubcategoryGuid.replace("{","").replace("}","").toUpperCase(); + if (!params.containsKey(subCatGuid)) { + return; + } + ctx.winlog.event_data.put("Category", params[subCatGuid][1]); + ctx.winlog.event_data.put("SubCategory", params[subCatGuid][0]); + - script: + lang: painless + ignore_failure: false + tag: Decode message table + description: Decode message table + params: + "279": "Undefined Access (no effect) Bit 7" + "1536": "Unused message ID" + "1537": "DELETE" + "1538": "READ_CONTROL" + "1539": "WRITE_DAC" + "1540": "WRITE_OWNER" + "1541": "SYNCHRONIZE" + "1542": "ACCESS_SYS_SEC" + "1543": "MAX_ALLOWED" + "1552": "Unknown specific access (bit 0)" + "1553": "Unknown specific access (bit 1)" + "1554": "Unknown specific access (bit 2)" + "1555": "Unknown specific access (bit 3)" + "1556": "Unknown specific access (bit 4)" + "1557": "Unknown specific access (bit 5)" + "1558": "Unknown specific access (bit 6)" + 
"1559": "Unknown specific access (bit 7)" + "1560": "Unknown specific access (bit 8)" + "1561": "Unknown specific access (bit 9)" + "1562": "Unknown specific access (bit 10)" + "1563": "Unknown specific access (bit 11)" + "1564": "Unknown specific access (bit 12)" + "1565": "Unknown specific access (bit 13)" + "1566": "Unknown specific access (bit 14)" + "1567": "Unknown specific access (bit 15)" + "1601": "Not used" + "1603": "Assign Primary Token Privilege" + "1604": "Lock Memory Privilege" + "1605": "Increase Memory Quota Privilege" + "1606": "Unsolicited Input Privilege" + "1607": "Trusted Computer Base Privilege" + "1608": "Security Privilege" + "1609": "Take Ownership Privilege" + "1610": "Load/Unload Driver Privilege" + "1611": "Profile System Privilege" + "1612": "Set System Time Privilege" + "1613": "Profile Single Process Privilege" + "1614": "Increment Base Priority Privilege" + "1615": "Create Pagefile Privilege" + "1616": "Create Permanent Object Privilege" + "1617": "Backup Privilege" + "1618": "Restore From Backup Privilege" + "1619": "Shutdown System Privilege" + "1620": "Debug Privilege" + "1621": "View or Change Audit Log Privilege" + "1622": "Change Hardware Environment Privilege" + "1623": "Change Notify (and Traverse) Privilege" + "1624": "Remotely Shut System Down Privilege" + "1792": "" + "1794": "" + "1795": "Enabled" + "1796": "Disabled" + "1797": "All" + "1798": "None" + "1799": "Audit Policy query/set API Operation" + "1800": "" + "1801": "Granted by" + "1802": "Denied by" + "1803": "Denied by Integrity Policy check" + "1804": "Granted by Ownership" + "1805": "Not granted" + "1806": "Granted by NULL DACL" + "1807": "Denied by Empty DACL" + "1808": "Granted by NULL Security Descriptor" + "1809": "Unknown or unchecked" + "1810": "Not granted due to missing" + "1811": "Granted by ACE on parent folder" + "1812": "Denied by ACE on parent folder" + "1813": "Granted by Central Access Rule" + "1814": "NOT Granted by Central Access Rule" + "1815": 
"Granted by parent folder's Central Access Rule" + "1816": "NOT Granted by parent folder's Central Access Rule" + "1817": "Unknown Type" + "1818": "String" + "1819": "Unsigned 64-bit Integer" + "1820": "64-bit Integer" + "1821": "FQBN" + "1822": "Blob" + "1823": "Sid" + "1824": "Boolean" + "1825": "TRUE" + "1826": "FALSE" + "1827": "Invalid" + "1828": "an ACE too long to display" + "1829": "a Security Descriptor too long to display" + "1830": "Not granted to AppContainers" + "1831": "..." + "1832": "Identification" + "1833": "Impersonation" + "1840": "Delegation" + "1841": "Denied by Process Trust Label ACE" + "1842": "Yes" + "1843": "No" + "1844": "System" + "1845": "Not Available" + "1846": "Default" + "1847": "DisallowMmConfig" + "1848": "Off" + "1849": "Auto" + "1872": "REG_NONE" + "1873": "REG_SZ" + "1874": "REG_EXPAND_SZ" + "1875": "REG_BINARY" + "1876": "REG_DWORD" + "1877": "REG_DWORD_BIG_ENDIAN" + "1878": "REG_LINK" + "1879": "REG_MULTI_SZ (New lines are replaced with *. A * is replaced with **)" + "1880": "REG_RESOURCE_LIST" + "1881": "REG_FULL_RESOURCE_DESCRIPTOR" + "1882": "REG_RESOURCE_REQUIREMENTS_LIST" + "1883": "REG_QWORD" + "1904": "New registry value created" + "1905": "Existing registry value modified" + "1906": "Registry value deleted" + "1920": "Sunday" + "1921": "Monday" + "1922": "Tuesday" + "1923": "Wednesday" + "1924": "Thursday" + "1925": "Friday" + "1926": "Saturday" + "1936": "TokenElevationTypeDefault (1)" + "1937": "TokenElevationTypeFull (2)" + "1938": "TokenElevationTypeLimited (3)" + "2048": "Account Enabled" + "2049": "Home Directory Required' - Disabled" + "2050": "Password Not Required' - Disabled" + "2051": "Temp Duplicate Account' - Disabled" + "2052": "Normal Account' - Disabled" + "2053": "MNS Logon Account' - Disabled" + "2054": "Interdomain Trust Account' - Disabled" + "2055": "Workstation Trust Account' - Disabled" + "2056": "Server Trust Account' - Disabled" + "2057": "Don't Expire Password' - Disabled" + "2058": "Account 
Unlocked" + "2059": "Encrypted Text Password Allowed' - Disabled" + "2060": "Smartcard Required' - Disabled" + "2061": "Trusted For Delegation' - Disabled" + "2062": "Not Delegated' - Disabled" + "2063": "Use DES Key Only' - Disabled" + "2064": "Don't Require Preauth' - Disabled" + "2065": "Password Expired' - Disabled" + "2066": "Trusted To Authenticate For Delegation' - Disabled" + "2067": "Exclude Authorization Information' - Disabled" + "2068": "Undefined UserAccountControl Bit 20' - Disabled" + "2069": "Protect Kerberos Service Tickets with AES Keys' - Disabled" + "2070": "Undefined UserAccountControl Bit 22' - Disabled" + "2071": "Undefined UserAccountControl Bit 23' - Disabled" + "2072": "Undefined UserAccountControl Bit 24' - Disabled" + "2073": "Undefined UserAccountControl Bit 25' - Disabled" + "2074": "Undefined UserAccountControl Bit 26' - Disabled" + "2075": "Undefined UserAccountControl Bit 27' - Disabled" + "2076": "Undefined UserAccountControl Bit 28' - Disabled" + "2077": "Undefined UserAccountControl Bit 29' - Disabled" + "2078": "Undefined UserAccountControl Bit 30' - Disabled" + "2079": "Undefined UserAccountControl Bit 31' - Disabled" + "2080": "Account Disabled" + "2081": "Home Directory Required' - Enabled" + "2082": "Password Not Required' - Enabled" + "2083": "Temp Duplicate Account' - Enabled" + "2084": "Normal Account' - Enabled" + "2085": "MNS Logon Account' - Enabled" + "2086": "Interdomain Trust Account' - Enabled" + "2087": "Workstation Trust Account' - Enabled" + "2088": "Server Trust Account' - Enabled" + "2089": "Don't Expire Password' - Enabled" + "2090": "Account Locked" + "2091": "Encrypted Text Password Allowed' - Enabled" + "2092": "Smartcard Required' - Enabled" + "2093": "Trusted For Delegation' - Enabled" + "2094": "Not Delegated' - Enabled" + "2095": "Use DES Key Only' - Enabled" + "2096": "Don't Require Preauth' - Enabled" + "2097": "Password Expired' - Enabled" + "2098": "Trusted To Authenticate For Delegation' - 
Enabled" + "2099": "Exclude Authorization Information' - Enabled" + "2100": "Undefined UserAccountControl Bit 20' - Enabled" + "2101": "Protect Kerberos Service Tickets with AES Keys' - Enabled" + "2102": "Undefined UserAccountControl Bit 22' - Enabled" + "2103": "Undefined UserAccountControl Bit 23' - Enabled" + "2104": "Undefined UserAccountControl Bit 24' - Enabled" + "2105": "Undefined UserAccountControl Bit 25' - Enabled" + "2106": "Undefined UserAccountControl Bit 26' - Enabled" + "2107": "Undefined UserAccountControl Bit 27' - Enabled" + "2108": "Undefined UserAccountControl Bit 28' - Enabled" + "2109": "Undefined UserAccountControl Bit 29' - Enabled" + "2110": "Undefined UserAccountControl Bit 30' - Enabled" + "2111": "Undefined UserAccountControl Bit 31' - Enabled" + "2304": "An Error occured during Logon." + "2305": "The specified user account has expired." + "2306": "The NetLogon component is not active." + "2307": "Account locked out." + "2308": "The user has not been granted the requested logon type at this machine." + "2309": "The specified account's password has expired." + "2310": "Account currently disabled." + "2311": "Account logon time restriction violation." + "2312": "User not allowed to logon at this computer." + "2313": "Unknown user name or bad password." + "2314": "Domain sid inconsistent." + "2315": "Smartcard logon is required and was not used." + "2432": "Not Available." + "2436": "Random number generator failure." + "2437": "Random number generation failed FIPS-140 pre-hash check." + "2438": "Failed to zero secret data." + "2439": "Key failed pair wise consistency check." + "2448": "Failed to unprotect persistent cryptographic key." + "2449": "Key export checks failed." + "2450": "Validation of public key failed." + "2451": "Signature verification failed." + "2456": "Open key file." + "2457": "Delete key file." + "2458": "Read persisted key from file." + "2459": "Write persisted key to file." 
+ "2464": "Export of persistent cryptographic key." + "2465": "Import of persistent cryptographic key." + "2480": "Open Key." + "2481": "Create Key." + "2482": "Delete Key." + "2483": "Encrypt." + "2484": "Decrypt." + "2485": "Sign hash." + "2486": "Secret agreement." + "2487": "Domain settings" + "2488": "Local settings" + "2489": "Add provider." + "2490": "Remove provider." + "2491": "Add context." + "2492": "Remove context." + "2493": "Add function." + "2494": "Remove function." + "2495": "Add function provider." + "2496": "Remove function provider." + "2497": "Add function property." + "2498": "Remove function property." + "2499": "Machine key." + "2500": "User key." + "2501": "Key Derivation." + "4352": "Device Access Bit 0" + "4353": "Device Access Bit 1" + "4354": "Device Access Bit 2" + "4355": "Device Access Bit 3" + "4356": "Device Access Bit 4" + "4357": "Device Access Bit 5" + "4358": "Device Access Bit 6" + "4359": "Device Access Bit 7" + "4360": "Device Access Bit 8" + "4361": "Undefined Access (no effect) Bit 9" + "4362": "Undefined Access (no effect) Bit 10" + "4363": "Undefined Access (no effect) Bit 11" + "4364": "Undefined Access (no effect) Bit 12" + "4365": "Undefined Access (no effect) Bit 13" + "4366": "Undefined Access (no effect) Bit 14" + "4367": "Undefined Access (no effect) Bit 15" + "4368": "Query directory" + "4369": "Traverse" + "4370": "Create object in directory" + "4371": "Create sub-directory" + "4372": "Undefined Access (no effect) Bit 4" + "4373": "Undefined Access (no effect) Bit 5" + "4374": "Undefined Access (no effect) Bit 6" + "4375": "Undefined Access (no effect) Bit 7" + "4376": "Undefined Access (no effect) Bit 8" + "4377": "Undefined Access (no effect) Bit 9" + "4378": "Undefined Access (no effect) Bit 10" + "4379": "Undefined Access (no effect) Bit 11" + "4380": "Undefined Access (no effect) Bit 12" + "4381": "Undefined Access (no effect) Bit 13" + "4382": "Undefined Access (no effect) Bit 14" + "4383": "Undefined 
Access (no effect) Bit 15" + "4384": "Query event state" + "4385": "Modify event state" + "4386": "Undefined Access (no effect) Bit 2" + "4387": "Undefined Access (no effect) Bit 3" + "4388": "Undefined Access (no effect) Bit 4" + "4389": "Undefined Access (no effect) Bit 5" + "4390": "Undefined Access (no effect) Bit 6" + "4391": "Undefined Access (no effect) Bit 7" + "4392": "Undefined Access (no effect) Bit 8" + "4393": "Undefined Access (no effect) Bit 9" + "4394": "Undefined Access (no effect) Bit 10" + "4395": "Undefined Access (no effect) Bit 11" + "4396": "Undefined Access (no effect) Bit 12" + "4397": "Undefined Access (no effect) Bit 13" + "4398": "Undefined Access (no effect) Bit 14" + "4399": "Undefined Access (no effect) Bit 15" + "4416": "ReadData (or ListDirectory)" + "4417": "WriteData (or AddFile)" + "4418": "AppendData (or AddSubdirectory or CreatePipeInstance)" + "4419": "ReadEA" + "4420": "WriteEA" + "4421": "Execute/Traverse" + "4422": "DeleteChild" + "4423": "ReadAttributes" + "4424": "WriteAttributes" + "4425": "Undefined Access (no effect) Bit 9" + "4426": "Undefined Access (no effect) Bit 10" + "4427": "Undefined Access (no effect) Bit 11" + "4428": "Undefined Access (no effect) Bit 12" + "4429": "Undefined Access (no effect) Bit 13" + "4430": "Undefined Access (no effect) Bit 14" + "4431": "Undefined Access (no effect) Bit 15" + "4432": "Query key value" + "4433": "Set key value" + "4434": "Create sub-key" + "4435": "Enumerate sub-keys" + "4436": "Notify about changes to keys" + "4437": "Create Link" + "4438": "Undefined Access (no effect) Bit 6" + "4439": "Undefined Access (no effect) Bit 7" + "4440": "Enable 64(or 32) bit application to open 64 bit key" + "4441": "Enable 64(or 32) bit application to open 32 bit key" + "4442": "Undefined Access (no effect) Bit 10" + "4443": "Undefined Access (no effect) Bit 11" + "4444": "Undefined Access (no effect) Bit 12" + "4445": "Undefined Access (no effect) Bit 13" + "4446": "Undefined Access (no 
effect) Bit 14" + "4447": "Undefined Access (no effect) Bit 15" + "4448": "Query mutant state" + "4449": "Undefined Access (no effect) Bit 1" + "4450": "Undefined Access (no effect) Bit 2" + "4451": "Undefined Access (no effect) Bit 3" + "4452": "Undefined Access (no effect) Bit 4" + "4453": "Undefined Access (no effect) Bit 5" + "4454": "Undefined Access (no effect) Bit 6" + "4455": "Undefined Access (no effect) Bit 7" + "4456": "Undefined Access (no effect) Bit 8" + "4457": "Undefined Access (no effect) Bit 9" + "4458": "Undefined Access (no effect) Bit 10" + "4459": "Undefined Access (no effect) Bit 11" + "4460": "Undefined Access (no effect) Bit 12" + "4461": "Undefined Access (no effect) Bit 13" + "4462": "Undefined Access (no effect) Bit 14" + "4463": "Undefined Access (no effect) Bit 15" + "4464": "Communicate using port" + "4465": "Undefined Access (no effect) Bit 1" + "4466": "Undefined Access (no effect) Bit 2" + "4467": "Undefined Access (no effect) Bit 3" + "4468": "Undefined Access (no effect) Bit 4" + "4469": "Undefined Access (no effect) Bit 5" + "4470": "Undefined Access (no effect) Bit 6" + "4471": "Undefined Access (no effect) Bit 7" + "4472": "Undefined Access (no effect) Bit 8" + "4473": "Undefined Access (no effect) Bit 9" + "4474": "Undefined Access (no effect) Bit 10" + "4475": "Undefined Access (no effect) Bit 11" + "4476": "Undefined Access (no effect) Bit 12" + "4477": "Undefined Access (no effect) Bit 13" + "4478": "Undefined Access (no effect) Bit 14" + "4479": "Undefined Access (no effect) Bit 15" + "4480": "Force process termination" + "4481": "Create new thread in process" + "4482": "Set process session ID" + "4483": "Perform virtual memory operation" + "4484": "Read from process memory" + "4485": "Write to process memory" + "4486": "Duplicate handle into or out of process" + "4487": "Create a subprocess of process" + "4488": "Set process quotas" + "4489": "Set process information" + "4490": "Query process information" + "4491": "Set 
process termination port" + "4492": "Undefined Access (no effect) Bit 12" + "4493": "Undefined Access (no effect) Bit 13" + "4494": "Undefined Access (no effect) Bit 14" + "4495": "Undefined Access (no effect) Bit 15" + "4496": "Control profile" + "4497": "Undefined Access (no effect) Bit 1" + "4498": "Undefined Access (no effect) Bit 2" + "4499": "Undefined Access (no effect) Bit 3" + "4500": "Undefined Access (no effect) Bit 4" + "4501": "Undefined Access (no effect) Bit 5" + "4502": "Undefined Access (no effect) Bit 6" + "4503": "Undefined Access (no effect) Bit 7" + "4504": "Undefined Access (no effect) Bit 8" + "4505": "Undefined Access (no effect) Bit 9" + "4506": "Undefined Access (no effect) Bit 10" + "4507": "Undefined Access (no effect) Bit 11" + "4508": "Undefined Access (no effect) Bit 12" + "4509": "Undefined Access (no effect) Bit 13" + "4510": "Undefined Access (no effect) Bit 14" + "4511": "Undefined Access (no effect) Bit 15" + "4512": "Query section state" + "4513": "Map section for write" + "4514": "Map section for read" + "4515": "Map section for execute" + "4516": "Extend size" + "4517": "Undefined Access (no effect) Bit 5" + "4518": "Undefined Access (no effect) Bit 6" + "4519": "Undefined Access (no effect) Bit 7" + "4520": "Undefined Access (no effect) Bit 8" + "4521": "Undefined Access (no effect) Bit 9" + "4522": "Undefined Access (no effect) Bit 10" + "4523": "Undefined Access (no effect) Bit 11" + "4524": "Undefined Access (no effect) Bit 12" + "4525": "Undefined Access (no effect) Bit 13" + "4526": "Undefined Access (no effect) Bit 14" + "4527": "Undefined Access (no effect) Bit 15" + "4528": "Query semaphore state" + "4529": "Modify semaphore state" + "4530": "Undefined Access (no effect) Bit 2" + "4531": "Undefined Access (no effect) Bit 3" + "4532": "Undefined Access (no effect) Bit 4" + "4533": "Undefined Access (no effect) Bit 5" + "4534": "Undefined Access (no effect) Bit 6" + "4535": "Undefined Access (no effect) Bit 7" + "4536": 
"Undefined Access (no effect) Bit 8" + "4537": "Undefined Access (no effect) Bit 9" + "4538": "Undefined Access (no effect) Bit 10" + "4539": "Undefined Access (no effect) Bit 11" + "4540": "Undefined Access (no effect) Bit 12" + "4541": "Undefined Access (no effect) Bit 13" + "4542": "Undefined Access (no effect) Bit 14" + "4543": "Undefined Access (no effect) Bit 15" + "4544": "Use symbolic link" + "4545": "Undefined Access (no effect) Bit 1" + "4546": "Undefined Access (no effect) Bit 2" + "4547": "Undefined Access (no effect) Bit 3" + "4548": "Undefined Access (no effect) Bit 4" + "4549": "Undefined Access (no effect) Bit 5" + "4550": "Undefined Access (no effect) Bit 6" + "4551": "Undefined Access (no effect) Bit 7" + "4552": "Undefined Access (no effect) Bit 8" + "4553": "Undefined Access (no effect) Bit 9" + "4554": "Undefined Access (no effect) Bit 10" + "4555": "Undefined Access (no effect) Bit 11" + "4556": "Undefined Access (no effect) Bit 12" + "4557": "Undefined Access (no effect) Bit 13" + "4558": "Undefined Access (no effect) Bit 14" + "4559": "Undefined Access (no effect) Bit 15" + "4560": "Force thread termination" + "4561": "Suspend or resume thread" + "4562": "Send an alert to thread" + "4563": "Get thread context" + "4564": "Set thread context" + "4565": "Set thread information" + "4566": "Query thread information" + "4567": "Assign a token to the thread" + "4568": "Cause thread to directly impersonate another thread" + "4569": "Directly impersonate this thread" + "4570": "Undefined Access (no effect) Bit 10" + "4571": "Undefined Access (no effect) Bit 11" + "4572": "Undefined Access (no effect) Bit 12" + "4573": "Undefined Access (no effect) Bit 13" + "4574": "Undefined Access (no effect) Bit 14" + "4575": "Undefined Access (no effect) Bit 15" + "4576": "Query timer state" + "4577": "Modify timer state" + "4578": "Undefined Access (no effect) Bit 2" + "4579": "Undefined Access (no effect) Bit 3" + "4580": "Undefined Access (no effect) Bit 4" + 
"4581": "Undefined Access (no effect) Bit 5" + "4582": "Undefined Access (no effect) Bit 6" + "4584": "Undefined Access (no effect) Bit 8" + "4585": "Undefined Access (no effect) Bit 9" + "4586": "Undefined Access (no effect) Bit 10" + "4587": "Undefined Access (no effect) Bit 11" + "4588": "Undefined Access (no effect) Bit 12" + "4589": "Undefined Access (no effect) Bit 13" + "4590": "Undefined Access (no effect) Bit 14" + "4591": "Undefined Access (no effect) Bit 15" + "4592": "AssignAsPrimary" + "4593": "Duplicate" + "4594": "Impersonate" + "4595": "Query" + "4596": "QuerySource" + "4597": "AdjustPrivileges" + "4598": "AdjustGroups" + "4599": "AdjustDefaultDacl" + "4600": "AdjustSessionID" + "4601": "Undefined Access (no effect) Bit 9" + "4602": "Undefined Access (no effect) Bit 10" + "4603": "Undefined Access (no effect) Bit 11" + "4604": "Undefined Access (no effect) Bit 12" + "4605": "Undefined Access (no effect) Bit 13" + "4606": "Undefined Access (no effect) Bit 14" + "4607": "Undefined Access (no effect) Bit 15" + "4608": "Create instance of object type" + "4609": "Undefined Access (no effect) Bit 1" + "4610": "Undefined Access (no effect) Bit 2" + "4611": "Undefined Access (no effect) Bit 3" + "4612": "Undefined Access (no effect) Bit 4" + "4613": "Undefined Access (no effect) Bit 5" + "4614": "Undefined Access (no effect) Bit 6" + "4615": "Undefined Access (no effect) Bit 7" + "4616": "Undefined Access (no effect) Bit 8" + "4617": "Undefined Access (no effect) Bit 9" + "4618": "Undefined Access (no effect) Bit 10" + "4619": "Undefined Access (no effect) Bit 11" + "4620": "Undefined Access (no effect) Bit 12" + "4621": "Undefined Access (no effect) Bit 13" + "4622": "Undefined Access (no effect) Bit 14" + "4623": "Undefined Access (no effect) Bit 15" + "4864": "Query State" + "4865": "Modify State" + "5120": "Channel read message" + "5121": "Channel write message" + "5122": "Channel query information" + "5123": "Channel set information" + "5124": 
"Undefined Access (no effect) Bit 4" + "5125": "Undefined Access (no effect) Bit 5" + "5126": "Undefined Access (no effect) Bit 6" + "5127": "Undefined Access (no effect) Bit 7" + "5128": "Undefined Access (no effect) Bit 8" + "5129": "Undefined Access (no effect) Bit 9" + "5130": "Undefined Access (no effect) Bit 10" + "5131": "Undefined Access (no effect) Bit 11" + "5132": "Undefined Access (no effect) Bit 12" + "5133": "Undefined Access (no effect) Bit 13" + "5134": "Undefined Access (no effect) Bit 14" + "5135": "Undefined Access (no effect) Bit 15" + "5136": "Assign process" + "5137": "Set Attributes" + "5138": "Query Attributes" + "5139": "Terminate Job" + "5140": "Set Security Attributes" + "5141": "Undefined Access (no effect) Bit 5" + "5142": "Undefined Access (no effect) Bit 6" + "5143": "Undefined Access (no effect) Bit 7" + "5144": "Undefined Access (no effect) Bit 8" + "5145": "Undefined Access (no effect) Bit 9" + "5146": "Undefined Access (no effect) Bit 10" + "5147": "Undefined Access (no effect) Bit 11" + "5148": "Undefined Access (no effect) Bit 12" + "5149": "Undefined Access (no effect) Bit 13" + "5150": "Undefined Access (no effect) Bit 14" + "5151": "Undefined Access (no effect) Bit 15" + "5376": "ConnectToServer" + "5377": "ShutdownServer" + "5378": "InitializeServer" + "5379": "CreateDomain" + "5380": "EnumerateDomains" + "5381": "LookupDomain" + "5382": "Undefined Access (no effect) Bit 6" + "5383": "Undefined Access (no effect) Bit 7" + "5384": "Undefined Access (no effect) Bit 8" + "5385": "Undefined Access (no effect) Bit 9" + "5386": "Undefined Access (no effect) Bit 10" + "5387": "Undefined Access (no effect) Bit 11" + "5388": "Undefined Access (no effect) Bit 12" + "5389": "Undefined Access (no effect) Bit 13" + "5390": "Undefined Access (no effect) Bit 14" + "5391": "Undefined Access (no effect) Bit 15" + "5392": "ReadPasswordParameters" + "5393": "WritePasswordParameters" + "5394": "ReadOtherParameters" + "5395": 
"WriteOtherParameters" + "5396": "CreateUser" + "5397": "CreateGlobalGroup" + "5398": "CreateLocalGroup" + "5399": "GetLocalGroupMembership" + "5400": "ListAccounts" + "5401": "LookupIDs" + "5402": "AdministerServer" + "5403": "Undefined Access (no effect) Bit 11" + "5404": "Undefined Access (no effect) Bit 12" + "5405": "Undefined Access (no effect) Bit 13" + "5406": "Undefined Access (no effect) Bit 14" + "5407": "Undefined Access (no effect) Bit 15" + "5408": "ReadInformation" + "5409": "WriteAccount" + "5410": "AddMember" + "5411": "RemoveMember" + "5412": "ListMembers" + "5413": "Undefined Access (no effect) Bit 5" + "5414": "Undefined Access (no effect) Bit 6" + "5415": "Undefined Access (no effect) Bit 7" + "5416": "Undefined Access (no effect) Bit 8" + "5417": "Undefined Access (no effect) Bit 9" + "5418": "Undefined Access (no effect) Bit 10" + "5419": "Undefined Access (no effect) Bit 11" + "5420": "Undefined Access (no effect) Bit 12" + "5421": "Undefined Access (no effect) Bit 13" + "5422": "Undefined Access (no effect) Bit 14" + "5423": "Undefined Access (no effect) Bit 15" + "5424": "AddMember" + "5425": "RemoveMember" + "5426": "ListMembers" + "5427": "ReadInformation" + "5428": "WriteAccount" + "5429": "Undefined Access (no effect) Bit 5" + "5430": "Undefined Access (no effect) Bit 6" + "5431": "Undefined Access (no effect) Bit 7" + "5432": "Undefined Access (no effect) Bit 8" + "5433": "Undefined Access (no effect) Bit 9" + "5434": "Undefined Access (no effect) Bit 10" + "5435": "Undefined Access (no effect) Bit 11" + "5436": "Undefined Access (no effect) Bit 12" + "5437": "Undefined Access (no effect) Bit 13" + "5438": "Undefined Access (no effect) Bit 14" + "5439": "Undefined Access (no effect) Bit 15" + "5440": "ReadGeneralInformation" + "5441": "ReadPreferences" + "5442": "WritePreferences" + "5443": "ReadLogon" + "5444": "ReadAccount" + "5445": "WriteAccount" + "5446": "ChangePassword (with knowledge of old password)" + "5447": "SetPassword 
(without knowledge of old password)" + "5448": "ListGroups" + "5449": "ReadGroupMembership" + "5450": "ChangeGroupMembership" + "5451": "Undefined Access (no effect) Bit 11" + "5452": "Undefined Access (no effect) Bit 12" + "5453": "Undefined Access (no effect) Bit 13" + "5454": "Undefined Access (no effect) Bit 14" + "5455": "Undefined Access (no effect) Bit 15" + "5632": "View non-sensitive policy information" + "5633": "View system audit requirements" + "5634": "Get sensitive policy information" + "5635": "Modify domain trust relationships" + "5636": "Create special accounts (for assignment of user rights)" + "5637": "Create a secret object" + "5638": "Create a privilege" + "5639": "Set default quota limits" + "5640": "Change system audit requirements" + "5641": "Administer audit log attributes" + "5642": "Enable/Disable LSA" + "5643": "Lookup Names/SIDs" + "5648": "Change secret value" + "5649": "Query secret value" + "5650": "Undefined Access (no effect) Bit 2" + "5651": "Undefined Access (no effect) Bit 3" + "5652": "Undefined Access (no effect) Bit 4" + "5653": "Undefined Access (no effect) Bit 5" + "5654": "Undefined Access (no effect) Bit 6" + "5655": "Undefined Access (no effect) Bit 7" + "5656": "Undefined Access (no effect) Bit 8" + "5657": "Undefined Access (no effect) Bit 9" + "5658": "Undefined Access (no effect) Bit 10" + "5659": "Undefined Access (no effect) Bit 11" + "5660": "Undefined Access (no effect) Bit 12" + "5661": "Undefined Access (no effect) Bit 13" + "5662": "Undefined Access (no effect) Bit 14" + "5663": "Undefined Access (no effect) Bit 15" + "5664": "Query trusted domain name/SID" + "5665": "Retrieve the controllers in the trusted domain" + "5666": "Change the controllers in the trusted domain" + "5667": "Query the Posix ID offset assigned to the trusted domain" + "5668": "Change the Posix ID offset assigned to the trusted domain" + "5669": "Undefined Access (no effect) Bit 5" + "5670": "Undefined Access (no effect) Bit 6" + "5671": 
"Undefined Access (no effect) Bit 7" + "5672": "Undefined Access (no effect) Bit 8" + "5673": "Undefined Access (no effect) Bit 9" + "5674": "Undefined Access (no effect) Bit 10" + "5675": "Undefined Access (no effect) Bit 11" + "5676": "Undefined Access (no effect) Bit 12" + "5677": "Undefined Access (no effect) Bit 13" + "5678": "Undefined Access (no effect) Bit 14" + "5679": "Undefined Access (no effect) Bit 15" + "5680": "Query account information" + "5681": "Change privileges assigned to account" + "5682": "Change quotas assigned to account" + "5683": "Change logon capabilities assigned to account" + "5684": "Change the Posix ID offset assigned to the accounted domain" + "5685": "Undefined Access (no effect) Bit 5" + "5686": "Undefined Access (no effect) Bit 6" + "5687": "Undefined Access (no effect) Bit 7" + "5688": "Undefined Access (no effect) Bit 8" + "5689": "Undefined Access (no effect) Bit 9" + "5690": "Undefined Access (no effect) Bit 10" + "5691": "Undefined Access (no effect) Bit 11" + "5692": "Undefined Access (no effect) Bit 12" + "5693": "Undefined Access (no effect) Bit 13" + "5694": "Undefined Access (no effect) Bit 14" + "5695": "Undefined Access (no effect) Bit 15" + "5696": "KeyedEvent Wait" + "5697": "KeyedEvent Wake" + "5698": "Undefined Access (no effect) Bit 2" + "5699": "Undefined Access (no effect) Bit 3" + "5700": "Undefined Access (no effect) Bit 4" + "5701": "Undefined Access (no effect) Bit 5" + "5702": "Undefined Access (no effect) Bit 6" + "5703": "Undefined Access (no effect) Bit 7" + "5704": "Undefined Access (no effect) Bit 8" + "5705": "Undefined Access (no effect) Bit 9" + "5706": "Undefined Access (no effect) Bit 10" + "5707": "Undefined Access (no effect) Bit 11" + "5708": "Undefined Access (no effect) Bit 12" + "5709": "Undefined Access (no effect) Bit 13" + "5710": "Undefined Access (no effect) Bit 14" + "5711": "Undefined Access (no effect) Bit 15" + "6656": "Enumerate desktops" + "6657": "Read attributes" + "6658": 
"Access Clipboard" + "6659": "Create desktop" + "6660": "Write attributes" + "6661": "Access global atoms" + "6662": "Exit windows" + "6663": "Unused Access Flag" + "6664": "Include this windowstation in enumerations" + "6665": "Read screen" + "6672": "Read Objects" + "6673": "Create window" + "6674": "Create menu" + "6675": "Hook control" + "6676": "Journal (record)" + "6677": "Journal (playback)" + "6678": "Include this desktop in enumerations" + "6679": "Write objects" + "6680": "Switch to this desktop" + "6912": "Administer print server" + "6913": "Enumerate printers" + "6930": "Full Control" + "6931": "Print" + "6948": "Administer Document" + "7168": "Connect to service controller" + "7169": "Create a new service" + "7170": "Enumerate services" + "7171": "Lock service database for exclusive access" + "7172": "Query service database lock state" + "7173": "Set last-known-good state of service database" + "7184": "Query service configuration information" + "7185": "Set service configuration information" + "7186": "Query status of service" + "7187": "Enumerate dependencies of service" + "7188": "Start the service" + "7189": "Stop the service" + "7190": "Pause or continue the service" + "7191": "Query information from service" + "7192": "Issue service-specific control commands" + "7424": "DDE Share Read" + "7425": "DDE Share Write" + "7426": "DDE Share Initiate Static" + "7427": "DDE Share Initiate Link" + "7428": "DDE Share Request" + "7429": "DDE Share Advise" + "7430": "DDE Share Poke" + "7431": "DDE Share Execute" + "7432": "DDE Share Add Items" + "7433": "DDE Share List Items" + "7680": "Create Child" + "7681": "Delete Child" + "7682": "List Contents" + "7683": "Write Self" + "7684": "Read Property" + "7685": "Write Property" + "7686": "Delete Tree" + "7687": "List Object" + "7688": "Control Access" + "7689": "Undefined Access (no effect) Bit 9" + "7690": "Undefined Access (no effect) Bit 10" + "7691": "Undefined Access (no effect) Bit 11" + "7692": "Undefined 
Access (no effect) Bit 12" + "7693": "Undefined Access (no effect) Bit 13" + "7694": "Undefined Access (no effect) Bit 14" + "7695": "Undefined Access (no effect) Bit 15" + "7936": "Audit Set System Policy" + "7937": "Audit Query System Policy" + "7938": "Audit Set Per User Policy" + "7939": "Audit Query Per User Policy" + "7940": "Audit Enumerate Users" + "7941": "Audit Set Options" + "7942": "Audit Query Options" + "8064": "Port sharing (read)" + "8065": "Port sharing (write)" + "8096": "Default credentials" + "8097": "Credentials manager" + "8098": "Fresh credentials" + "8192": "Kerberos" + "8193": "Preshared key" + "8194": "Unknown authentication" + "8195": "DES" + "8196": "3DES" + "8197": "MD5" + "8198": "SHA1" + "8199": "Local computer" + "8200": "Remote computer" + "8201": "No state" + "8202": "Sent first (SA) payload" + "8203": "Sent second (KE) payload" + "8204": "Sent third (ID) payload" + "8205": "Initiator" + "8206": "Responder" + "8207": "No state" + "8208": "Sent first (SA) payload" + "8209": "Sent final payload" + "8210": "Complete" + "8211": "Unknown" + "8212": "Transport" + "8213": "Tunnel" + "8214": "IKE/AuthIP DoS prevention mode started" + "8215": "IKE/AuthIP DoS prevention mode stopped" + "8216": "Enabled" + "8217": "Not enabled" + "8218": "No state" + "8219": "Sent first (EM attributes) payload" + "8220": "Sent second (SSPI) payload" + "8221": "Sent third (hash) payload" + "8222": "IKEv1" + "8223": "AuthIP" + "8224": "Anonymous" + "8225": "NTLM V2" + "8226": "CGA" + "8227": "Certificate" + "8228": "SSL" + "8229": "None" + "8230": "DH group 1" + "8231": "DH group 2" + "8232": "DH group 14" + "8233": "DH group ECP 256" + "8234": "DH group ECP 384" + "8235": "AES-128" + "8236": "AES-192" + "8237": "AES-256" + "8238": "Certificate ECDSA P256" + "8239": "Certificate ECDSA P384" + "8240": "SSL ECDSA P256" + "8241": "SSL ECDSA P384" + "8242": "SHA 256" + "8243": "SHA 384" + "8244": "IKEv2" + "8245": "EAP payload sent" + "8246": "Authentication 
payload sent" + "8247": "EAP" + "8248": "DH group 24" + "8272": "System" + "8273": "Logon/Logoff" + "8274": "Object Access" + "8275": "Privilege Use" + "8276": "Detailed Tracking" + "8277": "Policy Change" + "8278": "Account Management" + "8279": "DS Access" + "8280": "Account Logon" + "8448": "Success removed" + "8449": "Success Added" + "8450": "Failure removed" + "8451": "Failure Added" + "8452": "Success include removed" + "8453": "Success include added" + "8454": "Success exclude removed" + "8455": "Success exclude added" + "8456": "Failure include removed" + "8457": "Failure include added" + "8458": "Failure exclude removed" + "8459": "Failure exclude added" + "12288": "Security State Change" + "12289": "Security System Extension" + "12290": "System Integrity" + "12291": "IPsec Driver" + "12292": "Other System Events" + "12544": "Logon" + "12545": "Logoff" + "12546": "Account Lockout" + "12547": "IPsec Main Mode" + "12548": "Special Logon" + "12549": "IPsec Quick Mode" + "12550": "IPsec Extended Mode" + "12551": "Other Logon/Logoff Events" + "12552": "Network Policy Server" + "12553": "User / Device Claims" + "12554": "Group Membership" + "12800": "File System" + "12801": "Registry" + "12802": "Kernel Object" + "12803": "SAM" + "12804": "Other Object Access Events" + "12805": "Certification Services" + "12806": "Application Generated" + "12807": "Handle Manipulation" + "12808": "File Share" + "12809": "Filtering Platform Packet Drop" + "12810": "Filtering Platform Connection" + "12811": "Detailed File Share" + "12812": "Removable Storage" + "12813": "Central Policy Staging" + "13056": "Sensitive Privilege Use" + "13057": "Non Sensitive Privilege Use" + "13058": "Other Privilege Use Events" + "13312": "Process Creation" + "13313": "Process Termination" + "13314": "DPAPI Activity" + "13315": "RPC Events" + "13316": "Plug and Play Events" + "13317": "Token Right Adjusted Events" + "13568": "Audit Policy Change" + "13569": "Authentication Policy Change" + 
"13570": "Authorization Policy Change" + "13571": "MPSSVC Rule-Level Policy Change" + "13572": "Filtering Platform Policy Change" + "13573": "Other Policy Change Events" + "13824": "User Account Management" + "13825": "Computer Account Management" + "13826": "Security Group Management" + "13827": "Distribution Group Management" + "13828": "Application Group Management" + "13829": "Other Account Management Events" + "14080": "Directory Service Access" + "14081": "Directory Service Changes" + "14082": "Directory Service Replication" + "14083": "Detailed Directory Service Replication" + "14336": "Credential Validation" + "14337": "Kerberos Service Ticket Operations" + "14338": "Other Account Logon Events" + "14339": "Kerberos Authentication Service" + "14592": "Inbound" + "14593": "Outbound" + "14594": "Forward" + "14595": "Bidirectional" + "14596": "IP Packet" + "14597": "Transport" + "14598": "Forward" + "14599": "Stream" + "14600": "Datagram Data" + "14601": "ICMP Error" + "14602": "MAC 802.3" + "14603": "MAC Native" + "14604": "vSwitch" + "14608": "Resource Assignment" + "14609": "Listen" + "14610": "Receive/Accept" + "14611": "Connect" + "14612": "Flow Established" + "14614": "Resource Release" + "14615": "Endpoint Closure" + "14616": "Connect Redirect" + "14617": "Bind Redirect" + "14624": "Stream Packet" + "14640": "ICMP Echo-Request" + "14641": "vSwitch Ingress" + "14642": "vSwitch Egress" + "14672": "" + "14673": "[NULL]" + "14674": "Value Added" + "14675": "Value Deleted" + "14676": "Active Directory Domain Services" + "14677": "Active Directory Lightweight Directory Services" + "14678": "Yes" + "14679": "No" + "14680": "Value Added With Expiration Time" + "14681": "Value Deleted With Expiration Time" + "14688": "Value Auto Deleted With Expiration Time" + "16384": "Add" + "16385": "Delete" + "16386": "Boot-time" + "16387": "Persistent" + "16388": "Not persistent" + "16389": "Block" + "16390": "Permit" + "16391": "Callout" + "16392": "MD5" + "16393": "SHA-1" 
+ "16394": "SHA-256" + "16395": "AES-GCM 128" + "16396": "AES-GCM 192" + "16397": "AES-GCM 256" + "16398": "DES" + "16399": "3DES" + "16400": "AES-128" + "16401": "AES-192" + "16402": "AES-256" + "16403": "Transport" + "16404": "Tunnel" + "16405": "Responder" + "16406": "Initiator" + "16407": "AES-GMAC 128" + "16408": "AES-GMAC 192" + "16409": "AES-GMAC 256" + "16416": "AuthNoEncap Transport" + "16896": "Enable WMI Account" + "16897": "Execute Method" + "16898": "Full Write" + "16899": "Partial Write" + "16900": "Provider Write" + "16901": "Remote Access" + "16902": "Subscribe" + "16903": "Publish" + source: |- + if (ctx?.winlog?.event_data?.FailureReason != null) { + def code = ctx.winlog.event_data.FailureReason.replace("%%",""); + if (params.containsKey(code)) { + if (ctx?.winlog?.logon == null ) { + HashMap hm = new HashMap(); + ctx.winlog.put("logon", hm); + } + if (ctx?.winlog?.logon?.failure == null) { + HashMap hm = new HashMap(); + ctx.winlog.logon.put("failure", hm); + } + ctx.winlog.logon.failure.put("reason", params[code]); + } + } + if (ctx?.winlog?.event_data?.AuditPolicyChanges != null) { + ArrayList results = new ArrayList(); + for (elem in ctx.winlog.event_data.AuditPolicyChanges.splitOnToken(",")) { + def code = elem.replace("%%","").trim(); + if (params.containsKey(code)) { + results.add(params[code]); + } + } + if (results.length > 0) { + ctx.winlog.event_data.put("AuditPolicyChangesDescription", results); + } + } + if (ctx?.winlog?.event_data?.AccessMask != null) { + ArrayList results = new ArrayList(); + for (elem in ctx.winlog.event_data.AccessMask) { + def code = elem.replace("%%","").trim(); + if (params.containsKey(code)) { + results.add(params[code]); + } + } + if (results.length > 0) { + ctx.winlog.event_data.put("AccessMaskDescription", results); + } + } + - script: + lang: painless + ignore_failure: false + tag: 4625 and 4776 Set Status and SubStatus + description: 4625 and 4776 Set Status and SubStatus + params: + "0xc000005e": "There 
are currently no logon servers available to service the logon request." + "0xc0000064": "User logon with misspelled or bad user account" + "0xc000006a": "User logon with misspelled or bad password" + "0xc000006d": "This is either due to a bad username or authentication information" + "0xc000006e": "Unknown user name or bad password." + "0xc000006f": "User logon outside authorized hours" + "0xc0000070": "User logon from unauthorized workstation" + "0xc0000071": "User logon with expired password" + "0xc0000072": "User logon to account disabled by administrator" + "0xc00000dc": "Indicates the Sam Server was in the wrong state to perform the desired operation." + "0xc0000133": "Clocks between DC and other computer too far out of sync" + "0xc000015b": "The user has not been granted the requested logon type (aka logon right) at this machine" + "0xc000018c": "The logon request failed because the trust relationship between the primary domain and the trusted domain failed." + "0xc0000192": "An attempt was made to logon, but the Netlogon service was not started." + "0xc0000193": "User logon with expired account" + "0xc0000224": "User is required to change password at next logon" + "0xc0000225": "Evidently a bug in Windows and not a risk" + "0xc0000234": "User logon with account locked" + "0xc00002ee": "Failure Reason: An Error occurred during Logon" + "0xc0000413": "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine." + "0xc0000371": "The local account store does not contain secret material for the specified account" + "0x0": "Status OK." 
+ source: |- + if (ctx?.winlog?.event_data?.Status == null || + ctx?.event?.code == null || + !["4625", "4776"].contains(ctx.event.code)) { + return; + } + if (params.containsKey(ctx.winlog.event_data.Status)) { + if (ctx?.winlog?.logon == null ) { + HashMap hm = new HashMap(); + ctx.winlog.put("logon", hm); + } + if (ctx?.winlog?.logon?.failure == null) { + HashMap hm = new HashMap(); + ctx.winlog.logon.put("failure", hm); + } + ctx.winlog.logon.failure.put("status", params[ctx.winlog.event_data.Status]); + } + if (ctx?.winlog?.event_data?.SubStatus == null || !params.containsKey(ctx.winlog.event_data.SubStatus)) { + return; + } + if (ctx?.winlog?.logon == null ) { + HashMap hm = new HashMap(); + ctx.winlog.put("logon", hm); + } + if (ctx?.winlog?.logon?.failure == null) { + HashMap hm = new HashMap(); + ctx.winlog.logon.put("failure", hm); + } + ctx.winlog.logon.failure.put("sub_status", params[ctx.winlog.event_data.SubStatus]); + - script: + lang: painless + ignore_failure: false + tag: Set Trust Type + description: Set Trust Type + params: + "1": "TRUST_TYPE_DOWNLEVEL" + "2": "TRUST_TYPE_UPLEVEL" + "3": "TRUST_TYPE_MIT" + "4": "TRUST_TYPE_DCE" + source: |- + if (ctx?.winlog?.event_data?.TdoType == null) { + return; + } + if (!params.containsKey(ctx.winlog.event_data.TdoType)) { + return; + } + ctx.winlog.put("trustType", params[ctx.winlog.event_data.TdoType]); + - script: + lang: painless + ignore_failure: false + tag: Set Trust Direction + description: Set Trust Direction + params: + "0": "TRUST_DIRECTION_DISABLED" + "1": "TRUST_DIRECTION_INBOUND" + "2": "TRUST_DIRECTION_OUTBOUND" + "3": "TRUST_DIRECTION_BIDIRECTIONAL" + source: |- + if (ctx?.winlog?.event_data?.TdoDirection == null) { + return; + } + if (!params.containsKey(ctx.winlog.event_data.TdoDirection)) { + return; + } + ctx.winlog.put("trustDirection", params[ctx.winlog.event_data.TdoDirection]); + - script: + lang: painless + ignore_failure: false + tag: Set Trust Attributes + description: Set Trust 
Attributes + params: + "0": "UNDEFINED" + "1": "TRUST_ATTRIBUTE_NON_TRANSITIVE" + "2": "TRUST_ATTRIBUTE_UPLEVEL_ONLY" + "4": "TRUST_ATTRIBUTE_QUARANTINED_DOMAIN" + "8": "TRUST_ATTRIBUTE_FOREST_TRANSITIVE" + "16": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION" + "32": "TRUST_ATTRIBUTE_WITHIN_FOREST" + "64": "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL" + "128": "TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION" + "512": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION" + "1024": "TRUST_ATTRIBUTE_PIM_TRUST" + source: |- + if (ctx?.winlog?.event_data?.TdoAttributes == null) { + return; + } + if (!params.containsKey(ctx.winlog.event_data.TdoAttributes)) { + return; + } + ctx.winlog.put("trustAttribute", params[ctx.winlog.event_data.TdoAttributes]); + - script: + lang: painless + ignore_failure: false + tag: Add Session Events + description: Add Session Events + source: |- + if (ctx?.event?.code == null || + !["4778", "4779"].contains(ctx.event.code)) { + return; + } + //AccountName to user.name and related.user + if (ctx?.winlog?.event_data?.AccountName != null) { + if (ctx?.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + if (ctx?.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx?.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + ctx.user.put("name", ctx.winlog.event_data.AccountName); + if (!ctx.related.user.contains(ctx.winlog.event_data.AccountName)) { + ctx.related.user.add(ctx.winlog.event_data.AccountName); + } + } + + //AccountDomain to user.domain + if (ctx?.winlog?.event_data?.AccountDomain != null) { + if (ctx?.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + ctx.user.put("domain", ctx.winlog.event_data.AccountDomain); + } + + //ClientAddress to source.ip and related.ip + if (ctx?.winlog?.event_data?.ClientAddress != null && + ctx.winlog.event_data.ClientAddress != "-") { + if (ctx?.source == null) { + HashMap hm = new HashMap(); + ctx.put("source", 
hm); + } + if (ctx?.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx?.related?.ip == null) { + ArrayList al = new ArrayList(); + ctx.related.put("ip", al); + } + ctx.source.put("ip", ctx.winlog.event_data.ClientAddress); + if (!ctx.related.ip.contains(ctx.winlog.event_data.ClientAddress)) { + ctx.related.ip.add(ctx.winlog.event_data.ClientAddress); + } + } + + //ClientName to source.domain + if (ctx?.winlog?.event_data?.ClientName != null) { + if (ctx?.source == null) { + HashMap hm = new HashMap(); + ctx.put("source", hm); + } + ctx.source.put("domain", ctx.winlog.event_data.ClientName); + } + + //LogonID to winlog.logon.id + if (ctx?.winlog?.event_data?.LogonID != null) { + if (ctx?.winlog?.logon == null) { + HashMap hm = new HashMap(); + ctx.winlog.put("logon", hm); + } + ctx.winlog.logon.put("id", ctx.winlog.event_data.LogonID); + } + + - script: + lang: painless + ignore_failure: false + tag: Copy Target User + description: Copy Target User + source: |- + if (ctx?.event?.code == null || + !["4624", "4625", "4634", "4647", "4648", "4768", "4769", "4770", + "4771", "4776", "4964"].contains(ctx.event.code)) { + return; + } + + //TargetUserSid to user.id or user.target.id + if (ctx?.winlog?.event_data?.TargetUserSid != null) { + if (ctx?.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + if (ctx?.user?.id == null) { + ctx.user.put("id", ctx.winlog.event_data.TargetUserSid); + } else { + if (ctx?.user?.target == null) { + HashMap hm = new HashMap(); + ctx.user.put("target", hm); + } + ctx.user.target.put("id", ctx.winlog.event_data.TargetUserSid); + } + } + //TargetUserName to related.user and user.name or user.target.name + if (ctx?.winlog?.event_data?.TargetUserName != null) { + def tun = ctx.winlog.event_data.TargetUserName.splitOnToken("@"); + if (ctx?.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + if (ctx?.user?.name == null) { + ctx.user.put("name", tun[0]); + } else { 
+ if (ctx?.user?.target == null) { + HashMap hm = new HashMap(); + ctx.user.put("target", hm); + } + ctx.user.target.put("name", tun[0]); + } + if (ctx?.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx?.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + if (!ctx.related.user.contains(tun[0])) { + ctx.related.user.add(tun[0]); + } + } + //TargetUserDomain to user.domain or user.target.domain + if (ctx?.winlog?.event_data?.TargetDomainName != null) { + if (ctx?.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + if (ctx?.user?.domain == null) { + ctx.user.put("domain", ctx.winlog.event_data.TargetDomainName); + } else { + if (ctx?.user?.target == null){ + HashMap hm = new HashMap(); + ctx.user.put("target", hm); + } + ctx.user.target.put("domain", ctx.winlog.event_data.TargetDomainName); + } + } + - script: + lang: painless + ignore_failure: false + tag: Copy MemberName to User and User to Group + description: Copy MemberName to User and User to Group + source: |- + if (ctx?.event?.code == null || + !["4727", "4728", "4729", "4730", "4731", "4732", "4733", "4734", "4735", + "4737", "4744", "4745", "4746", "4747", "4748", "4749", "4750", "4751", + "4752", "4753", "4754", "4755", "4756", "4757", "4758", "4759", "4760", + "4761", "4762", "4763", "4764", "4799"].contains(ctx.event.code)) { + return; + } + if (ctx?.winlog?.event_data?.MemberName != null) { + def memberNameParts = ctx.winlog.event_data.MemberName.splitOnToken(","); + def memberName = memberNameParts[0].replace("CN=","").replace("cn=",""); + if (ctx?.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx?.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + if (ctx?.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + if (ctx?.user?.target == null){ + HashMap hm = new HashMap(); + ctx.user.put("target", 
hm); + } + ctx.user.target.put("name", memberName); + if (!ctx.related.user.contains(memberName)) { + ctx.related.user.add(memberName); + } + } + if (ctx?.winlog?.event_data?.TargetUserSid != null) { + if (ctx?.group == null) { + HashMap hm = new HashMap(); + ctx.put("group", hm); + } + ctx.group.put("id", ctx.winlog.event_data.TargetUserSid); + } + if (ctx?.winlog?.event_data?.TargetSid != null) { + if (ctx?.group == null) { + HashMap hm = new HashMap(); + ctx.put("group", hm); + } + ctx.group.put("id", ctx.winlog.event_data.TargetSid); + } + if (ctx?.winlog?.event_data?.TargetUserName != null) { + if (ctx?.group == null) { + HashMap hm = new HashMap(); + ctx.put("group", hm); + } + ctx.group.put("name", ctx.winlog.event_data.TargetUserName); + } + if (ctx?.winlog?.event_data?.TargetDomainName != null) { + if (ctx?.group == null) { + HashMap hm = new HashMap(); + ctx.put("group", hm); + } + ctx.group.put("domain", ctx.winlog.event_data.TargetDomainName); + } + if (ctx?.user?.target != null) { + if (ctx?.user?.target?.group == null) { + HashMap hm = new HashMap(); + ctx.user.target.put("group", hm); + } + if (ctx?.group?.id != null) { + ctx.user.target.group.put("id", ctx.group.id); + } + if (ctx?.group?.name != null) { + ctx.user.target.group.put("name", ctx.group.name); + } + if (ctx?.group?.domain != null) { + ctx.user.target.group.put("domain", ctx.group.domain); + } + } + + - script: + lang: painless + ignore_failure: false + tag: Copy Target User to Computer Object + description: Copy Target User to Computer Object + source: |- + if (ctx?.event?.code == null || + !["4741", "4742", "4743"].contains(ctx.event.code)) { + return; + } + if (ctx?.winlog?.event_data?.TargetSid != null) { + if (ctx?.winlog?.computerObject == null) { + HashMap hm = new HashMap(); + ctx.winlog.put("computerObject", hm); + } + ctx.winlog.computerObject.put("id", ctx.winlog.event_data.TargetSid); + } + if (ctx?.winlog?.event_data?.TargetUserName != null) { + if 
(ctx?.winlog?.computerObject == null) { + HashMap hm = new HashMap(); + ctx.winlog.put("computerObject", hm); + } + ctx.winlog.computerObject.put("name", ctx.winlog.event_data.TargetUserName); + } + if (ctx?.winlog?.event_data?.TargetDomainName != null) { + if (ctx?.winlog?.computerObject == null) { + HashMap hm = new HashMap(); + ctx.winlog.put("computerObject", hm); + } + ctx.winlog.computerObject.put("domain", ctx.winlog.event_data.TargetDomainName); + } + + - set: + field: winlog.logon.id + copy_from: winlog.event_data.TargetLogonId + ignore_failure: false + if: ctx?.event?.code != null && ["4634", "4647", "4964"].contains(ctx.event.code) + + - script: + lang: painless + ignore_failure: false + tag: Copy Subject User from Event Data + description: Copy Subject User from Event Data + source: |- + if (ctx?.event?.code == null || + !["4657", "4670", "4672", "4673", "4674", "4688", "4689", "4697", + "4698", "4699", "4700", "4701", "4702", "4706", "4707", "4713", + "4716", "4717", "4718", "4719", "4720", "4722", "4723", "4724", + "4725", "4726", "4727", "4728", "4729", "4730", "4731", "4732", + "4733", "4734", "4735", "4737", "4738", "4739", "4740", "4741", + "4742", "4743", "4744", "4745", "4746", "4747", "4748", "4749", + "4750", "4751", "4752", "4753", "4754", "4755", "4756", "4757", + "4758", "4759", "4760", "4761", "4762", "4763", "4764", "4767", + "4781", "4798", "4799", "4817", "4904", "4905", "4907", "4912"].contains(ctx.event.code)) { + return; + } + if (ctx?.winlog?.event_data?.SubjectUserSid != null) { + if (ctx?.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + ctx.user.put("id", ctx.winlog.event_data.SubjectUserSid); + } + if (ctx?.winlog?.event_data?.SubjectUserName != null) { + if (ctx?.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + if (ctx?.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx?.related?.user == null) { + ArrayList al = new ArrayList(); + 
ctx.related.put("user", al); + } + ctx.user.put("name", ctx.winlog.event_data.SubjectUserName); + if (!ctx.related.user.contains(ctx.winlog.event_data.SubjectUserName)) { + ctx.related.user.add(ctx.winlog.event_data.SubjectUserName); + } + } + if (ctx?.winlog?.event_data?.SubjectDomainName != null) { + if (ctx?.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + ctx.user.put("domain", ctx.winlog.event_data.SubjectDomainName); + } + + - script: + lang: painless + ignore_failure: false + tag: Copy Subject User from user_data + description: Copy Subject User from user_data + source: |- + if (ctx?.event?.code == null || + !["1102"].contains(ctx.event.code)) { + return; + } + if (ctx?.winlog?.user_data?.SubjectUserSid != null) { + if (ctx?.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + ctx.user.put("id", ctx.winlog.user_data.SubjectUserSid); + } + if (ctx?.winlog?.user_data?.SubjectUserName != null) { + if (ctx?.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + if (ctx?.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx?.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + ctx.user.put("name", ctx.winlog.user_data.SubjectUserName); + if (!ctx.related.user.contains(ctx.winlog.user_data.SubjectUserName)) { + ctx.related.user.add(ctx.winlog.user_data.SubjectUserName); + } + } + if (ctx?.winlog?.user_data?.SubjectDomainName != null) { + if (ctx?.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + ctx.user.put("domain", ctx.winlog.user_data.SubjectDomainName); + } + + - set: + field: winlog.logon.id + copy_from: winlog.event_data.SubjectLogonId + ignore_failure: true + + - set: + field: winlog.logon.id + copy_from: winlog.user_data.SubjectLogonId + ignore_failure: true + if: |- + ctx?.event?.code != null && + ["1102"].contains(ctx.event.code) + + - script: + lang: painless + ignore_failure: false + 
tag: Rename Common Auth Fields + description: Rename Common Auth Fields + source: |- + if (ctx?.event?.code == null || + !["1100", "1102", "1104", "1105", "1108", "4624", "4648", "4625", + "4670", "4673", "4674", "4689", "4697", "4719", "4720", "4722", + "4723", "4724", "4725", "4726", "4727", "4728", "4729", "4730", + "4731", "4732", "4733", "4734", "4735", "4737", "4738", "4740", + "4741", "4742", "4743", "4744", "4745", "4746", "4747", "4748", + "4749", "4750", "4751", "4752", "4753", "4754", "4755", "4756", + "4757", "4758", "4759", "4760", "4761", "4762", "4763", "4764", + "4767", "4768", "4769", "4770", "4771", "4798", "4799", "4817", + "4904", "4905", "4907", "4912"].contains(ctx.event.code)) { + return; + } + if (ctx?.winlog?.event_data?.ProcessId != null) { + if (ctx?.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + if (ctx.winlog.event_data.ProcessId instanceof String) { + Long pid = Long.decode(ctx.winlog.event_data.ProcessId); + ctx.process.put("pid", pid.longValue()); + } else { + ctx.process.put("pid", ctx.winlog.event_data.ProcessId); + } + ctx.winlog.event_data.remove("ProcessId"); + } + if (ctx?.winlog?.event_data?.ProcessName != null) { + if (ctx?.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + ctx.process.put("executable", ctx.winlog.event_data.ProcessName); + ctx.winlog.event_data.remove("ProcessName"); + } + if (ctx?.winlog?.event_data?.IpAddress != null && + ctx.winlog.event_data.IpAddress != "-") { + if (ctx?.source == null) { + HashMap hm = new HashMap(); + ctx.put("source", hm); + } + ctx.source.put("ip", ctx.winlog.event_data.IpAddress); + ctx.winlog.event_data.remove("IpAddress"); + } + if (ctx?.winlog?.event_data?.IpPort != null && ctx.winlog.event_data.IpPort != "-") { + if (ctx?.source == null) { + HashMap hm = new HashMap(); + ctx.put("source", hm); + } + ctx.source.put("port", Long.decode(ctx.winlog.event_data.IpPort)); + ctx.winlog.event_data.remove("IpPort"); + } + if 
(ctx?.winlog?.event_data?.WorkstationName != null) { + if (ctx?.source == null) { + HashMap hm = new HashMap(); + ctx.put("source", hm); + } + ctx.source.put("domain", ctx.winlog.event_data.WorkstationName); + ctx.winlog.event_data.remove("WorkstationName"); + } + if (ctx?.winlog?.event_data?.ClientAddress != null && + ctx.winlog.event_data.ClientAddress != "-") { + if (ctx?.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + ctx.related.put("ip", ctx.winlog.event_data.ClientAddress); + ctx.winlog.event_data.remove("ClientAddress"); + } + if (ctx?.process?.name == null && ctx?.process?.executable != null) { + def parts = ctx.process.executable.splitOnToken("\\"); + ctx.process.put("name", parts[-1]); + } + + - script: + lang: painless + ignore_failure: false + tag: Process Event 4688 + description: Process Event 4688 + source: |- + if (ctx?.event?.code == null || + !["4688"].contains(ctx.event.code)) { + return; + } + if (ctx?.winlog?.event_data?.NewProcessId != null) { + if (ctx?.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + if (ctx.winlog.event_data.NewProcessId instanceof String) { + Long pid = Long.decode(ctx.winlog.event_data.NewProcessId); + ctx.process.put("pid", pid.longValue()); + } else { + ctx.process.put("pid", ctx.winlog.event_data.NewProcessId); + } + ctx.winlog.event_data.remove("NewProcessId"); + } + if (ctx?.winlog?.event_data?.NewProcessName != null) { + if (ctx?.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + ctx.process.put("executable", ctx.winlog.event_data.NewProcessName); + ctx.winlog.event_data.remove("NewProcessName"); + } + if (ctx?.winlog?.event_data?.ParentProcessName != null) { + if (ctx?.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + if (ctx?.process?.parent == null) { + HashMap hm = new HashMap(); + ctx.process.put("parent", hm); + } + ctx.process.parent.put("executable", 
ctx.winlog.event_data.ParentProcessName); + ctx.winlog.event_data.remove("ParentProcessName"); + } + if (ctx?.process?.name == null && ctx?.process?.executable != null) { + def parts = ctx.process.executable.splitOnToken("\\"); + ctx.process.put("name", parts[-1]); + } + if (ctx?.process?.parent?.name == null && ctx?.process?.parent?.executable != null) { + def parts = ctx.process.parent.executable.splitOnToken("\\"); + ctx.process.parent.put("name", parts[-1]); + } + if (ctx?.winlog?.event_data?.ProcessId != null) { + if (ctx?.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + if (ctx?.process?.parent == null) { + HashMap hm = new HashMap(); + ctx.process.put("parent", hm); + } + if (ctx.winlog.event_data.ProcessId instanceof String) { + Long pid = Long.decode(ctx.winlog.event_data.ProcessId); + ctx.process.parent.put("pid", pid.longValue()); + } else { + ctx.process.parent.put("pid", ctx.winlog.event_data.ProcessId); + } + } + if (ctx?.winlog?.event_data?.CommandLine != null) { + int start = 0; + int end = 0; + boolean in_quote = false; + ArrayList al = new ArrayList(); + for (int i = 0; i < ctx.winlog.event_data.CommandLine.length(); i++) { + end = i; + if (Character.compare(ctx.winlog.event_data.CommandLine.charAt(i), "\"".charAt(0)) == 0) { + if (in_quote) { + in_quote = false; + } else { + in_quote = true; + } + } + if (Character.isWhitespace(ctx.winlog.event_data.CommandLine.charAt(i)) && !in_quote) { + al.add(ctx.winlog.event_data.CommandLine.substring(start, end)); + start = i + 1; + } + if (i == ctx.winlog.event_data.CommandLine.length() - 1) { + al.add(ctx.winlog.event_data.CommandLine.substring(start, end + 1)); + } + } + if (ctx?.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + ctx.process.put("args", al); + ctx.process.put("command_line", ctx.winlog.event_data.CommandLine); + } + if ((ctx?.winlog?.event_data?.TargetUserName != null) && + (!ctx.winlog.event_data.TargetUserName.equals("-"))) 
{ + if (ctx?.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx?.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + if (!ctx.related.user.contains(ctx.winlog.event_data.TargetUserName)) { + ctx.related.user.add(ctx.winlog.event_data.TargetUserName); + } + } + + - append: + field: related.user + value: '{{winlog.event_data.SubjectUserName}}' + allow_duplicates: false + if: |- + ctx?.event?.code != null && + ["4624", "4648"].contains(ctx.event.code) && + ctx?.winlog?.event_data?.SubjectUserName != null && + ctx.winlog.event_data.SubjectUserName != "-" + + - append: + field: related.user + value: '{{winlog.event_data.TargetUserName}}' + allow_duplicates: false + if: |- + ctx?.event?.code != null && + ["4688", "4720", "4722", "4723", "4724", "4725", "4726", "4738", + "4740", "4767", "4798"].contains(ctx.event.code) && + ctx?.winlog?.event_data?.TargetUserName != null && + ctx.winlog.event_data.TargetUserName != "-" + + - split: + field: winlog.event_data.PrivilegeList + separator: "\\s+" + if: |- + ctx?.event?.code != null && + ["4672", "4673", "4674", "4741", "4742", "4743"].contains(ctx.event.code) && + ctx?.winlog?.event_data?.PrivilegeList != null + + - append: + field: related.user + value: '{{winlog.event_data.NewTargetUserName}}' + allow_duplicates: false + if: |- + ctx?.winlog?.event_data?.NewTargetUserName != null && + ctx.winlog.event_data.NewTargetUserName != "-" + + - append: + field: related.user + value: '{{winlog.event_data.OldTargetUserName}}' + allow_duplicates: false + if: |- + ctx?.winlog?.event_data?.OldTargetUserName != null && + ctx.winlog.event_data.OldTargetUserName != "-" + + - gsub: + field: source.ip + pattern: "::ffff:" + replacement: "" + ignore_missing: true + + - append: + field: related.ip + value: '{{source.ip}}' + allow_duplicates: false + if: |- + ctx?.source?.ip != null && + ctx.source.ip != "-" + + - script: + lang: painless + ignore_failure: false + 
tag: Object Policy Change and SidListDesc + description: Object Policy Change and SidListDesc + params: + AccountSIDDescription: + AO: Account operators + RU: Alias to allow previous Windows 2000 + AN: Anonymous logon + AU: Authenticated users + BA: Built-in administrators + BG: Built-in guests + BO: Backup operators + BU: Built-in users + CA: Certificate server administrators + CG: Creator group + CO: Creator owner + DA: Domain administrators + DC: Domain computers + DD: Domain controllers + DG: Domain guests + DU: Domain users + EA: Enterprise administrators + ED: Enterprise domain controllers + WD: Everyone + PA: Group Policy administrators + IU: Interactively logged-on user + LA: Local administrator + LG: Local guest + LS: Local service account + SY: Local system + NU: Network logon user + NO: Network configuration operators + NS: Network service account + PO: Printer operators + PS: Personal self + PU: Power users + RS: RAS servers group + RD: Terminal server users + RE: Replicator + RC: Restricted code + SA: Schema administrators + SO: Server operators + SU: Service logon user + S-1-0: Null Authority + S-1-0-0: Nobody + S-1-1: World Authority + S-1-1-0: Everyone + S-1-16-0: Untrusted Mandatory Level + S-1-16-12288: High Mandatory Level + S-1-16-16384: System Mandatory Level + S-1-16-20480: Protected Process Mandatory Level + S-1-16-28672: Secure Process Mandatory Level + S-1-16-4096: Low Mandatory Level + S-1-16-8192: Medium Mandatory Level + S-1-16-8448: Medium Plus Mandatory Level + S-1-2: Local Authority + S-1-2-0: Local + S-1-2-1: Console Logon + S-1-3: Creator Authority + S-1-3-0: Creator Owner + S-1-3-1: Creator Group + S-1-3-2: Creator Owner Server + S-1-3-3: Creator Group Server + S-1-3-4: Owner Rights + S-1-4: Non-unique Authority + S-1-5: NT Authority + S-1-5-1: Dialup + S-1-5-10: Principal Self + S-1-5-11: Authenticated Users + S-1-5-12: Restricted Code + S-1-5-13: Terminal Server Users + S-1-5-14: Remote Interactive Logon + S-1-5-15: This 
Organization + S-1-5-17: This Organization + S-1-5-18: Local System + S-1-5-19: NT Authority + S-1-5-2: Network + S-1-5-20: NT Authority + S-1-5-3: Batch + S-1-5-32-544: Administrators + S-1-5-32-545: Users + S-1-5-32-546: Guests + S-1-5-32-547: Power Users + S-1-5-32-548: Account Operators + S-1-5-32-549: Server Operators + S-1-5-32-550: Print Operators + S-1-5-32-551: Backup Operators + S-1-5-32-552: Replicators + S-1-5-32-554: Builtin\Pre-Windows 2000 Compatible Access + S-1-5-32-555: Builtin\Remote Desktop Users + S-1-5-32-556: Builtin\Network Configuration Operators + S-1-5-32-557: Builtin\Incoming Forest Trust Builders + S-1-5-32-558: Builtin\Performance Monitor Users + S-1-5-32-559: Builtin\Performance Log Users + S-1-5-32-560: Builtin\Windows Authorization Access Group + S-1-5-32-561: Builtin\Terminal Server License Servers + S-1-5-32-562: Builtin\Distributed COM Users + S-1-5-32-569: Builtin\Cryptographic Operators + S-1-5-32-573: Builtin\Event Log Readers + S-1-5-32-574: Builtin\Certificate Service DCOM Access + S-1-5-32-575: Builtin\RDS Remote Access Servers + S-1-5-32-576: Builtin\RDS Endpoint Servers + S-1-5-32-577: Builtin\RDS Management Servers + S-1-5-32-578: Builtin\Hyper-V Administrators + S-1-5-32-579: Builtin\Access Control Assistance Operators + S-1-5-32-580: Builtin\Remote Management Users + S-1-5-32-582: Storage Replica Administrators + S-1-5-4: Interactive + S-1-5-5-X-Y: Logon Session + S-1-5-6: Service + S-1-5-64-10: NTLM Authentication + S-1-5-64-14: SChannel Authentication + S-1-5-64-21: Digest Authentication + S-1-5-7: Anonymous + S-1-5-8: Proxy + S-1-5-80: NT Service + S-1-5-80-0: All Services + S-1-5-83-0: NT Virtual Machine\Virtual Machines + S-1-5-9: Enterprise Domain Controllers + S-1-5-90-0: Windows Manager\Windows Manager Group + AceTypes: + A: Access Allowed + D: Access Denied + OA: Object Access Allowed + OD: Object Access Denied + AU: System Audit + AL: System Alarm + OU: System Object Audit + OL: System Object Alarm + ML: 
System Mandatory Label + SP: Central Policy ID + DomainSpecificSID: + "498": Enterprise Read-only Domain Controllers + "500": Administrator + "501": Guest + "502": KRBTGT + "512": Domain Admins + "513": Domain Users + "514": Domain Guests + "515": Domain Computers + "516": Domain Controllers + "517": Cert Publishers + "518": Schema Admins + "519": Enterprise Admins + "520": Group Policy Creator Owners + "521": Read-only Domain Controllers + "522": Cloneable Domain Controllers + "526": Key Admins + "527": Enterprise Key Admins + "553": RAS and IAS Servers + "571": Allowed RODC Password Replication Group + "572": Denied RODC Password Replication Group + PermissionDescription: + GA: Generic All + GR: Generic Read + GW: Generic Write + GX: Generic Execute + RC: Read Permissions + SD: Delete + WD: Modify Permissions + WO: Modify Owner + RP: Read All Properties + WP: Write All Properties + CC: Create All Child Objects + DC: Delete All Child Objects + LC: List Contents + SW: All Validated + LO: List Object + DT: Delete Subtree + CR: All Extended Rights + FA: File All Access + FR: File Generic Read + FX: FILE GENERIC EXECUTE + FW: FILE GENERIC WRITE + KA: KEY ALL ACCESS + KR: KEY READ + KW: KEY WRITE + KX: KEY EXECUTE + PermsFlags: + "0x80000000": 'Generic Read' + "0x4000000": 'Generic Write' + "0x20000000": 'Generic Execute' + "0x10000000": 'Generic All' + "0x02000000": 'Maximum Allowed' + "0x01000000": 'Access System Security' + "0x00100000": 'Syncronize' + "0x00080000": 'Write Owner' + "0x00040000": 'Write DACL' + "0x00020000": 'Read Control' + "0x00010000": 'Delete' + source: |- + ArrayList translatePermissionMask(def mask, def params) { + ArrayList al = new ArrayList(); + Long permCode = Long.decode(mask); + for (entry in params.PermsFlags.entrySet()) { + Long permFlag = Long.decode(entry.getKey()); + if ((permCode.longValue() & permFlag.longValue()) == permFlag.longValue()) { + al.add(entry.getValue()); + } + } + if (al.length == 0) { + al.add(mask); + } + return al; 
+ } + + HashMap translateACL(def dacl, def params) { + def aceArray = dacl.splitOnToken(";"); + HashMap hm = new HashMap(); + + if (aceArray.length >= 6 ) { + hm.put("grantee", translateSID(aceArray[5], params)); + } + + if (aceArray.length >= 1) { + hm.put("type", params.AceTypes[aceArray[0]]); + } + + if (aceArray.length >= 3) { + if (aceArray[2].startsWith("0x")) { + hm.put("perms", translatePermissionMask(aceArray[2], params)); + } else { + ArrayList al = new ArrayList(); + Pattern permPattern = /.{1,2}/; + Matcher permMatcher = permPattern.matcher(aceArray[2]); + while (permMatcher.find()) { + al.add(params.PermissionDescription[permMatcher.group(0)]); + } + hm.put("perms", al); + } + } + return hm; + } + String translateSID(def sid, def params) { + if (!params.AccountSIDDescription.containsKey(sid)) { + if (sid.startsWith("S-1-5-21")) { + Pattern uidPattern = /[0-9]{1,5}$/; + Matcher uidMatcher = uidPattern.matcher(sid); + if (uidMatcher.find()) { + return params.DomainSpecificSID[uidMatcher.group(0)]; + } + return sid; + } + return sid; + } + return params.AccountSIDDescription[sid]; + } + + + void enrichSDDL(def sddlStr, def Sd, def params, def ctx) { + Pattern sdOwnerPattern = /^O\:[A-Z]{2}/; + Matcher sdOwnerMatcher = sdOwnerPattern.matcher(sddlStr); + if (sdOwnerMatcher.find()) { + ctx.winlog.event_data.put(Sd + "Owner", translateSID(sdOwnerMatcher.group(0), params)); + } + + Pattern sdGroupPattern = /^G\:[A-Z]{2}/; + Matcher sdGroupMatcher = sdGroupPattern.matcher(sddlStr); + if (sdGroupMatcher.find()) { + ctx.winlog.event_data.put(Sd + "Group", translateSID(sdGroupMatcher.group(0), params)); + } + + Pattern sdDaclPattern = /(D:([A-Z]*(\(.*\))*))/; + Matcher sdDaclMatcher = sdDaclPattern.matcher(sddlStr); + if (sdDaclMatcher.find()) { + Pattern dacListPattern = /\([^*\)]*\)/; + Matcher dacListMatcher = dacListPattern.matcher(sdDaclMatcher.group(1)); + for (def i = 0; dacListMatcher.find(); i++) { + def newDacl = 
translateACL(dacListMatcher.group(0).replace("(","").replace(")",""), params); + ctx.winlog.event_data.put(Sd + "Dacl" + i.toString(), newDacl['grantee'] + " :" + newDacl['type'] + " (" + newDacl['perms'] + ")"); + if (["Administrator", "Guest", "KRBTGT"].contains(newDacl['grantee'])) { + if (ctx?.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx?.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + if (!ctx.related.user.contains(newDacl['grantee'])) { + ctx.related.user.add(newDacl['grantee']); + } + } + } + } + + Pattern sdSaclPattern = /(S:([A-Z]*(\(.*\))*))?$/; + Matcher sdSaclMatcher = sdSaclPattern.matcher(sddlStr); + if (sdSaclMatcher.find()) { + Pattern sacListPattern = /\([^*\)]*\)/; + Matcher sacListMatcher = sacListPattern.matcher(sdSaclMatcher.group(0)); + for (def i = 0; sacListMatcher.find(); i++) { + def newSacl = translateACL(sacListMatcher.group(0).replace("(","").replace(")",""), params); + ctx.winlog.event_data.put(Sd + "Sacl" + i.toString(), newSacl['grantee'] + " :" + newSacl['type'] + " (" + newSacl['perms'] + ")"); + if (["Administrator", "Guest", "KRBTGT"].contains(newSacl['grantee'])) { + if (ctx?.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx?.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + if (!ctx.related.user.contains(newSacl['grantee'])) { + ctx.related.user.add(newSacl['grantee']); + } + } + } + } + } + + void splitSidList(def sids, def params, def ctx) { + ArrayList al = new ArrayList(); + def sidList = sids.splitOnToken(" "); + ctx.winlog.event_data.put("SidList", sidList); + for (def i = 0; i < sidList.length; i++ ) { + al.add(translateSID(sidList[i].replace("%", "").replace("{", "").replace("}", "").replace(" ",""), params)); + } + ctx.winlog.event_data.put("SidListDesc", al); + } + + if (ctx?.event?.code == null || + !["4670", "4817", "4907", 
"4908"].contains(ctx.event.code)) { + return; + } + if (ctx?.winlog?.event_data?.OldSd != null) { + enrichSDDL(ctx.winlog.event_data.OldSd, "OldSd", params, ctx); + } + if (ctx?.winlog?.event_data?.NewSd != null) { + enrichSDDL(ctx.winlog.event_data.NewSd, "NewSd", params, ctx); + } + if (ctx?.winlog?.event_data?.SidList != null) { + splitSidList(ctx.winlog.event_data.SidList, params, ctx); + } + + - convert: + field: winlog.record_id + type: string + ignore_missing: true + + - convert: + field: winlog.event_id + type: string + ignore_missing: true + + - set: + field: ecs.version + value: '8.0.0' + + - set: + field: log.level + copy_from: winlog.level + ignore_empty_value: true + ignore_failure: true + if: ctx?.winlog?.level != "" + + - date: + field: winlog.time_created + formats: + - ISO8601 + ignore_failure: true + if: ctx?.winlog?.time_created != null + +on_failure: + - set: + field: error.message + value: |- + Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}" diff --git a/packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/sysmon_operational.yml b/packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/sysmon_operational.yml new file mode 100755 index 0000000000..0a999ecaef --- /dev/null +++ b/packages/windows/1.12.1/data_stream/forwarded/elasticsearch/ingest_pipeline/sysmon_operational.yml 
@@ -0,0 +1,1254 @@
+---
+description: Pipeline for Windows Sysmon Event Logs
+processors:
+## ECS and Event fields.
+
+ - set:
+ field: ecs.version
+ value: '8.0.0'
+ - rename:
+ field: winlog.level
+ target_field: log.level
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.level != ""
+ - date:
+ field: winlog.time_created
+ target_field: event.created
+ formats:
+ - ISO8601
+ ignore_failure: true
+ if: ctx?.winlog?.time_created != null
+ - date:
+ field: winlog.event_data.UtcTime
+ formats:
+ - yyyy-MM-dd HH:mm:ss.SSS
+ timezone: UTC
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.UtcTime != null
+
+ - set:
+ field: event.kind
+ value: event
+ - set:
+ field: event.code
+ value: '{{winlog.event_id}}'
+
+ - script:
+ description: Set event category and type for all event types.
+ lang: painless
+ params:
+ "1":
+ category:
+ - process
+ type:
+ - start
+ "2":
+ category:
+ - file
+ type:
+ - change
+ "3":
+ category:
+ - network
+ type:
+ - start
+ - connection
+ - protocol
+ "4":
+ category:
+ - process
+ type:
+ - change
+ "5":
+ category:
+ - process
+ type:
+ - end
+ "6":
+ category:
+ - driver
+ type:
+ - start
+ "7":
+ category:
+ - process
+ type:
+ - change
+ "10":
+ category:
+ - process
+ type:
+ - access
+ "11":
+ category:
+ - file
+ type:
+ - creation
+ "12":
+ category:
+ - configuration
+ - registry
+ type:
+ - change
+ "13":
+ category:
+ - configuration
+ - registry
+ type:
+ - change
+ "14":
+ category:
+ - configuration
+ - registry
+ type:
+ - change
+ "15":
+ category:
+ - file
+ type:
+ - access
+ "16":
+ category:
+ - configuration
+ type:
+ - change
+ "17":
+ category:
+ - file
+ type:
+ - creation
+ "18":
+ category:
+ - file
+ type:
+ - access
+ "22":
+ category:
+ - network
+ type:
+ - connection
+ - protocol
+ - info
+ "23":
+ category:
+ - file
+ type:
+ - deletion
+ "24":
+ type:
+ - change
+ "25":
+ category:
+ - process
+ type:
+ - change
+ "26":
+ category:
+ - file
+ type:
+ - deletion
+ tag: Set ECS
categorization fields
+ source: |-
+ if (ctx?.event?.code == null || params.get(ctx.event.code) == null) {
+ return;
+ }
+ def hm = new HashMap(params[ctx.event.code]);
+ hm.forEach((k, v) -> ctx.event[k] = v);
+ - convert:
+ field: winlog.record_id
+ type: string
+ ignore_failure: true
+ ignore_missing: true
+
+ - rename:
+ field: winlog.event_data.ID
+ target_field: error.code
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx.event.code == "255" && ctx.winlog?.event_data?.ID != null && ctx.winlog?.event_data?.ID != ""
+
+ - rename:
+ field: winlog.event_data.RuleName
+ target_field: rule.name
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.RuleName != null && ctx?.winlog?.event_data?.RuleName != "" && ctx?.winlog?.event_data?.RuleName != "-"
+
+
+ - rename:
+ field: winlog.event_data.Type
+ target_field: message
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.event.code == "25" && ctx?.winlog?.event_data?.Type != null && ctx?.winlog?.event_data?.Type != ""
+
+ - rename:
+ field: winlog.event_data.Hash
+ target_field: winlog.event_data.Hashes
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.Hash != null && ctx?.winlog?.event_data?.Hash != ""
+ - kv:
+ field: winlog.event_data.Hashes
+ target_field: _temp.hashes
+ field_split: ","
+ value_split: "="
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.Hashes != null
+ - script:
+ lang: painless
+ if: ctx?._temp?.hashes != null
+ source: |-
+ def hashIsEmpty(String hash) {
+ if (hash == "") {
+ return true;
+ }
+
+ Pattern emptyHashRegex = /^0*$/;
+ def matcher = emptyHashRegex.matcher(hash);
+
+ return matcher.matches();
+ }
+
+ def hashes = new HashMap();
+ def related = [
+ "hash": new ArrayList()
+ ];
+ for (entry in ctx._temp.hashes.entrySet()) {
+ def key = entry.getKey().toString().toLowerCase();
+ def value = entry.getValue().toString().toLowerCase();
+
+ if (hashIsEmpty(value)) {
+ continue;
+ }
+
+ hashes[key] = value;
+
related.hash.add(value);
+ }
+
+ ctx._temp.hashes = hashes;
+ if (related.hash.length > 0) {
+ ctx.related = related;
+ }
+
+## Process fields
+
+ - rename:
+ field: _temp.hashes
+ target_field: process.hash
+ if: |-
+ ctx?._temp?.hashes != null &&
+ ["1", "23", "24", "25", "26"].contains(ctx.event.code)
+ - rename:
+ field: process.hash.imphash
+ target_field: process.pe.imphash
+ ignore_failure: true
+ ignore_missing: true
+ - rename:
+ field: winlog.event_data.ProcessGuid
+ target_field: process.entity_id
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.ProcessGuid != null && ctx?.winlog?.event_data?.ProcessGuid != ""
+ - convert:
+ field: winlog.event_data.ProcessId
+ target_field: process.pid
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.winlog?.event_data?.ProcessId != null && ctx?.winlog?.event_data?.ProcessId != ""
+ - rename:
+ field: winlog.event_data.Image
+ target_field: process.executable
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.Image != null && ctx?.winlog?.event_data?.Image != ""
+ - rename:
+ field: winlog.event_data.SourceProcessGuid
+ target_field: process.entity_id
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.SourceProcessGuid != null && ctx?.winlog?.event_data?.SourceProcessGuid != ""
+ - rename:
+ field: winlog.event_data.SourceProcessGUID
+ target_field: process.entity_id
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data?.SourceProcessGUID != null && ctx?.winlog?.event_data?.SourceProcessGUID != ""
+ - convert:
+ field: winlog.event_data.SourceProcessId
+ target_field: process.pid
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx?.winlog?.event_data?.SourceProcessId != null && ctx?.winlog?.event_data?.SourceProcessId != ""
+ - convert:
+ field: winlog.event_data.SourceThreadId
+ target_field: process.thread.id
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if:
ctx?.winlog?.event_data?.SourceThreadId != null && ctx?.winlog?.event_data?.SourceThreadId != "" + - rename: + field: winlog.event_data.SourceImage + target_field: process.executable + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.SourceImage != null && ctx?.winlog?.event_data?.SourceImage != "" + - rename: + field: winlog.event_data.Destination + target_field: process.executable + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.Destination != null && ctx?.winlog?.event_data?.Destination != "" + - rename: + field: winlog.event_data.CommandLine + target_field: process.command_line + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.CommandLine != null && ctx?.winlog?.event_data?.CommandLine != "" + - rename: + field: winlog.event_data.CurrentDirectory + target_field: process.working_directory + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.CurrentDirectory != null && ctx?.winlog?.event_data?.CurrentDirectory != "" + - rename: + field: winlog.event_data.ParentProcessGuid + target_field: process.parent.entity_id + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.ParentProcessGuid != null && ctx?.winlog?.event_data?.ParentProcessGuid != "" + - convert: + field: winlog.event_data.ParentProcessId + target_field: process.parent.pid + type: long + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.ParentProcessId != null && ctx?.winlog?.event_data?.ParentProcessId != "" + - rename: + field: winlog.event_data.ParentImage + target_field: process.parent.executable + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.ParentImage != null && ctx?.winlog?.event_data?.ParentImage != "" + - rename: + field: winlog.event_data.ParentCommandLine + target_field: process.parent.command_line + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.ParentCommandLine != null && 
ctx?.winlog?.event_data?.ParentCommandLine != "" + - rename: + field: winlog.event_data.OriginalFileName + target_field: process.pe.original_file_name + ignore_missing: true + ignore_failure: true + if: ctx.event.code != "7" && ctx?.winlog?.event_data?.OriginalFileName != null && ctx?.winlog?.event_data?.OriginalFileName != "" + - set: + field: process.pe.company + copy_from: winlog.event_data.Company + ignore_empty_value: true + ignore_failure: true + if: ctx.event.code != "7" + - set: + field: process.pe.description + copy_from: winlog.event_data.Description + ignore_empty_value: true + ignore_failure: true + if: ctx.event.code != "7" + - set: + field: process.pe.file_version + copy_from: winlog.event_data.FileVersion + ignore_empty_value: true + ignore_failure: true + if: ctx.event.code != "7" + - set: + field: process.pe.product + copy_from: winlog.event_data.Product + ignore_empty_value: true + ignore_failure: true + if: ctx.event.code != "7" + + - script: + description: Implements Windows-like SplitCommandLine + lang: painless + if: |- + (ctx?.process?.command_line != null && ctx.process.command_line != "") || + (ctx?.process?.parent?.command_line != null && ctx.process.parent.command_line != "") + source: |- + // appendBSBytes appends n '\\' bytes to b and returns the resulting slice. + def appendBSBytes(StringBuilder b, int n) { + for (; n > 0; n--) { + b.append('\\'); + } + return b; + } + + // readNextArg splits command line string cmd into next + // argument and command line remainder. 
+ def readNextArg(String cmd) { + def b = new StringBuilder(); + boolean inquote; + int nslash; + for (; cmd.length() > 0; cmd = cmd.substring(1)) { + def c = cmd.charAt(0); + if (c == (char)' ' || c == (char)0x09) { + if (!inquote) { + return [ + "arg": appendBSBytes(b, nslash).toString(), + "rest": cmd.substring(1) + ]; + } + } else if (c == (char)'"') { + b = appendBSBytes(b, nslash/2); + if (nslash%2 == 0) { + // use "Prior to 2008" rule from + // http://daviddeley.com/autohotkey/parameters/parameters.htm + // section 5.2 to deal with double double quotes + if (inquote && cmd.length() > 1 && cmd.charAt(1) == (char)'"') { + b.append(c); + cmd = cmd.substring(1); + } + inquote = !inquote; + } else { + b.append(c); + } + nslash = 0; + continue; + } else if (c == (char)'\\') { + nslash++; + continue; + } + b = appendBSBytes(b, nslash); + nslash = 0; + b.append(c); + } + return [ + "arg": appendBSBytes(b, nslash).toString(), + "rest": '' + ]; + } + + // commandLineToArgv splits a command line into individual argument + // strings, following the Windows conventions documented + // at http://daviddeley.com/autohotkey/parameters/parameters.htm#WINARGV + // Original implementation found at: https://github.com/golang/go/commit/39c8d2b7faed06b0e91a1ad7906231f53aab45d1 + def commandLineToArgv(String cmd) { + def args = new ArrayList(); + while (cmd.length() > 0) { + if (cmd.charAt(0) == (char)' ' || cmd.charAt(0) == (char)0x09) { + cmd = cmd.substring(1); + continue; + } + def next = readNextArg(cmd); + cmd = next.rest; + args.add(next.arg); + } + return args; + } + + def cmd = ctx?.process?.command_line; + if (cmd != null && cmd != "") { + ctx.process.args = commandLineToArgv(cmd); + ctx.process.args_count = ctx.process.args.length; + } + + def parentCmd = ctx?.process?.parent?.command_line; + if (parentCmd != null && parentCmd != "") { + ctx.process.parent.args = commandLineToArgv(parentCmd); + ctx.process.parent.args_count = ctx.process.parent.args.length; + } + + - 
script: + description: Adds process name information. + lang: painless + if: |- + (ctx?.process?.executable != null && ctx.process.executable.length() > 1) || + (ctx?.process?.parent?.executable != null && ctx.process.parent.executable.length() > 1) + source: |- + def getProcessName(def path) { + def idx = path.lastIndexOf("\\"); + if (idx > -1) { + return path.substring(idx+1); + } + return ""; + } + + def cmd = ctx?.process?.executable; + if (cmd != null && cmd != "" && ctx?.process?.name == null) { + def name = getProcessName(cmd); + if (name != "") { + ctx.process.name = name; + } + } + + def parentCmd = ctx?.process?.parent?.executable; + if (parentCmd != null && parentCmd != "" && ctx?.process?.parent?.name == null) { + def name = getProcessName(parentCmd); + if (name != "") { + ctx.process.parent.name = name; + } + } + +## File fields + + - rename: + field: _temp.hashes + target_field: file.hash + if: |- + ctx?._temp?.hashes != null && + ["6", "7", "15"].contains(ctx.event.code) + - rename: + field: file.hash.imphash + target_field: file.pe.imphash + ignore_failure: true + ignore_missing: true + - rename: + field: winlog.event_data.TargetFilename + target_field: file.path + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.TargetFilename != null && ctx?.winlog?.event_data?.TargetFilename != "" + - rename: + field: winlog.event_data.Device + target_field: file.path + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.Device != null && ctx?.winlog?.event_data?.Device != "" + - rename: + field: winlog.event_data.PipeName + target_field: file.name + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.PipeName != null && ctx?.winlog?.event_data?.PipeName != "" + - rename: + field: winlog.event_data.ImageLoaded + target_field: file.path + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.ImageLoaded != null && ctx?.winlog?.event_data?.ImageLoaded != "" + - set: + 
field: file.code_signature.subject_name + copy_from: winlog.event_data.Signature + ignore_failure: true + ignore_empty_value: true + - set: + field: file.code_signature.status + copy_from: winlog.event_data.SignatureStatus + ignore_failure: true + ignore_empty_value: true + - rename: + field: winlog.event_data.OriginalFileName + target_field: file.pe.original_file_name + ignore_missing: true + ignore_failure: true + if: ctx.event.code == "7" && ctx?.winlog?.event_data?.OriginalFileName != null && ctx?.winlog?.event_data?.OriginalFileName != "" + - set: + field: file.pe.company + copy_from: winlog.event_data.Company + ignore_failure: true + ignore_empty_value: true + if: ctx.event.code == "7" + - set: + field: file.pe.description + copy_from: winlog.event_data.Description + ignore_failure: true + ignore_empty_value: true + if: ctx.event.code == "7" + - set: + field: file.pe.file_version + copy_from: winlog.event_data.FileVersion + ignore_failure: true + ignore_empty_value: true + if: ctx.event.code == "7" + - set: + field: file.pe.product + copy_from: winlog.event_data.Product + ignore_failure: true + ignore_empty_value: true + if: ctx.event.code == "7" + - set: + field: file.code_signature.signed + value: true + if: ctx?.winlog?.event_data?.Signed != null && ctx.winlog.event_data.Signed == true + - set: + field: file.code_signature.valid + value: true + if: ctx?.winlog?.event_data?.SignatureStatus != null && ctx?.winlog?.event_data?.SignatureStatus == "Valid" + + - script: + description: Adds file information. 
+ lang: painless + if: ctx?.file?.path != null && ctx.file.path.length() > 1 + source: |- + def path = ctx.file.path; + def idx = path.lastIndexOf("\\"); + if (idx > -1) { + if (ctx?.file == null) { + ctx.file = new HashMap(); + } + ctx.file.name = path.substring(idx+1); + ctx.file.directory = path.substring(0, idx); + + def extIdx = path.lastIndexOf("."); + if (extIdx > -1) { + ctx.file.extension = path.substring(extIdx+1); + } + } + +## Network, Destination, and Source fields + + - rename: + field: winlog.event_data.Protocol + target_field: network.transport + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.Protocol != null && ctx?.winlog?.event_data?.Protocol != "" + - rename: + field: winlog.event_data.DestinationPortName + target_field: network.protocol + ignore_missing: true + ignore_failure: true + if: ctx.event.code != "22" && ctx?.winlog?.event_data?.DestinationPortName != null && ctx?.winlog?.event_data?.DestinationPortName != "" + - rename: + field: winlog.event_data.SourcePortName + target_field: network.protocol + ignore_missing: true + ignore_failure: true + if: ctx.event.code != "22" && ctx?.winlog?.event_data?.SourcePortName != null && ctx?.winlog?.event_data?.SourcePortName != "" + - set: + field: network.protocol + value: dns + if: ctx.event.code == "22" + - convert: + field: winlog.event_data.SourceIp + target_field: source.ip + type: ip + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.SourceIp != null && ctx?.winlog?.event_data?.SourceIp != "" + - rename: + field: winlog.event_data.SourceHostname + target_field: source.domain + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.SourceHostname != null && ctx?.winlog?.event_data?.SourceHostname != "" + - convert: + field: winlog.event_data.SourcePort + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.SourcePort != null && 
ctx?.winlog?.event_data?.SourcePort != "" + - convert: + field: winlog.event_data.DestinationIp + target_field: destination.ip + type: ip + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.DestinationIp != null && ctx?.winlog?.event_data?.DestinationIp != "" + - rename: + field: winlog.event_data.DestinationHostname + target_field: destination.domain + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.DestinationHostname != null && ctx?.winlog?.event_data?.DestinationHostname != "" + - convert: + field: winlog.event_data.DestinationPort + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.DestinationPort != null && ctx?.winlog?.event_data?.DestinationPort != "" + - rename: + field: winlog.event_data.QueryName + target_field: dns.question.name + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.QueryName != null && ctx?.winlog?.event_data?.QueryName != "" + - set: + field: network.direction + value: egress + if: ctx?.winlog?.event_data?.Initiated != null && ctx?.winlog?.event_data?.Initiated == "true" + - set: + field: network.direction + value: ingress + if: ctx?.winlog?.event_data?.Initiated != null && ctx?.winlog?.event_data?.Initiated == "false" + - set: + field: network.type + value: ipv4 + if: ctx?.winlog?.event_data?.SourceIsIpv6 != null && ctx?.winlog?.event_data?.SourceIsIpv6 == "false" + - set: + field: network.type + value: ipv6 + if: ctx?.winlog?.event_data?.SourceIsIpv6 != null && ctx?.winlog?.event_data?.SourceIsIpv6 == "true" + - script: + description: | + Splits the QueryResults field that contains the DNS responses. 
+ Example: "type: 5 f2.taboola.map.fastly.net;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;" + lang: painless + if: ctx?.winlog?.event_data?.QueryResults != null && ctx?.winlog?.event_data?.QueryResults != "" + params: + "1": "A" + "2": "NS" + "3": "MD" + "4": "MF" + "5": "CNAME" + "6": "SOA" + "7": "MB" + "8": "MG" + "9": "MR" + "10": "NULL" + "11": "WKS" + "12": "PTR" + "13": "HINFO" + "14": "MINFO" + "15": "MX" + "16": "TXT" + "17": "RP" + "18": "AFSDB" + "19": "X25" + "20": "ISDN" + "21": "RT" + "22": "NSAP" + "23": "NSAPPTR" + "24": "SIG" + "25": "KEY" + "26": "PX" + "27": "GPOS" + "28": "AAAA" + "29": "LOC" + "30": "NXT" + "31": "EID" + "32": "NIMLOC" + "33": "SRV" + "34": "ATMA" + "35": "NAPTR" + "36": "KX" + "37": "CERT" + "38": "A6" + "39": "DNAME" + "40": "SINK" + "41": "OPT" + "43": "DS" + "46": "RRSIG" + "47": "NSEC" + "48": "DNSKEY" + "49": "DHCID" + "100": "UINFO" + "101": "UID" + "102": "GID" + "103": "UNSPEC" + "248": "ADDRS" + "249": "TKEY" + "250": "TSIG" + "251": "IXFR" + "252": "AXFR" + "253": "MAILB" + "254": "MAILA" + "255": "ANY" + "65281": "WINS" + "65282": "WINSR" + source: |- + def results = /;/.split(ctx.winlog.event_data.QueryResults); + def answers = new ArrayList(); + def ips = new ArrayList(); + def relatedHosts = new ArrayList(); + for (def i = 0; i < results.length; i++) { + def answer = results[i]; + if (answer == "") { + continue; + } + + if (answer.startsWith("type:")) { + def parts = /\s+/.split(answer); + if (parts.length != 3) { + throw new Exception("unexpected QueryResult format"); + } + + answers.add([ + "type": params[parts[1]], + "data": parts[2] + ]); + relatedHosts.add(parts[2]); + } else { + answer = answer.replace("::ffff:", ""); + ips.add(answer); + } + } + + if (answers.length > 0) { + ctx.dns.answers = answers; + } + if (ips.length > 0) { + ctx.dns.resolved_ip = ips; + } + if (relatedHosts.length > 0) { + if (ctx?.related == null) { + ctx.related = new HashMap(); + } + 
ctx.related.hosts = relatedHosts; + } + - foreach: + field: dns.resolved_ip + ignore_missing: true + processor: + convert: + field: _ingest._value + type: ip + on_failure: + - remove: + field: _ingest._value + - script: + description: Convert V4MAPPED addresses. + lang: painless + if: ctx?.dns?.resolved_ip != null + source: |- + if (ctx.dns.answers == null) { + ctx.dns.answers = new ArrayList(); + } + for (def i = 0; i < ctx.dns.resolved_ip.length; i++) { + def ip = ctx.dns.resolved_ip[i]; + if (ip == null) { + ctx.dns.resolved_ip.remove(i); + continue; + } + + // Synthesize record type based on IP address type. + def type = "A"; + if (ip.indexOf(":") != -1) { + type = "AAAA"; + } + ctx.dns.answers.add([ + "type": type, + "data": ip + ]); + } + - registered_domain: + field: dns.question.name + target_field: dns.question + ignore_failure: true + ignore_missing: true + - append: + field: related.hosts + value: "{{dns.question.name}}" + allow_duplicates: false + if: ctx?.dns?.question?.name != null && ctx?.dns?.question?.name != "" + - remove: + description: Remove dns.question.domain because it is not part of ECS and is redundant with dns.question.name. 
+ field: dns.question.domain + ignore_missing: true + ignore_failure: true + - foreach: + field: dns.resolved_ip + ignore_missing: true + processor: + append: + field: related.ip + value: "{{_ingest._value}}" + allow_duplicates: false + - community_id: + ignore_failure: true + ignore_missing: false + +## User fields + + - set: + field: user.id + copy_from: winlog.user.identifier + ignore_empty_value: true + ignore_failure: true + - split: + field: winlog.event_data.User + target_field: "_temp.user_parts" + separator: '\\' + if: ctx?.winlog?.event_data?.User != null + - set: + field: user.domain + value: "{{_temp.user_parts.0}}" + ignore_failure: true + ignore_empty_value: true + if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 + - set: + field: user.name + value: "{{_temp.user_parts.1}}" + ignore_failure: true + ignore_empty_value: true + if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 + +## Sysmon fields + + - rename: + field: winlog.event_data.QueryStatus + target_field: sysmon.dns.status + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.QueryStatus != null && ctx?.winlog?.event_data?.QueryStatus != "" + - script: + description: Translate DNS Query status. 
+ lang: painless + params: + "5": "ERROR_ACCESS_DENIED" + "0": "SUCCESS" + "8": "ERROR_NOT_ENOUGH_MEMORY" + "13": "ERROR_INVALID_DATA" + "14": "ERROR_OUTOFMEMORY" + "123": "ERROR_INVALID_NAME" + "1214": "ERROR_INVALID_NETNAME" + "1223": "ERROR_CANCELLED" + "1460": "ERROR_TIMEOUT" + "4312": "ERROR_OBJECT_NOT_FOUND" + "9001": "DNS_ERROR_RCODE_FORMAT_ERROR" + "9002": "DNS_ERROR_RCODE_SERVER_FAILURE" + "9003": "DNS_ERROR_RCODE_NAME_ERROR" + "9004": "DNS_ERROR_RCODE_NOT_IMPLEMENTED" + "9005": "DNS_ERROR_RCODE_REFUSED" + "9006": "DNS_ERROR_RCODE_YXDOMAIN" + "9007": "DNS_ERROR_RCODE_YXRRSET" + "9008": "DNS_ERROR_RCODE_NXRRSET" + "9009": "DNS_ERROR_RCODE_NOTAUTH" + "9010": "DNS_ERROR_RCODE_NOTZONE" + "9016": "DNS_ERROR_RCODE_BADSIG" + "9017": "DNS_ERROR_RCODE_BADKEY" + "9018": "DNS_ERROR_RCODE_BADTIME" + "9101": "DNS_ERROR_KEYMASTER_REQUIRED" + "9102": "DNS_ERROR_NOT_ALLOWED_ON_SIGNED_ZONE" + "9103": "DNS_ERROR_NSEC3_INCOMPATIBLE_WITH_RSA_SHA1" + "9104": "DNS_ERROR_NOT_ENOUGH_SIGNING_KEY_DESCRIPTORS" + "9105": "DNS_ERROR_UNSUPPORTED_ALGORITHM" + "9106": "DNS_ERROR_INVALID_KEY_SIZE" + "9107": "DNS_ERROR_SIGNING_KEY_NOT_ACCESSIBLE" + "9108": "DNS_ERROR_KSP_DOES_NOT_SUPPORT_PROTECTION" + "9109": "DNS_ERROR_UNEXPECTED_DATA_PROTECTION_ERROR" + "9110": "DNS_ERROR_UNEXPECTED_CNG_ERROR" + "9111": "DNS_ERROR_UNKNOWN_SIGNING_PARAMETER_VERSION" + "9112": "DNS_ERROR_KSP_NOT_ACCESSIBLE" + "9113": "DNS_ERROR_TOO_MANY_SKDS" + "9114": "DNS_ERROR_INVALID_ROLLOVER_PERIOD" + "9115": "DNS_ERROR_INVALID_INITIAL_ROLLOVER_OFFSET" + "9116": "DNS_ERROR_ROLLOVER_IN_PROGRESS" + "9117": "DNS_ERROR_STANDBY_KEY_NOT_PRESENT" + "9118": "DNS_ERROR_NOT_ALLOWED_ON_ZSK" + "9119": "DNS_ERROR_NOT_ALLOWED_ON_ACTIVE_SKD" + "9120": "DNS_ERROR_ROLLOVER_ALREADY_QUEUED" + "9121": "DNS_ERROR_NOT_ALLOWED_ON_UNSIGNED_ZONE" + "9122": "DNS_ERROR_BAD_KEYMASTER" + "9123": "DNS_ERROR_INVALID_SIGNATURE_VALIDITY_PERIOD" + "9124": "DNS_ERROR_INVALID_NSEC3_ITERATION_COUNT" + "9125": "DNS_ERROR_DNSSEC_IS_DISABLED" + "9126": 
"DNS_ERROR_INVALID_XML" + "9127": "DNS_ERROR_NO_VALID_TRUST_ANCHORS" + "9128": "DNS_ERROR_ROLLOVER_NOT_POKEABLE" + "9129": "DNS_ERROR_NSEC3_NAME_COLLISION" + "9130": "DNS_ERROR_NSEC_INCOMPATIBLE_WITH_NSEC3_RSA_SHA1" + "9501": "DNS_INFO_NO_RECORDS" + "9502": "DNS_ERROR_BAD_PACKET" + "9503": "DNS_ERROR_NO_PACKET" + "9504": "DNS_ERROR_RCODE" + "9505": "DNS_ERROR_UNSECURE_PACKET" + "9506": "DNS_REQUEST_PENDING" + "9551": "DNS_ERROR_INVALID_TYPE" + "9552": "DNS_ERROR_INVALID_IP_ADDRESS" + "9553": "DNS_ERROR_INVALID_PROPERTY" + "9554": "DNS_ERROR_TRY_AGAIN_LATER" + "9555": "DNS_ERROR_NOT_UNIQUE" + "9556": "DNS_ERROR_NON_RFC_NAME" + "9557": "DNS_STATUS_FQDN" + "9558": "DNS_STATUS_DOTTED_NAME" + "9559": "DNS_STATUS_SINGLE_PART_NAME" + "9560": "DNS_ERROR_INVALID_NAME_CHAR" + "9561": "DNS_ERROR_NUMERIC_NAME" + "9562": "DNS_ERROR_NOT_ALLOWED_ON_ROOT_SERVER" + "9563": "DNS_ERROR_NOT_ALLOWED_UNDER_DELEGATION" + "9564": "DNS_ERROR_CANNOT_FIND_ROOT_HINTS" + "9565": "DNS_ERROR_INCONSISTENT_ROOT_HINTS" + "9566": "DNS_ERROR_DWORD_VALUE_TOO_SMALL" + "9567": "DNS_ERROR_DWORD_VALUE_TOO_LARGE" + "9568": "DNS_ERROR_BACKGROUND_LOADING" + "9569": "DNS_ERROR_NOT_ALLOWED_ON_RODC" + "9570": "DNS_ERROR_NOT_ALLOWED_UNDER_DNAME" + "9571": "DNS_ERROR_DELEGATION_REQUIRED" + "9572": "DNS_ERROR_INVALID_POLICY_TABLE" + "9573": "DNS_ERROR_ADDRESS_REQUIRED" + "9601": "DNS_ERROR_ZONE_DOES_NOT_EXIST" + "9602": "DNS_ERROR_NO_ZONE_INFO" + "9603": "DNS_ERROR_INVALID_ZONE_OPERATION" + "9604": "DNS_ERROR_ZONE_CONFIGURATION_ERROR" + "9605": "DNS_ERROR_ZONE_HAS_NO_SOA_RECORD" + "9606": "DNS_ERROR_ZONE_HAS_NO_NS_RECORDS" + "9607": "DNS_ERROR_ZONE_LOCKED" + "9608": "DNS_ERROR_ZONE_CREATION_FAILED" + "9609": "DNS_ERROR_ZONE_ALREADY_EXISTS" + "9610": "DNS_ERROR_AUTOZONE_ALREADY_EXISTS" + "9611": "DNS_ERROR_INVALID_ZONE_TYPE" + "9612": "DNS_ERROR_SECONDARY_REQUIRES_MASTER_IP" + "9613": "DNS_ERROR_ZONE_NOT_SECONDARY" + "9614": "DNS_ERROR_NEED_SECONDARY_ADDRESSES" + "9615": "DNS_ERROR_WINS_INIT_FAILED" + "9616": 
"DNS_ERROR_NEED_WINS_SERVERS" + "9617": "DNS_ERROR_NBSTAT_INIT_FAILED" + "9618": "DNS_ERROR_SOA_DELETE_INVALID" + "9619": "DNS_ERROR_FORWARDER_ALREADY_EXISTS" + "9620": "DNS_ERROR_ZONE_REQUIRES_MASTER_IP" + "9621": "DNS_ERROR_ZONE_IS_SHUTDOWN" + "9622": "DNS_ERROR_ZONE_LOCKED_FOR_SIGNING" + "9651": "DNS_ERROR_PRIMARY_REQUIRES_DATAFILE" + "9652": "DNS_ERROR_INVALID_DATAFILE_NAME" + "9653": "DNS_ERROR_DATAFILE_OPEN_FAILURE" + "9654": "DNS_ERROR_FILE_WRITEBACK_FAILED" + "9655": "DNS_ERROR_DATAFILE_PARSING" + "9701": "DNS_ERROR_RECORD_DOES_NOT_EXIST" + "9702": "DNS_ERROR_RECORD_FORMAT" + "9703": "DNS_ERROR_NODE_CREATION_FAILED" + "9704": "DNS_ERROR_UNKNOWN_RECORD_TYPE" + "9705": "DNS_ERROR_RECORD_TIMED_OUT" + "9706": "DNS_ERROR_NAME_NOT_IN_ZONE" + "9707": "DNS_ERROR_CNAME_LOOP" + "9708": "DNS_ERROR_NODE_IS_CNAME" + "9709": "DNS_ERROR_CNAME_COLLISION" + "9710": "DNS_ERROR_RECORD_ONLY_AT_ZONE_ROOT" + "9711": "DNS_ERROR_RECORD_ALREADY_EXISTS" + "9712": "DNS_ERROR_SECONDARY_DATA" + "9713": "DNS_ERROR_NO_CREATE_CACHE_DATA" + "9714": "DNS_ERROR_NAME_DOES_NOT_EXIST" + "9715": "DNS_WARNING_PTR_CREATE_FAILED" + "9716": "DNS_WARNING_DOMAIN_UNDELETED" + "9717": "DNS_ERROR_DS_UNAVAILABLE" + "9718": "DNS_ERROR_DS_ZONE_ALREADY_EXISTS" + "9719": "DNS_ERROR_NO_BOOTFILE_IF_DS_ZONE" + "9720": "DNS_ERROR_NODE_IS_DNAME" + "9721": "DNS_ERROR_DNAME_COLLISION" + "9722": "DNS_ERROR_ALIAS_LOOP" + "9751": "DNS_INFO_AXFR_COMPLETE" + "9752": "DNS_ERROR_AXFR" + "9753": "DNS_INFO_ADDED_LOCAL_WINS" + "9801": "DNS_STATUS_CONTINUE_NEEDED" + "9851": "DNS_ERROR_NO_TCPIP" + "9852": "DNS_ERROR_NO_DNS_SERVERS" + "9901": "DNS_ERROR_DP_DOES_NOT_EXIST" + "9902": "DNS_ERROR_DP_ALREADY_EXISTS" + "9903": "DNS_ERROR_DP_NOT_ENLISTED" + "9904": "DNS_ERROR_DP_ALREADY_ENLISTED" + "9905": "DNS_ERROR_DP_NOT_AVAILABLE" + "9906": "DNS_ERROR_DP_FSMO_ERROR" + "9911": "DNS_ERROR_RRL_NOT_ENABLED" + "9912": "DNS_ERROR_RRL_INVALID_WINDOW_SIZE" + "9913": "DNS_ERROR_RRL_INVALID_IPV4_PREFIX" + "9914": 
"DNS_ERROR_RRL_INVALID_IPV6_PREFIX" + "9915": "DNS_ERROR_RRL_INVALID_TC_RATE" + "9916": "DNS_ERROR_RRL_INVALID_LEAK_RATE" + "9917": "DNS_ERROR_RRL_LEAK_RATE_LESSTHAN_TC_RATE" + "9921": "DNS_ERROR_VIRTUALIZATION_INSTANCE_ALREADY_EXISTS" + "9922": "DNS_ERROR_VIRTUALIZATION_INSTANCE_DOES_NOT_EXIST" + "9923": "DNS_ERROR_VIRTUALIZATION_TREE_LOCKED" + "9924": "DNS_ERROR_INVAILD_VIRTUALIZATION_INSTANCE_NAME" + "9925": "DNS_ERROR_DEFAULT_VIRTUALIZATION_INSTANCE" + "9951": "DNS_ERROR_ZONESCOPE_ALREADY_EXISTS" + "9952": "DNS_ERROR_ZONESCOPE_DOES_NOT_EXIST" + "9953": "DNS_ERROR_DEFAULT_ZONESCOPE" + "9954": "DNS_ERROR_INVALID_ZONESCOPE_NAME" + "9955": "DNS_ERROR_NOT_ALLOWED_WITH_ZONESCOPES" + "9956": "DNS_ERROR_LOAD_ZONESCOPE_FAILED" + "9957": "DNS_ERROR_ZONESCOPE_FILE_WRITEBACK_FAILED" + "9958": "DNS_ERROR_INVALID_SCOPE_NAME" + "9959": "DNS_ERROR_SCOPE_DOES_NOT_EXIST" + "9960": "DNS_ERROR_DEFAULT_SCOPE" + "9961": "DNS_ERROR_INVALID_SCOPE_OPERATION" + "9962": "DNS_ERROR_SCOPE_LOCKED" + "9963": "DNS_ERROR_SCOPE_ALREADY_EXISTS" + "9971": "DNS_ERROR_POLICY_ALREADY_EXISTS" + "9972": "DNS_ERROR_POLICY_DOES_NOT_EXIST" + "9973": "DNS_ERROR_POLICY_INVALID_CRITERIA" + "9974": "DNS_ERROR_POLICY_INVALID_SETTINGS" + "9975": "DNS_ERROR_CLIENT_SUBNET_IS_ACCESSED" + "9976": "DNS_ERROR_CLIENT_SUBNET_DOES_NOT_EXIST" + "9977": "DNS_ERROR_CLIENT_SUBNET_ALREADY_EXISTS" + "9978": "DNS_ERROR_SUBNET_DOES_NOT_EXIST" + "9979": "DNS_ERROR_SUBNET_ALREADY_EXISTS" + "9980": "DNS_ERROR_POLICY_LOCKED" + "9981": "DNS_ERROR_POLICY_INVALID_WEIGHT" + "9982": "DNS_ERROR_POLICY_INVALID_NAME" + "9983": "DNS_ERROR_POLICY_MISSING_CRITERIA" + "9984": "DNS_ERROR_INVALID_CLIENT_SUBNET_NAME" + "9985": "DNS_ERROR_POLICY_PROCESSING_ORDER_INVALID" + "9986": "DNS_ERROR_POLICY_SCOPE_MISSING" + "9987": "DNS_ERROR_POLICY_SCOPE_NOT_ALLOWED" + "9988": "DNS_ERROR_SERVERSCOPE_IS_REFERENCED" + "9989": "DNS_ERROR_ZONESCOPE_IS_REFERENCED" + "9990": "DNS_ERROR_POLICY_INVALID_CRITERIA_CLIENT_SUBNET" + "9991": 
"DNS_ERROR_POLICY_INVALID_CRITERIA_TRANSPORT_PROTOCOL" + "9992": "DNS_ERROR_POLICY_INVALID_CRITERIA_NETWORK_PROTOCOL" + "9993": "DNS_ERROR_POLICY_INVALID_CRITERIA_INTERFACE" + "9994": "DNS_ERROR_POLICY_INVALID_CRITERIA_FQDN" + "9995": "DNS_ERROR_POLICY_INVALID_CRITERIA_QUERY_TYPE" + "9996": "DNS_ERROR_POLICY_INVALID_CRITERIA_TIME_OF_DAY" + "10054": "WSAECONNRESET" + "10055": "WSAENOBUFS" + "10060": "WSAETIMEDOUT" + if: ctx?.sysmon?.dns?.status != null && ctx?.sysmon?.dns?.status != "" + source: |- + def status = params[ctx.sysmon.dns.status]; + if (status != null) { + ctx.sysmon.dns.status = status; + } + - convert: + field: winlog.event_data.Archived + target_field: sysmon.file.archived + type: boolean + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.Archived != null && ctx?.winlog?.event_data?.Archived != "" + - convert: + field: winlog.event_data.IsExecutable + target_field: sysmon.file.is_executable + type: boolean + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.IsExecutable != null && ctx?.winlog?.event_data?.IsExecutable != "" + +## Related fields + + - append: + field: related.user + value: "{{user.name}}" + ignore_failure: true + allow_duplicates: false + if: ctx?.user?.name != null && ctx.user.name != "" + - append: + field: related.ip + value: "{{source.ip}}" + ignore_failure: true + allow_duplicates: false + if: ctx?.source?.ip != null && ctx.source.ip != "" + - append: + field: related.ip + value: "{{destination.ip}}" + ignore_failure: true + allow_duplicates: false + if: ctx?.destination?.ip != null && ctx.destination.ip != "" + +## Registry fields + + - script: + description: Set registry fields. 
+ lang: painless + if: |- + ctx?.winlog?.event_data?.TargetObject != null && ctx?.winlog?.event_data?.TargetObject != "" && + ["12", "13", "14"].contains(ctx.event.code) + params: + HKEY_CLASSES_ROOT: "HKCR" + HKCR: "HKCR" + HKEY_CURRENT_CONFIG: "HKCC" + HKCC: "HKCC" + HKEY_CURRENT_USER: "HKCU" + HKCU: "HKCU" + HKEY_DYN_DATA: "HKDD" + HKDD: "HKDD" + HKEY_LOCAL_MACHINE: "HKLM" + HKLM: "HKLM" + HKEY_PERFORMANCE_DATA: "HKPD" + HKPD: "HKPD" + HKEY_USERS: "HKU" + HKU: "HKU" + source: |- + ctx.registry = new HashMap(); + Pattern qwordRegex = /(?i)QWORD \(((0x\d{8})-(0x\d{8}))\)/; + Pattern dwordRegex = /(?i)DWORD \((0x\d{8})\)/; + + def path = ctx.winlog.event_data.TargetObject; + ctx.registry.path = path; + + def pathTokens = Arrays.asList(/\\/.split(path)); + def hive = params[pathTokens[0]]; + if (hive != null) { + ctx.registry.hive = hive; + if (pathTokens.length > 1) { + ctx.registry.key = pathTokens.subList(1, pathTokens.length).join("\\"); + } + } + + def value = pathTokens[pathTokens.length - 1]; + ctx.registry.value = value; + + def data = ctx?.winlog?.event_data?.Details; + if (data != null && data != "") { + def prefixLen = 2; // to remove 0x prefix + def dataValue = ""; + def dataType = ""; + def matcher = qwordRegex.matcher(data); + if (matcher.matches()) { + def parsedHighByte = Long.parseLong(matcher.group(2).substring(prefixLen), 16); + def parsedLowByte = Long.parseLong(matcher.group(3).substring(prefixLen), 16); + if (!Double.isNaN(parsedHighByte) && !Double.isNaN(parsedLowByte)) { + dataType = "SZ_QWORD"; + dataValue = Long.toString(((parsedHighByte << 8) + parsedLowByte)); + } + } else { + matcher = dwordRegex.matcher(data); + if (matcher.matches()) { + def parsedValue = Long.parseLong(matcher.group(1).substring(prefixLen), 16); + if (!Double.isNaN(parsedValue)) { + dataType = "SZ_DWORD"; + dataValue = matcher.group(1); + } + } + } + + if (dataType != "") { + ctx.registry.data = [ + "strings": [dataValue], + "type": dataType + ]; + } + } + +## Cleanup 
+
+ - remove:
+ field:
+ - _temp
+ - winlog.event_data.ProcessId
+ - winlog.event_data.ParentProcessId
+ - winlog.event_data.SourceProcessId
+ - winlog.event_data.SourceThreadId
+ - winlog.event_data.SourceIp
+ - winlog.event_data.SourcePort
+ - winlog.event_data.SourcePortName
+ - winlog.event_data.DestinationIp
+ - winlog.event_data.DestinationPort
+ - winlog.event_data.DestinationPortName
+ - winlog.event_data.RuleName
+ - winlog.event_data.User
+ - winlog.event_data.Initiated
+ - winlog.event_data.SourceIsIpv6
+ - winlog.event_data.DestinationIsIpv6
+ - winlog.event_data.QueryStatus
+ - winlog.event_data.Archived
+ - winlog.event_data.IsExecutable
+ - winlog.event_data.QueryResults
+ - winlog.event_data.UtcTime
+ - winlog.event_data.Hash
+ - winlog.event_data.Hashes
+ - winlog.event_data.TargetObject
+ - winlog.event_data.Details
+ - winlog.time_created
+ - winlog.level
+ ignore_failure: true
+ ignore_missing: true
+ - script:
+ description: Remove all empty values from event_data.
+ lang: painless
+ source: ctx?.winlog?.event_data?.entrySet().removeIf(entry -> entry.getValue() == null || entry.getValue().equals("") || entry.getValue().equals("-"));
+ - remove:
+ description: Remove empty event data.
+ field: winlog.event_data
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data != null && ctx.winlog.event_data.size() == 0
+
+on_failure:
+ - set:
+ field: "error.message"
+ value: |-
+ Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}"
diff --git a/packages/windows/1.12.1/data_stream/forwarded/fields/agent.yml b/packages/windows/1.12.1/data_stream/forwarded/fields/agent.yml
new file mode 100755
index 0000000000..da4e652c53
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/forwarded/fields/agent.yml
@@ -0,0 +1,198 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
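Review bot: `example: 666777888999` under `cloud.account.id` (near the top of the hunk) is an unquoted all-digit scalar, so a generic YAML loader reads it as an integer although the field is declared `type: keyword`; every other example in this file is a string. Quote it, `example: "666777888999"`, so the example keeps the field's type and survives a round-trip through YAML tooling unchanged. The same rule applies to any all-digit example added to these field files later.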
diff --git a/packages/windows/1.12.1/data_stream/forwarded/fields/base-fields.yml b/packages/windows/1.12.1/data_stream/forwarded/fields/base-fields.yml
new file mode 100755
index 0000000000..a04d6e06c9
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/forwarded/fields/base-fields.yml
@@ -0,0 +1,34 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: dataset.type
+ type: constant_keyword
+ description: Dataset type.
+- name: dataset.name
+ type: constant_keyword
+ description: Dataset name.
+- name: dataset.namespace
+ type: constant_keyword
+ description: Dataset namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: windows
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: windows.forwarded
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: tags
+ description: List of keywords used to tag each event.
+ example: '["production", "env2"]'
+ ignore_above: 1024
+ type: keyword
diff --git a/packages/windows/1.12.1/data_stream/forwarded/fields/beats.yml b/packages/windows/1.12.1/data_stream/forwarded/fields/beats.yml
new file mode 100755
index 0000000000..3c48f1f224
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/forwarded/fields/beats.yml
@@ -0,0 +1,3 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
diff --git a/packages/windows/1.12.1/data_stream/forwarded/fields/ecs.yml b/packages/windows/1.12.1/data_stream/forwarded/fields/ecs.yml
new file mode 100755
index 0000000000..ebb7c8a3ff
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/forwarded/fields/ecs.yml
@@ -0,0 +1,588 @@ +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: destination.user.domain + type: keyword +- description: Unique identifier of the user. + name: destination.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: destination.user.name + type: keyword +- description: |- + An array containing an object for each answer section returned by the server. + The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. + Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. + name: dns.answers + type: object +- description: The class of DNS data contained in this resource record. + name: dns.answers.class + type: keyword +- description: |- + The data describing the resource. + The meaning of this data depends on the type and class of the resource record. + name: dns.answers.data + type: keyword +- description: |- + The domain name to which this resource record pertains. + If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. 
+ name: dns.answers.name + type: keyword +- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. + name: dns.answers.ttl + type: long +- description: The type of data contained in this resource record. + name: dns.answers.type + type: keyword +- description: |- + Array of 2 letter DNS header flags. + Expected values are: AA, TC, RD, RA, AD, CD, DO. + name: dns.header_flags + type: keyword +- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. + name: dns.id + type: keyword +- description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. + name: dns.op_code + type: keyword +- description: The class of records being queried. + name: dns.question.class + type: keyword +- description: |- + The name being queried. + If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + name: dns.question.name + type: keyword +- description: |- + The highest registered domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: dns.question.registered_domain + type: keyword +- description: |- + The subdomain is all of the labels under the registered_domain. 
+ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: dns.question.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: dns.question.top_level_domain + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + Array containing all IPs seen in `answers.data`. + The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. + name: dns.resolved_ip + type: ip +- description: The DNS response code. + name: dns.response_code + type: keyword +- description: |- + The type of DNS event captured, query or answer. + If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. + If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. + name: dns.type + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
+ name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. 
It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Source of the event. 
+ Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + name: event.provider + type: keyword +- description: |- + Sequence number of the event. + The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. + name: event.sequence + type: long +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: Boolean to capture if a signature is present. + name: file.code_signature.exists + type: boolean +- description: |- + Additional information about the certificate status. + This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + name: file.code_signature.status + type: keyword +- description: Subject name of the code signer + name: file.code_signature.subject_name + type: keyword +- description: |- + Stores the trust status of the certificate chain. + Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + name: file.code_signature.trusted + type: boolean +- description: |- + Boolean to capture if the digital signature is verified against the binary content. + Leave unpopulated if a certificate was unchecked. 
+ name: file.code_signature.valid + type: boolean +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: MD5 hash. + name: file.hash.md5 + type: keyword +- description: SHA1 hash. + name: file.hash.sha1 + type: keyword +- description: SHA256 hash. + name: file.hash.sha256 + type: keyword +- description: SHA512 hash. + name: file.hash.sha512 + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: CPU architecture target for the file. + name: file.pe.architecture + type: keyword +- description: Internal company name of the file, provided at compile-time. + name: file.pe.company + type: keyword +- description: Internal description of the file, provided at compile-time. + name: file.pe.description + type: keyword +- description: Internal version of the file, provided at compile-time. + name: file.pe.file_version + type: keyword +- description: |- + A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + name: file.pe.imphash + type: keyword +- description: Internal name of the file, provided at compile-time. 
+ name: file.pe.original_file_name + type: keyword +- description: Internal product name of the file, provided at compile-time. + name: file.pe.product + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. 
+ name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: |- + Array of process arguments, starting with the absolute path to the executable. + May be filtered to protect sensitive information. + name: process.args + type: keyword +- description: |- + Length of the process.args array. + This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. 
More arguments may be an indication of suspicious activity. + name: process.args_count + type: long +- description: |- + Full command line that started the process, including the absolute path to the executable, and all arguments. + Some arguments may be filtered to protect sensitive information. + multi_fields: + - name: text + type: match_only_text + name: process.command_line + type: wildcard +- description: |- + Unique identifier for the process. + The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + name: process.entity_id + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.executable + type: keyword +- description: MD5 hash. + name: process.hash.md5 + type: keyword +- description: SHA1 hash. + name: process.hash.sha1 + type: keyword +- description: SHA256 hash. + name: process.hash.sha256 + type: keyword +- description: SHA512 hash. + name: process.hash.sha512 + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: |- + Array of process arguments, starting with the absolute path to the executable. + May be filtered to protect sensitive information. + name: process.parent.args + type: keyword +- description: |- + Length of the process.args array. + This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. 
+ name: process.parent.args_count + type: long +- description: |- + Full command line that started the process, including the absolute path to the executable, and all arguments. + Some arguments may be filtered to protect sensitive information. + multi_fields: + - name: text + type: match_only_text + name: process.parent.command_line + type: wildcard +- description: |- + Unique identifier for the process. + The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + name: process.parent.entity_id + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.parent.executable + type: keyword +- description: MD5 hash. + name: process.parent.hash.md5 + type: keyword +- description: SHA1 hash. + name: process.parent.hash.sha1 + type: keyword +- description: SHA256 hash. + name: process.parent.hash.sha256 + type: keyword +- description: SHA512 hash. + name: process.parent.hash.sha512 + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.parent.name + type: keyword +- description: CPU architecture target for the file. + name: process.parent.pe.architecture + type: keyword +- description: Internal company name of the file, provided at compile-time. + name: process.parent.pe.company + type: keyword +- description: Internal description of the file, provided at compile-time. + name: process.parent.pe.description + type: keyword +- description: Internal version of the file, provided at compile-time. 
+ name: process.parent.pe.file_version + type: keyword +- description: |- + A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + name: process.parent.pe.imphash + type: keyword +- description: Internal name of the file, provided at compile-time. + name: process.parent.pe.original_file_name + type: keyword +- description: Internal product name of the file, provided at compile-time. + name: process.parent.pe.product + type: keyword +- description: Process id. + name: process.parent.pid + type: long +- description: The time the process started. + name: process.parent.start + type: date +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.parent.title + type: keyword +- description: CPU architecture target for the file. + name: process.pe.architecture + type: keyword +- description: Internal company name of the file, provided at compile-time. + name: process.pe.company + type: keyword +- description: Internal description of the file, provided at compile-time. + name: process.pe.description + type: keyword +- description: Internal version of the file, provided at compile-time. + name: process.pe.file_version + type: keyword +- description: |- + A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. 
+ name: process.pe.imphash + type: keyword +- description: Internal name of the file, provided at compile-time. + name: process.pe.original_file_name + type: keyword +- description: Internal product name of the file, provided at compile-time. + name: process.pe.product + type: keyword +- description: Process id. + name: process.pid + type: long +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: The working directory of the process. + multi_fields: + - name: text + type: match_only_text + name: process.working_directory + type: keyword +- description: |- + Content when writing string types. + Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). + name: registry.data.strings + type: wildcard +- description: Standard registry type for encoding contents + name: registry.data.type + type: keyword +- description: Abbreviated name for the hive. + name: registry.hive + type: keyword +- description: Hive-relative path of keys. + name: registry.key + type: keyword +- description: Full path, including hive, key and value + name: registry.path + type: keyword +- description: Name of the value written. + name: registry.value + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). 
+ name: related.hash + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: |- + Name of the service data is collected from. + The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. + In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + name: service.name + type: keyword +- description: |- + The type of the service data is collected from. + The type can be used to group and correlate logs and metrics from one service type. + Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. + name: service.type + type: keyword +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Port of the source. + name: source.port + type: long +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: source.user.domain + type: keyword +- description: Unique identifier of the user. 
+ name: source.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: user.target.group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: user.target.group.id + type: keyword +- description: Name of the group. + name: user.target.group.name + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.target.name + type: keyword diff --git a/packages/windows/1.12.1/data_stream/forwarded/fields/fields.yml b/packages/windows/1.12.1/data_stream/forwarded/fields/fields.yml new file mode 100755 index 0000000000..08a58df583 --- /dev/null +++ b/packages/windows/1.12.1/data_stream/forwarded/fields/fields.yml 
@@ -0,0 +1,172 @@
+- name: sysmon.dns.status
+ type: keyword
+ description: Windows status code returned for the DNS query.
+- name: sysmon.file.archived
+ type: boolean
+ description: Indicates if the deleted file was archived.
+- name: sysmon.file.is_executable
+ type: boolean
+ description: Indicates if the deleted file was an executable.
+- name: winlog.logon
+ type: group
+ description: Data related to a Windows logon.
+ fields:
+ - name: type
+ type: keyword
+ description: >
+ Logon type name. This is the descriptive version of the `winlog.event_data.LogonType` ordinal. This is an enrichment added by the Security module.
+
+ example: RemoteInteractive
+ - name: id
+ type: keyword
+ description: >
+ Logon ID that can be used to associate this logon with other events related to the same logon session.
+
+ - name: failure.reason
+ type: keyword
+ description: >
+ The reason the logon failed.
+
+ - name: failure.status
+ type: keyword
+ description: >
+ The reason the logon failed. This is textual description based on the value of the hexadecimal `Status` field.
+
+ - name: failure.sub_status
+ type: keyword
+ description: >
+ Additional information about the logon failure. This is a textual description based on the value of the hexidecimal `SubStatus` field.
+
+- name: powershell.id
+ type: keyword
+ description: Shell Id.
+ example: Microsoft Powershell
+- name: powershell.pipeline_id
+ type: keyword
+ description: Pipeline id.
+ example: "1"
+- name: powershell.runspace_id
+ type: keyword
+ description: Runspace id.
+ example: "4fa9074d-45ab-4e53-9195-e91981ac2bbb"
+- name: powershell.sequence
+ type: long
+ description: Sequence number of the powershell execution.
+ example: 1
+- name: powershell.total
+ type: long
+ description: Total number of messages in the sequence.
+ example: 10
+- name: powershell.command
+ type: group
+ description: Data related to the executed command.
+ fields:
+ - name: path
+ type: keyword
+ description: Path of the executed command.
+ example: "C:\\Windows\\system32\\cmd.exe"
+ - name: name
+ type: keyword
+ description: Name of the executed command.
+ example: "cmd.exe"
+ - name: type
+ type: keyword
+ description: Type of the executed command.
+ example: Application
+ - name: value
+ type: text
+ description: The invoked command.
+ example: Import-LocalizedData LocalizedData -filename ArchiveResources
+ - name: invocation_details
+ type: array
+ description: >
+ An array of objects containing detailed information of the executed command.
+
+ - name: invocation_details.type
+ type: keyword
+ description: The type of detail.
+ example: CommandInvocation
+ - name: invocation_details.related_command
+ type: keyword
+ description: The command to which the detail is related to.
+ example: Add-Type
+ - name: invocation_details.name
+ type: keyword
+ description: >
+ Only used for ParameterBinding detail type. Indicates the parameter name.
+
+ example: AssemblyName
+ - name: invocation_details.value
+ type: text
+ description: >
+ The value of the detail. The meaning of it will depend on the detail type.
+
+ example: System.IO.Compression.FileSystem
+- name: powershell.connected_user
+ type: group
+ description: Data related to the connected user executing the command.
+ fields:
+ - name: domain
+ type: keyword
+ description: User domain.
+ example: VAGRANT
+ - name: name
+ type: keyword
+ description: User name.
+ example: vagrant
+- name: powershell.engine
+ type: group
+ description: Data related to the PowerShell engine.
+ fields:
+ - name: version
+ type: keyword
+ description: Version of the PowerShell engine version used to execute the command.
+ example: "5.1.17763.1007"
+ - name: previous_state
+ type: keyword
+ description: >
+ Previous state of the PowerShell engine.
+
+ example: Available
+ - name: new_state
+ type: keyword
+ description: >
+ New state of the PowerShell engine.
+
+ example: Stopped
+- name: powershell.file
+ type: group
+ description: Data related to the executed script file.
+ fields:
+ - name: script_block_id
+ type: keyword
+ description: Id of the executed script block.
+ example: "50d2dbda-7361-4926-a94d-d9eadfdb43fa"
+ - name: script_block_text
+ type: text
+ analyzer: powershell_script_analyzer
+ search_analyzer: powershell_script_analyzer
+ description: >
+ Text of the executed script block.
+
+ example: ".\\a_script.ps1"
+- name: powershell.process.executable_version
+ type: keyword
+ description: Version of the engine hosting process executable.
+ example: "5.1.17763.1007"
+- name: powershell.provider
+ type: group
+ description: Data related to the PowerShell engine host.
+ fields:
+ - name: new_state
+ type: keyword
+ description: >
+ New state of the PowerShell provider.
+
+ example: Active
+ - name: name
+ type: keyword
+ description: >
+ Provider name.
+
+ example: Variable
diff --git a/packages/windows/1.12.1/data_stream/forwarded/fields/winlog.yml b/packages/windows/1.12.1/data_stream/forwarded/fields/winlog.yml
new file mode 100755
index 0000000000..031494e84e
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/forwarded/fields/winlog.yml
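Review bot: The `winlog.logon.failure.sub_status` description misspells "hexadecimal" as "hexidecimal"; the sibling `failure.status` entry spells it correctly, so change `hexidecimal` to `hexadecimal` there. The `failure.reason` description, "The reason the logon failed.", is also the opening sentence of `failure.status`, so a reader cannot tell which field is the event's own reason text and which is the decoded `Status` code; if `failure.reason` is the free-text reason from the event, say so explicitly, e.g. `The free-text reason for the logon failure as reported in the event; see failure.status and failure.sub_status for the decoded codes.` — confirm against the pipeline that populates it. Finally, `winlog.logon.type` says the value is "an enrichment added by the Security module", which reads as Winlogbeat wording; in this package the value is presumably set by the ingest pipeline, so `added by the ingest pipeline` would be more accurate if that is the case.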
@@ -0,0 +1,620 @@ +- name: winlog + type: group + description: > + All fields specific to the Windows Event Log are defined here. + + fields: + - name: api + required: true + type: keyword + description: > + The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. + + The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. + + - name: activity_id + type: keyword + required: false + description: > + A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. + + - name: computer_name + type: keyword + required: true + description: > + The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. + + - name: level + type: keyword + required: false + description: > + The event severity. Levels are Critical, Error, Warning and Information, Verbose + + - name: outcome + type: keyword + required: false + description: > + Success or Failure of the event. + + - name: time_created + type: keyword + required: false + description: > + Time event was created + + - name: trustAttribute + type: keyword + required: false + - name: trustDirection + type: keyword + required: false + - name: trustType + type: keyword + required: false + - name: computerObject + type: group + description: > + computer Object data + + fields: + - name: domain + type: keyword + - name: id + type: keyword + - name: name + type: keyword + - name: event_data + type: object + object_type: keyword + required: false + description: > + The event-specific data. 
This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. + + - name: event_data + type: group + description: > + This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. + + fields: + - name: AccessGranted + type: keyword + - name: AccessRemoved + type: keyword + - name: AccountDomain + type: keyword + - name: AccountExpires + type: keyword + - name: AccountName + type: keyword + - name: AllowedToDelegateTo + type: keyword + - name: AuditPolicyChanges + type: keyword + - name: AuditPolicyChangesDescription + type: keyword + - name: AuditSourceName + type: keyword + - name: AuthenticationPackageName + type: keyword + - name: Binary + type: keyword + - name: BitlockerUserInputTime + type: keyword + - name: BootMode + type: keyword + - name: BootType + type: keyword + - name: BuildVersion + type: keyword + - name: CallerProcessId + type: keyword + - name: CallerProcessName + type: keyword + - name: Category + type: keyword + - name: CategoryId + type: keyword + - name: ClientAddress + type: keyword + - name: ClientInfo + type: keyword + - name: ClientName + type: keyword + - name: CommandLine + type: keyword + - name: Company + type: keyword + - name: Configuration + type: keyword + - name: CorruptionActionState + type: keyword + - name: CrashOnAuditFailValue + type: keyword + - name: CreationUtcTime + type: keyword + - name: Description + type: keyword + - name: Detail + type: keyword + - name: DeviceName + type: keyword + - name: DeviceNameLength + type: keyword + - name: DeviceTime + type: keyword + - name: DeviceVersionMajor + type: keyword + - name: DeviceVersionMinor + type: keyword + - name: DisplayName + type: keyword + - name: 
DomainBehaviorVersion + type: keyword + - name: DomainName + type: keyword + - name: DomainPolicyChanged + type: keyword + - name: DomainSid + type: keyword + - name: DriveName + type: keyword + - name: DriverName + type: keyword + - name: DriverNameLength + type: keyword + - name: Dummy + type: keyword + - name: DwordVal + type: keyword + - name: EntryCount + type: keyword + - name: EventSourceId + type: keyword + - name: EventType + type: keyword + - name: ExtraInfo + type: keyword + - name: FailureName + type: keyword + - name: FailureNameLength + type: keyword + - name: FailureReason + type: keyword + - name: FileVersion + type: keyword + - name: FinalStatus + type: keyword + - name: Group + type: keyword + - name: GroupTypeChange + type: keyword + - name: HandleId + type: keyword + - name: HomeDirectory + type: keyword + - name: HomePath + type: keyword + - name: IdleImplementation + type: keyword + - name: IdleStateCount + type: keyword + - name: ImpersonationLevel + type: keyword + - name: IntegrityLevel + type: keyword + - name: IpAddress + type: keyword + - name: IpPort + type: keyword + - name: KerberosPolicyChange + type: keyword + - name: KeyLength + type: keyword + - name: LastBootGood + type: keyword + - name: LastShutdownGood + type: keyword + - name: LmPackageName + type: keyword + - name: LogonGuid + type: keyword + - name: LogonHours + type: keyword + - name: LogonId + type: keyword + - name: LogonID + type: keyword + - name: LogonProcessName + type: keyword + - name: LogonType + type: keyword + - name: MachineAccountQuota + type: keyword + - name: MajorVersion + type: keyword + - name: MandatoryLabel + type: keyword + - name: MaximumPerformancePercent + type: keyword + - name: MemberName + type: keyword + - name: MemberSid + type: keyword + - name: MinimumPerformancePercent + type: keyword + - name: MinimumThrottlePercent + type: keyword + - name: MinorVersion + type: keyword + - name: MixedDomainMode + type: keyword + - name: NewProcessId + 
type: keyword + - name: NewProcessName + type: keyword + - name: NewSchemeGuid + type: keyword + - name: NewSd + type: keyword + - name: NewSdDacl0 + type: keyword + - name: NewSdDacl1 + type: keyword + - name: NewSdDacl2 + type: keyword + - name: NewSdSacl0 + type: keyword + - name: NewSdSacl1 + type: keyword + - name: NewSdSacl2 + type: keyword + - name: NewTargetUserName + type: keyword + - name: NewTime + type: keyword + - name: NewUACList + type: keyword + - name: NewUacValue + type: keyword + - name: NominalFrequency + type: keyword + - name: Number + type: keyword + - name: ObjectName + type: keyword + - name: ObjectServer + type: keyword + - name: ObjectType + type: keyword + - name: OemInformation + type: keyword + - name: OldSchemeGuid + type: keyword + - name: OldSd + type: keyword + - name: OldSdDacl0 + type: keyword + - name: OldSdDacl1 + type: keyword + - name: OldSdDacl2 + type: keyword + - name: OldSdSacl0 + type: keyword + - name: OldSdSacl1 + type: keyword + - name: OldSdSacl2 + type: keyword + - name: OldTargetUserName + type: keyword + - name: OldTime + type: keyword + - name: OldUacValue + type: keyword + - name: OriginalFileName + type: keyword + - name: PackageName + type: keyword + - name: PasswordLastSet + type: keyword + - name: PasswordHistoryLength + type: keyword + - name: Path + type: keyword + - name: ParentProcessName + type: keyword + - name: PerformanceImplementation + type: keyword + - name: PreviousCreationUtcTime + type: keyword + - name: PreAuthType + type: keyword + - name: PreviousTime + type: keyword + - name: PrimaryGroupId + type: keyword + - name: PrivilegeList + type: keyword + - name: ProcessId + type: keyword + - name: ProcessName + type: keyword + - name: ProcessPath + type: keyword + - name: ProcessPid + type: keyword + - name: Product + type: keyword + - name: ProfilePath + type: keyword + - name: PuaCount + type: keyword + - name: PuaPolicyId + type: keyword + - name: QfeVersion + type: keyword + - name: Reason + 
type: keyword + - name: SamAccountName + type: keyword + - name: SchemaVersion + type: keyword + - name: ScriptPath + type: keyword + - name: Session + type: keyword + - name: SidHistory + type: keyword + - name: ScriptBlockText + type: keyword + - name: Service + type: keyword + - name: ServiceAccount + type: keyword + - name: ServiceFileName + type: keyword + - name: ServiceName + type: keyword + - name: ServiceSid + type: keyword + - name: ServiceStartType + type: keyword + - name: ServiceType + type: keyword + - name: ServiceVersion + type: keyword + - name: SessionName + type: keyword + - name: ShutdownActionType + type: keyword + - name: ShutdownEventCode + type: keyword + - name: ShutdownReason + type: keyword + - name: SidFilteringEnabled + type: keyword + - name: Signature + type: keyword + - name: SignatureStatus + type: keyword + - name: Signed + type: keyword + - name: StartTime + type: keyword + - name: State + type: keyword + - name: Status + type: keyword + - name: StatusDescription + type: keyword + - name: StopTime + type: keyword + - name: SubCategory + type: keyword + - name: SubCategoryGuid + type: keyword + - name: SubcategoryGuid + type: keyword + - name: SubCategoryId + type: keyword + - name: SubcategoryId + type: keyword + - name: SubjectDomainName + type: keyword + - name: SubjectLogonId + type: keyword + - name: SubjectUserName + type: keyword + - name: SubjectUserSid + type: keyword + - name: SubStatus + type: keyword + - name: TSId + type: keyword + - name: TargetDomainName + type: keyword + - name: TargetInfo + type: keyword + - name: TargetLogonGuid + type: keyword + - name: TargetLogonId + type: keyword + - name: TargetServerName + type: keyword + - name: TargetSid + type: keyword + - name: TargetUserName + type: keyword + - name: TargetUserSid + type: keyword + - name: TdoAttributes + type: keyword + - name: TdoDirection + type: keyword + - name: TdoType + type: keyword + - name: TerminalSessionId + type: keyword + - name: 
TicketEncryptionType + type: keyword + - name: TicketEncryptionTypeDescription + type: keyword + - name: TicketOptions + type: keyword + - name: TicketOptionsDescription + type: keyword + - name: TokenElevationType + type: keyword + - name: TransmittedServices + type: keyword + - name: UserAccountControl + type: keyword + - name: UserParameters + type: keyword + - name: UserPrincipalName + type: keyword + - name: UserSid + type: keyword + - name: UserWorkstations + type: keyword + - name: Version + type: keyword + - name: Workstation + type: keyword + - name: WorkstationName + type: keyword + - name: param1 + type: keyword + - name: param2 + type: keyword + - name: param3 + type: keyword + - name: param4 + type: keyword + - name: param5 + type: keyword + - name: param6 + type: keyword + - name: param7 + type: keyword + - name: param8 + type: keyword + - name: event_id + type: keyword + required: true + description: > + The event identifier. The value is specific to the source of the event. + + - name: keywords + type: keyword + required: false + description: > + The keywords are used to classify an event. + + - name: channel + type: keyword + required: true + description: > + The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. + + - name: record_id + type: keyword + required: true + description: > + The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. + + - name: related_activity_id + type: keyword + required: false + description: > + A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. 
+ + - name: opcode + type: keyword + required: false + description: > + The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. + + - name: provider_guid + type: keyword + required: false + description: > + A globally unique identifier that identifies the provider that logged the event. + + - name: process.pid + type: long + required: false + description: > + The process_id of the Client Server Runtime Process. + + - name: provider_name + type: keyword + required: true + description: > + The source of the event log record (the application or service that logged the record). + + - name: task + type: keyword + required: false + description: > + The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. + + - name: process.thread.id + type: long + required: + - name: user_data + type: object + object_type: keyword + required: false + description: > + The event specific data. This field is mutually exclusive with `event_data`. + + - name: user_data + type: group + description: > + The event specific data. This field is mutually exclusive with `event_data`. + + fields: + - name: BackupPath + type: keyword + - name: Channel + type: keyword + - name: SubjectDomainName + type: keyword + - name: SubjectLogonId + type: keyword + - name: SubjectUserName + type: keyword + - name: SubjectUserSid + type: keyword + - name: xml_name + type: keyword + - name: user.identifier + type: keyword + required: false + example: S-1-5-21-3541430928-2051711210-1391384369-1001 + description: > + The Windows security identifier (SID) of the account associated with this event. + + If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. 
If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. + + - name: user.name + type: keyword + description: > + Name of the user associated with this event. + + - name: user.domain + type: keyword + required: false + description: > + The domain that the account associated with this event is a member of. + + - name: user.type + type: keyword + required: false + description: > + The type of account associated with this event. + + - name: version + type: long + required: false + description: The version number of the event's definition. diff --git a/packages/windows/1.12.1/data_stream/forwarded/manifest.yml b/packages/windows/1.12.1/data_stream/forwarded/manifest.yml new file mode 100755 index 0000000000..b5ebb051ea --- /dev/null +++ b/packages/windows/1.12.1/data_stream/forwarded/manifest.yml 
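Review bot: `winlog.process.thread.id` is declared with a bare `required:` and no value, which YAML reads as null rather than a boolean; every other field in this file writes `required: false`, so make it `required: false` (or drop the key) before a schema validator or the package spec rejects it. The `winlog.process.pid` description, "The process_id of the Client Server Runtime Process.", also looks carried over from Winlogbeat and is misleading: the sample event in this same change shows the field holding the logging process's `Execution ProcessID` (4204, from the PowerShell provider), so `The process ID of the process that logged the event.` would describe it accurately — confirm against the pipeline. Minor wording: the `winlog.level` description reads "Critical, Error, Warning and Information, Verbose"; `Critical, Error, Warning, Information and Verbose` is the intended list.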
@@ -0,0 +1,107 @@
+type: logs
+title: Windows forwarded events
+elasticsearch:
+ index_template:
+ settings:
+ analysis:
+ analyzer:
+ powershell_script_analyzer:
+ type: pattern
+ pattern: '[\W&&[^-]]+'
+streams:
+ - input: winlog
+ template_path: winlog.yml.hbs
+ title: Forwarded
+ description: 'Collect ForwardedEvents channel logs'
+ vars:
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: >-
+ Preserves a raw copy of the original XML event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: event_id
+ type: text
+ title: Event ID
+ description: >-
+ A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Limit 22 IDs.
+ required: false
+ show_user: false
+ - name: ignore_older
+ type: text
+ title: Ignore events older than
+ default: 72h
+ required: false
+ show_user: false
+ description: >-
+ If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+ - name: language
+ type: text
+ title: Language ID
+ description: >-
+ The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c[here]. It defaults to `0`, which indicates to use the system language.
E.g.: 0x0409 for en-US
+ required: false
+ show_user: false
+ default: 0
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ default:
+ - forwarded
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: httpjson
+ title: Windows ForwardedEvents via Splunk Enterprise REST API
+ description: Collect ForwardedEvents via Splunk Enterprise REST API
+ enabled: false
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: interval
+ type: text
+ title: Interval to query Splunk Enterprise REST API
+ description: Go Duration syntax (eg. 10s)
+ show_user: true
+ required: true
+ default: 10s
+ - name: search
+ type: text
+ title: Splunk search string
+ show_user: false
+ required: true
+ default: "search sourcetype=\"XmlWinEventLog:ForwardedEvents\""
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ default:
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
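Review bot: The `language` description links with AsciiDoc syntax (`https://...ms-lcid/...[here]`) while the `processors` descriptions in the same file use Markdown (`[Processors](https://...)`); the two forms cannot both render correctly, and under a Markdown renderer the AsciiDoc form shows as a bare URL followed by a literal `[here]`, so write it as `[here](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c)`. The `ignore_older` option defaults to `72h` but its description states neither the default nor that skipped events are dropped rather than deferred; for the ForwardedEvents channel, which is fed by WEF subscriptions that can carry a backlog after a collector outage, that is a silent evidence gap an operator should be warned about, e.g. append `Defaults to 72h; forwarded events already older than this when they are read are skipped, not deferred.` to the description. Also, `default: 0` on a `type: text` variable is a YAML integer rather than the string the type implies — the template may coerce it, but `default: "0"` removes the ambiguity.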
diff --git a/packages/windows/1.12.1/data_stream/forwarded/sample_event.json b/packages/windows/1.12.1/data_stream/forwarded/sample_event.json new file mode 100755 index 0000000000..2b6f02eb4a --- /dev/null +++ b/packages/windows/1.12.1/data_stream/forwarded/sample_event.json 
@@ -0,0 +1,77 @@ +{ + "@timestamp": "2020-05-13T09:04:04.755Z", + "agent": { + "ephemeral_id": "17601e61-e945-4f5c-aec5-4a2d491f3b00", + "hostname": "docker-fleet-agent", + "id": "0d57cbc7-6410-455a-840c-08fd44507a26", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "data_stream": { + "dataset": "windows.forwarded", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "0d57cbc7-6410-455a-840c-08fd44507a26", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "category": "process", + "code": "4105", + "created": "2022-03-31T08:40:37.999Z", + "dataset": "windows.forwarded", + "ingested": "2022-03-31T08:40:39Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4105\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e102\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T09:04:04.755232500Z'/\u003e\u003cEventRecordID\u003e790\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{dd68516a-2930-0000-5962-68dd3029d601}'/\u003e\u003cExecution ProcessID='4204' ThreadID='1476'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003ef4a378ab-b74f-41a7-a5ef-6dd55562fdb9\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e9c031e5c-8d5a-4b91-a12e-b3624970b623\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-PowerShell", + "type": 
"start" + }, + "host": { + "name": "vagrant" + }, + "input": { + "type": "httpjson" + }, + "log": { + "level": "verbose" + }, + "powershell": { + "file": { + "script_block_id": "f4a378ab-b74f-41a7-a5ef-6dd55562fdb9" + }, + "runspace_id": "9c031e5c-8d5a-4b91-a12e-b3624970b623" + }, + "tags": [ + "forwarded", + "preserve_original_event" + ], + "user": { + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "winlog": { + "activity_id": "{dd68516a-2930-0000-5962-68dd3029d601}", + "channel": "Microsoft-Windows-PowerShell/Operational", + "computer_name": "vagrant", + "event_id": "4105", + "process": { + "pid": 4204, + "thread": { + "id": 1476 + } + }, + "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", + "provider_name": "Microsoft-Windows-PowerShell", + "record_id": "790", + "user": { + "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "version": 1 + } +} \ No newline at end of file diff --git a/packages/windows/1.12.1/data_stream/perfmon/agent/stream/stream.yml.hbs b/packages/windows/1.12.1/data_stream/perfmon/agent/stream/stream.yml.hbs new file mode 100755 index 0000000000..142d2d803e --- /dev/null +++ b/packages/windows/1.12.1/data_stream/perfmon/agent/stream/stream.yml.hbs @@ -0,0 +1,6 @@ +metricsets: ["perfmon"] +condition: ${host.platform} == 'windows' +perfmon.group_measurements_by_instance: {{perfmon.group_measurements_by_instance}} +perfmon.ignore_non_existent_counters: {{perfmon.ignore_non_existent_counters}} +perfmon.queries: {{perfmon.queries}} +period: {{period}} diff --git a/packages/windows/1.12.1/data_stream/perfmon/fields/agent.yml b/packages/windows/1.12.1/data_stream/perfmon/fields/agent.yml new file mode 100755 index 0000000000..da4e652c53 --- /dev/null +++ b/packages/windows/1.12.1/data_stream/perfmon/fields/agent.yml 
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/windows/1.12.1/data_stream/perfmon/fields/base-fields.yml b/packages/windows/1.12.1/data_stream/perfmon/fields/base-fields.yml new file mode 100755 index 0000000000..2dfe4fa4af --- /dev/null +++ b/packages/windows/1.12.1/data_stream/perfmon/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: windows +- name: event.dataset + type: constant_keyword + description: Event dataset + value: windows.perfmon +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/windows/1.12.1/data_stream/perfmon/fields/fields.yml b/packages/windows/1.12.1/data_stream/perfmon/fields/fields.yml new file mode 100755 index 0000000000..c5cca6fc04 --- /dev/null +++ b/packages/windows/1.12.1/data_stream/perfmon/fields/fields.yml @@ -0,0 +1,15 @@ +- name: windows.perfmon + type: group + fields: + - name: object + type: keyword + description: | + Object value. + - name: instance + type: keyword + description: | + Instance value. + - name: metrics.*.* + type: object + description: | + Metric values returned. diff --git a/packages/windows/1.12.1/data_stream/perfmon/manifest.yml b/packages/windows/1.12.1/data_stream/perfmon/manifest.yml new file mode 100755 index 0000000000..23ec03a7e4 --- /dev/null +++ b/packages/windows/1.12.1/data_stream/perfmon/manifest.yml 
@@ -0,0 +1,45 @@ +title: Windows perfmon metrics +type: metrics +streams: + - input: windows/metrics + vars: + - name: perfmon.group_measurements_by_instance + type: bool + title: Perfmon Group Measurements By Instance + multi: false + required: false + show_user: true + default: false + description: Enabling this option will send all measurements with a matching perfmon instance as part of a single event + - name: perfmon.ignore_non_existent_counters + type: bool + title: Perfmon Ignore Non Existent Counters + multi: false + required: false + show_user: true + default: false + description: Enabling this option will make sure to ignore any errors caused by counters that do not exist + - name: perfmon.queries + type: yaml + title: Perfmon Queries + multi: false + required: true + show_user: true + default: | + - object: 'Process' + instance: ["*"] + counters: + - name: '% Processor Time' + field: cpu_perc + format: "float" + - name: "Working Set" + description: Will list the perfmon queries to execute, each query will have an `object` option, an optional `instance` contiguration and the actual counters + - name: period + type: text + title: Period + multi: false + required: true + show_user: true + default: 10s + title: Windows perfmon metrics + description: Collect Windows perfmon metrics diff --git a/packages/windows/1.12.1/data_stream/powershell/agent/stream/httpjson.yml.hbs b/packages/windows/1.12.1/data_stream/powershell/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..0a82aa6acc --- /dev/null +++ b/packages/windows/1.12.1/data_stream/powershell/agent/stream/httpjson.yml.hbs 
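Review bot: The `perfmon.queries` description carries a typo, `contiguration` → `configuration`, and would read more clearly as `Lists the perfmon queries to execute; each query has an `object` option, an optional `instance` configuration and the actual counters.` The default query block also ends with `- name: "Working Set"` that has no `field` or `format`, unlike the `% Processor Time` counter just above it, so the shipped example reads as if it were cut off; either give it a `field` (e.g. `field: working_set`, constructed) or state in the description that `field` is optional. Showing both shapes without a word of explanation leaves the user guessing which one is required.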
@@ -0,0 +1,101 @@ +config_version: "2" +interval: {{interval}} +{{#unless token}} +{{#if username}} +{{#if password}} +auth.basic.user: {{username}} +auth.basic.password: {{password}} +{{/if}} +{{/if}} +{{/unless}} +cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' +request.url: {{url}}/services/search/jobs/export +{{#if ssl}} +request.ssl: {{ssl}} +{{/if}} +request.method: POST +request.transforms: + - set: + target: url.params.search + value: |- + {{search}} | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: "json" + - set: + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + default: '[[(now (parseDuration "-{{interval}}")).Unix]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded +{{#unless username}} +{{#unless password}} +{{#if token}} + - set: + target: header.Authorization + value: {{token}} +{{/if}} +{{/unless}} +{{/unless}} +response.decode_as: application/x-ndjson +{{#if tags.length}} +tags: +{{else if preserve_original_event}} +tags: +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- decode_json_fields: + fields: message + target: json + add_error_key: true +- drop_event: + when: + not: + has_fields: ['json.result'] +- fingerprint: + fields: + - json.result._cd + - json.result._indextime + - json.result._raw + - json.result._time + - json.result.host + - json.result.source + target_field: "@metadata._id" +- drop_fields: + fields: message +- rename: + fields: + - from: json.result._raw + to: event.original + - from: json.result.host + to: host.name + - from: json.result.source + to: event.provider + ignore_missing: true + fail_on_error: false +- drop_fields: + fields: json +- 
decode_xml_wineventlog: + field: event.original + target_field: winlog + ignore_missing: true + ignore_failure: true + map_ecs_fields: true +{{#if processors.length}} +{{processors}} +{{/if}} diff --git a/packages/windows/1.12.1/data_stream/powershell/agent/stream/winlog.yml.hbs b/packages/windows/1.12.1/data_stream/powershell/agent/stream/winlog.yml.hbs new file mode 100755 index 0000000000..8695fa2300 --- /dev/null +++ b/packages/windows/1.12.1/data_stream/powershell/agent/stream/winlog.yml.hbs @@ -0,0 +1,24 @@ +name: Windows PowerShell +condition: ${host.platform} == 'windows' +{{#if event_id}} +event_id: {{event_id}} +{{/if}} +{{#if ignore_older}} +ignore_older: {{ignore_older}} +{{/if}} +{{#if language}} +language: {{language}} +{{/if}} +{{#if tags.length}} +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{/if}} +{{#if preserve_original_event}} +include_xml: true +{{/if}} +{{#if processors.length}} +processors: +{{processors}} +{{/if}} diff --git a/packages/windows/1.12.1/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml b/packages/windows/1.12.1/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..7e9df152b0 --- /dev/null +++ b/packages/windows/1.12.1/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml 
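Review bot: The basic-auth block is emitted only when `token` is unset, while the `Authorization` header block is emitted only when both `username` and `password` are unset, so a policy that sets a token together with a username or password renders no credentials at all and the Splunk export requests go out unauthenticated, failing at the endpoint instead of at policy time. Since `{{#unless token}}` on the basic block already makes the two mechanisms exclusive with token taking precedence, the `{{#unless username}}{{#unless password}}` guards around the header block can be dropped, or the intended precedence documented in a comment above it. `auth.basic.password: {{password}}` and `value: {{token}}` are also rendered unquoted, so a secret that begins with a YAML indicator or contains `: ` or ` #` produces a broken or silently truncated stream config; if Fleet inserts text vars verbatim (not confirmable from this diff), quoting them as `auth.basic.password: "{{password}}"` avoids that class of failure.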
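Review bot: `{{#if preserve_original_event}}` in this winlog template only sets `include_xml: true`, whereas the httpjson template for the same data stream additionally appends a `preserve_original_event` tag (and emits `tags:` even when the tag list is empty via its `{{else if preserve_original_event}}` branch). If anything downstream keys on that tag, events collected via winlog and via Splunk diverge for the same option; consider mirroring the httpjson template by adding `  - preserve_original_event` under `tags:` when the option is on, or add a comment here explaining why the winlog path intentionally relies on `include_xml` alone.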
@@ -0,0 +1,430 @@ +--- +description: Pipeline for Windows Powershell events +processors: + - kv: + description: Split Event 800 event data fields. + field: winlog.event_data.param2 + target_field: winlog.event_data + field_split: "\n\t" + trim_key: "\n\t" + trim_value: "\n\t" + value_split: "=" + if: ctx?.winlog?.event_id == "800" + - kv: + description: Split Events 4xx and 600 event data fields. + field: winlog.event_data.param3 + target_field: winlog.event_data + field_split: "\n\t" + trim_key: "\n\t" + trim_value: "\n\t" + value_split: "=" + if: ctx?.winlog?.event_id != "800" + + ## ECS and Event fields. + + - set: + field: ecs.version + value: '8.0.0' + - set: + field: log.level + copy_from: winlog.level + ignore_empty_value: true + ignore_failure: true + if: ctx?.winlog?.level != "" + - date: + field: winlog.time_created + formats: + - ISO8601 + ignore_failure: true + if: ctx?.winlog?.time_created != null + + - set: + field: event.kind + value: event + - set: + field: event.code + value: '{{winlog.event_id}}' + - set: + field: event.category + value: process + - set: + field: event.type + value: start + if: ctx?.event.code == "400" + - set: + field: event.type + value: end + if: ctx?.event.code == "403" + - set: + field: event.type + value: info + if: ctx?.event?.type == null + - convert: + field: winlog.event_data.SequenceNumber + target_field: event.sequence + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: winlog.record_id + type: string + ignore_failure: true + ignore_missing: true + + ## Process fields. 
+ + - rename: + field: winlog.event_data.HostId + target_field: process.entity_id + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.HostId != "" + - rename: + field: winlog.event_data.HostApplication + target_field: process.command_line + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.HostApplication != "" + - rename: + field: winlog.event_data.HostName + target_field: process.title + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.HostName != "" + + ## User fields. + + - split: + field: winlog.event_data.UserId + target_field: "_temp.user_parts" + separator: '\\' + if: ctx?.winlog?.event_data?.UserId != null + - set: + field: user.domain + value: "{{_temp.user_parts.0}}" + ignore_failure: true + ignore_empty_value: true + if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 + - set: + field: user.name + value: "{{_temp.user_parts.1}}" + ignore_failure: true + ignore_empty_value: true + if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 + - append: + field: related.user + value: "{{user.name}}" + ignore_failure: true + allow_duplicates: false + if: ctx?.user?.name != null + + ## PowerShell fields. 
+ + - rename: + field: winlog.event_data.NewEngineState + target_field: powershell.engine.new_state + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.NewEngineState != "" + - rename: + field: winlog.event_data.PreviousEngineState + target_field: powershell.engine.previous_state + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.PreviousEngineState != "" + - rename: + field: winlog.event_data.NewProviderState + target_field: powershell.provider.new_state + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.NewProviderState != "" + - rename: + field: winlog.event_data.ProviderName + target_field: powershell.provider.name + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.ProviderName != "" + - convert: + field: winlog.event_data.DetailTotal + target_field: powershell.total + type: long + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.DetailTotal != "" + - convert: + field: winlog.event_data.DetailSequence + target_field: powershell.sequence + type: long + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.DetailSequence != "" + - rename: + field: winlog.event_data.EngineVersion + target_field: powershell.engine.version + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.EngineVersion != "" + - rename: + field: winlog.event_data.PipelineId + target_field: powershell.pipeline_id + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.PipelineId != "" + - rename: + field: winlog.event_data.RunspaceId + target_field: powershell.runspace_id + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.RunspaceId != "" + - rename: + field: winlog.event_data.HostVersion + target_field: powershell.process.executable_version + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.HostVersion != "" + - rename: + field: 
winlog.event_data.CommandLine + target_field: powershell.command.value + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.CommandLine != "" + - rename: + field: winlog.event_data.CommandPath + target_field: powershell.command.path + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.CommandPath != "" + - rename: + field: winlog.event_data.CommandName + target_field: powershell.command.name + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.CommandName != "" + - rename: + field: winlog.event_data.CommandType + target_field: powershell.command.type + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.CommandType != "" + + - split: + description: Split Event 800 command invocation details. + field: winlog.event_data.param3 + separator: "\n" + ignore_failure: true + ignore_missing: true + if: ctx.event.code == "800" + - script: + description: |- + Parses all command invocation detail raw lines, and converts them to an object, based on their type. + - for unexpectedly formatted ones: {value: "the raw line as it is"} + - for all: + * related_command: describes to what command it is related to + * value: the value for that detail line + * type: the type of the detail line, i.e.: CommandInvocation, ParameterBinding, NonTerminatingError + - additionally, ParameterBinding adds a `name` field with the parameter name being bound. 
+ lang: painless + if: ctx.event.code == "800" + params: + field: param3 + source: |- + def parseRawDetail(String raw) { + Pattern detailRegex = /^(.+)\((.+)\)\:\s*(.+)?$/; + Pattern parameterBindingRegex = /name\=(.+);\s*value\=(.+)$/; + + def matcher = detailRegex.matcher(raw); + if (!matcher.matches()) { + return ["value": raw]; + } + def matches = new ArrayList(); + for (def i = 0; i <= matcher.groupCount(); i++) { + matches.add(matcher.group(i)); + } + + if (matches.length != 4) { + return ["value": raw]; + } + + if (matches[1] != "ParameterBinding") { + return [ + "type": matches[1], + "related_command": matches[2], + "value": matches[3] + ]; + } + + matcher = parameterBindingRegex.matcher(matches[3]); + if (!matcher.matches()) { + return ["value": matches[4]]; + } + def nameValMatches = new ArrayList(); + for (def i = 0; i <= matcher.groupCount(); i++) { + nameValMatches.add(matcher.group(i)); + } + if (nameValMatches.length !== 3) { + return ["value": matches[3]]; + } + + return [ + "type": matches[1], + "related_command": matches[2], + "name": nameValMatches[1], + "value": nameValMatches[2] + ]; + } + + if (ctx?._temp == null) { + ctx._temp = new HashMap(); + } + + if (ctx._temp.details == null) { + ctx._temp.details = new ArrayList(); + } + + def values = ctx?.winlog?.event_data[params["field"]]; + if (values != null && values.length > 0) { + for (v in values) { + ctx._temp.details.add(parseRawDetail(v)); + } + } + - rename: + field: _temp.details + target_field: powershell.command.invocation_details + if: ctx?._temp?.details != null && ctx?._temp?.details.length > 0 + + - script: + description: Implements Windows-like SplitCommandLine + lang: painless + if: ctx?.process?.command_line != null && ctx.process.command_line != "" + source: |- + // appendBSBytes appends n '\\' bytes to b and returns the resulting slice. 
+ def appendBSBytes(StringBuilder b, int n) { + for (; n > 0; n--) { + b.append('\\'); + } + return b; + } + + // readNextArg splits command line string cmd into next + // argument and command line remainder. + def readNextArg(String cmd) { + def b = new StringBuilder(); + boolean inquote; + int nslash; + for (; cmd.length() > 0; cmd = cmd.substring(1)) { + def c = cmd.charAt(0); + if (c == (char)' ' || c == (char)0x09) { + if (!inquote) { + return [ + "arg": appendBSBytes(b, nslash).toString(), + "rest": cmd.substring(1) + ]; + } + } else if (c == (char)'"') { + b = appendBSBytes(b, nslash/2); + if (nslash%2 == 0) { + // use "Prior to 2008" rule from + // http://daviddeley.com/autohotkey/parameters/parameters.htm + // section 5.2 to deal with double double quotes + if (inquote && cmd.length() > 1 && cmd.charAt(1) == (char)'"') { + b.append(c); + cmd = cmd.substring(1); + } + inquote = !inquote; + } else { + b.append(c); + } + nslash = 0; + continue; + } else if (c == (char)'\\') { + nslash++; + continue; + } + b = appendBSBytes(b, nslash); + nslash = 0; + b.append(c); + } + return [ + "arg": appendBSBytes(b, nslash).toString(), + "rest": '' + ]; + } + + // commandLineToArgv splits a command line into individual argument + // strings, following the Windows conventions documented + // at http://daviddeley.com/autohotkey/parameters/parameters.htm#WINARGV + // Original implementation found at: https://github.com/golang/go/commit/39c8d2b7faed06b0e91a1ad7906231f53aab45d1 + def commandLineToArgv(String cmd) { + def args = new ArrayList(); + while (cmd.length() > 0) { + if (cmd.charAt(0) == (char)' ' || cmd.charAt(0) == (char)0x09) { + cmd = cmd.substring(1); + continue; + } + def next = readNextArg(cmd); + cmd = next.rest; + args.add(next.arg); + } + return args; + } + + ctx.process.args = commandLineToArgv(ctx.process.command_line); + ctx.process.args_count = ctx.process.args.length; + + - script: + description: Adds file information. 
+ lang: painless + if: ctx?.winlog?.event_data?.ScriptName != null && ctx.winlog.event_data.ScriptName.length() > 1 + source: |- + def path = ctx.winlog.event_data.ScriptName; + def idx = path.lastIndexOf("\\"); + if (idx > -1) { + if (ctx?.file == null) { + ctx.file = new HashMap(); + } + ctx.file.name = path.substring(idx+1); + ctx.file.directory = path.substring(0, idx); + + def extIdx = path.lastIndexOf("."); + if (extIdx > -1) { + ctx.file.extension = path.substring(extIdx+1); + } + } + - rename: + field: winlog.event_data.ScriptName + target_field: file.path + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.ScriptName != "" + + ## Cleanup. + + - remove: + field: + - _temp + - winlog.event_data.param1 + - winlog.event_data.param2 + - winlog.event_data.param3 + - winlog.event_data.SequenceNumber + - winlog.event_data.DetailTotal + - winlog.event_data.DetailSequence + - winlog.event_data.UserId + - winlog.time_created + - winlog.level + ignore_missing: true + ignore_failure: true + - script: + description: Remove all empty values from event_data. + lang: painless + source: ctx?.winlog?.event_data?.entrySet().removeIf(entry -> entry.getValue() == null || entry.getValue().equals("")); + - remove: + description: Remove empty event data. + field: winlog.event_data + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data != null && ctx.winlog.event_data.size() == 0 + +on_failure: + - set: + field: "error.message" + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/windows/1.12.1/data_stream/powershell/fields/agent.yml b/packages/windows/1.12.1/data_stream/powershell/fields/agent.yml new file mode 100755 index 0000000000..da4e652c53 --- /dev/null +++ b/packages/windows/1.12.1/data_stream/powershell/fields/agent.yml 
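Review bot: In the Event 800 detail-parsing script, the fallback taken when a `ParameterBinding` line does not match `parameterBindingRegex` returns `["value": matches[4]]`, but `matches` holds exactly four entries (indices 0–3, which is what the preceding `matches.length != 4` check enforces), so that branch throws an out-of-bounds exception and the whole event is routed to `on_failure`; it should be `return ["value": matches[3]];`, matching the second fallback a few lines further down. In the `Adds file information` script, `path.lastIndexOf(".")` is computed over the full path rather than the file name, so a directory segment containing a dot combined with an extension-less script name produces a bogus `file.extension`; guarding with `if (extIdx > idx)` fixes it. The two leading `kv` processors have no `ignore_missing`, so an event on this channel that lacks `param2`/`param3` (presumably possible for event IDs other than 400/403/600/800) fails the pipeline instead of passing through — `ignore_missing: true` on both would make the pipeline degrade gracefully.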
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/windows/1.12.1/data_stream/powershell/fields/base-fields.yml b/packages/windows/1.12.1/data_stream/powershell/fields/base-fields.yml new file mode 100755 index 0000000000..baeabae2d0 --- /dev/null +++ b/packages/windows/1.12.1/data_stream/powershell/fields/base-fields.yml @@ -0,0 +1,34 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset name. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: dataset.type + type: constant_keyword + description: Dataset type. +- name: dataset.name + type: constant_keyword + description: Dataset name. +- name: dataset.namespace + type: constant_keyword + description: Dataset namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: windows +- name: event.dataset + type: constant_keyword + description: Event dataset + value: windows.powershell +- name: tags + description: List of keywords used to tag each event. + example: '["production", "env2"]' + ignore_above: 1024 + type: keyword diff --git a/packages/windows/1.12.1/data_stream/powershell/fields/beats.yml b/packages/windows/1.12.1/data_stream/powershell/fields/beats.yml new file mode 100755 index 0000000000..3c48f1f224 --- /dev/null +++ b/packages/windows/1.12.1/data_stream/powershell/fields/beats.yml @@ -0,0 +1,3 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. diff --git a/packages/windows/1.12.1/data_stream/powershell/fields/ecs.yml b/packages/windows/1.12.1/data_stream/powershell/fields/ecs.yml new file mode 100755 index 0000000000..b38edb214f --- /dev/null +++ b/packages/windows/1.12.1/data_stream/powershell/fields/ecs.yml 
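Review bot: This base-fields file declares `dataset.type`, `dataset.name` and `dataset.namespace` alongside the `data_stream.*` constant keywords, while the perfmon base-fields in the same package declares only `data_stream.*`, and nothing in the pipeline or stream templates in this diff populates the `dataset.*` trio. It looks like a leftover from the pre-`data_stream` naming; either drop the three entries so the two data streams agree, or add a comment above them stating why the legacy names are kept.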
@@ -0,0 +1,201 @@ +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: destination.user.domain + type: keyword +- description: Unique identifier of the user. + name: destination.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: destination.user.name + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Source of the event. + Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + name: event.provider + type: keyword +- description: |- + Sequence number of the event. + The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. + name: event.sequence + type: long +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: |- + File extension, excluding the leading dot. 
+ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + Array of process arguments, starting with the absolute path to the executable. + May be filtered to protect sensitive information. + name: process.args + type: keyword +- description: |- + Length of the process.args array. + This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. 
+ name: process.args_count + type: long +- description: |- + Full command line that started the process, including the absolute path to the executable, and all arguments. + Some arguments may be filtered to protect sensitive information. + multi_fields: + - name: text + type: match_only_text + name: process.command_line + type: wildcard +- description: |- + Unique identifier for the process. + The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + name: process.entity_id + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.executable + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: Process id. + name: process.pid + type: long +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. 
+ name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: source.user.domain + type: keyword +- description: Unique identifier of the user. + name: source.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword diff --git a/packages/windows/1.12.1/data_stream/powershell/fields/fields.yml b/packages/windows/1.12.1/data_stream/powershell/fields/fields.yml new file mode 100755 index 0000000000..1c154bd041 --- /dev/null +++ b/packages/windows/1.12.1/data_stream/powershell/fields/fields.yml 
@@ -0,0 +1,133 @@ +- name: powershell.id + type: keyword + description: Shell Id. + example: Microsoft Powershell +- name: powershell.pipeline_id + type: keyword + description: Pipeline id. + example: "1" +- name: powershell.runspace_id + type: keyword + description: Runspace id. + example: "4fa9074d-45ab-4e53-9195-e91981ac2bbb" +- name: powershell.sequence + type: long + description: Sequence number of the powershell execution. + example: 1 +- name: powershell.total + type: long + description: Total number of messages in the sequence. + example: 10 +- name: powershell.command + type: group + description: Data related to the executed command. + fields: + - name: path + type: keyword + description: Path of the executed command. + example: "C:\\Windows\\system32\\cmd.exe" + - name: name + type: keyword + description: Name of the executed command. + example: "cmd.exe" + - name: type + type: keyword + description: Type of the executed command. + example: Application + - name: value + type: text + description: The invoked command. + example: Import-LocalizedData LocalizedData -filename ArchiveResources + - name: invocation_details + type: array + description: > + An array of objects containing detailed information of the executed command. + + - name: invocation_details.type + type: keyword + description: The type of detail. + example: CommandInvocation + - name: invocation_details.related_command + type: keyword + description: The command to which the detail is related to. + example: Add-Type + - name: invocation_details.name + type: keyword + description: > + Only used for ParameterBinding detail type. Indicates the parameter name. + + example: AssemblyName + - name: invocation_details.value + type: text + description: > + The value of the detail. The meaning of it will depend on the detail type. + + example: System.IO.Compression.FileSystem +- name: powershell.connected_user + type: group + description: Data related to the connected user executing the command. 
+ fields: + - name: domain + type: keyword + description: User domain. + example: VAGRANT + - name: name + type: keyword + description: User name. + example: vagrant +- name: powershell.engine + type: group + description: Data related to the PowerShell engine. + fields: + - name: version + type: keyword + description: Version of the PowerShell engine version used to execute the command. + example: "5.1.17763.1007" + - name: previous_state + type: keyword + description: > + Previous state of the PowerShell engine. + + example: Available + - name: new_state + type: keyword + description: > + New state of the PowerShell engine. + + example: Stopped +- name: powershell.file + type: group + description: Data related to the executed script file. + fields: + - name: script_block_id + type: keyword + description: Id of the executed script block. + example: "50d2dbda-7361-4926-a94d-d9eadfdb43fa" + - name: script_block_text + analyzer: powershell_script_analyzer + search_analyzer: powershell_script_analyzer + type: text + description: > + Text of the executed script block. + + example: ".\\a_script.ps1" +- name: powershell.process.executable_version + type: keyword + description: Version of the engine hosting process executable. + example: "5.1.17763.1007" +- name: powershell.provider + type: group + description: Data related to the PowerShell engine host. + fields: + - name: new_state + type: keyword + description: > + New state of the PowerShell provider. + + example: Active + - name: name + type: keyword + description: > + Provider name. + + example: Variable diff --git a/packages/windows/1.12.1/data_stream/powershell/fields/winlog.yml b/packages/windows/1.12.1/data_stream/powershell/fields/winlog.yml new file mode 100755 index 0000000000..4ac76fdcdc --- /dev/null +++ b/packages/windows/1.12.1/data_stream/powershell/fields/winlog.yml 
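Review bot: `powershell.command.value` and `powershell.command.invocation_details.value` are mapped as `text` only, so the invoked command cannot be used for exact/term matching or for aggregations in detection rules and dashboards (a query against a `text` field goes through the analyzer, and terms aggregations are not available on it). Adding a keyword multi-field under each, e.g. `multi_fields:` / `- name: keyword` / `type: keyword` with `ignore_above: 1024`, would keep the full-text behaviour while giving rule authors a stable `.keyword` form, consistent with the multi_fields pattern this package already uses on `os.name`. Separately, the `powershell.engine.version` description reads `Version of the PowerShell engine version used to execute the command.` — drop the second `version`.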
@@ -0,0 +1,361 @@ +- name: winlog + type: group + description: > + All fields specific to the Windows Event Log are defined here. + + fields: + - name: api + required: true + type: keyword + description: > + The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. + + The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. + + - name: activity_id + type: keyword + required: false + description: > + A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. + + - name: computer_name + type: keyword + required: true + description: > + The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. + + - name: event_data + type: object + object_type: keyword + required: false + description: > + The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. + + - name: event_data + type: group + description: > + This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
+ + fields: + - name: AuthenticationPackageName + type: keyword + - name: Binary + type: keyword + - name: BitlockerUserInputTime + type: keyword + - name: BootMode + type: keyword + - name: BootType + type: keyword + - name: BuildVersion + type: keyword + - name: Company + type: keyword + - name: CorruptionActionState + type: keyword + - name: CreationUtcTime + type: keyword + - name: Description + type: keyword + - name: Detail + type: keyword + - name: DeviceName + type: keyword + - name: DeviceNameLength + type: keyword + - name: DeviceTime + type: keyword + - name: DeviceVersionMajor + type: keyword + - name: DeviceVersionMinor + type: keyword + - name: DriveName + type: keyword + - name: DriverName + type: keyword + - name: DriverNameLength + type: keyword + - name: DwordVal + type: keyword + - name: EntryCount + type: keyword + - name: ExtraInfo + type: keyword + - name: FailureName + type: keyword + - name: FailureNameLength + type: keyword + - name: FileVersion + type: keyword + - name: FinalStatus + type: keyword + - name: Group + type: keyword + - name: IdleImplementation + type: keyword + - name: IdleStateCount + type: keyword + - name: ImpersonationLevel + type: keyword + - name: IntegrityLevel + type: keyword + - name: IpAddress + type: keyword + - name: IpPort + type: keyword + - name: KeyLength + type: keyword + - name: LastBootGood + type: keyword + - name: LastShutdownGood + type: keyword + - name: LmPackageName + type: keyword + - name: LogonGuid + type: keyword + - name: LogonId + type: keyword + - name: LogonProcessName + type: keyword + - name: LogonType + type: keyword + - name: MajorVersion + type: keyword + - name: MaximumPerformancePercent + type: keyword + - name: MemberName + type: keyword + - name: MemberSid + type: keyword + - name: MinimumPerformancePercent + type: keyword + - name: MinimumThrottlePercent + type: keyword + - name: MinorVersion + type: keyword + - name: NewProcessId + type: keyword + - name: NewProcessName + type: 
keyword + - name: NewSchemeGuid + type: keyword + - name: NewTime + type: keyword + - name: NominalFrequency + type: keyword + - name: Number + type: keyword + - name: OldSchemeGuid + type: keyword + - name: OldTime + type: keyword + - name: OriginalFileName + type: keyword + - name: Path + type: keyword + - name: PerformanceImplementation + type: keyword + - name: PreviousCreationUtcTime + type: keyword + - name: PreviousTime + type: keyword + - name: PrivilegeList + type: keyword + - name: ProcessId + type: keyword + - name: ProcessName + type: keyword + - name: ProcessPath + type: keyword + - name: ProcessPid + type: keyword + - name: Product + type: keyword + - name: PuaCount + type: keyword + - name: PuaPolicyId + type: keyword + - name: QfeVersion + type: keyword + - name: Reason + type: keyword + - name: SchemaVersion + type: keyword + - name: ScriptBlockText + type: keyword + - name: ServiceName + type: keyword + - name: ServiceVersion + type: keyword + - name: ShutdownActionType + type: keyword + - name: ShutdownEventCode + type: keyword + - name: ShutdownReason + type: keyword + - name: Signature + type: keyword + - name: SignatureStatus + type: keyword + - name: Signed + type: keyword + - name: StartTime + type: keyword + - name: State + type: keyword + - name: Status + type: keyword + - name: StopTime + type: keyword + - name: SubjectDomainName + type: keyword + - name: SubjectLogonId + type: keyword + - name: SubjectUserName + type: keyword + - name: SubjectUserSid + type: keyword + - name: TSId + type: keyword + - name: TargetDomainName + type: keyword + - name: TargetInfo + type: keyword + - name: TargetLogonGuid + type: keyword + - name: TargetLogonId + type: keyword + - name: TargetServerName + type: keyword + - name: TargetUserName + type: keyword + - name: TargetUserSid + type: keyword + - name: TerminalSessionId + type: keyword + - name: TokenElevationType + type: keyword + - name: TransmittedServices + type: keyword + - name: UserSid + type: 
keyword + - name: Version + type: keyword + - name: Workstation + type: keyword + - name: param1 + type: keyword + - name: param2 + type: keyword + - name: param3 + type: keyword + - name: param4 + type: keyword + - name: param5 + type: keyword + - name: param6 + type: keyword + - name: param7 + type: keyword + - name: param8 + type: keyword + - name: event_id + type: keyword + required: true + description: > + The event identifier. The value is specific to the source of the event. + + - name: keywords + type: keyword + required: false + description: > + The keywords are used to classify an event. + + - name: channel + type: keyword + required: true + description: > + The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. + + - name: record_id + type: keyword + required: true + description: > + The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. + + - name: related_activity_id + type: keyword + required: false + description: > + A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. + + - name: opcode + type: keyword + required: false + description: > + The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. + + - name: provider_guid + type: keyword + required: false + description: > + A globally unique identifier that identifies the provider that logged the event. + + - name: process.pid + type: long + required: false + description: > + The process_id of the Client Server Runtime Process. 
+ + - name: provider_name + type: keyword + required: true + description: > + The source of the event log record (the application or service that logged the record). + + - name: task + type: keyword + required: false + description: > + The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. + + - name: process.thread.id + type: long + required: false + - name: user_data + type: object + object_type: keyword + required: false + description: > + The event specific data. This field is mutually exclusive with `event_data`. + + - name: user.identifier + type: keyword + required: false + example: S-1-5-21-3541430928-2051711210-1391384369-1001 + description: > + The Windows security identifier (SID) of the account associated with this event. + + If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. + + - name: user.name + type: keyword + description: > + Name of the user associated with this event. + + - name: user.domain + type: keyword + required: false + description: > + The domain that the account associated with this event is a member of. + + - name: user.type + type: keyword + required: false + description: > + The type of account associated with this event. + + - name: version + type: long + required: false + description: The version number of the event's definition. diff --git a/packages/windows/1.12.1/data_stream/powershell/manifest.yml b/packages/windows/1.12.1/data_stream/powershell/manifest.yml new file mode 100755 index 0000000000..7b712964ee --- /dev/null +++ b/packages/windows/1.12.1/data_stream/powershell/manifest.yml 
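Review bot: The `winlog.event_data.*` keyword fields (`ScriptBlockText`, `NewProcessName`, `param1`..`param8`, …) and the `object_type: keyword` dynamic mappings for `event_data` and `user_data` carry no `ignore_above`, unlike the ECS fields in this package which use `ignore_above: 1024`. A keyword value longer than Lucene's 32766-byte term limit makes Elasticsearch reject the whole document, so a single oversized script block or pasted command line — in this classic channel the unnamed `<Data>` payload lands in `param3` — would drop the event entirely rather than just leaving that one field unindexed, a visibility gap an attacker could trigger deliberately by padding a script. Consider `ignore_above: 1024` (or larger) on at least `ScriptBlockText` and the `paramN` fields, or mapping them as `text`/`wildcard`; the value remains in `_source` for forensics either way. I cannot see the ingest pipeline from this diff, so if it already truncates or removes `event_data` before indexing this is moot.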
@@ -0,0 +1,106 @@ +type: logs +title: Windows Powershell logs +elasticsearch: + index_template: + settings: + analysis: + analyzer: + powershell_script_analyzer: + type: pattern + pattern: '[\W&&[^-]]+' +streams: + - input: winlog + template_path: winlog.yml.hbs + title: Powershell + description: 'Windows Powershell channel' + vars: + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: >- + Preserves a raw copy of the original XML event, added to the field `event.original` + type: bool + multi: false + default: false + - name: event_id + type: text + title: Event ID + description: >- + A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Limit 22 IDs. + required: true + show_user: false + default: 400, 403, 600, 800 + - name: ignore_older + type: text + title: Ignore events older than + default: 72h + required: false + show_user: false + description: >- + If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + - name: language + type: text + title: Language ID + description: >- + The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c[here]. It defaults to `0`, which indicates to use the system language. 
E.g.: 0x0409 for en-US + required: false + show_user: false + default: 0 + - name: tags + type: text + title: Tags + multi: true + show_user: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - input: httpjson + title: Windows Powershell Events via Splunk Enterprise REST API + description: Collect Powershell Events via Splunk Enterprise REST API + enabled: false + template_path: httpjson.yml.hbs + vars: + - name: interval + type: text + title: Interval to query Splunk Enterprise REST API + description: Go Duration syntax (eg. 10s) + show_user: true + required: true + default: 10s + - name: search + type: text + title: Splunk search string + show_user: false + required: true + default: "search sourcetype=\"XmlWinEventLog:Windows PowerShell\"" + - name: tags + type: text + title: Tags + multi: true + show_user: false + default: + - forwarded + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + 
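Review bot: `ignore_older` defaults to `72h`, so on a fresh enrollment any PowerShell events older than three days still in the channel are silently skipped — a real problem when this integration is rolled out mid-incident to backfill what an attacker did last week. The description only says events are ignored "if this option is specified" and mentions neither the default nor how to disable it; I would extend it with `Defaults to 72h; clear the value to read the whole retained channel (e.g. when backfilling during an investigation).`, assuming `winlog.yml.hbs` omits the option when the value is empty, which I cannot verify from this diff. Relatedly, the `event_id` default of `400, 403, 600, 800` includes event 800 (pipeline execution details), which as far as I know is only written when module logging is enabled; a sentence saying so in its description would stop users assuming command detail is being collected out of the box.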
diff --git a/packages/windows/1.12.1/data_stream/powershell/sample_event.json b/packages/windows/1.12.1/data_stream/powershell/sample_event.json
new file mode 100755
index 0000000000..45e597cfcc
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/powershell/sample_event.json
@@ -0,0 +1,84 @@ +{ + "@timestamp": "2020-05-13T13:21:43.183Z", + "agent": { + "ephemeral_id": "9c05a45c-02bf-4437-9447-8591244dbdca", + "hostname": "docker-fleet-agent", + "id": "0d57cbc7-6410-455a-840c-08fd44507a26", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "data_stream": { + "dataset": "windows.powershell", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "0d57cbc7-6410-455a-840c-08fd44507a26", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "category": "process", + "code": "600", + "created": "2022-03-31T08:41:12.816Z", + "dataset": "windows.powershell", + "ingested": "2022-03-31T08:41:16Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:21:43.183180900Z'/\u003e\u003cEventRecordID\u003e1089\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=35\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=86edc16f-6943-469e-8bd8-ef1857080206\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe 
C:\\Users\\vagrant\\Desktop\\lateral.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=9d21da0b-e402-40e1-92ff-98c5ab1137a9\n\tPipelineId=15\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:25:04.656426900Z'/\u003e\u003cEventRecordID\u003e1266\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eRegistry\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Registry\n\tNewProviderState=Started\n\n\tSequenceNumber=1\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=44b8d66c-f5a2-4abb-ac7d-6db73990a6d3\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-06-04T07:25:04.857430200Z'/\u003e\u003cEventRecordID\u003e18640\u003c/EventRecordID\u003e\u003cChannel\u003eWindows 
PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=8\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=99a16837-7392-463d-afe5-5f3ed24bd358\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "PowerShell", + "sequence": 35, + "type": "info" + }, + "host": { + "name": "vagrant" + }, + "input": { + "type": "httpjson" + }, + "log": { + "level": "information" + }, + "powershell": { + "engine": { + "version": "5.1.17763.1007" + }, + "pipeline_id": "15", + "process": { + "executable_version": "5.1.17763.1007" + }, + "provider": { + "name": "Certificate", + "new_state": "Started" + }, + "runspace_id": "9d21da0b-e402-40e1-92ff-98c5ab1137a9" + }, + "process": { + "args": [ + "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", + "C:\\Users\\vagrant\\Desktop\\lateral.ps1" + ], + "args_count": 2, + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1", + "entity_id": "86edc16f-6943-469e-8bd8-ef1857080206", + "title": "Windows PowerShell ISE Host" + }, + "tags": [ + "forwarded", + "preserve_original_event" + ], + "winlog": { + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": "600", + "keywords": [ + "Classic" + ], + "provider_name": "PowerShell", + "record_id": "1089" + } +} \ No newline at end of file diff --git a/packages/windows/1.12.1/data_stream/powershell_operational/agent/stream/httpjson.yml.hbs b/packages/windows/1.12.1/data_stream/powershell_operational/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..0a82aa6acc --- /dev/null 
+++ b/packages/windows/1.12.1/data_stream/powershell_operational/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,101 @@ +config_version: "2" +interval: {{interval}} +{{#unless token}} +{{#if username}} +{{#if password}} +auth.basic.user: {{username}} +auth.basic.password: {{password}} +{{/if}} +{{/if}} +{{/unless}} +cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' +request.url: {{url}}/services/search/jobs/export +{{#if ssl}} +request.ssl: {{ssl}} +{{/if}} +request.method: POST +request.transforms: + - set: + target: url.params.search + value: |- + {{search}} | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: "json" + - set: + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + default: '[[(now (parseDuration "-{{interval}}")).Unix]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded +{{#unless username}} +{{#unless password}} +{{#if token}} + - set: + target: header.Authorization + value: {{token}} +{{/if}} +{{/unless}} +{{/unless}} +response.decode_as: application/x-ndjson +{{#if tags.length}} +tags: +{{else if preserve_original_event}} +tags: +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- decode_json_fields: + fields: message + target: json + add_error_key: true +- drop_event: + when: + not: + has_fields: ['json.result'] +- fingerprint: + fields: + - json.result._cd + - json.result._indextime + - json.result._raw + - json.result._time + - json.result.host + - json.result.source + target_field: "@metadata._id" +- drop_fields: + fields: message +- rename: + fields: + - from: json.result._raw + to: event.original + - from: json.result.host + to: host.name + - from: json.result.source + to: event.provider + ignore_missing: true + fail_on_error: false +- drop_fields: + fields: json +- 
decode_xml_wineventlog: + field: event.original + target_field: winlog + ignore_missing: true + ignore_failure: true + map_ecs_fields: true +{{#if processors.length}} +{{processors}} +{{/if}} diff --git a/packages/windows/1.12.1/data_stream/powershell_operational/agent/stream/winlog.yml.hbs b/packages/windows/1.12.1/data_stream/powershell_operational/agent/stream/winlog.yml.hbs new file mode 100755 index 0000000000..55799473ec --- /dev/null +++ b/packages/windows/1.12.1/data_stream/powershell_operational/agent/stream/winlog.yml.hbs @@ -0,0 +1,24 @@ +name: Microsoft-Windows-PowerShell/Operational +condition: ${host.platform} == 'windows' +{{#if event_id}} +event_id: {{event_id}} +{{/if}} +{{#if ignore_older}} +ignore_older: {{ignore_older}} +{{/if}} +{{#if language}} +language: {{language}} +{{/if}} +{{#if tags.length}} +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{/if}} +{{#if preserve_original_event}} +include_xml: true +{{/if}} +{{#if processors.length}} +processors: +{{processors}} +{{/if}} diff --git a/packages/windows/1.12.1/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml b/packages/windows/1.12.1/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..16d21d8fe8 --- /dev/null +++ b/packages/windows/1.12.1/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml 
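Review bot: The two authentication guards at the top and in `request.transforms` are mutually exclusive, so a user who fills in both `token` and `username`/`password` gets neither: `{{#unless token}}` suppresses the `auth.basic.*` keys while `{{#unless username}}{{#unless password}}` suppresses the `header.Authorization` transform, and the export request is sent unauthenticated without any error. Rendering the `header.Authorization` transform whenever `token` is set (dropping the two outer `unless` blocks) would make token precedence explicit; at minimum the manifest descriptions for these vars should state that they are exclusive. Separately, `auth.basic.password: {{password}}` and `value: {{token}}` are emitted as plain YAML scalars, so a secret containing ` #` or `: ` is silently truncated or breaks the rendered config; quoting them as `auth.basic.password: "{{password}}"` and `value: "{{token}}"`, matching the `value: "json"` line just above, avoids this, assuming the template engine does not escape quote characters inside the substituted value.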
@@ -0,0 +1,489 @@ +--- +description: Pipeline for Windows Powershell/Operational events +processors: + - kv: + description: Split Event 4103 event data fields. + field: winlog.event_data.ContextInfo + target_field: winlog.event_data + field_split: "\n" + trim_key: " \n\t" + trim_value: " \n\t" + value_split: "=" + if: ctx?.winlog?.event_id == "4103" + - script: + description: Remove spaces from all event_data keys. + lang: painless + if: ctx?.winlog?.event_data != null + source: |- + def newEventData = new HashMap(); + for (entry in ctx.winlog.event_data.entrySet()) { + def newKey = /\s/.matcher(entry.getKey().toString()).replaceAll(""); + newEventData.put(newKey, entry.getValue()); + } + ctx.winlog.event_data = newEventData; + + ## ECS and Event fields. + + - set: + field: ecs.version + value: '8.0.0' + - set: + field: log.level + copy_from: winlog.level + ignore_empty_value: true + ignore_failure: true + if: ctx?.winlog?.level != "" + - date: + field: winlog.time_created + formats: + - ISO8601 + ignore_failure: true + if: ctx?.winlog?.time_created != null + + - set: + field: event.kind + value: event + - set: + field: event.code + value: '{{winlog.event_id}}' + - set: + field: event.category + value: process + - set: + field: event.type + value: start + if: ctx?.event.code == "4105" + - set: + field: event.type + value: end + if: ctx?.event.code == "4106" + - set: + field: event.type + value: info + if: ctx?.event?.type == null + - convert: + field: winlog.event_data.SequenceNumber + target_field: event.sequence + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: winlog.record_id + type: string + ignore_failure: true + ignore_missing: true + + ## Process fields. 
+ + - rename: + field: winlog.event_data.HostID + target_field: process.entity_id + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.HostID != "" + - rename: + field: winlog.event_data.HostApplication + target_field: process.command_line + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.HostApplication != "" + - rename: + field: winlog.event_data.HostName + target_field: process.title + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.HostName != "" + + ## User fields. + + - set: + field: user.id + copy_from: winlog.user.identifier + ignore_failure: true + ignore_empty_value: true + - split: + field: winlog.event_data.User + target_field: "_temp.user_parts" + separator: '\\' + if: ctx?.winlog?.event_data?.User != null + - set: + field: user.domain + value: "{{_temp.user_parts.0}}" + ignore_failure: true + ignore_empty_value: true + if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 + - set: + field: user.name + value: "{{_temp.user_parts.1}}" + ignore_failure: true + ignore_empty_value: true + if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 + - append: + field: related.user + value: "{{user.name}}" + ignore_failure: true + allow_duplicates: false + if: ctx?.user?.name != null + - split: + field: winlog.event_data.ConnectedUser + target_field: "_temp.connected_user_parts" + separator: '\\' + if: ctx?.winlog?.event_data?.ConnectedUser != null + - set: + field: source.user.domain + value: "{{_temp.connected_user_parts.0}}" + ignore_failure: true + ignore_empty_value: true + if: ctx?._temp?.connected_user_parts != null && ctx._temp.connected_user_parts.size() == 2 + - set: + field: source.user.name + value: "{{_temp.connected_user_parts.1}}" + ignore_failure: true + ignore_empty_value: true + if: ctx?._temp?.connected_user_parts != null && ctx._temp.connected_user_parts.size() == 2 + - append: + field: related.user + value: "{{source.user.name}}" + 
ignore_failure: true + allow_duplicates: false + if: ctx?.source?.user?.name != null + - rename: + field: user.domain + target_field: destination.user.domain + ignore_failure: true + ignore_missing: true + if: ctx?.source?.user != null + - rename: + field: user.name + target_field: destination.user.name + ignore_failure: true + ignore_missing: true + if: ctx?.source?.user != null + - set: + field: user.domain + copy_from: source.user.domain + ignore_failure: true + ignore_empty_value: true + if: ctx?.source?.user != null + - set: + field: user.name + copy_from: source.user.name + ignore_failure: true + ignore_empty_value: true + if: ctx?.source?.user != null + + ## PowerShell fields. + + - convert: + field: winlog.event_data.MessageNumber + target_field: powershell.sequence + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: winlog.event_data.MessageTotal + target_field: powershell.total + type: long + ignore_failure: true + ignore_missing: true + - rename: + field: winlog.event_data.ShellID + target_field: powershell.id + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.ShellID != "" + - rename: + field: winlog.event_data.EngineVersion + target_field: powershell.engine.version + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.EngineVersion != "" + - rename: + field: winlog.event_data.PipelineID + target_field: powershell.pipeline_id + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.PipelineID != "" + - rename: + field: winlog.event_data.RunspaceID + target_field: powershell.runspace_id + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.RunspaceID != "" + - rename: + field: winlog.event_data.RunspaceId + target_field: powershell.runspace_id + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.RunspaceId != "" + - rename: + field: winlog.event_data.HostVersion + target_field: 
powershell.process.executable_version + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data?.HostVersion != "" + - rename: + field: winlog.event_data.CommandLine + target_field: powershell.command.value + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.CommandLine != "" + - rename: + field: winlog.event_data.CommandPath + target_field: powershell.command.path + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.CommandPath != "" + - rename: + field: winlog.event_data.CommandName + target_field: powershell.command.name + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.CommandName != "" + - rename: + field: winlog.event_data.CommandType + target_field: powershell.command.type + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.CommandType != "" + - rename: + field: winlog.event_data.ScriptBlockId + target_field: powershell.file.script_block_id + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.ScriptBlockId != "" + - rename: + field: winlog.event_data.ScriptBlockText + target_field: powershell.file.script_block_text + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.ScriptBlockText != "" + + - split: + description: Split Event 800 command invocation details. + field: winlog.event_data.Payload + separator: "\n" + ignore_failure: true + ignore_missing: true + if: ctx.event.code == "4103" + - script: + description: |- + Parses all command invocation detail raw lines, and converts them to an object, based on their type. + - for unexpectedly formatted ones: {value: "the raw line as it is"} + - for all: + * related_command: describes to what command it is related to + * value: the value for that detail line + * type: the type of the detail line, i.e.: CommandInvocation, ParameterBinding, NonTerminatingError + - additionally, ParameterBinding adds a `name` field with the parameter name being bound. 
+ lang: painless + if: ctx.event.code == "4103" + params: + field: Payload + source: |- + def parseRawDetail(String raw) { + Pattern detailRegex = /^(.+)\((.+)\)\:\s*(.+)?$/; + Pattern parameterBindingRegex = /name\=(.+);\s*value\=(.+)$/; + + def matcher = detailRegex.matcher(raw); + if (!matcher.matches()) { + return ["value": raw]; + } + def matches = new ArrayList(); + for (def i = 0; i <= matcher.groupCount(); i++) { + matches.add(matcher.group(i)); + } + + if (matches.length != 4) { + return ["value": raw]; + } + + if (matches[1] != "ParameterBinding") { + return [ + "type": matches[1], + "related_command": matches[2], + "value": matches[3] + ]; + } + + matcher = parameterBindingRegex.matcher(matches[3]); + if (!matcher.matches()) { + return ["value": matches[4]]; + } + def nameValMatches = new ArrayList(); + for (def i = 0; i <= matcher.groupCount(); i++) { + nameValMatches.add(matcher.group(i)); + } + if (nameValMatches.length !== 3) { + return ["value": matches[3]]; + } + + return [ + "type": matches[1], + "related_command": matches[2], + "name": nameValMatches[1], + "value": nameValMatches[2] + ]; + } + + if (ctx?._temp == null) { + ctx._temp = new HashMap(); + } + + if (ctx._temp.details == null) { + ctx._temp.details = new ArrayList(); + } + + def values = ctx?.winlog?.event_data[params["field"]]; + if (values != null && values.length > 0) { + for (v in values) { + ctx._temp.details.add(parseRawDetail(v)); + } + } + - rename: + field: _temp.details + target_field: powershell.command.invocation_details + if: ctx?._temp?.details != null && ctx?._temp?.details.length > 0 + + - script: + description: Implements Windows-like SplitCommandLine + lang: painless + if: ctx?.process?.command_line != null && ctx.process.command_line != "" + source: |- + // appendBSBytes appends n '\\' bytes to b and returns the resulting slice. 
+ def appendBSBytes(StringBuilder b, int n) { + for (; n > 0; n--) { + b.append('\\'); + } + return b; + } + + // readNextArg splits command line string cmd into next + // argument and command line remainder. + def readNextArg(String cmd) { + def b = new StringBuilder(); + boolean inquote; + int nslash; + for (; cmd.length() > 0; cmd = cmd.substring(1)) { + def c = cmd.charAt(0); + if (c == (char)' ' || c == (char)0x09) { + if (!inquote) { + return [ + "arg": appendBSBytes(b, nslash).toString(), + "rest": cmd.substring(1) + ]; + } + } else if (c == (char)'"') { + b = appendBSBytes(b, nslash/2); + if (nslash%2 == 0) { + // use "Prior to 2008" rule from + // http://daviddeley.com/autohotkey/parameters/parameters.htm + // section 5.2 to deal with double double quotes + if (inquote && cmd.length() > 1 && cmd.charAt(1) == (char)'"') { + b.append(c); + cmd = cmd.substring(1); + } + inquote = !inquote; + } else { + b.append(c); + } + nslash = 0; + continue; + } else if (c == (char)'\\') { + nslash++; + continue; + } + b = appendBSBytes(b, nslash); + nslash = 0; + b.append(c); + } + return [ + "arg": appendBSBytes(b, nslash).toString(), + "rest": '' + ]; + } + + // commandLineToArgv splits a command line into individual argument + // strings, following the Windows conventions documented + // at http://daviddeley.com/autohotkey/parameters/parameters.htm#WINARGV + // Original implementation found at: https://github.com/golang/go/commit/39c8d2b7faed06b0e91a1ad7906231f53aab45d1 + def commandLineToArgv(String cmd) { + def args = new ArrayList(); + while (cmd.length() > 0) { + if (cmd.charAt(0) == (char)' ' || cmd.charAt(0) == (char)0x09) { + cmd = cmd.substring(1); + continue; + } + def next = readNextArg(cmd); + cmd = next.rest; + args.add(next.arg); + } + return args; + } + + ctx.process.args = commandLineToArgv(ctx.process.command_line); + ctx.process.args_count = ctx.process.args.length; + + - rename: + field: winlog.event_data.Path + target_field: 
winlog.event_data.ScriptName + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.Path != "" + - script: + description: Adds file information. + lang: painless + if: ctx?.winlog?.event_data?.ScriptName != null && ctx.winlog.event_data.ScriptName.length() > 1 + source: |- + def path = ctx.winlog.event_data.ScriptName; + def idx = path.lastIndexOf("\\"); + if (idx > -1) { + if (ctx?.file == null) { + ctx.file = new HashMap(); + } + ctx.file.name = path.substring(idx+1); + ctx.file.directory = path.substring(0, idx); + + def extIdx = path.lastIndexOf("."); + if (extIdx > -1) { + ctx.file.extension = path.substring(extIdx+1); + } + } + - rename: + field: winlog.event_data.ScriptName + target_field: file.path + ignore_failure: true + ignore_missing: true + if: ctx?.winlog?.event_data?.ScriptName != "" + + ## Cleanup. + + - remove: + field: + - _temp + - winlog.event_data.SequenceNumber + - winlog.event_data.User + - winlog.event_data.ConnectedUser + - winlog.event_data.ContextInfo + - winlog.event_data.Severity + - winlog.event_data.MessageTotal + - winlog.event_data.MessageNumber + - winlog.event_data.Payload + - winlog.time_created + - winlog.level + ignore_missing: true + ignore_failure: true + - script: + description: Remove all empty values from event_data. + lang: painless + source: ctx?.winlog?.event_data?.entrySet().removeIf(entry -> entry.getValue() == null || entry.getValue().equals("")); + - remove: + description: Remove empty event data. + field: winlog.event_data + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.event_data != null && ctx.winlog.event_data.size() == 0 + +on_failure: + - set: + field: "error.message" + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/windows/1.12.1/data_stream/powershell_operational/fields/agent.yml b/packages/windows/1.12.1/data_stream/powershell_operational/fields/agent.yml new file mode 100755 index 0000000000..da4e652c53 --- /dev/null 
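Review bot: `return ["value": matches[4]];` in the `parseRawDetail` fallback indexes past the end of the four-element `matches` list, so a `ParameterBinding` line whose payload does not match `parameterBindingRegex` throws instead of degrading to the raw value, and because that script has no `ignore_failure` the whole event is diverted to `on_failure` with only `error.message` set; the later fallback already uses `matches[3]`, which is what this branch should return as well: `return ["value": matches[3]];`. The preceding `split` processor is described as `Split Event 800 command invocation details.` but is conditioned on `ctx.event.code == "4103"`; the description should name 4103, since 800 is the classic-channel equivalent rather than an Operational-channel event. The cleanup script `ctx?.winlog?.event_data?.entrySet().removeIf(...)` runs with no `if` guard, and as far as I can tell the null-safe chain only short-circuits `entrySet()`, so an event without `winlog.event_data` would call `removeIf` on null; adding `if: ctx?.winlog?.event_data != null`, as the key-normalising script at the top of the pipeline already does, would keep the two consistent.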
+++ b/packages/windows/1.12.1/data_stream/powershell_operational/fields/agent.yml 
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/windows/1.12.1/data_stream/powershell_operational/fields/base-fields.yml b/packages/windows/1.12.1/data_stream/powershell_operational/fields/base-fields.yml new file mode 100755 index 0000000000..e5b4a9801c --- /dev/null +++ b/packages/windows/1.12.1/data_stream/powershell_operational/fields/base-fields.yml @@ -0,0 +1,34 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset name. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: dataset.type + type: constant_keyword + description: Dataset type. +- name: dataset.name + type: constant_keyword + description: Dataset name. +- name: dataset.namespace + type: constant_keyword + description: Dataset namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: windows +- name: event.dataset + type: constant_keyword + description: Event dataset + value: windows.powershell_operational +- name: tags + description: List of keywords used to tag each event. + example: '["production", "env2"]' + ignore_above: 1024 + type: keyword diff --git a/packages/windows/1.12.1/data_stream/powershell_operational/fields/beats.yml b/packages/windows/1.12.1/data_stream/powershell_operational/fields/beats.yml new file mode 100755 index 0000000000..3c48f1f224 --- /dev/null +++ b/packages/windows/1.12.1/data_stream/powershell_operational/fields/beats.yml @@ -0,0 +1,3 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. diff --git a/packages/windows/1.12.1/data_stream/powershell_operational/fields/ecs.yml b/packages/windows/1.12.1/data_stream/powershell_operational/fields/ecs.yml new file mode 100755 index 0000000000..b38edb214f --- /dev/null +++ b/packages/windows/1.12.1/data_stream/powershell_operational/fields/ecs.yml 
@@ -0,0 +1,201 @@ +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: destination.user.domain + type: keyword +- description: Unique identifier of the user. + name: destination.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: destination.user.name + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Source of the event. + Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + name: event.provider + type: keyword +- description: |- + Sequence number of the event. + The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. + name: event.sequence + type: long +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: |- + File extension, excluding the leading dot. 
+ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + Array of process arguments, starting with the absolute path to the executable. + May be filtered to protect sensitive information. + name: process.args + type: keyword +- description: |- + Length of the process.args array. + This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. 
+ name: process.args_count + type: long +- description: |- + Full command line that started the process, including the absolute path to the executable, and all arguments. + Some arguments may be filtered to protect sensitive information. + multi_fields: + - name: text + type: match_only_text + name: process.command_line + type: wildcard +- description: |- + Unique identifier for the process. + The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + name: process.entity_id + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.executable + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: Process id. + name: process.pid + type: long +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. 
+ name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: source.user.domain + type: keyword +- description: Unique identifier of the user. + name: source.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword diff --git a/packages/windows/1.12.1/data_stream/powershell_operational/fields/fields.yml b/packages/windows/1.12.1/data_stream/powershell_operational/fields/fields.yml new file mode 100755 index 0000000000..ae35dff329 --- /dev/null +++ b/packages/windows/1.12.1/data_stream/powershell_operational/fields/fields.yml 
@@ -0,0 +1,132 @@
+- name: powershell.id
+ type: keyword
+ description: Shell Id.
+ example: Microsoft Powershell
+- name: powershell.pipeline_id
+ type: keyword
+ description: Pipeline id.
+ example: "1"
+- name: powershell.runspace_id
+ type: keyword
+ description: Runspace id.
+ example: "4fa9074d-45ab-4e53-9195-e91981ac2bbb"
+- name: powershell.sequence
+ type: long
+ description: Sequence number of the powershell execution.
+ example: 1
+- name: powershell.total
+ type: long
+ description: Total number of messages in the sequence.
+ example: 10
+- name: powershell.command
+ type: group
+ description: Data related to the executed command.
+ fields:
+ - name: path
+ type: keyword
+ description: Path of the executed command.
+ example: "C:\\Windows\\system32\\cmd.exe"
+ - name: name
+ type: keyword
+ description: Name of the executed command.
+ example: "cmd.exe"
+ - name: type
+ type: keyword
+ description: Type of the executed command.
+ example: Application
+ - name: value
+ type: text
+ description: The invoked command.
+ example: Import-LocalizedData LocalizedData -filename ArchiveResources
+ - name: invocation_details
+ type: array
+ description: >
+ An array of objects containing detailed information of the executed command.
+
+ - name: invocation_details.type
+ type: keyword
+ description: The type of detail.
+ example: CommandInvocation
+ - name: invocation_details.related_command
+ type: keyword
+ description: The command to which the detail is related to.
+ example: Add-Type
+ - name: invocation_details.name
+ type: keyword
+ description: >
+ Only used for ParameterBinding detail type. Indicates the parameter name.
+
+ example: AssemblyName
+ - name: invocation_details.value
+ type: text
+ description: >
+ The value of the detail. The meaning of it will depend on the detail type.
+
+ example: System.IO.Compression.FileSystem
+- name: powershell.connected_user
+ type: group
+ description: Data related to the connected user executing the command.
+ fields:
+ - name: domain
+ type: keyword
+ description: User domain.
+ example: VAGRANT
+ - name: name
+ type: keyword
+ description: User name.
+ example: vagrant
+- name: powershell.engine
+ type: group
+ description: Data related to the PowerShell engine.
+ fields:
+ - name: version
+ type: keyword
+ description: Version of the PowerShell engine version used to execute the command.
+ example: "5.1.17763.1007"
+ - name: previous_state
+ type: keyword
+ description: >
+ Previous state of the PowerShell engine.
+
+ example: Available
+ - name: new_state
+ type: keyword
+ description: >
+ New state of the PowerShell engine.
+
+ example: Stopped
+- name: powershell.file
+ type: group
+ description: Data related to the executed script file.
+ fields:
+ - name: script_block_id
+ type: keyword
+ description: Id of the executed script block.
+ example: "50d2dbda-7361-4926-a94d-d9eadfdb43fa"
+ - name: script_block_text
+ type: text
+ analyzer: powershell_script_analyzer
+ description: >
+ Text of the executed script block.
+
+ example: ".\\a_script.ps1"
+- name: powershell.process.executable_version
+ type: keyword
+ description: Version of the engine hosting process executable.
+ example: "5.1.17763.1007"
+- name: powershell.provider
+ type: group
+ description: Data related to the PowerShell engine host.
+ fields:
+ - name: new_state
+ type: keyword
+ description: >
+ New state of the PowerShell provider.
+
+ example: Active
+ - name: name
+ type: keyword
+ description: >
+ Provider name.
+
+ example: Variable
diff --git a/packages/windows/1.12.1/data_stream/powershell_operational/fields/winlog.yml b/packages/windows/1.12.1/data_stream/powershell_operational/fields/winlog.yml
new file mode 100755
index 0000000000..4ac76fdcdc
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/powershell_operational/fields/winlog.yml
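Review bot: The `powershell.engine.version` description reads `Version of the PowerShell engine version used to execute the command.`, repeating "version"; `description: Version of the PowerShell engine used to execute the command.` fixes it. The `script_block_text` entry also depends on `analyzer: powershell_script_analyzer`, which is declared in this data stream's manifest index template rather than in this file, so a one-line note on the field — `# tokenized by the powershell_script_analyzer pattern analyzer declared in manifest.yml` — would tell a reader why this field is `text` with no keyword multi-field. It would also make explicit that whole-value term matching and aggregations are not available on the script block text from this field alone.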
@@ -0,0 +1,361 @@ +- name: winlog + type: group + description: > + All fields specific to the Windows Event Log are defined here. + + fields: + - name: api + required: true + type: keyword + description: > + The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. + + The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. + + - name: activity_id + type: keyword + required: false + description: > + A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. + + - name: computer_name + type: keyword + required: true + description: > + The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. + + - name: event_data + type: object + object_type: keyword + required: false + description: > + The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. + + - name: event_data + type: group + description: > + This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
+ + fields: + - name: AuthenticationPackageName + type: keyword + - name: Binary + type: keyword + - name: BitlockerUserInputTime + type: keyword + - name: BootMode + type: keyword + - name: BootType + type: keyword + - name: BuildVersion + type: keyword + - name: Company + type: keyword + - name: CorruptionActionState + type: keyword + - name: CreationUtcTime + type: keyword + - name: Description + type: keyword + - name: Detail + type: keyword + - name: DeviceName + type: keyword + - name: DeviceNameLength + type: keyword + - name: DeviceTime + type: keyword + - name: DeviceVersionMajor + type: keyword + - name: DeviceVersionMinor + type: keyword + - name: DriveName + type: keyword + - name: DriverName + type: keyword + - name: DriverNameLength + type: keyword + - name: DwordVal + type: keyword + - name: EntryCount + type: keyword + - name: ExtraInfo + type: keyword + - name: FailureName + type: keyword + - name: FailureNameLength + type: keyword + - name: FileVersion + type: keyword + - name: FinalStatus + type: keyword + - name: Group + type: keyword + - name: IdleImplementation + type: keyword + - name: IdleStateCount + type: keyword + - name: ImpersonationLevel + type: keyword + - name: IntegrityLevel + type: keyword + - name: IpAddress + type: keyword + - name: IpPort + type: keyword + - name: KeyLength + type: keyword + - name: LastBootGood + type: keyword + - name: LastShutdownGood + type: keyword + - name: LmPackageName + type: keyword + - name: LogonGuid + type: keyword + - name: LogonId + type: keyword + - name: LogonProcessName + type: keyword + - name: LogonType + type: keyword + - name: MajorVersion + type: keyword + - name: MaximumPerformancePercent + type: keyword + - name: MemberName + type: keyword + - name: MemberSid + type: keyword + - name: MinimumPerformancePercent + type: keyword + - name: MinimumThrottlePercent + type: keyword + - name: MinorVersion + type: keyword + - name: NewProcessId + type: keyword + - name: NewProcessName + type: 
keyword + - name: NewSchemeGuid + type: keyword + - name: NewTime + type: keyword + - name: NominalFrequency + type: keyword + - name: Number + type: keyword + - name: OldSchemeGuid + type: keyword + - name: OldTime + type: keyword + - name: OriginalFileName + type: keyword + - name: Path + type: keyword + - name: PerformanceImplementation + type: keyword + - name: PreviousCreationUtcTime + type: keyword + - name: PreviousTime + type: keyword + - name: PrivilegeList + type: keyword + - name: ProcessId + type: keyword + - name: ProcessName + type: keyword + - name: ProcessPath + type: keyword + - name: ProcessPid + type: keyword + - name: Product + type: keyword + - name: PuaCount + type: keyword + - name: PuaPolicyId + type: keyword + - name: QfeVersion + type: keyword + - name: Reason + type: keyword + - name: SchemaVersion + type: keyword + - name: ScriptBlockText + type: keyword + - name: ServiceName + type: keyword + - name: ServiceVersion + type: keyword + - name: ShutdownActionType + type: keyword + - name: ShutdownEventCode + type: keyword + - name: ShutdownReason + type: keyword + - name: Signature + type: keyword + - name: SignatureStatus + type: keyword + - name: Signed + type: keyword + - name: StartTime + type: keyword + - name: State + type: keyword + - name: Status + type: keyword + - name: StopTime + type: keyword + - name: SubjectDomainName + type: keyword + - name: SubjectLogonId + type: keyword + - name: SubjectUserName + type: keyword + - name: SubjectUserSid + type: keyword + - name: TSId + type: keyword + - name: TargetDomainName + type: keyword + - name: TargetInfo + type: keyword + - name: TargetLogonGuid + type: keyword + - name: TargetLogonId + type: keyword + - name: TargetServerName + type: keyword + - name: TargetUserName + type: keyword + - name: TargetUserSid + type: keyword + - name: TerminalSessionId + type: keyword + - name: TokenElevationType + type: keyword + - name: TransmittedServices + type: keyword + - name: UserSid + type: 
keyword + - name: Version + type: keyword + - name: Workstation + type: keyword + - name: param1 + type: keyword + - name: param2 + type: keyword + - name: param3 + type: keyword + - name: param4 + type: keyword + - name: param5 + type: keyword + - name: param6 + type: keyword + - name: param7 + type: keyword + - name: param8 + type: keyword + - name: event_id + type: keyword + required: true + description: > + The event identifier. The value is specific to the source of the event. + + - name: keywords + type: keyword + required: false + description: > + The keywords are used to classify an event. + + - name: channel + type: keyword + required: true + description: > + The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. + + - name: record_id + type: keyword + required: true + description: > + The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. + + - name: related_activity_id + type: keyword + required: false + description: > + A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. + + - name: opcode + type: keyword + required: false + description: > + The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. + + - name: provider_guid + type: keyword + required: false + description: > + A globally unique identifier that identifies the provider that logged the event. + + - name: process.pid + type: long + required: false + description: > + The process_id of the Client Server Runtime Process. 
+ + - name: provider_name + type: keyword + required: true + description: > + The source of the event log record (the application or service that logged the record). + + - name: task + type: keyword + required: false + description: > + The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. + + - name: process.thread.id + type: long + required: false + - name: user_data + type: object + object_type: keyword + required: false + description: > + The event specific data. This field is mutually exclusive with `event_data`. + + - name: user.identifier + type: keyword + required: false + example: S-1-5-21-3541430928-2051711210-1391384369-1001 + description: > + The Windows security identifier (SID) of the account associated with this event. + + If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. + + - name: user.name + type: keyword + description: > + Name of the user associated with this event. + + - name: user.domain + type: keyword + required: false + description: > + The domain that the account associated with this event is a member of. + + - name: user.type + type: keyword + required: false + description: > + The type of account associated with this event. + + - name: version + type: long + required: false + description: The version number of the event's definition. diff --git a/packages/windows/1.12.1/data_stream/powershell_operational/manifest.yml b/packages/windows/1.12.1/data_stream/powershell_operational/manifest.yml new file mode 100755 index 0000000000..5b3a0c3ad6 --- /dev/null +++ b/packages/windows/1.12.1/data_stream/powershell_operational/manifest.yml 
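Review bot: `process.thread.id` (near the end of the hunk) is the only field in this file without a `description`; the sample event for this data stream populates it from the `ThreadID` attribute of the event's `Execution` element, so `description: The thread ID recorded in the event's Execution element.` would be grounded, though worth confirming against the pipeline. `user.name` in the same group is likewise the only `user.*` field without an explicit `required: false`, presumably an omission rather than a deliberate contract change. A point to verify: `event_data.ScriptBlockText` is mapped as a plain `keyword` with no `ignore_above`, and if the ingest pipeline retains the raw `winlog.event_data` copy of 4104 script block segments alongside `powershell.file.script_block_text`, a value exceeding Lucene's single-term byte limit would cause the whole document to be rejected at index time, so either an `ignore_above` here or dropping the raw copy in the pipeline deserves a check. Finally, the `api` and `user.identifier` descriptions refer to "Winlogbeat", while this data stream is collected through the Filebeat `winlog` input (see beats.yml), which may confuse operators reading the field reference.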
@@ -0,0 +1,106 @@
+type: logs
+title: Windows Powershell/Operational logs
+elasticsearch:
+ index_template:
+ settings:
+ analysis:
+ analyzer:
+ powershell_script_analyzer:
+ type: pattern
+ pattern: '[\W&&[^-]]+'
+streams:
+ - input: winlog
+ template_path: winlog.yml.hbs
+ title: Powershell Operational
+ description: 'Microsoft-Windows-Powershell/Operational channel'
+ vars:
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: >-
+ Preserves a raw copy of the original XML event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: event_id
+ type: text
+ title: Event ID
+ description: >-
+ A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Limit 22 IDs.
+ required: true
+ show_user: false
+ default: 4103, 4104, 4105, 4106
+ - name: ignore_older
+ type: text
+ title: Ignore events older than
+ default: 72h
+ required: false
+ show_user: false
+ description: >-
+ If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+ - name: language
+ type: text
+ title: Language ID
+ description: >-
+ The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c[here]. It defaults to `0`, which indicates to use the system language. E.g.: 0x0409 for en-US
+ required: false
+ show_user: false
+ default: 0
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: httpjson
+ title: Windows Powershell Operational Events via Splunk Enterprise REST API
+ description: Collect Powershell Operational Events via Splunk Enterprise REST API
+ enabled: false
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: interval
+ type: text
+ title: Interval to query Splunk Enterprise REST API
+ description: Go Duration syntax (eg. 10s)
+ show_user: true
+ required: true
+ default: 10s
+ - name: search
+ type: text
+ title: Splunk search string
+ show_user: false
+ required: true
+ default: "search sourcetype=\"XmlWinEventLog:Microsoft-Windows-Powershell/Operational\""
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ default:
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
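Review bot: `default: 0` on the `language` var is a YAML integer although the var is declared `type: text`, while every other text-typed default in this stream (`72h`, `4103, 4104, 4105, 4106`, `10s`) is a string; writing it as `default: "0"` keeps the value's type consistent with the declared var type and avoids relying on template-side coercion (I have not checked how winlog.yml.hbs renders it). Separately, `ignore_older` defaults to `72h` with `show_user: false`, so an agent that was stopped or backlogged for more than three days silently skips the older PowerShell events on recovery, which is a telemetry gap an operator would want to know about. Either surfacing the var (`show_user: true`) or stating the consequence in its description — e.g. `Events older than this are skipped, which leaves a gap after an outage longer than the configured value.` — makes that trade-off visible.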
diff --git a/packages/windows/1.12.1/data_stream/powershell_operational/sample_event.json b/packages/windows/1.12.1/data_stream/powershell_operational/sample_event.json
new file mode 100755
index 0000000000..51586bda91
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/powershell_operational/sample_event.json
@@ -0,0 +1,77 @@
+{
+ "@timestamp": "2020-05-13T09:04:04.755Z",
+ "agent": {
+ "ephemeral_id": "d531ecae-45f4-4f96-a334-2c851a45469a",
+ "hostname": "docker-fleet-agent",
+ "id": "0d57cbc7-6410-455a-840c-08fd44507a26",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.17.0"
+ },
+ "data_stream": {
+ "dataset": "windows.powershell_operational",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "0d57cbc7-6410-455a-840c-08fd44507a26",
+ "snapshot": false,
+ "version": "7.17.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": "process",
+ "code": "4105",
+ "created": "2022-03-31T08:41:48.560Z",
+ "dataset": "windows.powershell_operational",
+ "ingested": "2022-03-31T08:41:49Z",
+ "kind": "event",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4105\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e102\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T09:04:04.755232500Z'/\u003e\u003cEventRecordID\u003e790\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{dd68516a-2930-0000-5962-68dd3029d601}'/\u003e\u003cExecution ProcessID='4204' ThreadID='1476'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003ef4a378ab-b74f-41a7-a5ef-6dd55562fdb9\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e9c031e5c-8d5a-4b91-a12e-b3624970b623\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "provider": "Microsoft-Windows-PowerShell",
+ "type": "start"
+ },
+ "host": {
+ "name": "vagrant"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "log": {
+ "level": "verbose"
+ },
+ "powershell": {
+ "file": {
+ "script_block_id": "f4a378ab-b74f-41a7-a5ef-6dd55562fdb9"
+ },
+ "runspace_id": "9c031e5c-8d5a-4b91-a12e-b3624970b623"
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ],
+ "user": {
+ "id": "S-1-5-21-1350058589-2282154016-2764056528-1000"
+ },
+ "winlog": {
+ "activity_id": "{dd68516a-2930-0000-5962-68dd3029d601}",
+ "channel": "Microsoft-Windows-PowerShell/Operational",
+ "computer_name": "vagrant",
+ "event_id": "4105",
+ "process": {
+ "pid": 4204,
+ "thread": {
+ "id": 1476
+ }
+ },
+ "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
+ "provider_name": "Microsoft-Windows-PowerShell",
+ "record_id": "790",
+ "user": {
+ "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000"
+ },
+ "version": 1
+ }
+}
\ No newline at end of file
diff --git a/packages/windows/1.12.1/data_stream/service/agent/stream/stream.yml.hbs b/packages/windows/1.12.1/data_stream/service/agent/stream/stream.yml.hbs
new file mode 100755
index 0000000000..d01c1b05cd
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/service/agent/stream/stream.yml.hbs
@@ -0,0 +1,3 @@
+metricsets: ["service"]
+condition: ${host.platform} == 'windows'
+period: {{period}}
diff --git a/packages/windows/1.12.1/data_stream/service/fields/agent.yml b/packages/windows/1.12.1/data_stream/service/fields/agent.yml
new file mode 100755
index 0000000000..da4e652c53
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/service/fields/agent.yml
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
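Review bot: The `os.platform` description reads `Operating system platform (such centos, ubuntu, windows).` and is missing a word; suggest `Operating system platform (such as centos, ubuntu, windows).`. Separately, `cloud.account.id` is declared `type: keyword` but its `example: 666777888999` is an unquoted plain scalar that a YAML loader reads as an integer, so `example: '666777888999'` would keep the example consistent with the field type. Both strings look like text carried over from the ECS field definitions, so the same fixes may belong upstream as well.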
diff --git a/packages/windows/1.12.1/data_stream/service/fields/base-fields.yml b/packages/windows/1.12.1/data_stream/service/fields/base-fields.yml
new file mode 100755
index 0000000000..5ec8437476
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/service/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: windows
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: windows.service
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/windows/1.12.1/data_stream/service/fields/fields.yml b/packages/windows/1.12.1/data_stream/service/fields/fields.yml
new file mode 100755
index 0000000000..7618a693c4
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/service/fields/fields.yml
@@ -0,0 +1,44 @@
+- name: windows.service
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: |
+ A unique ID for the service. It is a hash of the machine's GUID and the service name.
+ - name: name
+ type: keyword
+ description: |
+ The service name.
+ - name: display_name
+ type: keyword
+ description: |
+ The display name of the service.
+ - name: start_type
+ type: keyword
+ description: |
+ The startup type of the service. The possible values are `Automatic`, `Boot`, `Disabled`, `Manual`, and `System`.
+ - name: start_name
+ type: keyword
+ description: |
+ Account name under which a service runs.
+ - name: path_name
+ type: keyword
+ description: |
+ Fully qualified path to the file that implements the service, including arguments.
+ - name: state
+ type: keyword
+ description: |
+ The actual state of the service. The possible values are `Continuing`, `Pausing`, `Paused`, `Running`, `Starting`, `Stopping`, and `Stopped`.
+ - name: exit_code
+ type: keyword
+ description: |
+ For `Stopped` services this is the error code that service reports when starting to stopping. This will be the generic Windows service error code unless the service provides a service-specific error code.
+ - name: pid
+ type: long
+ description: |
+ For `Running` services this is the associated process PID.
+ - name: uptime.ms
+ type: long
+ format: duration
+ description: |
+ The service's uptime specified in milliseconds.
diff --git a/packages/windows/1.12.1/data_stream/service/manifest.yml b/packages/windows/1.12.1/data_stream/service/manifest.yml
new file mode 100755
index 0000000000..8810c1a5fa
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/service/manifest.yml
@@ -0,0 +1,14 @@
+title: Windows service metrics
+type: metrics
+streams:
+ - input: windows/metrics
+ vars:
+ - name: period
+ type: text
+ title: Period
+ multi: false
+ required: true
+ show_user: true
+ default: 60s
+ title: Windows service metrics
+ description: Collect Windows service metrics
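Review bot: The `exit_code` description contains the garbled phrase `when starting to stopping`; suggest `For Stopped services this is the error code the service reported when starting or stopping.` (keeping the backtick formatting of the state name). While touching it, `start_name` would benefit from one more sentence telling analysts that this is the logon account the service control manager runs the service under, since that is the field most relevant when auditing which services run with elevated accounts — hedged, because the hunk only shows the field definitions, not the metricset code that populates them.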
diff --git a/packages/windows/1.12.1/data_stream/sysmon_operational/agent/stream/httpjson.yml.hbs b/packages/windows/1.12.1/data_stream/sysmon_operational/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..0a82aa6acc
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/sysmon_operational/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,101 @@
+config_version: "2"
+interval: {{interval}}
+{{#unless token}}
+{{#if username}}
+{{#if password}}
+auth.basic.user: {{username}}
+auth.basic.password: {{password}}
+{{/if}}
+{{/if}}
+{{/unless}}
+cursor:
+ index_earliest:
+ value: '[[.last_event.result.max_indextime]]'
+request.url: {{url}}/services/search/jobs/export
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+request.method: POST
+request.transforms:
+ - set:
+ target: url.params.search
+ value: |-
+ {{search}} | streamstats max(_indextime) AS max_indextime
+ - set:
+ target: url.params.output_mode
+ value: "json"
+ - set:
+ target: url.params.index_earliest
+ value: '[[ .cursor.index_earliest ]]'
+ default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
+ - set:
+ target: url.params.index_latest
+ value: '[[(now).Unix]]'
+ - set:
+ target: header.Content-Type
+ value: application/x-www-form-urlencoded
+{{#unless username}}
+{{#unless password}}
+{{#if token}}
+ - set:
+ target: header.Authorization
+ value: {{token}}
+{{/if}}
+{{/unless}}
+{{/unless}}
+response.decode_as: application/x-ndjson
+{{#if tags.length}}
+tags:
+{{else if preserve_original_event}}
+tags:
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- decode_json_fields:
+ fields: message
+ target: json
+ add_error_key: true
+- drop_event:
+ when:
+ not:
+ has_fields: ['json.result']
+- fingerprint:
+ fields:
+ - json.result._cd
+ - json.result._indextime
+ - json.result._raw
+ - json.result._time
+ - json.result.host
+ - json.result.source
+ target_field: "@metadata._id"
+- drop_fields:
+ fields: message
+- rename:
+ fields:
+ - from: json.result._raw
+ to: event.original
+ - from: json.result.host
+ to: host.name
+ - from: json.result.source
+ to: event.provider
+ ignore_missing: true
+ fail_on_error: false
+- drop_fields:
+ fields: json
+-
decode_xml_wineventlog:
+ field: event.original
+ target_field: winlog
+ ignore_missing: true
+ ignore_failure: true
+ map_ecs_fields: true
+{{#if processors.length}}
+{{processors}}
+{{/if}}
diff --git a/packages/windows/1.12.1/data_stream/sysmon_operational/agent/stream/winlog.yml.hbs b/packages/windows/1.12.1/data_stream/sysmon_operational/agent/stream/winlog.yml.hbs
new file mode 100755
index 0000000000..7795afb123
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/sysmon_operational/agent/stream/winlog.yml.hbs
@@ -0,0 +1,24 @@
+name: Microsoft-Windows-Sysmon/Operational
+condition: ${host.platform} == 'windows'
+{{#if event_id}}
+event_id: {{event_id}}
+{{/if}}
+{{#if ignore_older}}
+ignore_older: {{ignore_older}}
+{{/if}}
+{{#if language}}
+language: {{language}}
+{{/if}}
+{{#if tags.length}}
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{/if}}
+{{#if preserve_original_event}}
+include_xml: true
+{{/if}}
+{{#if processors.length}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/windows/1.12.1/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml b/packages/windows/1.12.1/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..843d73b827
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml
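Review bot: If an operator sets both `token` and `username`/`password`, this template emits no authentication at all: the `auth.basic.*` lines are wrapped in `{{#unless token}}` and the `header.Authorization` transform in `{{#unless username}}`/`{{#unless password}}`, so the export request to `{{url}}/services/search/jobs/export` goes out unauthenticated and only fails at request time with nothing in the rendered config pointing at the cause. Suggest making the token take precedence by dropping the `{{#unless username}}` and `{{#unless password}}` wrappers (and their two `{{/unless}}` closers) around the `header.Authorization` set transform, leaving `{{#if token}}` as the only guard, so exactly one of the two auth branches is always rendered when credentials are present. Note also that `{{password}}` and `{{token}}` are rendered as unquoted plain scalars; unless the template engine escapes them (not visible here), a secret containing a leading `*`, `&` or `#`, or an embedded `: ` or ` #`, would mis-parse in the rendered YAML, so quoting those two values with appropriate escaping is worth considering.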
@@ -0,0 +1,1241 @@ +--- +description: Pipeline for Windows Sysmon Event Logs +processors: +## ECS and Event fields. + + - set: + field: ecs.version + value: '8.0.0' + - script: + description: Remove all empty values from event_data. + lang: painless + source: ctx.winlog?.event_data?.entrySet().removeIf(entry -> [null, "", "-", "{00000000-0000-0000-0000-000000000000}"].contains(entry.getValue())) + - rename: + field: winlog.level + target_field: log.level + ignore_missing: true + ignore_failure: true + if: ctx?.winlog?.level != "" + - date: + field: winlog.time_created + target_field: event.created + formats: + - ISO8601 + ignore_failure: true + if: ctx?.winlog?.time_created != null + - date: + field: winlog.event_data.UtcTime + formats: + - yyyy-MM-dd HH:mm:ss.SSS + timezone: UTC + ignore_failure: true + if: ctx?.winlog?.event_data?.UtcTime != null + + - set: + field: event.kind + value: event + - set: + field: event.code + value: '{{winlog.event_id}}' + + - script: + description: Set event category and type for all event types. 
+ lang: painless + params: + "1": + category: + - process + type: + - start + "2": + category: + - file + type: + - change + "3": + category: + - network + type: + - start + - connection + - protocol + "4": + category: + - process + type: + - change + "5": + category: + - process + type: + - end + "6": + category: + - driver + type: + - start + "7": + category: + - process + type: + - change + "10": + category: + - process + type: + - access + "11": + category: + - file + type: + - creation + "12": + category: + - configuration + - registry + type: + - change + "13": + category: + - configuration + - registry + type: + - change + "14": + category: + - configuration + - registry + type: + - change + "15": + category: + - file + type: + - access + "16": + category: + - configuration + type: + - change + "17": + category: + - file + type: + - creation + "18": + category: + - file + type: + - access + "22": + category: + - network + type: + - connection + - protocol + - info + "23": + category: + - file + type: + - deletion + "24": + type: + - change + "25": + category: + - process + type: + - change + "26": + category: + - file + type: + - deletion + tag: Add ECS categorization fields + source: |- + if (ctx?.event?.code == null || params.get(ctx.event.code) == null) { + return; + } + def hm = new HashMap(params[ctx.event.code]); + hm.forEach((k, v) -> ctx.event[k] = v); + - convert: + field: winlog.record_id + type: string + ignore_failure: true + ignore_missing: true + + - rename: + field: winlog.event_data.ID + target_field: error.code + ignore_failure: true + ignore_missing: true + if: ctx.event.code == "255" + + - rename: + field: winlog.event_data.RuleName + target_field: rule.name + ignore_missing: true + ignore_failure: true + + - rename: + field: winlog.event_data.Type + target_field: message + ignore_missing: true + ignore_failure: true + if: ctx.event.code == "25" + + - rename: + field: winlog.event_data.Hash + target_field: winlog.event_data.Hashes + 
ignore_missing: true + ignore_failure: true + - kv: + field: winlog.event_data.Hashes + target_field: _temp.hashes + field_split: "," + value_split: "=" + ignore_failure: true + if: ctx?.winlog?.event_data?.Hashes != null + - script: + lang: painless + if: ctx?._temp?.hashes != null + source: |- + def hashIsEmpty(String hash) { + if (hash == "") { + return true; + } + + Pattern emptyHashRegex = /^0*$/; + def matcher = emptyHashRegex.matcher(hash); + + return matcher.matches(); + } + + def hashes = new HashMap(); + def related = [ + "hash": new ArrayList() + ]; + for (entry in ctx._temp.hashes.entrySet()) { + def key = entry.getKey().toString().toLowerCase(); + def value = entry.getValue().toString().toLowerCase(); + + if (hashIsEmpty(value)) { + continue; + } + + hashes[key] = value; + related.hash.add(value); + } + + ctx._temp.hashes = hashes; + if (related.hash.length > 0) { + ctx.related = related; + } + +## Process fields + + - rename: + field: _temp.hashes + target_field: process.hash + if: |- + ctx?._temp?.hashes != null && + ["1", "23", "24", "25", "26"].contains(ctx.event.code) + - rename: + field: process.hash.imphash + target_field: process.pe.imphash + ignore_failure: true + ignore_missing: true + - rename: + field: winlog.event_data.ProcessGuid + target_field: process.entity_id + ignore_missing: true + ignore_failure: true + - convert: + field: winlog.event_data.ProcessId + target_field: process.pid + type: long + ignore_failure: true + ignore_missing: true + - rename: + field: winlog.event_data.Image + target_field: process.executable + ignore_missing: true + ignore_failure: true + - rename: + field: winlog.event_data.SourceProcessGuid + target_field: process.entity_id + ignore_missing: true + ignore_failure: true + - rename: + field: winlog.event_data.SourceProcessGUID + target_field: process.entity_id + ignore_missing: true + ignore_failure: true + - convert: + field: winlog.event_data.SourceProcessId + target_field: process.pid + type: long + 
ignore_failure: true + ignore_missing: true + - convert: + field: winlog.event_data.SourceThreadId + target_field: process.thread.id + type: long + ignore_failure: true + ignore_missing: true + - rename: + field: winlog.event_data.SourceImage + target_field: process.executable + ignore_missing: true + ignore_failure: true + - rename: + field: winlog.event_data.Destination + target_field: process.executable + ignore_missing: true + ignore_failure: true + - rename: + field: winlog.event_data.CommandLine + target_field: process.command_line + ignore_missing: true + ignore_failure: true + - rename: + field: winlog.event_data.CurrentDirectory + target_field: process.working_directory + ignore_missing: true + ignore_failure: true + - rename: + field: winlog.event_data.ParentProcessGuid + target_field: process.parent.entity_id + ignore_missing: true + ignore_failure: true + - convert: + field: winlog.event_data.ParentProcessId + target_field: process.parent.pid + type: long + ignore_failure: true + ignore_missing: true + - rename: + field: winlog.event_data.ParentImage + target_field: process.parent.executable + ignore_missing: true + ignore_failure: true + - rename: + field: winlog.event_data.ParentCommandLine + target_field: process.parent.command_line + ignore_missing: true + ignore_failure: true + - rename: + field: winlog.event_data.OriginalFileName + target_field: process.pe.original_file_name + ignore_missing: true + ignore_failure: true + if: ctx.event.code != "7" + - set: + field: process.pe.company + copy_from: winlog.event_data.Company + ignore_empty_value: true + ignore_failure: true + if: ctx.event.code != "7" + - set: + field: process.pe.description + copy_from: winlog.event_data.Description + ignore_empty_value: true + ignore_failure: true + if: ctx.event.code != "7" + - set: + field: process.pe.file_version + copy_from: winlog.event_data.FileVersion + ignore_empty_value: true + ignore_failure: true + if: ctx.event.code != "7" + - set: + field: 
process.pe.product + copy_from: winlog.event_data.Product + ignore_empty_value: true + ignore_failure: true + if: ctx.event.code != "7" + + - script: + description: Implements Windows-like SplitCommandLine + lang: painless + if: |- + (ctx?.process?.command_line != null && ctx.process.command_line != "") || + (ctx?.process?.parent?.command_line != null && ctx.process.parent.command_line != "") + source: |- + // appendBSBytes appends n '\\' bytes to b and returns the resulting slice. + def appendBSBytes(StringBuilder b, int n) { + for (; n > 0; n--) { + b.append('\\'); + } + return b; + } + + // readNextArg splits command line string cmd into next + // argument and command line remainder. + def readNextArg(String cmd) { + def b = new StringBuilder(); + boolean inquote; + int nslash; + for (; cmd.length() > 0; cmd = cmd.substring(1)) { + def c = cmd.charAt(0); + if (c == (char)' ' || c == (char)0x09) { + if (!inquote) { + return [ + "arg": appendBSBytes(b, nslash).toString(), + "rest": cmd.substring(1) + ]; + } + } else if (c == (char)'"') { + b = appendBSBytes(b, nslash/2); + if (nslash%2 == 0) { + // use "Prior to 2008" rule from + // http://daviddeley.com/autohotkey/parameters/parameters.htm + // section 5.2 to deal with double double quotes + if (inquote && cmd.length() > 1 && cmd.charAt(1) == (char)'"') { + b.append(c); + cmd = cmd.substring(1); + } + inquote = !inquote; + } else { + b.append(c); + } + nslash = 0; + continue; + } else if (c == (char)'\\') { + nslash++; + continue; + } + b = appendBSBytes(b, nslash); + nslash = 0; + b.append(c); + } + return [ + "arg": appendBSBytes(b, nslash).toString(), + "rest": '' + ]; + } + + // commandLineToArgv splits a command line into individual argument + // strings, following the Windows conventions documented + // at http://daviddeley.com/autohotkey/parameters/parameters.htm#WINARGV + // Original implementation found at: https://github.com/golang/go/commit/39c8d2b7faed06b0e91a1ad7906231f53aab45d1 + def 
commandLineToArgv(String cmd) { + def args = new ArrayList(); + while (cmd.length() > 0) { + if (cmd.charAt(0) == (char)' ' || cmd.charAt(0) == (char)0x09) { + cmd = cmd.substring(1); + continue; + } + def next = readNextArg(cmd); + cmd = next.rest; + args.add(next.arg); + } + return args; + } + + def cmd = ctx?.process?.command_line; + if (cmd != null && cmd != "") { + ctx.process.args = commandLineToArgv(cmd); + ctx.process.args_count = ctx.process.args.length; + } + + def parentCmd = ctx?.process?.parent?.command_line; + if (parentCmd != null && parentCmd != "") { + ctx.process.parent.args = commandLineToArgv(parentCmd); + ctx.process.parent.args_count = ctx.process.parent.args.length; + } + + - script: + description: Adds process name information. + lang: painless + if: |- + (ctx?.process?.executable != null && ctx.process.executable.length() > 1) || + (ctx?.process?.parent?.executable != null && ctx.process.parent.executable.length() > 1) + source: |- + def getProcessName(def path) { + def idx = path.lastIndexOf("\\"); + if (idx > -1) { + return path.substring(idx+1); + } + return ""; + } + + def cmd = ctx?.process?.executable; + if (cmd != null && cmd != "" && ctx?.process?.name == null) { + def name = getProcessName(cmd); + if (name != "") { + ctx.process.name = name; + } + } + + def parentCmd = ctx?.process?.parent?.executable; + if (parentCmd != null && parentCmd != "" && ctx?.process?.parent?.name == null) { + def name = getProcessName(parentCmd); + if (name != "") { + ctx.process.parent.name = name; + } + } + +## File fields + + - rename: + field: _temp.hashes + target_field: file.hash + if: |- + ctx?._temp?.hashes != null && + ["6", "7", "15"].contains(ctx.event.code) + - rename: + field: file.hash.imphash + target_field: file.pe.imphash + ignore_failure: true + ignore_missing: true + - rename: + field: winlog.event_data.TargetFilename + target_field: file.path + ignore_missing: true + ignore_failure: true + - rename: + field: winlog.event_data.Device + 
target_field: file.path + ignore_missing: true + ignore_failure: true + - rename: + field: winlog.event_data.PipeName + target_field: file.name + ignore_missing: true + ignore_failure: true + - rename: + field: winlog.event_data.ImageLoaded + target_field: file.path + ignore_missing: true + ignore_failure: true + - set: + field: file.code_signature.subject_name + copy_from: winlog.event_data.Signature + ignore_failure: true + ignore_empty_value: true + - set: + field: file.code_signature.status + copy_from: winlog.event_data.SignatureStatus + ignore_failure: true + ignore_empty_value: true + - rename: + field: winlog.event_data.OriginalFileName + target_field: file.pe.original_file_name + ignore_missing: true + ignore_failure: true + if: ctx.event.code == "7" + - set: + field: file.pe.company + copy_from: winlog.event_data.Company + ignore_failure: true + ignore_empty_value: true + if: ctx.event.code == "7" + - set: + field: file.pe.description + copy_from: winlog.event_data.Description + ignore_failure: true + ignore_empty_value: true + if: ctx.event.code == "7" + - set: + field: file.pe.file_version + copy_from: winlog.event_data.FileVersion + ignore_failure: true + ignore_empty_value: true + if: ctx.event.code == "7" + - set: + field: file.pe.product + copy_from: winlog.event_data.Product + ignore_failure: true + ignore_empty_value: true + if: ctx.event.code == "7" + - set: + field: file.code_signature.signed + value: true + if: ctx?.winlog?.event_data?.Signed == true + - set: + field: file.code_signature.valid + value: true + if: ctx?.winlog?.event_data?.SignatureStatus == "Valid" + + - script: + description: Adds file information. 
+ lang: painless + if: ctx?.file?.path != null && ctx.file.path.length() > 1 + source: |- + def path = ctx.file.path; + def idx = path.lastIndexOf("\\"); + if (idx > -1) { + if (ctx?.file == null) { + ctx.file = new HashMap(); + } + ctx.file.name = path.substring(idx+1); + ctx.file.directory = path.substring(0, idx); + + def extIdx = path.lastIndexOf("."); + if (extIdx > -1) { + ctx.file.extension = path.substring(extIdx+1); + } + } + +## Network, Destination, and Source fields + + - rename: + field: winlog.event_data.Protocol + target_field: network.transport + ignore_missing: true + ignore_failure: true + - rename: + field: winlog.event_data.DestinationPortName + target_field: network.protocol + ignore_missing: true + ignore_failure: true + if: ctx.event.code != "22" + - rename: + field: winlog.event_data.SourcePortName + target_field: network.protocol + ignore_missing: true + ignore_failure: true + if: ctx.event.code != "22" + - set: + field: network.protocol + value: dns + if: ctx.event.code == "22" + - convert: + field: winlog.event_data.SourceIp + target_field: source.ip + type: ip + ignore_failure: true + ignore_missing: true + - rename: + field: winlog.event_data.SourceHostname + target_field: source.domain + ignore_missing: true + ignore_failure: true + - convert: + field: winlog.event_data.SourcePort + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: winlog.event_data.DestinationIp + target_field: destination.ip + type: ip + ignore_failure: true + ignore_missing: true + - rename: + field: winlog.event_data.DestinationHostname + target_field: destination.domain + ignore_missing: true + ignore_failure: true + - convert: + field: winlog.event_data.DestinationPort + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + - rename: + field: winlog.event_data.QueryName + target_field: dns.question.name + ignore_missing: true + ignore_failure: true + - set: + field: 
network.direction + value: egress + if: ctx?.winlog?.event_data?.Initiated == "true" + - set: + field: network.direction + value: ingress + if: ctx?.winlog?.event_data?.Initiated == "false" + - set: + field: network.type + value: ipv4 + if: ctx?.winlog?.event_data?.SourceIsIpv6 == "false" + - set: + field: network.type + value: ipv6 + if: ctx?.winlog?.event_data?.SourceIsIpv6 == "true" + - script: + description: | + Splits the QueryResults field that contains the DNS responses. + Example: "type: 5 f2.taboola.map.fastly.net;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;" + lang: painless + if: ctx?.winlog?.event_data?.QueryResults != null + params: + "1": "A" + "2": "NS" + "3": "MD" + "4": "MF" + "5": "CNAME" + "6": "SOA" + "7": "MB" + "8": "MG" + "9": "MR" + "10": "NULL" + "11": "WKS" + "12": "PTR" + "13": "HINFO" + "14": "MINFO" + "15": "MX" + "16": "TXT" + "17": "RP" + "18": "AFSDB" + "19": "X25" + "20": "ISDN" + "21": "RT" + "22": "NSAP" + "23": "NSAPPTR" + "24": "SIG" + "25": "KEY" + "26": "PX" + "27": "GPOS" + "28": "AAAA" + "29": "LOC" + "30": "NXT" + "31": "EID" + "32": "NIMLOC" + "33": "SRV" + "34": "ATMA" + "35": "NAPTR" + "36": "KX" + "37": "CERT" + "38": "A6" + "39": "DNAME" + "40": "SINK" + "41": "OPT" + "43": "DS" + "46": "RRSIG" + "47": "NSEC" + "48": "DNSKEY" + "49": "DHCID" + "100": "UINFO" + "101": "UID" + "102": "GID" + "103": "UNSPEC" + "248": "ADDRS" + "249": "TKEY" + "250": "TSIG" + "251": "IXFR" + "252": "AXFR" + "253": "MAILB" + "254": "MAILA" + "255": "ANY" + "65281": "WINS" + "65282": "WINSR" + source: |- + def results = /;/.split(ctx.winlog.event_data.QueryResults); + def answers = new ArrayList(); + def ips = new ArrayList(); + def relatedHosts = new ArrayList(); + for (def i = 0; i < results.length; i++) { + def answer = results[i]; + if (answer == "") { + continue; + } + + if (answer.startsWith("type:")) { + def parts = /\s+/.split(answer); + if (parts.length != 3) { + throw new Exception("unexpected 
QueryResult format"); + } + + answers.add([ + "type": params[parts[1]], + "data": parts[2] + ]); + relatedHosts.add(parts[2]); + } else { + answer = answer.replace("::ffff:", ""); + ips.add(answer); + } + } + + if (answers.length > 0) { + ctx.dns.answers = answers; + } + if (ips.length > 0) { + ctx.dns.resolved_ip = ips; + } + if (relatedHosts.length > 0) { + if (ctx?.related == null) { + ctx.related = new HashMap(); + } + ctx.related.hosts = relatedHosts; + } + - foreach: + field: dns.resolved_ip + ignore_missing: true + processor: + convert: + field: _ingest._value + type: ip + on_failure: + - remove: + field: _ingest._value + - script: + description: Convert V4MAPPED addresses. + lang: painless + if: ctx?.dns?.resolved_ip != null + source: |- + if (ctx.dns.answers == null) { + ctx.dns.answers = new ArrayList(); + } + for (def i = 0; i < ctx.dns.resolved_ip.length; i++) { + def ip = ctx.dns.resolved_ip[i]; + if (ip == null) { + ctx.dns.resolved_ip.remove(i); + continue; + } + + // Synthesize record type based on IP address type. + def type = "A"; + if (ip.indexOf(":") != -1) { + type = "AAAA"; + } + ctx.dns.answers.add([ + "type": type, + "data": ip + ]); + } + - registered_domain: + field: dns.question.name + target_field: dns.question + ignore_failure: true + ignore_missing: true + - append: + field: related.hosts + value: "{{dns.question.name}}" + allow_duplicates: false + if: ctx?.dns?.question?.name != null && ctx?.dns?.question?.name != "" + - remove: + description: Remove dns.question.domain because it is not part of ECS and is redundant with dns.question.name. 
+ field: dns.question.domain + ignore_missing: true + ignore_failure: true + - foreach: + field: dns.resolved_ip + ignore_missing: true + processor: + append: + field: related.ip + value: "{{_ingest._value}}" + allow_duplicates: false + ignore_failure: true + - community_id: + ignore_failure: true + ignore_missing: false + +## User fields + + - set: + field: user.id + copy_from: winlog.user.identifier + ignore_empty_value: true + ignore_failure: true + - split: + field: winlog.event_data.User + target_field: "_temp.user_parts" + separator: '\\' + if: ctx?.winlog?.event_data?.User != null + - set: + field: user.domain + value: "{{_temp.user_parts.0}}" + ignore_failure: true + ignore_empty_value: true + if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 + - set: + field: user.name + value: "{{_temp.user_parts.1}}" + ignore_failure: true + ignore_empty_value: true + if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 + +## Sysmon fields + + - rename: + field: winlog.event_data.QueryStatus + target_field: sysmon.dns.status + ignore_missing: true + ignore_failure: true + - script: + description: Translate DNS Query status. 
+ lang: painless
+ params:
+ "5": "ERROR_ACCESS_DENIED"
+ "0": "SUCCESS"
+ "8": "ERROR_NOT_ENOUGH_MEMORY"
+ "13": "ERROR_INVALID_DATA"
+ "14": "ERROR_OUTOFMEMORY"
+ "123": "ERROR_INVALID_NAME"
+ "1214": "ERROR_INVALID_NETNAME"
+ "1223": "ERROR_CANCELLED"
+ "1460": "ERROR_TIMEOUT"
+ "4312": "ERROR_OBJECT_NOT_FOUND"
+ "9001": "DNS_ERROR_RCODE_FORMAT_ERROR"
+ "9002": "DNS_ERROR_RCODE_SERVER_FAILURE"
+ "9003": "DNS_ERROR_RCODE_NAME_ERROR"
+ "9004": "DNS_ERROR_RCODE_NOT_IMPLEMENTED"
+ "9005": "DNS_ERROR_RCODE_REFUSED"
+ "9006": "DNS_ERROR_RCODE_YXDOMAIN"
+ "9007": "DNS_ERROR_RCODE_YXRRSET"
+ "9008": "DNS_ERROR_RCODE_NXRRSET"
+ "9009": "DNS_ERROR_RCODE_NOTAUTH"
+ "9010": "DNS_ERROR_RCODE_NOTZONE"
+ "9016": "DNS_ERROR_RCODE_BADSIG"
+ "9017": "DNS_ERROR_RCODE_BADKEY"
+ "9018": "DNS_ERROR_RCODE_BADTIME"
+ "9101": "DNS_ERROR_KEYMASTER_REQUIRED"
+ "9102": "DNS_ERROR_NOT_ALLOWED_ON_SIGNED_ZONE"
+ "9103": "DNS_ERROR_NSEC3_INCOMPATIBLE_WITH_RSA_SHA1"
+ "9104": "DNS_ERROR_NOT_ENOUGH_SIGNING_KEY_DESCRIPTORS"
+ "9105": "DNS_ERROR_UNSUPPORTED_ALGORITHM"
+ "9106": "DNS_ERROR_INVALID_KEY_SIZE"
+ "9107": "DNS_ERROR_SIGNING_KEY_NOT_ACCESSIBLE"
+ "9108": "DNS_ERROR_KSP_DOES_NOT_SUPPORT_PROTECTION"
+ "9109": "DNS_ERROR_UNEXPECTED_DATA_PROTECTION_ERROR"
+ "9110": "DNS_ERROR_UNEXPECTED_CNG_ERROR"
+ "9111": "DNS_ERROR_UNKNOWN_SIGNING_PARAMETER_VERSION"
+ "9112": "DNS_ERROR_KSP_NOT_ACCESSIBLE"
+ "9113": "DNS_ERROR_TOO_MANY_SKDS"
+ "9114": "DNS_ERROR_INVALID_ROLLOVER_PERIOD"
+ "9115": "DNS_ERROR_INVALID_INITIAL_ROLLOVER_OFFSET"
+ "9116": "DNS_ERROR_ROLLOVER_IN_PROGRESS"
+ "9117": "DNS_ERROR_STANDBY_KEY_NOT_PRESENT"
+ "9118": "DNS_ERROR_NOT_ALLOWED_ON_ZSK"
+ "9119": "DNS_ERROR_NOT_ALLOWED_ON_ACTIVE_SKD"
+ "9120": "DNS_ERROR_ROLLOVER_ALREADY_QUEUED"
+ "9121": "DNS_ERROR_NOT_ALLOWED_ON_UNSIGNED_ZONE"
+ "9122": "DNS_ERROR_BAD_KEYMASTER"
+ "9123": "DNS_ERROR_INVALID_SIGNATURE_VALIDITY_PERIOD"
+ "9124": "DNS_ERROR_INVALID_NSEC3_ITERATION_COUNT"
+ "9125": "DNS_ERROR_DNSSEC_IS_DISABLED"
+ "9126": "DNS_ERROR_INVALID_XML"
+ "9127": "DNS_ERROR_NO_VALID_TRUST_ANCHORS"
+ "9128": "DNS_ERROR_ROLLOVER_NOT_POKEABLE"
+ "9129": "DNS_ERROR_NSEC3_NAME_COLLISION"
+ "9130": "DNS_ERROR_NSEC_INCOMPATIBLE_WITH_NSEC3_RSA_SHA1"
+ "9501": "DNS_INFO_NO_RECORDS"
+ "9502": "DNS_ERROR_BAD_PACKET"
+ "9503": "DNS_ERROR_NO_PACKET"
+ "9504": "DNS_ERROR_RCODE"
+ "9505": "DNS_ERROR_UNSECURE_PACKET"
+ "9506": "DNS_REQUEST_PENDING"
+ "9551": "DNS_ERROR_INVALID_TYPE"
+ "9552": "DNS_ERROR_INVALID_IP_ADDRESS"
+ "9553": "DNS_ERROR_INVALID_PROPERTY"
+ "9554": "DNS_ERROR_TRY_AGAIN_LATER"
+ "9555": "DNS_ERROR_NOT_UNIQUE"
+ "9556": "DNS_ERROR_NON_RFC_NAME"
+ "9557": "DNS_STATUS_FQDN"
+ "9558": "DNS_STATUS_DOTTED_NAME"
+ "9559": "DNS_STATUS_SINGLE_PART_NAME"
+ "9560": "DNS_ERROR_INVALID_NAME_CHAR"
+ "9561": "DNS_ERROR_NUMERIC_NAME"
+ "9562": "DNS_ERROR_NOT_ALLOWED_ON_ROOT_SERVER"
+ "9563": "DNS_ERROR_NOT_ALLOWED_UNDER_DELEGATION"
+ "9564": "DNS_ERROR_CANNOT_FIND_ROOT_HINTS"
+ "9565": "DNS_ERROR_INCONSISTENT_ROOT_HINTS"
+ "9566": "DNS_ERROR_DWORD_VALUE_TOO_SMALL"
+ "9567": "DNS_ERROR_DWORD_VALUE_TOO_LARGE"
+ "9568": "DNS_ERROR_BACKGROUND_LOADING"
+ "9569": "DNS_ERROR_NOT_ALLOWED_ON_RODC"
+ "9570": "DNS_ERROR_NOT_ALLOWED_UNDER_DNAME"
+ "9571": "DNS_ERROR_DELEGATION_REQUIRED"
+ "9572": "DNS_ERROR_INVALID_POLICY_TABLE"
+ "9573": "DNS_ERROR_ADDRESS_REQUIRED"
+ "9601": "DNS_ERROR_ZONE_DOES_NOT_EXIST"
+ "9602": "DNS_ERROR_NO_ZONE_INFO"
+ "9603": "DNS_ERROR_INVALID_ZONE_OPERATION"
+ "9604": "DNS_ERROR_ZONE_CONFIGURATION_ERROR"
+ "9605": "DNS_ERROR_ZONE_HAS_NO_SOA_RECORD"
+ "9606": "DNS_ERROR_ZONE_HAS_NO_NS_RECORDS"
+ "9607": "DNS_ERROR_ZONE_LOCKED"
+ "9608": "DNS_ERROR_ZONE_CREATION_FAILED"
+ "9609": "DNS_ERROR_ZONE_ALREADY_EXISTS"
+ "9610": "DNS_ERROR_AUTOZONE_ALREADY_EXISTS"
+ "9611": "DNS_ERROR_INVALID_ZONE_TYPE"
+ "9612": "DNS_ERROR_SECONDARY_REQUIRES_MASTER_IP"
+ "9613": "DNS_ERROR_ZONE_NOT_SECONDARY"
+ "9614": "DNS_ERROR_NEED_SECONDARY_ADDRESSES"
+ "9615": "DNS_ERROR_WINS_INIT_FAILED"
+ "9616": "DNS_ERROR_NEED_WINS_SERVERS"
+ "9617": "DNS_ERROR_NBSTAT_INIT_FAILED"
+ "9618": "DNS_ERROR_SOA_DELETE_INVALID"
+ "9619": "DNS_ERROR_FORWARDER_ALREADY_EXISTS"
+ "9620": "DNS_ERROR_ZONE_REQUIRES_MASTER_IP"
+ "9621": "DNS_ERROR_ZONE_IS_SHUTDOWN"
+ "9622": "DNS_ERROR_ZONE_LOCKED_FOR_SIGNING"
+ "9651": "DNS_ERROR_PRIMARY_REQUIRES_DATAFILE"
+ "9652": "DNS_ERROR_INVALID_DATAFILE_NAME"
+ "9653": "DNS_ERROR_DATAFILE_OPEN_FAILURE"
+ "9654": "DNS_ERROR_FILE_WRITEBACK_FAILED"
+ "9655": "DNS_ERROR_DATAFILE_PARSING"
+ "9701": "DNS_ERROR_RECORD_DOES_NOT_EXIST"
+ "9702": "DNS_ERROR_RECORD_FORMAT"
+ "9703": "DNS_ERROR_NODE_CREATION_FAILED"
+ "9704": "DNS_ERROR_UNKNOWN_RECORD_TYPE"
+ "9705": "DNS_ERROR_RECORD_TIMED_OUT"
+ "9706": "DNS_ERROR_NAME_NOT_IN_ZONE"
+ "9707": "DNS_ERROR_CNAME_LOOP"
+ "9708": "DNS_ERROR_NODE_IS_CNAME"
+ "9709": "DNS_ERROR_CNAME_COLLISION"
+ "9710": "DNS_ERROR_RECORD_ONLY_AT_ZONE_ROOT"
+ "9711": "DNS_ERROR_RECORD_ALREADY_EXISTS"
+ "9712": "DNS_ERROR_SECONDARY_DATA"
+ "9713": "DNS_ERROR_NO_CREATE_CACHE_DATA"
+ "9714": "DNS_ERROR_NAME_DOES_NOT_EXIST"
+ "9715": "DNS_WARNING_PTR_CREATE_FAILED"
+ "9716": "DNS_WARNING_DOMAIN_UNDELETED"
+ "9717": "DNS_ERROR_DS_UNAVAILABLE"
+ "9718": "DNS_ERROR_DS_ZONE_ALREADY_EXISTS"
+ "9719": "DNS_ERROR_NO_BOOTFILE_IF_DS_ZONE"
+ "9720": "DNS_ERROR_NODE_IS_DNAME"
+ "9721": "DNS_ERROR_DNAME_COLLISION"
+ "9722": "DNS_ERROR_ALIAS_LOOP"
+ "9751": "DNS_INFO_AXFR_COMPLETE"
+ "9752": "DNS_ERROR_AXFR"
+ "9753": "DNS_INFO_ADDED_LOCAL_WINS"
+ "9801": "DNS_STATUS_CONTINUE_NEEDED"
+ "9851": "DNS_ERROR_NO_TCPIP"
+ "9852": "DNS_ERROR_NO_DNS_SERVERS"
+ "9901": "DNS_ERROR_DP_DOES_NOT_EXIST"
+ "9902": "DNS_ERROR_DP_ALREADY_EXISTS"
+ "9903": "DNS_ERROR_DP_NOT_ENLISTED"
+ "9904": "DNS_ERROR_DP_ALREADY_ENLISTED"
+ "9905": "DNS_ERROR_DP_NOT_AVAILABLE"
+ "9906": "DNS_ERROR_DP_FSMO_ERROR"
+ "9911": "DNS_ERROR_RRL_NOT_ENABLED"
+ "9912": "DNS_ERROR_RRL_INVALID_WINDOW_SIZE"
+ "9913": "DNS_ERROR_RRL_INVALID_IPV4_PREFIX"
+ "9914": "DNS_ERROR_RRL_INVALID_IPV6_PREFIX"
+ "9915": "DNS_ERROR_RRL_INVALID_TC_RATE"
+ "9916": "DNS_ERROR_RRL_INVALID_LEAK_RATE"
+ "9917": "DNS_ERROR_RRL_LEAK_RATE_LESSTHAN_TC_RATE"
+ "9921": "DNS_ERROR_VIRTUALIZATION_INSTANCE_ALREADY_EXISTS"
+ "9922": "DNS_ERROR_VIRTUALIZATION_INSTANCE_DOES_NOT_EXIST"
+ "9923": "DNS_ERROR_VIRTUALIZATION_TREE_LOCKED"
+ "9924": "DNS_ERROR_INVAILD_VIRTUALIZATION_INSTANCE_NAME"
+ "9925": "DNS_ERROR_DEFAULT_VIRTUALIZATION_INSTANCE"
+ "9951": "DNS_ERROR_ZONESCOPE_ALREADY_EXISTS"
+ "9952": "DNS_ERROR_ZONESCOPE_DOES_NOT_EXIST"
+ "9953": "DNS_ERROR_DEFAULT_ZONESCOPE"
+ "9954": "DNS_ERROR_INVALID_ZONESCOPE_NAME"
+ "9955": "DNS_ERROR_NOT_ALLOWED_WITH_ZONESCOPES"
+ "9956": "DNS_ERROR_LOAD_ZONESCOPE_FAILED"
+ "9957": "DNS_ERROR_ZONESCOPE_FILE_WRITEBACK_FAILED"
+ "9958": "DNS_ERROR_INVALID_SCOPE_NAME"
+ "9959": "DNS_ERROR_SCOPE_DOES_NOT_EXIST"
+ "9960": "DNS_ERROR_DEFAULT_SCOPE"
+ "9961": "DNS_ERROR_INVALID_SCOPE_OPERATION"
+ "9962": "DNS_ERROR_SCOPE_LOCKED"
+ "9963": "DNS_ERROR_SCOPE_ALREADY_EXISTS"
+ "9971": "DNS_ERROR_POLICY_ALREADY_EXISTS"
+ "9972": "DNS_ERROR_POLICY_DOES_NOT_EXIST"
+ "9973": "DNS_ERROR_POLICY_INVALID_CRITERIA"
+ "9974": "DNS_ERROR_POLICY_INVALID_SETTINGS"
+ "9975": "DNS_ERROR_CLIENT_SUBNET_IS_ACCESSED"
+ "9976": "DNS_ERROR_CLIENT_SUBNET_DOES_NOT_EXIST"
+ "9977": "DNS_ERROR_CLIENT_SUBNET_ALREADY_EXISTS"
+ "9978": "DNS_ERROR_SUBNET_DOES_NOT_EXIST"
+ "9979": "DNS_ERROR_SUBNET_ALREADY_EXISTS"
+ "9980": "DNS_ERROR_POLICY_LOCKED"
+ "9981": "DNS_ERROR_POLICY_INVALID_WEIGHT"
+ "9982": "DNS_ERROR_POLICY_INVALID_NAME"
+ "9983": "DNS_ERROR_POLICY_MISSING_CRITERIA"
+ "9984": "DNS_ERROR_INVALID_CLIENT_SUBNET_NAME"
+ "9985": "DNS_ERROR_POLICY_PROCESSING_ORDER_INVALID"
+ "9986": "DNS_ERROR_POLICY_SCOPE_MISSING"
+ "9987": "DNS_ERROR_POLICY_SCOPE_NOT_ALLOWED"
+ "9988": "DNS_ERROR_SERVERSCOPE_IS_REFERENCED"
+ "9989": "DNS_ERROR_ZONESCOPE_IS_REFERENCED"
+ "9990": "DNS_ERROR_POLICY_INVALID_CRITERIA_CLIENT_SUBNET"
+ "9991": "DNS_ERROR_POLICY_INVALID_CRITERIA_TRANSPORT_PROTOCOL"
+ "9992": "DNS_ERROR_POLICY_INVALID_CRITERIA_NETWORK_PROTOCOL"
+ "9993": "DNS_ERROR_POLICY_INVALID_CRITERIA_INTERFACE"
+ "9994": "DNS_ERROR_POLICY_INVALID_CRITERIA_FQDN"
+ "9995": "DNS_ERROR_POLICY_INVALID_CRITERIA_QUERY_TYPE"
+ "9996": "DNS_ERROR_POLICY_INVALID_CRITERIA_TIME_OF_DAY"
+ "10054": "WSAECONNRESET"
+ "10055": "WSAENOBUFS"
+ "10060": "WSAETIMEDOUT"
+ if: ctx?.sysmon?.dns?.status != null && ctx?.sysmon?.dns?.status != ""
+ source: |-
+ def status = params[ctx.sysmon.dns.status];
+ if (status != null) {
+ ctx.sysmon.dns.status = status;
+ }
+ - convert:
+ field: winlog.event_data.Archived
+ target_field: sysmon.file.archived
+ type: boolean
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: winlog.event_data.IsExecutable
+ target_field: sysmon.file.is_executable
+ type: boolean
+ ignore_missing: true
+ ignore_failure: true
+
+## Related fields
+
+ - append:
+ field: related.user
+ value: "{{user.name}}"
+ ignore_failure: true
+ allow_duplicates: false
+ if: ctx?.user?.name != null && ctx.user.name != ""
+ - append:
+ field: related.ip
+ value: "{{source.ip}}"
+ ignore_failure: true
+ allow_duplicates: false
+ if: ctx?.source?.ip != null && ctx.source.ip != ""
+ - append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ ignore_failure: true
+ allow_duplicates: false
+ if: ctx?.destination?.ip != null && ctx.destination.ip != ""
+
+## Registry fields
+
+ - script:
+ description: Set registry fields.
+ lang: painless
+ if: |-
+ ctx?.winlog?.event_data?.TargetObject != null && ["12", "13", "14"].contains(ctx.event.code)
+ params:
+ HKEY_CLASSES_ROOT: "HKCR"
+ HKCR: "HKCR"
+ HKEY_CURRENT_CONFIG: "HKCC"
+ HKCC: "HKCC"
+ HKEY_CURRENT_USER: "HKCU"
+ HKCU: "HKCU"
+ HKEY_DYN_DATA: "HKDD"
+ HKDD: "HKDD"
+ HKEY_LOCAL_MACHINE: "HKLM"
+ HKLM: "HKLM"
+ HKEY_PERFORMANCE_DATA: "HKPD"
+ HKPD: "HKPD"
+ HKEY_USERS: "HKU"
+ HKU: "HKU"
+ source: |-
+ ctx.registry = new HashMap();
+ Pattern qwordRegex = /(?i)QWORD \(((0x[0-9A-F]{8})-(0x[0-9A-F]{8}))\)/;
+ Pattern dwordRegex = /(?i)DWORD \((0x[0-9A-F]{8})\)/;
+ Pattern binDataRegex = /Binary Data/;
+
+ def path = ctx.winlog.event_data.TargetObject;
+ ctx.registry.path = path;
+
+ def pathTokens = Arrays.asList(/\\/.split(path));
+ def hive = params[pathTokens[0]];
+ if (hive != null) {
+ ctx.registry.hive = hive;
+ if (pathTokens.length > 1) {
+ ctx.registry.key = pathTokens.subList(1, pathTokens.length).join("\\");
+ }
+ }
+
+ def value = pathTokens[pathTokens.length - 1];
+ ctx.registry.value = value;
+
+ def data = ctx?.winlog?.event_data?.Details;
+ if (data != null && data != "") {
+ def prefixLen = 2; // to remove 0x prefix
+ def dataValue = "";
+ def dataType = "";
+ def matcher = qwordRegex.matcher(data);
+ if (matcher.matches()) {
+ def parsedHighByte = Long.parseLong(matcher.group(2).substring(prefixLen), 16);
+ def parsedLowByte = Long.parseLong(matcher.group(3).substring(prefixLen), 16);
+ if (!Double.isNaN(parsedHighByte) && !Double.isNaN(parsedLowByte)) {
+ dataType = "SZ_QWORD";
+ dataValue = Long.toString(((parsedHighByte << 8) + parsedLowByte));
+ ctx.registry.data = [
+ "strings": [dataValue],
+ "type": dataType
+ ];
+ }
+ return;
+ }
+
+ matcher = dwordRegex.matcher(data);
+ if (matcher.matches()) {
+ def parsedValue = Long.parseLong(matcher.group(1).substring(prefixLen), 16);
+ if (!Double.isNaN(parsedValue)) {
+ dataType = "SZ_DWORD";
+ dataValue = Long.toString(parsedValue);
+ ctx.registry.data = [
+ "strings": [dataValue],
+ "type": dataType
+ ];
+ }
+ return;
+ }
+
+ matcher = binDataRegex.matcher(data);
+ if (matcher.matches()) {
+ // Data type could be REG_BINARY or REG_MULTI_SZ
+ ctx.registry.data = [
+ "strings": [data],
+ "type": "REG_BINARY"
+ ];
+ return;
+ }
+
+ // REG_SZ or REG_EXPAND_SZ
+ ctx.registry.data = [
+ "strings": [data],
+ "type": "REG_SZ"
+ ];
+ }
+
+## Cleanup
+
+ - remove:
+ field:
+ - _temp
+ - winlog.event_data.ProcessId
+ - winlog.event_data.ParentProcessId
+ - winlog.event_data.SourceProcessId
+ - winlog.event_data.SourceThreadId
+ - winlog.event_data.SourceIp
+ - winlog.event_data.SourcePort
+ - winlog.event_data.SourcePortName
+ - winlog.event_data.DestinationIp
+ - winlog.event_data.DestinationPort
+ - winlog.event_data.DestinationPortName
+ - winlog.event_data.RuleName
+ - winlog.event_data.User
+ - winlog.event_data.Initiated
+ - winlog.event_data.SourceIsIpv6
+ - winlog.event_data.DestinationIsIpv6
+ - winlog.event_data.QueryStatus
+ - winlog.event_data.Archived
+ - winlog.event_data.IsExecutable
+ - winlog.event_data.QueryResults
+ - winlog.event_data.UtcTime
+ - winlog.event_data.Hash
+ - winlog.event_data.Hashes
+ - winlog.event_data.TargetObject
+ - winlog.event_data.Details
+ - winlog.time_created
+ - winlog.level
+ ignore_failure: true
+ ignore_missing: true
+ - remove:
+ description: Remove empty event data.
+ field: winlog.event_data
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.winlog?.event_data != null && ctx.winlog.event_data.size() == 0
+
+on_failure:
+ - set:
+ field: "error.message"
+ value: |-
+ Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}"
diff --git a/packages/windows/1.12.1/data_stream/sysmon_operational/fields/agent.yml b/packages/windows/1.12.1/data_stream/sysmon_operational/fields/agent.yml
new file mode 100755
index 0000000000..da4e652c53
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/sysmon_operational/fields/agent.yml
@@ -0,0 +1,198 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
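Review bot: The `example: 666777888999` under `cloud.account.id` is an unquoted all-digit scalar, so a YAML loader types it as an integer even though the field is declared `type: keyword`; it should be written `example: "666777888999"`, matching the quoting already used for `example: "18D109"` and `example: "stretch"` further down in the same file. The other examples here (`i-1234567890abcdef0`, `4.4.0-112-generic`, `10.14.1`) are not number-shaped and need no change. Separately, the last three entries (`containerized`, `os.build`, `os.codename`) use `description: >` followed by a blank line, which appears to leave a trailing newline in the description value that the rest of the file's descriptions do not carry; `>-` would make them consistent.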
diff --git a/packages/windows/1.12.1/data_stream/sysmon_operational/fields/base-fields.yml b/packages/windows/1.12.1/data_stream/sysmon_operational/fields/base-fields.yml
new file mode 100755
index 0000000000..2d622167df
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/sysmon_operational/fields/base-fields.yml
@@ -0,0 +1,34 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: dataset.type
+ type: constant_keyword
+ description: Dataset type.
+- name: dataset.name
+ type: constant_keyword
+ description: Dataset name.
+- name: dataset.namespace
+ type: constant_keyword
+ description: Dataset namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: windows
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: windows.sysmon_operational
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: tags
+ description: List of keywords used to tag each event.
+ example: '["production", "env2"]'
+ ignore_above: 1024
+ type: keyword
diff --git a/packages/windows/1.12.1/data_stream/sysmon_operational/fields/beats.yml b/packages/windows/1.12.1/data_stream/sysmon_operational/fields/beats.yml
new file mode 100755
index 0000000000..3c48f1f224
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/sysmon_operational/fields/beats.yml
@@ -0,0 +1,3 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
diff --git a/packages/windows/1.12.1/data_stream/sysmon_operational/fields/ecs.yml b/packages/windows/1.12.1/data_stream/sysmon_operational/fields/ecs.yml
new file mode 100755
index 0000000000..9f34a703c2
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/sysmon_operational/fields/ecs.yml
@@ -0,0 +1,515 @@
+- description: |-
+ The domain name of the destination system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: destination.domain
+ type: keyword
+- description: IP address of the destination (IPv4 or IPv6).
+ name: destination.ip
+ type: ip
+- description: Port of the destination.
+ name: destination.port
+ type: long
+- description: |-
+ An array containing an object for each answer section returned by the server.
+ The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines.
+ Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields.
+ name: dns.answers
+ type: object
+- description: The class of DNS data contained in this resource record.
+ name: dns.answers.class
+ type: keyword
+- description: |-
+ The data describing the resource.
+ The meaning of this data depends on the type and class of the resource record.
+ name: dns.answers.data
+ type: keyword
+- description: |-
+ The domain name to which this resource record pertains.
+ If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated.
+ name: dns.answers.name
+ type: keyword
+- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.
+ name: dns.answers.ttl
+ type: long
+- description: The type of data contained in this resource record.
+ name: dns.answers.type
+ type: keyword
+- description: |-
+ Array of 2 letter DNS header flags.
+ Expected values are: AA, TC, RD, RA, AD, CD, DO.
+ name: dns.header_flags
+ type: keyword
+- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
+ name: dns.id
+ type: keyword
+- description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response.
+ name: dns.op_code
+ type: keyword
+- description: The class of records being queried.
+ name: dns.question.class
+ type: keyword
+- description: |-
+ The name being queried.
+ If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.
+ name: dns.question.name
+ type: keyword
+- description: |-
+ The highest registered domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: dns.question.registered_domain
+ type: keyword
+- description: |-
+ The subdomain is all of the labels under the registered_domain.
+ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: dns.question.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: dns.question.top_level_domain
+ type: keyword
+- description: The type of record being queried.
+ name: dns.question.type
+ type: keyword
+- description: |-
+ Array containing all IPs seen in `answers.data`.
+ The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for.
+ name: dns.resolved_ip
+ type: ip
+- description: The DNS response code.
+ name: dns.response_code
+ type: keyword
+- description: |-
+ The type of DNS event captured, query or answer.
+ If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`.
+ If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers.
+ name: dns.type
+ type: keyword
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: Error code describing the error.
+ name: error.code
+ type: keyword
+- description: Error message.
+ name: error.message
+ type: match_only_text
+- description: |-
+ The action captured by the event.
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+ name: event.action
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
+ `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
+ This field is an array. This will allow proper categorization of some events that fall in multiple categories.
+ name: event.category
+ type: keyword
+- description: |-
+ Identification code for this event, if one exists.
+ Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
+ name: event.code
+ type: keyword
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: |-
+ Timestamp when an event arrived in the central data store.
+ This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
+ In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
+ name: event.ingested
+ type: date
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
+ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
+ name: event.kind
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
+ `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
+ Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
+ Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
+ name: event.outcome
+ type: keyword
+- description: |-
+ Source of the event.
+ Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
+ name: event.provider
+ type: keyword
+- description: |-
+ Sequence number of the event.
+ The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.
+ name: event.sequence
+ type: long
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
+ This field is an array. This will allow proper categorization of some events that fall in multiple event types.
+ name: event.type
+ type: keyword
+- description: Boolean to capture if a signature is present.
+ name: file.code_signature.exists
+ type: boolean
+- description: |-
+ Additional information about the certificate status.
+ This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+ name: file.code_signature.status
+ type: keyword
+- description: Subject name of the code signer
+ name: file.code_signature.subject_name
+ type: keyword
+- description: |-
+ Stores the trust status of the certificate chain.
+ Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
+ name: file.code_signature.trusted
+ type: boolean
+- description: |-
+ Boolean to capture if the digital signature is verified against the binary content.
+ Leave unpopulated if a certificate was unchecked.
+ name: file.code_signature.valid
+ type: boolean
+- description: Directory where the file is located. It should include the drive letter, when appropriate.
+ name: file.directory
+ type: keyword
+- description: |-
+ File extension, excluding the leading dot.
+ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+ name: file.extension
+ type: keyword
+- description: MD5 hash.
+ name: file.hash.md5
+ type: keyword
+- description: SHA1 hash.
+ name: file.hash.sha1
+ type: keyword
+- description: SHA256 hash.
+ name: file.hash.sha256
+ type: keyword
+- description: SHA512 hash.
+ name: file.hash.sha512
+ type: keyword
+- description: Name of the file including the extension, without the directory.
+ name: file.name
+ type: keyword
+- description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: file.path
+ type: keyword
+- description: CPU architecture target for the file.
+ name: file.pe.architecture
+ type: keyword
+- description: Internal company name of the file, provided at compile-time.
+ name: file.pe.company
+ type: keyword
+- description: Internal description of the file, provided at compile-time.
+ name: file.pe.description
+ type: keyword
+- description: Internal version of the file, provided at compile-time.
+ name: file.pe.file_version
+ type: keyword
+- description: |-
+ A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
+ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
+ name: file.pe.imphash
+ type: keyword
+- description: Internal name of the file, provided at compile-time.
+ name: file.pe.original_file_name
+ type: keyword
+- description: Internal product name of the file, provided at compile-time.
+ name: file.pe.product
+ type: keyword
+- description: |-
+ Name of the directory the group is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: group.domain
+ type: keyword
+- description: Unique identifier for the group on the system/platform.
+ name: group.id
+ type: keyword
+- description: Name of the group.
+ name: group.name
+ type: keyword
+- description: |-
+ Name of the host.
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
+ name: host.name
+ type: keyword
+- description: |-
+ Original log level of the log event.
+ If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
+ Some examples are `warn`, `err`, `i`, `informational`.
+ name: log.level
+ type: keyword
+- description: |-
+ For log events the message field contains the log message, optimized for viewing in a log viewer.
+ For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
+ If multiple messages exist, they can be combined into one message.
+ name: message
+ type: match_only_text
+- description: |-
+ A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
+ Learn more at https://github.com/corelight/community-id-spec.
+ name: network.community_id
+ type: keyword
+- description: |-
+ Direction of the network traffic.
+ Recommended values are:
+ * ingress
+ * egress
+ * inbound
+ * outbound
+ * internal
+ * external
+ * unknown
+
+ When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
+ When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
+ Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: |- + Array of process arguments, starting with the absolute path to the executable. + May be filtered to protect sensitive information. + name: process.args + type: keyword +- description: |- + Length of the process.args array. + This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + name: process.args_count + type: long +- description: |- + Full command line that started the process, including the absolute path to the executable, and all arguments. + Some arguments may be filtered to protect sensitive information. + multi_fields: + - name: text + type: match_only_text + name: process.command_line + type: wildcard +- description: |- + Unique identifier for the process. 
+ The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + name: process.entity_id + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.executable + type: keyword +- description: MD5 hash. + name: process.hash.md5 + type: keyword +- description: SHA1 hash. + name: process.hash.sha1 + type: keyword +- description: SHA256 hash. + name: process.hash.sha256 + type: keyword +- description: SHA512 hash. + name: process.hash.sha512 + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: |- + Array of process arguments, starting with the absolute path to the executable. + May be filtered to protect sensitive information. + name: process.parent.args + type: keyword +- description: |- + Length of the process.args array. + This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + name: process.parent.args_count + type: long +- description: |- + Full command line that started the process, including the absolute path to the executable, and all arguments. + Some arguments may be filtered to protect sensitive information. + multi_fields: + - name: text + type: match_only_text + name: process.parent.command_line + type: wildcard +- description: |- + Unique identifier for the process. 
+ The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + name: process.parent.entity_id + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.parent.executable + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.parent.name + type: keyword +- description: Process id. + name: process.parent.pid + type: long +- description: CPU architecture target for the file. + name: process.pe.architecture + type: keyword +- description: Internal company name of the file, provided at compile-time. + name: process.pe.company + type: keyword +- description: Internal description of the file, provided at compile-time. + name: process.pe.description + type: keyword +- description: Internal version of the file, provided at compile-time. + name: process.pe.file_version + type: keyword +- description: |- + A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + name: process.pe.imphash + type: keyword +- description: Internal name of the file, provided at compile-time. + name: process.pe.original_file_name + type: keyword +- description: Internal product name of the file, provided at compile-time. + name: process.pe.product + type: keyword +- description: Process id. 
+ name: process.pid + type: long +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: The working directory of the process. + multi_fields: + - name: text + type: match_only_text + name: process.working_directory + type: keyword +- description: |- + Content when writing string types. + Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). + name: registry.data.strings + type: wildcard +- description: Standard registry type for encoding contents + name: registry.data.type + type: keyword +- description: Abbreviated name for the hive. + name: registry.hive + type: keyword +- description: Hive-relative path of keys. + name: registry.key + type: keyword +- description: Full path, including hive, key and value + name: registry.path + type: keyword +- description: Name of the value written. + name: registry.value + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. 
+ name: related.user + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: |- + Name of the service data is collected from. + The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. + In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + name: service.name + type: keyword +- description: |- + The type of the service data is collected from. + The type can be used to group and correlate logs and metrics from one service type. + Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. + name: service.type + type: keyword +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Port of the source. + name: source.port + type: long +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: user.target.group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. 
+ name: user.target.group.id
+ type: keyword
+- description: Name of the group.
+ name: user.target.group.name
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.target.name
+ type: keyword
diff --git a/packages/windows/1.12.1/data_stream/sysmon_operational/fields/fields.yml b/packages/windows/1.12.1/data_stream/sysmon_operational/fields/fields.yml
new file mode 100755
index 0000000000..fe766a8460
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/sysmon_operational/fields/fields.yml
@@ -0,0 +1,9 @@
+- name: sysmon.dns.status
+ type: keyword
+ description: Windows status code returned for the DNS query.
+- name: sysmon.file.archived
+ type: boolean
+ description: Indicates if the deleted file was archived.
+- name: sysmon.file.is_executable
+ type: boolean
+ description: Indicates if the deleted file was an executable.
diff --git a/packages/windows/1.12.1/data_stream/sysmon_operational/fields/winlog.yml b/packages/windows/1.12.1/data_stream/sysmon_operational/fields/winlog.yml
new file mode 100755
index 0000000000..85152cf774
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/sysmon_operational/fields/winlog.yml
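Review bot: The description of `sysmon.dns.status` in fields.yml, `Windows status code returned for the DNS query.`, does not match the sample event added in this same change, where the field carries the symbolic name `SUCCESS` while the raw `QueryStatus` in `event.original` is `0`. If the pipeline maps the numeric code to a name (the sample suggests it, but this hunk does not show it), the field doc should say so, e.g. `description: Windows status code returned for the DNS query, rendered as its symbolic name (e.g. SUCCESS) when known.` The two boolean `sysmon.file.*` descriptions read fine as they are.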
@@ -0,0 +1,371 @@
+- name: winlog
+ type: group
+ description: >
+ All fields specific to the Windows Event Log are defined here.
+
+ fields:
+ - name: api
+ required: true
+ type: keyword
+ description: >
+ The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API.
+
+ The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs.
+
+ - name: activity_id
+ type: keyword
+ required: false
+ description: >
+ A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.
+
+ - name: computer_name
+ type: keyword
+ required: true
+ description: >
+ The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`.
+
+ - name: event_data
+ type: object
+ object_type: keyword
+ required: false
+ description: >
+ The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows.
+
+ - name: event_data
+ type: group
+ description: >
+ This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs.
+
+ fields:
+ - name: AuthenticationPackageName
+ type: keyword
+ - name: Binary
+ type: keyword
+ - name: BitlockerUserInputTime
+ type: keyword
+ - name: BootMode
+ type: keyword
+ - name: BootType
+ type: keyword
+ - name: BuildVersion
+ type: keyword
+ - name: ClientInfo
+ type: keyword
+ - name: Company
+ type: keyword
+ - name: Configuration
+ type: keyword
+ - name: CorruptionActionState
+ type: keyword
+ - name: CreationUtcTime
+ type: keyword
+ - name: Description
+ type: keyword
+ - name: Detail
+ type: keyword
+ - name: DeviceName
+ type: keyword
+ - name: DeviceNameLength
+ type: keyword
+ - name: DeviceTime
+ type: keyword
+ - name: DeviceVersionMajor
+ type: keyword
+ - name: DeviceVersionMinor
+ type: keyword
+ - name: DriveName
+ type: keyword
+ - name: DriverName
+ type: keyword
+ - name: DriverNameLength
+ type: keyword
+ - name: DwordVal
+ type: keyword
+ - name: EntryCount
+ type: keyword
+ - name: EventType
+ type: keyword
+ - name: ExtraInfo
+ type: keyword
+ - name: FailureName
+ type: keyword
+ - name: FailureNameLength
+ type: keyword
+ - name: FileVersion
+ type: keyword
+ - name: FinalStatus
+ type: keyword
+ - name: Group
+ type: keyword
+ - name: IdleImplementation
+ type: keyword
+ - name: IdleStateCount
+ type: keyword
+ - name: ImpersonationLevel
+ type: keyword
+ - name: IntegrityLevel
+ type: keyword
+ - name: IpAddress
+ type: keyword
+ - name: IpPort
+ type: keyword
+ - name: KeyLength
+ type: keyword
+ - name: LastBootGood
+ type: keyword
+ - name: LastShutdownGood
+ type: keyword
+ - name: LmPackageName
+ type: keyword
+ - name: LogonGuid
+ type: keyword
+ - name: LogonId
+ type: keyword
+ - name: LogonProcessName
+ type: keyword
+ - name: LogonType
+ type: keyword
+ - name: MajorVersion
+ type: keyword
+ - name: MaximumPerformancePercent
+ type: keyword
+ - name: MemberName
+ type: keyword
+ - name: MemberSid
+ type: keyword
+ - name: MinimumPerformancePercent
+ type: keyword
+ - name: MinimumThrottlePercent
+ type: keyword
+ - name: MinorVersion
+ type: keyword
+ - name: NewProcessId
+ type: keyword
+ - name: NewProcessName
+ type: keyword
+ - name: NewSchemeGuid
+ type: keyword
+ - name: NewTime
+ type: keyword
+ - name: NominalFrequency
+ type: keyword
+ - name: Number
+ type: keyword
+ - name: OldSchemeGuid
+ type: keyword
+ - name: OldTime
+ type: keyword
+ - name: OriginalFileName
+ type: keyword
+ - name: Path
+ type: keyword
+ - name: PerformanceImplementation
+ type: keyword
+ - name: PreviousCreationUtcTime
+ type: keyword
+ - name: PreviousTime
+ type: keyword
+ - name: PrivilegeList
+ type: keyword
+ - name: ProcessId
+ type: keyword
+ - name: ProcessName
+ type: keyword
+ - name: ProcessPath
+ type: keyword
+ - name: ProcessPid
+ type: keyword
+ - name: Product
+ type: keyword
+ - name: PuaCount
+ type: keyword
+ - name: PuaPolicyId
+ type: keyword
+ - name: QfeVersion
+ type: keyword
+ - name: Reason
+ type: keyword
+ - name: SchemaVersion
+ type: keyword
+ - name: ScriptBlockText
+ type: keyword
+ - name: ServiceName
+ type: keyword
+ - name: ServiceVersion
+ type: keyword
+ - name: Session
+ type: keyword
+ - name: ShutdownActionType
+ type: keyword
+ - name: ShutdownEventCode
+ type: keyword
+ - name: ShutdownReason
+ type: keyword
+ - name: Signature
+ type: keyword
+ - name: SignatureStatus
+ type: keyword
+ - name: Signed
+ type: keyword
+ - name: StartTime
+ type: keyword
+ - name: State
+ type: keyword
+ - name: Status
+ type: keyword
+ - name: StopTime
+ type: keyword
+ - name: SubjectDomainName
+ type: keyword
+ - name: SubjectLogonId
+ type: keyword
+ - name: SubjectUserName
+ type: keyword
+ - name: SubjectUserSid
+ type: keyword
+ - name: TSId
+ type: keyword
+ - name: TargetDomainName
+ type: keyword
+ - name: TargetInfo
+ type: keyword
+ - name: TargetLogonGuid
+ type: keyword
+ - name: TargetLogonId
+ type: keyword
+ - name: TargetServerName
+ type: keyword
+ - name: TargetUserName
+ type: keyword
+ - name: TargetUserSid
+ type: keyword
+ - name: TerminalSessionId
+ type: keyword
+ - name: TokenElevationType
+ type: keyword
+ - name: TransmittedServices
+ type: keyword
+ - name: Type
+ type: keyword
+ - name: UserSid
+ type: keyword
+ - name: Version
+ type: keyword
+ - name: Workstation
+ type: keyword
+ - name: param1
+ type: keyword
+ - name: param2
+ type: keyword
+ - name: param3
+ type: keyword
+ - name: param4
+ type: keyword
+ - name: param5
+ type: keyword
+ - name: param6
+ type: keyword
+ - name: param7
+ type: keyword
+ - name: param8
+ type: keyword
+ - name: event_id
+ type: keyword
+ required: true
+ description: >
+ The event identifier. The value is specific to the source of the event.
+
+ - name: keywords
+ type: keyword
+ required: false
+ description: >
+ The keywords are used to classify an event.
+
+ - name: channel
+ type: keyword
+ required: true
+ description: >
+ The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration.
+
+ - name: record_id
+ type: keyword
+ required: true
+ description: >
+ The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0.
+
+ - name: related_activity_id
+ type: keyword
+ required: false
+ description: >
+ A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier.
+
+ - name: opcode
+ type: keyword
+ required: false
+ description: >
+ The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
+
+ - name: provider_guid
+ type: keyword
+ required: false
+ description: >
+ A globally unique identifier that identifies the provider that logged the event.
+
+ - name: process.pid
+ type: long
+ required: false
+ description: >
+ The process_id of the Client Server Runtime Process.
+
+ - name: provider_name
+ type: keyword
+ required: true
+ description: >
+ The source of the event log record (the application or service that logged the record).
+
+ - name: task
+ type: keyword
+ required: false
+ description: >
+ The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field.
+
+ - name: process.thread.id
+ type: long
+ required: false
+ - name: user_data
+ type: object
+ object_type: keyword
+ required: false
+ description: >
+ The event specific data. This field is mutually exclusive with `event_data`.
+
+ - name: user.identifier
+ type: keyword
+ required: false
+ example: S-1-5-21-3541430928-2051711210-1391384369-1001
+ description: >
+ The Windows security identifier (SID) of the account associated with this event.
+
+ If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be.
+
+ - name: user.name
+ type: keyword
+ description: >
+ Name of the user associated with this event.
+
+ - name: user.domain
+ type: keyword
+ required: false
+ description: >
+ The domain that the account associated with this event is a member of.
+
+ - name: user.type
+ type: keyword
+ required: false
+ description: >
+ The type of account associated with this event.
+
+ - name: version
+ type: long
+ required: false
+ description: The version number of the event's definition.
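Review bot: `process.thread.id` is the only entry in the `winlog` group without a `description`, while its sibling `process.pid` documents what it holds; since these descriptions feed the generated field tables, add a one-line `description: >` in the same style stating which thread ID the field records. In the same hunk `user.name` lacks the `required: false` that every other optional field in the list carries, and `event_data` is declared twice (first as `type: object`, then as `type: group`), which looks deliberate but would read better with a comment above the second entry noting that the group only adds template mappings for well-known parameter names. Both are style points; the mappings themselves look consistent across the list.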
diff --git a/packages/windows/1.12.1/data_stream/sysmon_operational/manifest.yml b/packages/windows/1.12.1/data_stream/sysmon_operational/manifest.yml
new file mode 100755
index 0000000000..24eb2f3039
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/sysmon_operational/manifest.yml
@@ -0,0 +1,97 @@
+type: logs
+title: Windows Sysmon/Operational events
+streams:
+ - input: winlog
+ template_path: winlog.yml.hbs
+ title: Sysmon Operational
+ description: 'Collect Microsoft-Windows-Sysmon/Operational channel logs'
+ vars:
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: >-
+ Preserves a raw copy of the original XML event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: event_id
+ type: text
+ title: Event ID
+ description: >-
+ A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Limit 22 IDs.
+ required: false
+ show_user: false
+ - name: ignore_older
+ type: text
+ title: Ignore events older than
+ default: 72h
+ required: false
+ show_user: false
+ description: >-
+ If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+ - name: language
+ type: text
+ title: Language ID
+ description: >-
+ The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c[here]. It defaults to `0`, which indicates to use the system language. E.g.: 0x0409 for en-US
+ required: false
+ show_user: false
+ default: 0
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: httpjson
+ title: Windows Sysmon Operational Events via Splunk Enterprise REST API
+ description: Collect Sysmon Operational Events via Splunk Enterprise REST API
+ enabled: false
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: interval
+ type: text
+ title: Interval to query Splunk Enterprise REST API
+ description: Go Duration syntax (eg. 10s)
+ show_user: true
+ required: true
+ default: 10s
+ - name: search
+ type: text
+ title: Splunk search string
+ show_user: false
+ required: true
+ default: "search sourcetype=\"XmlWinEventLog:Microsoft-Windows-Sysmon/Operational\""
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ default:
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
diff --git a/packages/windows/1.12.1/data_stream/sysmon_operational/sample_event.json b/packages/windows/1.12.1/data_stream/sysmon_operational/sample_event.json
new file mode 100755
index 0000000000..0e68166259
--- /dev/null
+++ b/packages/windows/1.12.1/data_stream/sysmon_operational/sample_event.json
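Review bot: `default: 0` on the `language` var is an unquoted YAML integer on a var declared `type: text`, and the description itself says the default is `0` as a string; quote it as `default: "0"` so the default carries the same type as the var (the `interval` and `search` defaults in the httpjson stream already use string defaults). The `language` description also uses AsciiDoc-style link syntax (`https://...[here]`) while the `processors` descriptions in the same file use Markdown `[Processors](...)`; pick one so the text renders consistently in the UI. Lastly, the two `preserve_original_event` descriptions differ (`original XML event` vs `original event`), which is harmless but worth aligning.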
@@ -0,0 +1,126 @@
+{
+ "@timestamp": "2019-07-18T03:34:01.261Z",
+ "agent": {
+ "ephemeral_id": "0670a96e-1852-42bc-b667-66e022ab1c89",
+ "hostname": "docker-fleet-agent",
+ "id": "0d57cbc7-6410-455a-840c-08fd44507a26",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.17.0"
+ },
+ "data_stream": {
+ "dataset": "windows.sysmon_operational",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "www-msn-com.a-0003.a-msedge.net",
+ "type": "CNAME"
+ },
+ {
+ "data": "a-0003.a-msedge.net",
+ "type": "CNAME"
+ },
+ {
+ "data": "204.79.197.203",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "name": "www.msn.com",
+ "registered_domain": "msn.com",
+ "subdomain": "www",
+ "top_level_domain": "com"
+ },
+ "resolved_ip": [
+ "204.79.197.203"
+ ]
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "0d57cbc7-6410-455a-840c-08fd44507a26",
+ "snapshot": false,
+ "version": "7.17.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": [
+ "network"
+ ],
+ "code": "22",
+ "created": "2019-07-18T03:34:02.025Z",
+ "dataset": "windows.sysmon_operational",
+ "ingested": "2022-03-31T08:42:26Z",
+ "kind": "event",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025237700Z'/\u003e\u003cEventRecordID\u003e67\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.261\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "provider": "Microsoft-Windows-Sysmon",
+ "type": [
+ "connection",
+ "protocol",
+ "info"
+ ]
+ },
+ "host": {
+ "name": "vagrant-2016"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "log": {
+ "level": "information"
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
+ "name": "iexplore.exe",
+ "pid": 2736
+ },
+ "related": {
+ "hosts": [
+ "www-msn-com.a-0003.a-msedge.net",
+ "a-0003.a-msedge.net",
+ "www.msn.com"
+ ],
+ "ip": [
+ "204.79.197.203"
+ ]
+ },
+ "sysmon": {
+ "dns": {
+ "status": "SUCCESS"
+ }
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ],
+ "user": {
+ "id": "S-1-5-18"
+ },
+ "winlog": {
+ "channel": "Microsoft-Windows-Sysmon/Operational",
+ "computer_name": "vagrant-2016",
+ "event_id": "22",
+ "opcode": "Info",
+ "process": {
+ "pid": 2828,
+ "thread": {
+ "id": 1684
+ }
+ },
+ "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_name": "Microsoft-Windows-Sysmon",
+ "record_id": "67",
+ "user": {
+ "identifier": "S-1-5-18"
+ },
+ "version": 5
+ }
+}
\ No newline at end of file
diff --git a/packages/windows/1.12.1/docs/README.md b/packages/windows/1.12.1/docs/README.md
new file mode 100755
index 0000000000..2f9e3154f8
--- /dev/null
+++ b/packages/windows/1.12.1/docs/README.md
@@ -0,0 +1,1268 @@ +# Windows Integration + +The Windows package allows you to monitor the Windows os, services, applications etc. Because the Windows integration +always applies to the local server, the `hosts` config option is not needed. Note that for 7.11, `security`, `application` and `system` logs have been moved to the system package. + +## Compatibility + +The Windows datasets collect different kinds of metric data, which may require dedicated permissions +to be fetched and which may vary across operating systems. + +## Configuration + +### Ingesting Windows Events via Splunk + +This integration offers the ability to seamlessly ingest data from a Splunk Enterprise instance. +These integrations work by using the [httpjson input](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html) in Elastic Agent to run a Splunk search via the Splunk REST API and then extract the raw event from the results. +The raw event is then processed via the Elastic Agent. +The Splunk search is customizable and the interval between searches is customizable. +For more information on the Splunk API integration please see [here](https://www.elastic.co/guide/en/observability/current/ingest-splunk.html). + +This integration requires Windows Events from Splunk to be in XML format. +To achieve this, `renderXml` needs to be set to `1` in your [inputs.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf) file. + +## Metrics + +### Service + +The Windows `service` dataset provides service details. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. 
The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| windows.service.display_name | The display name of the service. | keyword | +| windows.service.exit_code | For `Stopped` services this is the error code that service reports when starting to stopping. This will be the generic Windows service error code unless the service provides a service-specific error code. | keyword | +| windows.service.id | A unique ID for the service. It is a hash of the machine's GUID and the service name. | keyword | +| windows.service.name | The service name. | keyword | +| windows.service.path_name | Fully qualified path to the file that implements the service, including arguments. | keyword | +| windows.service.pid | For `Running` services this is the associated process PID. | long | +| windows.service.start_name | Account name under which a service runs. | keyword | +| windows.service.start_type | The startup type of the service. The possible values are `Automatic`, `Boot`, `Disabled`, `Manual`, and `System`. | keyword | +| windows.service.state | The actual state of the service. The possible values are `Continuing`, `Pausing`, `Paused`, `Running`, `Starting`, `Stopping`, and `Stopped`. 
| keyword | +| windows.service.uptime.ms | The service's uptime specified in milliseconds. | long | + + + +### Perfmon + +The Windows `perfmon` dataset provides performance counter values. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| windows.perfmon.instance | Instance value. | keyword | +| windows.perfmon.metrics.\*.\* | Metric values returned. | object | +| windows.perfmon.object | Object value. | keyword | + + + +Both datasets are available on Windows only. + +## Logs + +### Forwarded + +The Windows `forwarded` dataset provides events from the Windows +`ForwardedEvents` event log. The fields will be the same as the +channel specific datasets. + +### Powershell + +The Windows `powershell` dataset provides events from the Windows +`Windows PowerShell` event log. 
+ +An example event for `powershell` looks as following: + +```json +{ + "@timestamp": "2020-05-13T13:21:43.183Z", + "agent": { + "ephemeral_id": "9c05a45c-02bf-4437-9447-8591244dbdca", + "hostname": "docker-fleet-agent", + "id": "0d57cbc7-6410-455a-840c-08fd44507a26", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "data_stream": { + "dataset": "windows.powershell", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "0d57cbc7-6410-455a-840c-08fd44507a26", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "category": "process", + "code": "600", + "created": "2022-03-31T08:41:12.816Z", + "dataset": "windows.powershell", + "ingested": "2022-03-31T08:41:16Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:21:43.183180900Z'/\u003e\u003cEventRecordID\u003e1089\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=35\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=86edc16f-6943-469e-8bd8-ef1857080206\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe 
C:\\Users\\vagrant\\Desktop\\lateral.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=9d21da0b-e402-40e1-92ff-98c5ab1137a9\n\tPipelineId=15\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:25:04.656426900Z'/\u003e\u003cEventRecordID\u003e1266\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eRegistry\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Registry\n\tNewProviderState=Started\n\n\tSequenceNumber=1\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=44b8d66c-f5a2-4abb-ac7d-6db73990a6d3\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-06-04T07:25:04.857430200Z'/\u003e\u003cEventRecordID\u003e18640\u003c/EventRecordID\u003e\u003cChannel\u003eWindows 
PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=8\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=99a16837-7392-463d-afe5-5f3ed24bd358\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "PowerShell", + "sequence": 35, + "type": "info" + }, + "host": { + "name": "vagrant" + }, + "input": { + "type": "httpjson" + }, + "log": { + "level": "information" + }, + "powershell": { + "engine": { + "version": "5.1.17763.1007" + }, + "pipeline_id": "15", + "process": { + "executable_version": "5.1.17763.1007" + }, + "provider": { + "name": "Certificate", + "new_state": "Started" + }, + "runspace_id": "9d21da0b-e402-40e1-92ff-98c5ab1137a9" + }, + "process": { + "args": [ + "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", + "C:\\Users\\vagrant\\Desktop\\lateral.ps1" + ], + "args_count": 2, + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1", + "entity_id": "86edc16f-6943-469e-8bd8-ef1857080206", + "title": "Windows PowerShell ISE Host" + }, + "tags": [ + "forwarded", + "preserve_original_event" + ], + "winlog": { + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": "600", + "keywords": [ + "Classic" + ], + "provider_name": "PowerShell", + "record_id": "1089" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| dataset.name | Dataset name. | constant_keyword | +| dataset.namespace | Dataset namespace. | constant_keyword | +| dataset.type | Dataset type. | constant_keyword | +| destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| destination.user.id | Unique identifier of the user. | keyword | +| destination.user.name | Short name or login of the user. | keyword | +| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. 
Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. 
| match_only_text | +| powershell.command.invocation_details | An array of objects containing detailed information of the executed command. | array | +| powershell.command.invocation_details.name | Only used for ParameterBinding detail type. Indicates the parameter name. | keyword | +| powershell.command.invocation_details.related_command | The command to which the detail is related to. | keyword | +| powershell.command.invocation_details.type | The type of detail. | keyword | +| powershell.command.invocation_details.value | The value of the detail. The meaning of it will depend on the detail type. | text | +| powershell.command.name | Name of the executed command. | keyword | +| powershell.command.path | Path of the executed command. | keyword | +| powershell.command.type | Type of the executed command. | keyword | +| powershell.command.value | The invoked command. | text | +| powershell.connected_user.domain | User domain. | keyword | +| powershell.connected_user.name | User name. | keyword | +| powershell.engine.new_state | New state of the PowerShell engine. | keyword | +| powershell.engine.previous_state | Previous state of the PowerShell engine. | keyword | +| powershell.engine.version | Version of the PowerShell engine version used to execute the command. | keyword | +| powershell.file.script_block_id | Id of the executed script block. | keyword | +| powershell.file.script_block_text | Text of the executed script block. | text | +| powershell.id | Shell Id. | keyword | +| powershell.pipeline_id | Pipeline id. | keyword | +| powershell.process.executable_version | Version of the engine hosting process executable. | keyword | +| powershell.provider.name | Provider name. | keyword | +| powershell.provider.new_state | New state of the PowerShell provider. | keyword | +| powershell.runspace_id | Runspace id. | keyword | +| powershell.sequence | Sequence number of the powershell execution. | long | +| powershell.total | Total number of messages in the sequence. 
| long | +| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | +| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | +| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | +| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.executable | Absolute path to the process executable. | keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.pid | Process id. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.title.text | Multi-field of `process.title`. | match_only_text | +| related.hash | All the hashes seen on your event. 
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| source.user.id | Unique identifier of the user. | keyword | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | +| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | +| winlog.channel | The name of the channel from which this record was read. 
This value is one of the names from the `event_logs` collection in the configuration. | keyword |
+| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword |
+| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object |
+| winlog.event_data.AuthenticationPackageName | | keyword |
+| winlog.event_data.Binary | | keyword |
+| winlog.event_data.BitlockerUserInputTime | | keyword |
+| winlog.event_data.BootMode | | keyword |
+| winlog.event_data.BootType | | keyword |
+| winlog.event_data.BuildVersion | | keyword |
+| winlog.event_data.Company | | keyword |
+| winlog.event_data.CorruptionActionState | | keyword |
+| winlog.event_data.CreationUtcTime | | keyword |
+| winlog.event_data.Description | | keyword |
+| winlog.event_data.Detail | | keyword |
+| winlog.event_data.DeviceName | | keyword |
+| winlog.event_data.DeviceNameLength | | keyword |
+| winlog.event_data.DeviceTime | | keyword |
+| winlog.event_data.DeviceVersionMajor | | keyword |
+| winlog.event_data.DeviceVersionMinor | | keyword |
+| winlog.event_data.DriveName | | keyword |
+| winlog.event_data.DriverName | | keyword |
+| winlog.event_data.DriverNameLength | | keyword |
+| winlog.event_data.DwordVal | | keyword |
+| winlog.event_data.EntryCount | | keyword |
+| winlog.event_data.ExtraInfo | | keyword |
+| winlog.event_data.FailureName | | keyword |
+| winlog.event_data.FailureNameLength | | keyword |
+| winlog.event_data.FileVersion | | keyword |
+| winlog.event_data.FinalStatus | | keyword |
+| winlog.event_data.Group | | keyword |
+| winlog.event_data.IdleImplementation | | keyword |
+| winlog.event_data.IdleStateCount | | keyword |
+| winlog.event_data.ImpersonationLevel | | keyword | +| winlog.event_data.IntegrityLevel | | keyword | +| winlog.event_data.IpAddress | | keyword | +| winlog.event_data.IpPort | | keyword | +| winlog.event_data.KeyLength | | keyword | +| winlog.event_data.LastBootGood | | keyword | +| winlog.event_data.LastShutdownGood | | keyword | +| winlog.event_data.LmPackageName | | keyword | +| winlog.event_data.LogonGuid | | keyword | +| winlog.event_data.LogonId | | keyword | +| winlog.event_data.LogonProcessName | | keyword | +| winlog.event_data.LogonType | | keyword | +| winlog.event_data.MajorVersion | | keyword | +| winlog.event_data.MaximumPerformancePercent | | keyword | +| winlog.event_data.MemberName | | keyword | +| winlog.event_data.MemberSid | | keyword | +| winlog.event_data.MinimumPerformancePercent | | keyword | +| winlog.event_data.MinimumThrottlePercent | | keyword | +| winlog.event_data.MinorVersion | | keyword | +| winlog.event_data.NewProcessId | | keyword | +| winlog.event_data.NewProcessName | | keyword | +| winlog.event_data.NewSchemeGuid | | keyword | +| winlog.event_data.NewTime | | keyword | +| winlog.event_data.NominalFrequency | | keyword | +| winlog.event_data.Number | | keyword | +| winlog.event_data.OldSchemeGuid | | keyword | +| winlog.event_data.OldTime | | keyword | +| winlog.event_data.OriginalFileName | | keyword | +| winlog.event_data.Path | | keyword | +| winlog.event_data.PerformanceImplementation | | keyword | +| winlog.event_data.PreviousCreationUtcTime | | keyword | +| winlog.event_data.PreviousTime | | keyword | +| winlog.event_data.PrivilegeList | | keyword | +| winlog.event_data.ProcessId | | keyword | +| winlog.event_data.ProcessName | | keyword | +| winlog.event_data.ProcessPath | | keyword | +| winlog.event_data.ProcessPid | | keyword | +| winlog.event_data.Product | | keyword | +| winlog.event_data.PuaCount | | keyword | +| winlog.event_data.PuaPolicyId | | keyword | +| winlog.event_data.QfeVersion | | keyword | +| 
winlog.event_data.Reason | | keyword | +| winlog.event_data.SchemaVersion | | keyword | +| winlog.event_data.ScriptBlockText | | keyword | +| winlog.event_data.ServiceName | | keyword | +| winlog.event_data.ServiceVersion | | keyword | +| winlog.event_data.ShutdownActionType | | keyword | +| winlog.event_data.ShutdownEventCode | | keyword | +| winlog.event_data.ShutdownReason | | keyword | +| winlog.event_data.Signature | | keyword | +| winlog.event_data.SignatureStatus | | keyword | +| winlog.event_data.Signed | | keyword | +| winlog.event_data.StartTime | | keyword | +| winlog.event_data.State | | keyword | +| winlog.event_data.Status | | keyword | +| winlog.event_data.StopTime | | keyword | +| winlog.event_data.SubjectDomainName | | keyword | +| winlog.event_data.SubjectLogonId | | keyword | +| winlog.event_data.SubjectUserName | | keyword | +| winlog.event_data.SubjectUserSid | | keyword | +| winlog.event_data.TSId | | keyword | +| winlog.event_data.TargetDomainName | | keyword | +| winlog.event_data.TargetInfo | | keyword | +| winlog.event_data.TargetLogonGuid | | keyword | +| winlog.event_data.TargetLogonId | | keyword | +| winlog.event_data.TargetServerName | | keyword | +| winlog.event_data.TargetUserName | | keyword | +| winlog.event_data.TargetUserSid | | keyword | +| winlog.event_data.TerminalSessionId | | keyword | +| winlog.event_data.TokenElevationType | | keyword | +| winlog.event_data.TransmittedServices | | keyword | +| winlog.event_data.UserSid | | keyword | +| winlog.event_data.Version | | keyword | +| winlog.event_data.Workstation | | keyword | +| winlog.event_data.param1 | | keyword | +| winlog.event_data.param2 | | keyword | +| winlog.event_data.param3 | | keyword | +| winlog.event_data.param4 | | keyword | +| winlog.event_data.param5 | | keyword | +| winlog.event_data.param6 | | keyword | +| winlog.event_data.param7 | | keyword | +| winlog.event_data.param8 | | keyword | +| winlog.event_id | The event identifier. 
The value is specific to the source of the event. | keyword | +| winlog.keywords | The keywords are used to classify an event. | keyword | +| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | +| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | +| winlog.process.thread.id | | long | +| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | +| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | +| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | +| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | +| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword | +| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | +| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. 
| keyword | +| winlog.user.name | Name of the user associated with this event. | keyword | +| winlog.user.type | The type of account associated with this event. | keyword | +| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object | +| winlog.version | The version number of the event's definition. | long | + + +### Powershell/Operational + +The Windows `powershell_operational` dataset provides events from the Windows +`Microsoft-Windows-PowerShell/Operational` event log. + +An example event for `powershell_operational` looks as following: + +```json +{ + "@timestamp": "2020-05-13T09:04:04.755Z", + "agent": { + "ephemeral_id": "d531ecae-45f4-4f96-a334-2c851a45469a", + "hostname": "docker-fleet-agent", + "id": "0d57cbc7-6410-455a-840c-08fd44507a26", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "data_stream": { + "dataset": "windows.powershell_operational", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "0d57cbc7-6410-455a-840c-08fd44507a26", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "category": "process", + "code": "4105", + "created": "2022-03-31T08:41:48.560Z", + "dataset": "windows.powershell_operational", + "ingested": "2022-03-31T08:41:49Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4105\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e102\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T09:04:04.755232500Z'/\u003e\u003cEventRecordID\u003e790\u003c/EventRecordID\u003e\u003cCorrelation 
ActivityID='{dd68516a-2930-0000-5962-68dd3029d601}'/\u003e\u003cExecution ProcessID='4204' ThreadID='1476'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003ef4a378ab-b74f-41a7-a5ef-6dd55562fdb9\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e9c031e5c-8d5a-4b91-a12e-b3624970b623\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-PowerShell", + "type": "start" + }, + "host": { + "name": "vagrant" + }, + "input": { + "type": "httpjson" + }, + "log": { + "level": "verbose" + }, + "powershell": { + "file": { + "script_block_id": "f4a378ab-b74f-41a7-a5ef-6dd55562fdb9" + }, + "runspace_id": "9c031e5c-8d5a-4b91-a12e-b3624970b623" + }, + "tags": [ + "forwarded", + "preserve_original_event" + ], + "user": { + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "winlog": { + "activity_id": "{dd68516a-2930-0000-5962-68dd3029d601}", + "channel": "Microsoft-Windows-PowerShell/Operational", + "computer_name": "vagrant", + "event_id": "4105", + "process": { + "pid": 4204, + "thread": { + "id": 1476 + } + }, + "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", + "provider_name": "Microsoft-Windows-PowerShell", + "record_id": "790", + "user": { + "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "version": 1 + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| dataset.name | Dataset name. | constant_keyword | +| dataset.namespace | Dataset namespace. | constant_keyword | +| dataset.type | Dataset type. | constant_keyword | +| destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| destination.user.id | Unique identifier of the user. | keyword | +| destination.user.name | Short name or login of the user. | keyword | +| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. 
Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. 
| date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.sequence | Sequence number of the event. 
The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. 
| keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| powershell.command.invocation_details | An array of objects containing detailed information of the executed command. | array | +| powershell.command.invocation_details.name | Only used for ParameterBinding detail type. Indicates the parameter name. 
| keyword | +| powershell.command.invocation_details.related_command | The command to which the detail is related to. | keyword | +| powershell.command.invocation_details.type | The type of detail. | keyword | +| powershell.command.invocation_details.value | The value of the detail. The meaning of it will depend on the detail type. | text | +| powershell.command.name | Name of the executed command. | keyword | +| powershell.command.path | Path of the executed command. | keyword | +| powershell.command.type | Type of the executed command. | keyword | +| powershell.command.value | The invoked command. | text | +| powershell.connected_user.domain | User domain. | keyword | +| powershell.connected_user.name | User name. | keyword | +| powershell.engine.new_state | New state of the PowerShell engine. | keyword | +| powershell.engine.previous_state | Previous state of the PowerShell engine. | keyword | +| powershell.engine.version | Version of the PowerShell engine version used to execute the command. | keyword | +| powershell.file.script_block_id | Id of the executed script block. | keyword | +| powershell.file.script_block_text | Text of the executed script block. | text | +| powershell.id | Shell Id. | keyword | +| powershell.pipeline_id | Pipeline id. | keyword | +| powershell.process.executable_version | Version of the engine hosting process executable. | keyword | +| powershell.provider.name | Provider name. | keyword | +| powershell.provider.new_state | New state of the PowerShell provider. | keyword | +| powershell.runspace_id | Runspace id. | keyword | +| powershell.sequence | Sequence number of the powershell execution. | long | +| powershell.total | Total number of messages in the sequence. | long | +| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | +| process.args_count | Length of the process.args array. 
This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | +| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | +| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.executable | Absolute path to the process executable. | keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.pid | Process id. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.title.text | Multi-field of `process.title`. | match_only_text | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. 
| keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| source.user.id | Unique identifier of the user. | keyword | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | +| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | +| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | +| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | +| winlog.event_data | The event-specific data. 
This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object | +| winlog.event_data.AuthenticationPackageName | | keyword | +| winlog.event_data.Binary | | keyword | +| winlog.event_data.BitlockerUserInputTime | | keyword | +| winlog.event_data.BootMode | | keyword | +| winlog.event_data.BootType | | keyword | +| winlog.event_data.BuildVersion | | keyword | +| winlog.event_data.Company | | keyword | +| winlog.event_data.CorruptionActionState | | keyword | +| winlog.event_data.CreationUtcTime | | keyword | +| winlog.event_data.Description | | keyword | +| winlog.event_data.Detail | | keyword | +| winlog.event_data.DeviceName | | keyword | +| winlog.event_data.DeviceNameLength | | keyword | +| winlog.event_data.DeviceTime | | keyword | +| winlog.event_data.DeviceVersionMajor | | keyword | +| winlog.event_data.DeviceVersionMinor | | keyword | +| winlog.event_data.DriveName | | keyword | +| winlog.event_data.DriverName | | keyword | +| winlog.event_data.DriverNameLength | | keyword | +| winlog.event_data.DwordVal | | keyword | +| winlog.event_data.EntryCount | | keyword | +| winlog.event_data.ExtraInfo | | keyword | +| winlog.event_data.FailureName | | keyword | +| winlog.event_data.FailureNameLength | | keyword | +| winlog.event_data.FileVersion | | keyword | +| winlog.event_data.FinalStatus | | keyword | +| winlog.event_data.Group | | keyword | +| winlog.event_data.IdleImplementation | | keyword | +| winlog.event_data.IdleStateCount | | keyword | +| winlog.event_data.ImpersonationLevel | | keyword | +| winlog.event_data.IntegrityLevel | | keyword | +| winlog.event_data.IpAddress | | keyword | +| winlog.event_data.IpPort | | keyword | +| winlog.event_data.KeyLength | | keyword | +| winlog.event_data.LastBootGood | | keyword | +| 
winlog.event_data.LastShutdownGood | | keyword | +| winlog.event_data.LmPackageName | | keyword | +| winlog.event_data.LogonGuid | | keyword | +| winlog.event_data.LogonId | | keyword | +| winlog.event_data.LogonProcessName | | keyword | +| winlog.event_data.LogonType | | keyword | +| winlog.event_data.MajorVersion | | keyword | +| winlog.event_data.MaximumPerformancePercent | | keyword | +| winlog.event_data.MemberName | | keyword | +| winlog.event_data.MemberSid | | keyword | +| winlog.event_data.MinimumPerformancePercent | | keyword | +| winlog.event_data.MinimumThrottlePercent | | keyword | +| winlog.event_data.MinorVersion | | keyword | +| winlog.event_data.NewProcessId | | keyword | +| winlog.event_data.NewProcessName | | keyword | +| winlog.event_data.NewSchemeGuid | | keyword | +| winlog.event_data.NewTime | | keyword | +| winlog.event_data.NominalFrequency | | keyword | +| winlog.event_data.Number | | keyword | +| winlog.event_data.OldSchemeGuid | | keyword | +| winlog.event_data.OldTime | | keyword | +| winlog.event_data.OriginalFileName | | keyword | +| winlog.event_data.Path | | keyword | +| winlog.event_data.PerformanceImplementation | | keyword | +| winlog.event_data.PreviousCreationUtcTime | | keyword | +| winlog.event_data.PreviousTime | | keyword | +| winlog.event_data.PrivilegeList | | keyword | +| winlog.event_data.ProcessId | | keyword | +| winlog.event_data.ProcessName | | keyword | +| winlog.event_data.ProcessPath | | keyword | +| winlog.event_data.ProcessPid | | keyword | +| winlog.event_data.Product | | keyword | +| winlog.event_data.PuaCount | | keyword | +| winlog.event_data.PuaPolicyId | | keyword | +| winlog.event_data.QfeVersion | | keyword | +| winlog.event_data.Reason | | keyword | +| winlog.event_data.SchemaVersion | | keyword | +| winlog.event_data.ScriptBlockText | | keyword | +| winlog.event_data.ServiceName | | keyword | +| winlog.event_data.ServiceVersion | | keyword | +| winlog.event_data.ShutdownActionType | | keyword | +| 
winlog.event_data.ShutdownEventCode | | keyword | +| winlog.event_data.ShutdownReason | | keyword | +| winlog.event_data.Signature | | keyword | +| winlog.event_data.SignatureStatus | | keyword | +| winlog.event_data.Signed | | keyword | +| winlog.event_data.StartTime | | keyword | +| winlog.event_data.State | | keyword | +| winlog.event_data.Status | | keyword | +| winlog.event_data.StopTime | | keyword | +| winlog.event_data.SubjectDomainName | | keyword | +| winlog.event_data.SubjectLogonId | | keyword | +| winlog.event_data.SubjectUserName | | keyword | +| winlog.event_data.SubjectUserSid | | keyword | +| winlog.event_data.TSId | | keyword | +| winlog.event_data.TargetDomainName | | keyword | +| winlog.event_data.TargetInfo | | keyword | +| winlog.event_data.TargetLogonGuid | | keyword | +| winlog.event_data.TargetLogonId | | keyword | +| winlog.event_data.TargetServerName | | keyword | +| winlog.event_data.TargetUserName | | keyword | +| winlog.event_data.TargetUserSid | | keyword | +| winlog.event_data.TerminalSessionId | | keyword | +| winlog.event_data.TokenElevationType | | keyword | +| winlog.event_data.TransmittedServices | | keyword | +| winlog.event_data.UserSid | | keyword | +| winlog.event_data.Version | | keyword | +| winlog.event_data.Workstation | | keyword | +| winlog.event_data.param1 | | keyword | +| winlog.event_data.param2 | | keyword | +| winlog.event_data.param3 | | keyword | +| winlog.event_data.param4 | | keyword | +| winlog.event_data.param5 | | keyword | +| winlog.event_data.param6 | | keyword | +| winlog.event_data.param7 | | keyword | +| winlog.event_data.param8 | | keyword | +| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | +| winlog.keywords | The keywords are used to classify an event. | keyword | +| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. 
| keyword | +| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | +| winlog.process.thread.id | | long | +| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | +| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | +| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | +| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | +| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword | +| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | +| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | +| winlog.user.name | Name of the user associated with this event. | keyword | +| winlog.user.type | The type of account associated with this event. | keyword | +| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. 
| object |
+| winlog.version | The version number of the event's definition. | long |
+
+
+### Sysmon/Operational
+
+The Windows `sysmon_operational` dataset provides events from the Windows
+`Microsoft-Windows-Sysmon/Operational` event log.
+
+An example event for `sysmon_operational` looks as following:
+
+```json
+{
+ "@timestamp": "2019-07-18T03:34:01.261Z",
+ "agent": {
+ "ephemeral_id": "0670a96e-1852-42bc-b667-66e022ab1c89",
+ "hostname": "docker-fleet-agent",
+ "id": "0d57cbc7-6410-455a-840c-08fd44507a26",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.17.0"
+ },
+ "data_stream": {
+ "dataset": "windows.sysmon_operational",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "www-msn-com.a-0003.a-msedge.net",
+ "type": "CNAME"
+ },
+ {
+ "data": "a-0003.a-msedge.net",
+ "type": "CNAME"
+ },
+ {
+ "data": "204.79.197.203",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "name": "www.msn.com",
+ "registered_domain": "msn.com",
+ "subdomain": "www",
+ "top_level_domain": "com"
+ },
+ "resolved_ip": [
+ "204.79.197.203"
+ ]
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "0d57cbc7-6410-455a-840c-08fd44507a26",
+ "snapshot": false,
+ "version": "7.17.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": [
+ "network"
+ ],
+ "code": "22",
+ "created": "2019-07-18T03:34:02.025Z",
+ "dataset": "windows.sysmon_operational",
+ "ingested": "2022-03-31T08:42:26Z",
+ "kind": "event",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2019-07-18T03:34:02.025237700Z'/\u003e\u003cEventRecordID\u003e67\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.261\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "provider": "Microsoft-Windows-Sysmon",
+ "type": [
+ "connection",
+ "protocol",
+ "info"
+ ]
+ },
+ "host": {
+ "name": "vagrant-2016"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "log": {
+ "level": "information"
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
+ "name": "iexplore.exe",
+ "pid": 2736
+ },
+ "related": {
+ "hosts": [
+ "www-msn-com.a-0003.a-msedge.net",
+ "a-0003.a-msedge.net",
+ "www.msn.com"
+ ],
+ "ip": [
+ "204.79.197.203"
+ ]
+ },
+ "sysmon": {
+ "dns": {
+ "status": "SUCCESS"
+ }
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ],
+ "user": {
+ "id": "S-1-5-18"
+ },
+ "winlog": {
+ "channel": "Microsoft-Windows-Sysmon/Operational",
+ "computer_name": "vagrant-2016",
+ "event_id": "22",
+ "opcode": "Info",
+ "process": {
+ "pid": 2828,
+ "thread": { 
+ "id": 1684
+ }
+ },
+ "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_name": "Microsoft-Windows-Sysmon",
+ "record_id": "67",
+ "user": {
+ "identifier": "S-1-5-18"
+ },
+ "version": 5
+ }
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset name. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| dataset.name | Dataset name. | constant_keyword |
+| dataset.namespace | Dataset namespace. | constant_keyword |
+| dataset.type | Dataset type. | constant_keyword |
+| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment. | keyword |
+| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
+| destination.port | Port of the destination. | long |
+| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
+| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
+| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
+| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
+| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
+| dns.answers.type | The type of data contained in this resource record. | keyword |
+| dns.header_flags | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. | keyword |
+| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword |
+| dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. 
| keyword |
+| dns.question.class | The class of records being queried. | keyword |
+| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
+| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
+| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| dns.question.type | The type of record being queried. | keyword |
+| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip |
+| dns.response_code | The DNS response code. 
| keyword |
+| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.code | Error code describing the error. | keyword |
+| error.message | Error message. | match_only_text |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
+| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| file.code_signature.exists | Boolean to capture if a signature is present. | boolean |
+| file.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. 
| keyword |
+| file.code_signature.subject_name | Subject name of the code signer | keyword |
+| file.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean |
+| file.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean |
+| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword |
+| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| file.hash.md5 | MD5 hash. | keyword |
+| file.hash.sha1 | SHA1 hash. | keyword |
+| file.hash.sha256 | SHA256 hash. | keyword |
+| file.hash.sha512 | SHA512 hash. | keyword |
+| file.name | Name of the file including the extension, without the directory. | keyword |
+| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
+| file.path.text | Multi-field of `file.path`. | match_only_text |
+| file.pe.architecture | CPU architecture target for the file. | keyword |
+| file.pe.company | Internal company name of the file, provided at compile-time. | keyword |
+| file.pe.description | Internal description of the file, provided at compile-time. | keyword |
+| file.pe.file_version | Internal version of the file, provided at compile-time. | keyword |
+| file.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. 
Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword |
+| file.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword |
+| file.pe.product | Internal product name of the file, provided at compile-time. | keyword |
+| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| group.id | Unique identifier for the group on the system/platform. | keyword |
+| group.name | Name of the group. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. 
| text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Type of Filebeat input. | keyword |
+| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
+| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
+| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
+| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
+| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
+| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long |
+| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
+| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
+| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. 
Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
+| process.executable | Absolute path to the process executable. | keyword |
+| process.executable.text | Multi-field of `process.executable`. | match_only_text |
+| process.hash.md5 | MD5 hash. | keyword |
+| process.hash.sha1 | SHA1 hash. | keyword |
+| process.hash.sha256 | SHA256 hash. | keyword |
+| process.hash.sha512 | SHA512 hash. | keyword |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.name.text | Multi-field of `process.name`. | match_only_text |
+| process.parent.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
+| process.parent.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long |
+| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
+| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text |
+| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
+| process.parent.executable | Absolute path to the process executable. 
| keyword |
+| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text |
+| process.parent.name | Process name. Sometimes called program name or similar. | keyword |
+| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text |
+| process.parent.pid | Process id. | long |
+| process.pe.architecture | CPU architecture target for the file. | keyword |
+| process.pe.company | Internal company name of the file, provided at compile-time. | keyword |
+| process.pe.description | Internal description of the file, provided at compile-time. | keyword |
+| process.pe.file_version | Internal version of the file, provided at compile-time. | keyword |
+| process.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword |
+| process.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword |
+| process.pe.product | Internal product name of the file, provided at compile-time. | keyword |
+| process.pid | Process id. | long |
+| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| process.title.text | Multi-field of `process.title`. | match_only_text |
+| process.working_directory | The working directory of the process. | keyword |
+| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text |
+| registry.data.strings | Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. 
For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). | wildcard |
+| registry.data.type | Standard registry type for encoding contents | keyword |
+| registry.hive | Abbreviated name for the hive. | keyword |
+| registry.key | Hive-relative path of keys. | keyword |
+| registry.path | Full path, including hive, key and value | keyword |
+| registry.value | Name of the value written. | keyword |
+| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
+| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| rule.name | The name of the rule or signature generating the event. | keyword |
+| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
+| source.domain | The domain name of the source system. 
This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.port | Port of the source. | long |
+| sysmon.dns.status | Windows status code returned for the DNS query. | keyword |
+| sysmon.file.archived | Indicates if the deleted file was archived. | boolean |
+| sysmon.file.is_executable | Indicates if the deleted file was an executable. | boolean |
+| tags | List of keywords used to tag each event. | keyword |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.id | Unique identifier of the user. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
+| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.target.group.id | Unique identifier for the group on the system/platform. | keyword |
+| user.target.group.name | Name of the group. | keyword |
+| user.target.name | Short name or login of the user. | keyword |
+| user.target.name.text | Multi-field of `user.target.name`. | match_only_text |
+| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword |
+| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. 
Winlogbeat automatically detects which API to use for reading event logs. | keyword |
+| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword |
+| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword |
+| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object |
+| winlog.event_data.AuthenticationPackageName | | keyword |
+| winlog.event_data.Binary | | keyword |
+| winlog.event_data.BitlockerUserInputTime | | keyword |
+| winlog.event_data.BootMode | | keyword |
+| winlog.event_data.BootType | | keyword |
+| winlog.event_data.BuildVersion | | keyword |
+| winlog.event_data.ClientInfo | | keyword |
+| winlog.event_data.Company | | keyword |
+| winlog.event_data.Configuration | | keyword |
+| winlog.event_data.CorruptionActionState | | keyword |
+| winlog.event_data.CreationUtcTime | | keyword |
+| winlog.event_data.Description | | keyword |
+| winlog.event_data.Detail | | keyword |
+| winlog.event_data.DeviceName | | keyword |
+| winlog.event_data.DeviceNameLength | | keyword |
+| winlog.event_data.DeviceTime | | keyword |
+| winlog.event_data.DeviceVersionMajor | | keyword |
+| winlog.event_data.DeviceVersionMinor | | keyword |
+| winlog.event_data.DriveName | | keyword |
+| winlog.event_data.DriverName | | keyword |
+| winlog.event_data.DriverNameLength | | keyword |
+| winlog.event_data.DwordVal | | keyword |
+| winlog.event_data.EntryCount | | keyword |
+| winlog.event_data.EventType | | keyword |
+| winlog.event_data.ExtraInfo | | keyword |
+| winlog.event_data.FailureName | | 
keyword | +| winlog.event_data.FailureNameLength | | keyword | +| winlog.event_data.FileVersion | | keyword | +| winlog.event_data.FinalStatus | | keyword | +| winlog.event_data.Group | | keyword | +| winlog.event_data.IdleImplementation | | keyword | +| winlog.event_data.IdleStateCount | | keyword | +| winlog.event_data.ImpersonationLevel | | keyword | +| winlog.event_data.IntegrityLevel | | keyword | +| winlog.event_data.IpAddress | | keyword | +| winlog.event_data.IpPort | | keyword | +| winlog.event_data.KeyLength | | keyword | +| winlog.event_data.LastBootGood | | keyword | +| winlog.event_data.LastShutdownGood | | keyword | +| winlog.event_data.LmPackageName | | keyword | +| winlog.event_data.LogonGuid | | keyword | +| winlog.event_data.LogonId | | keyword | +| winlog.event_data.LogonProcessName | | keyword | +| winlog.event_data.LogonType | | keyword | +| winlog.event_data.MajorVersion | | keyword | +| winlog.event_data.MaximumPerformancePercent | | keyword | +| winlog.event_data.MemberName | | keyword | +| winlog.event_data.MemberSid | | keyword | +| winlog.event_data.MinimumPerformancePercent | | keyword | +| winlog.event_data.MinimumThrottlePercent | | keyword | +| winlog.event_data.MinorVersion | | keyword | +| winlog.event_data.NewProcessId | | keyword | +| winlog.event_data.NewProcessName | | keyword | +| winlog.event_data.NewSchemeGuid | | keyword | +| winlog.event_data.NewTime | | keyword | +| winlog.event_data.NominalFrequency | | keyword | +| winlog.event_data.Number | | keyword | +| winlog.event_data.OldSchemeGuid | | keyword | +| winlog.event_data.OldTime | | keyword | +| winlog.event_data.OriginalFileName | | keyword | +| winlog.event_data.Path | | keyword | +| winlog.event_data.PerformanceImplementation | | keyword | +| winlog.event_data.PreviousCreationUtcTime | | keyword | +| winlog.event_data.PreviousTime | | keyword | +| winlog.event_data.PrivilegeList | | keyword | +| winlog.event_data.ProcessId | | keyword | +| 
winlog.event_data.ProcessName | | keyword | +| winlog.event_data.ProcessPath | | keyword | +| winlog.event_data.ProcessPid | | keyword | +| winlog.event_data.Product | | keyword | +| winlog.event_data.PuaCount | | keyword | +| winlog.event_data.PuaPolicyId | | keyword | +| winlog.event_data.QfeVersion | | keyword | +| winlog.event_data.Reason | | keyword | +| winlog.event_data.SchemaVersion | | keyword | +| winlog.event_data.ScriptBlockText | | keyword | +| winlog.event_data.ServiceName | | keyword | +| winlog.event_data.ServiceVersion | | keyword | +| winlog.event_data.Session | | keyword | +| winlog.event_data.ShutdownActionType | | keyword | +| winlog.event_data.ShutdownEventCode | | keyword | +| winlog.event_data.ShutdownReason | | keyword | +| winlog.event_data.Signature | | keyword | +| winlog.event_data.SignatureStatus | | keyword | +| winlog.event_data.Signed | | keyword | +| winlog.event_data.StartTime | | keyword | +| winlog.event_data.State | | keyword | +| winlog.event_data.Status | | keyword | +| winlog.event_data.StopTime | | keyword | +| winlog.event_data.SubjectDomainName | | keyword | +| winlog.event_data.SubjectLogonId | | keyword | +| winlog.event_data.SubjectUserName | | keyword | +| winlog.event_data.SubjectUserSid | | keyword | +| winlog.event_data.TSId | | keyword | +| winlog.event_data.TargetDomainName | | keyword | +| winlog.event_data.TargetInfo | | keyword | +| winlog.event_data.TargetLogonGuid | | keyword | +| winlog.event_data.TargetLogonId | | keyword | +| winlog.event_data.TargetServerName | | keyword | +| winlog.event_data.TargetUserName | | keyword | +| winlog.event_data.TargetUserSid | | keyword | +| winlog.event_data.TerminalSessionId | | keyword | +| winlog.event_data.TokenElevationType | | keyword | +| winlog.event_data.TransmittedServices | | keyword | +| winlog.event_data.Type | | keyword | +| winlog.event_data.UserSid | | keyword | +| winlog.event_data.Version | | keyword | +| winlog.event_data.Workstation | | keyword | +| 
winlog.event_data.param1 | | keyword | +| winlog.event_data.param2 | | keyword | +| winlog.event_data.param3 | | keyword | +| winlog.event_data.param4 | | keyword | +| winlog.event_data.param5 | | keyword | +| winlog.event_data.param6 | | keyword | +| winlog.event_data.param7 | | keyword | +| winlog.event_data.param8 | | keyword | +| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | +| winlog.keywords | The keywords are used to classify an event. | keyword | +| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | +| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | +| winlog.process.thread.id | | long | +| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | +| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | +| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | +| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | +| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword | +| winlog.user.domain | The domain that the account associated with this event is a member of. 
| keyword | +| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | +| winlog.user.name | Name of the user associated with this event. | keyword | +| winlog.user.type | The type of account associated with this event. | keyword | +| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object | +| winlog.version | The version number of the event's definition. | long | + diff --git a/packages/windows/1.12.1/img/logo_windows.svg b/packages/windows/1.12.1/img/logo_windows.svg new file mode 100755 index 0000000000..953b33d8f5 --- /dev/null +++ b/packages/windows/1.12.1/img/logo_windows.svg @@ -0,0 +1,3 @@ + + + diff --git a/packages/windows/1.12.1/img/metricbeat-windows-service.png b/packages/windows/1.12.1/img/metricbeat-windows-service.png new file mode 100755 index 0000000000..b9437930a9 Binary files /dev/null and b/packages/windows/1.12.1/img/metricbeat-windows-service.png differ diff --git a/packages/windows/1.12.1/kibana/dashboard/windows-c77e06c0-9e7c-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/1.12.1/kibana/dashboard/windows-c77e06c0-9e7c-11ea-af6f-cfdb1ee1d6c8.json new file mode 100755 index 0000000000..a1564e6c0d --- /dev/null +++ b/packages/windows/1.12.1/kibana/dashboard/windows-c77e06c0-9e7c-11ea-af6f-cfdb1ee1d6c8.json 
@@ -0,0 +1,114 @@ +{ + "attributes": { + "description": "Overview dashboard for powershell integration.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"fa41e799-b6b3-49ec-a11c-3f20231a4a79\",\"w\":13,\"x\":0,\"y\":0},\"panelIndex\":\"fa41e799-b6b3-49ec-a11c-3f20231a4a79\",\"panelRefName\":\"panel_0\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":6,\"i\":\"65ce6b63-6ce0-4094-ab23-189126fc169f\",\"w\":7,\"x\":13,\"y\":0},\"panelIndex\":\"65ce6b63-6ce0-4094-ab23-189126fc169f\",\"panelRefName\":\"panel_1\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":6,\"i\":\"314e6f55-a05a-4ae3-ab76-bcae7f2074ab\",\"w\":8,\"x\":20,\"y\":0},\"panelIndex\":\"314e6f55-a05a-4ae3-ab76-bcae7f2074ab\",\"panelRefName\":\"panel_2\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":6,\"i\":\"a1f161f6-1abe-4177-9ede-4d1984f5a963\",\"w\":7,\"x\":28,\"y\":0},\"panelIndex\":\"a1f161f6-1abe-4177-9ede-4d1984f5a963\",\"panelRefName\":\"panel_3\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":6,\"i\":\"6b7ed122-22f3-4e9d-89eb-8de92c0d2033\",\"w\":4,\"x\":35,\"y\":0},\"panelIndex\":\"6b7ed122-22f3-4e9d-89eb-8de92c0d2033\",\"panelRefName\":\"panel_4\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":6,\"i\":\"d536f6a7-ad28-4a32-9319-9e0b983828bf\",\"w\":4,\"x\":39,\"y\":0},\"panelIndex\":\"d536f6a7-ad28-4a32-9319-9e0b983828bf\",\"panelRefName\":\"panel_5\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":6,\"i\":\"eda6d08f-b45e-448a-bf9f-afa5516d4b4b\",\"w\":4,\"x\":43,\"y\":0},\"panelIndex\":\"eda6d08f-b45e-448a-bf9f-afa5516d4b4b\",\"panelRefName\":\"panel_6\",\"ve
rsion\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"56d2dd76-6fec-422b-96e9-22791b0c5f0c\",\"w\":10,\"x\":13,\"y\":6},\"panelIndex\":\"56d2dd76-6fec-422b-96e9-22791b0c5f0c\",\"panelRefName\":\"panel_7\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"3e4a9683-fd6a-4ad7-b05f-c71bcb4d92d5\",\"w\":12,\"x\":23,\"y\":6},\"panelIndex\":\"3e4a9683-fd6a-4ad7-b05f-c71bcb4d92d5\",\"panelRefName\":\"panel_8\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"a8c00572-667b-4e39-8b0c-10be56fbadd5\",\"w\":12,\"x\":35,\"y\":6},\"panelIndex\":\"a8c00572-667b-4e39-8b0c-10be56fbadd5\",\"panelRefName\":\"panel_9\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"e8a57cba-14d2-4cd9-a727-f5e30165f6ba\",\"w\":13,\"x\":0,\"y\":8},\"panelIndex\":\"e8a57cba-14d2-4cd9-a727-f5e30165f6ba\",\"panelRefName\":\"panel_10\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"8ae39cfa-cb06-45eb-880e-b749c3355d61\",\"w\":12,\"x\":23,\"y\":13},\"panelIndex\":\"8ae39cfa-cb06-45eb-880e-b749c3355d61\",\"panelRefName\":\"panel_11\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"ef92d192-b56d-476c-b640-e226679ed178\",\"w\":12,\"x\":35,\"y\":13},\"panelIndex\":\"ef92d192-b56d-476c-b640-e226679ed178\",\"panelRefName\":\"panel_12\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"b15dcac5-3616-4b41-8abb-cb28398b16f4\",\"w\":13,\"x\":0,\"y\":16},\"panelIndex\":\"b15dcac5-3616-4b41-8abb-cb28398b16f4\",\"panelRefName\":\"panel_13\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"23af61c8-6a45-4d7d-9905-8ed265328130\",\"w\":10,\"x\":13,\"y\":16},\"panelIndex\":\"23af61c8-6a45-4d7d-9905-8ed265328130\",\"panelRefName\":\"panel_14\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"390068ed-b7fb-4ec1-87d5-e89f7cc82e04\",\"w\":12,\"x\":23,\"y\":20},\"panelIndex\":\"
390068ed-b7fb-4ec1-87d5-e89f7cc82e04\",\"panelRefName\":\"panel_15\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"45724dca-fea2-4f3b-af79-cf89bb12a31b\",\"w\":12,\"x\":35,\"y\":20},\"panelIndex\":\"45724dca-fea2-4f3b-af79-cf89bb12a31b\",\"panelRefName\":\"panel_16\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":14,\"i\":\"7f0c4a51-d972-42a5-ba0a-d3de814c7440\",\"w\":47,\"x\":0,\"y\":27},\"panelIndex\":\"7f0c4a51-d972-42a5-ba0a-d3de814c7440\",\"panelRefName\":\"panel_17\",\"version\":\"7.6.0\"}]", + "timeRestore": false, + "title": "[Windows powershell] Overview", + "version": 1 + }, + "id": "windows-c77e06c0-9e7c-11ea-af6f-cfdb1ee1d6c8", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "windows-9ec52c30-9e91-11ea-af6f-cfdb1ee1d6c8", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "windows-52543ef0-9e95-11ea-af6f-cfdb1ee1d6c8", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "windows-7f3e7710-9e94-11ea-af6f-cfdb1ee1d6c8", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "windows-78874900-9f30-11ea-bef1-95118e62a7c1", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "windows-e64ff750-9f28-11ea-bef1-95118e62a7c1", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "windows-2dbabdf0-9f29-11ea-bef1-95118e62a7c1", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "windows-92a2a6b0-9f29-11ea-bef1-95118e62a7c1", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "windows-e20b3940-9e9a-11ea-af6f-cfdb1ee1d6c8", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "windows-1eeaaf70-9f23-11ea-bef1-95118e62a7c1", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "windows-f9fa55f0-9f34-11ea-bef1-95118e62a7c1", + "name": "panel_9", + "type": "visualization" + }, + { + "id": "windows-3e55daa0-9e8e-11ea-af6f-cfdb1ee1d6c8", + "name": 
"panel_10", + "type": "visualization" + }, + { + "id": "windows-d27dea70-9f32-11ea-bef1-95118e62a7c1", + "name": "panel_11", + "type": "visualization" + }, + { + "id": "windows-fbb025e0-9e7c-11ea-af6f-cfdb1ee1d6c8", + "name": "panel_12", + "type": "visualization" + }, + { + "id": "windows-7adbce50-9e96-11ea-af6f-cfdb1ee1d6c8", + "name": "panel_13", + "type": "visualization" + }, + { + "id": "windows-70751050-9f33-11ea-bef1-95118e62a7c1", + "name": "panel_14", + "type": "visualization" + }, + { + "id": "windows-b0c5d570-9e7c-11ea-af6f-cfdb1ee1d6c8", + "name": "panel_15", + "type": "visualization" + }, + { + "id": "windows-c0945210-9e8b-11ea-af6f-cfdb1ee1d6c8", + "name": "panel_16", + "type": "visualization" + }, + { + "id": "windows-11a61760-9f27-11ea-bef1-95118e62a7c1", + "name": "panel_17", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/windows/1.12.1/kibana/dashboard/windows-d9eba730-c991-11e7-9835-2f31fe08873b.json b/packages/windows/1.12.1/kibana/dashboard/windows-d9eba730-c991-11e7-9835-2f31fe08873b.json new file mode 100755 index 0000000000..2dc240f99d --- /dev/null +++ b/packages/windows/1.12.1/kibana/dashboard/windows-d9eba730-c991-11e7-9835-2f31fe08873b.json 
@@ -0,0 +1,49 @@ +{ + "attributes": { + "description": "Overview of the Windows Service States", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.service\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":36,\"x\":12,\"y\":12},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":12},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":12,\"i\":\"4\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"}]", + "timeRestore": false, + "title": "[Metrics Windows] Services", + "version": 1 + }, + "id": "windows-d9eba730-c991-11e7-9835-2f31fe08873b", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "windows-eb8277d0-c98c-11e7-9835-2f31fe08873b", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "windows-23a5fff0-c98e-11e7-9835-2f31fe08873b", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "windows-830c45f0-c991-11e7-9835-2f31fe08873b", + "name": "panel_2", + "type": 
"visualization" + }, + { + "id": "windows-35f5ad60-c996-11e7-9835-2f31fe08873b", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "windows-c36b2ba0-ca29-11e7-9835-2f31fe08873b", + "name": "panel_4", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/windows/1.12.1/kibana/search/windows-11a61760-9f27-11ea-bef1-95118e62a7c1.json b/packages/windows/1.12.1/kibana/search/windows-11a61760-9f27-11ea-bef1-95118e62a7c1.json new file mode 100755 index 0000000000..4eec362f7b --- /dev/null +++ b/packages/windows/1.12.1/kibana/search/windows-11a61760-9f27-11ea-bef1-95118e62a7c1.json @@ -0,0 +1,40 @@ +{ + "attributes": { + "columns": [ + "event.code", + "powershell.engine.version", + "powershell.runspace_id", + "process.args", + "powershell.command.invocation_details", + "powershell.file.script_block_text" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Details [Windows powershell]", + "version": 1 + }, + "id": "windows-11a61760-9f27-11ea-bef1-95118e62a7c1", + "migrationVersion": { + "search": "7.4.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/windows/1.12.1/kibana/search/windows-b6b7ccc0-c98d-11e7-9835-2f31fe08873b.json b/packages/windows/1.12.1/kibana/search/windows-b6b7ccc0-c98d-11e7-9835-2f31fe08873b.json new file mode 100755 index 0000000000..ce978c720f --- /dev/null 
+++ b/packages/windows/1.12.1/kibana/search/windows-b6b7ccc0-c98d-11e7-9835-2f31fe08873b.json 
@@ -0,0 +1,48 @@ +{ + "attributes": { + "columns": [ + "host.name", + "windows.service.display_name", + "windows.service.state", + "windows.service.start_type", + "windows.service.uptime.ms", + "windows.service.pid", + "windows.service.exit_code" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"prefix\\\":{\\\"data_stream.dataset\\\":\\\"windows.\\\"}}\"},\"query\":{\"prefix\":{\"data_stream.dataset\":\"windows.\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"metricset.name\",\"negate\":false,\"params\":{\"query\":\"service\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"service\"},\"query\":{\"match\":{\"metricset.name\":{\"query\":\"service\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Services [Metrics Windows]", + "version": 1 + }, + "id": "windows-b6b7ccc0-c98d-11e7-9835-2f31fe08873b", + "migrationVersion": { + "search": "7.4.0" + }, + "references": [ + { + "id": "metrics-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file 
diff --git a/packages/windows/1.12.1/kibana/visualization/windows-1eeaaf70-9f23-11ea-bef1-95118e62a7c1.json b/packages/windows/1.12.1/kibana/visualization/windows-1eeaaf70-9f23-11ea-bef1-95118e62a7c1.json new file mode 100755 index 0000000000..04e954c31c --- /dev/null +++ b/packages/windows/1.12.1/kibana/visualization/windows-1eeaaf70-9f23-11ea-bef1-95118e62a7c1.json @@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" + }, + "title": "Engine versions [Windows powershell]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Engine version\",\"field\":\"powershell.engine.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"metric\":{\"accessor\":0,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":false,\"show\":false,\"truncate\":100,\"values\":false},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Engine versions [Windows powershell]\",\"type\":\"pie\"}" + }, + "id": "windows-1eeaaf70-9f23-11ea-bef1-95118e62a7c1", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/windows/1.12.1/kibana/visualization/windows-23a5fff0-c98e-11e7-9835-2f31fe08873b.json b/packages/windows/1.12.1/kibana/visualization/windows-23a5fff0-c98e-11e7-9835-2f31fe08873b.json new file mode 100755 index 0000000000..a1d8795f59 --- /dev/null +++ b/packages/windows/1.12.1/kibana/visualization/windows-23a5fff0-c98e-11e7-9835-2f31fe08873b.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Hosts [Metrics Windows]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Services\",\"field\":\"windows.service.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Host\",\"field\":\"host.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Hosts [Metrics Windows]\",\"type\":\"table\"}" + }, + "id": "windows-23a5fff0-c98e-11e7-9835-2f31fe08873b", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "windows-b6b7ccc0-c98d-11e7-9835-2f31fe08873b", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/windows/1.12.1/kibana/visualization/windows-2dbabdf0-9f29-11ea-bef1-95118e62a7c1.json b/packages/windows/1.12.1/kibana/visualization/windows-2dbabdf0-9f29-11ea-bef1-95118e62a7c1.json new file mode 100755 index 0000000000..c3010746e0 --- /dev/null 
+++ b/packages/windows/1.12.1/kibana/visualization/windows-2dbabdf0-9f29-11ea-bef1-95118e62a7c1.json @@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset.windows.powershell_operational)\"}}" + }, + "title": "Unique engine versions [Windows powershell]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique versions\",\"field\":\"powershell.engine.version\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":32,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Unique engine versions [Windows powershell]\",\"type\":\"metric\"}" + }, + "id": "windows-2dbabdf0-9f29-11ea-bef1-95118e62a7c1", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/windows/1.12.1/kibana/visualization/windows-35f5ad60-c996-11e7-9835-2f31fe08873b.json b/packages/windows/1.12.1/kibana/visualization/windows-35f5ad60-c996-11e7-9835-2f31fe08873b.json new file mode 100755 index 0000000000..a67dddfc97 --- /dev/null 
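Review bot: The KQL in this visualization's `searchSourceJSON` has a dot where the second clause needs a colon: `data_stream.dataset.windows.powershell_operational` is parsed as a free-text term rather than a field match, so `windows.powershell_operational` events are not selected by the "Unique engine versions" panel (what the stray term matches, if anything, depends on the index's default search fields). The dashboard in the `windows-c77e06c0` hunk and the `windows-1eeaaf70` visualization use the correct form, so this one should read `(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)`. The same typo is present in the `windows-3e55daa0` and `windows-52543ef0` visualizations further down, which should get the identical fix; a package-level test that renders each saved object's query against both datasets would catch this class of drift.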
+++ b/packages/windows/1.12.1/kibana/visualization/windows-35f5ad60-c996-11e7-9835-2f31fe08873b.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Unique Services [Metrics Windows]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Services\",\"field\":\"windows.service.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":false},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"Unique Services [Metrics Windows]\",\"type\":\"metric\"}" + }, + "id": "windows-35f5ad60-c996-11e7-9835-2f31fe08873b", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "windows-b6b7ccc0-c98d-11e7-9835-2f31fe08873b", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/windows/1.12.1/kibana/visualization/windows-3e55daa0-9e8e-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/1.12.1/kibana/visualization/windows-3e55daa0-9e8e-11ea-af6f-cfdb1ee1d6c8.json new file mode 100755 index 0000000000..89fc1c53f5 --- /dev/null 
+++ b/packages/windows/1.12.1/kibana/visualization/windows-3e55daa0-9e8e-11ea-af6f-cfdb1ee1d6c8.json 
@@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset.windows.powershell_operational)\"}}" + }, + "title": "Users [Windows powershell]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Host count\",\"field\":\"host.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://192.168.1.48:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"User\",\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}},{\"accessor\":2,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"label\":\"Unique count of host.name\",\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users [Windows powershell]\",\"type\":\"table\"}" + }, + "id": "windows-3e55daa0-9e8e-11ea-af6f-cfdb1ee1d6c8", + "migrationVersion": { + 
"visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/windows/1.12.1/kibana/visualization/windows-52543ef0-9e95-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/1.12.1/kibana/visualization/windows-52543ef0-9e95-11ea-af6f-cfdb1ee1d6c8.json new file mode 100755 index 0000000000..30859feacc --- /dev/null +++ b/packages/windows/1.12.1/kibana/visualization/windows-52543ef0-9e95-11ea-af6f-cfdb1ee1d6c8.json 
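Review bot: The `visState` of the "Users [Windows powershell]" visualization ships the exporting workstation's Kibana URL inside the terms-format metadata, `\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://192.168.1.48:5601\",\"pathname\":\"/app/kibana\"}`, which leaks an internal host address into a published package and ties the object to a specific development environment. None of the other visualizations in this commit carry a `parsedUrl`, so it appears to be an export artifact rather than something the table rendering depends on; drop the `,\"parsedUrl\":{...}` member from the `user.name` bucket's `format.params` so the object matches its siblings. A pre-publish check that greps saved objects for `http://` and RFC1918 addresses would prevent this from recurring.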
@@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset.windows.powershell_operational)\"}}" + }, + "title": "Total engine started [Windows powershell]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"event.code: 400\"},\"label\":\"\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":32,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Total engine started [Windows powershell]\",\"type\":\"metric\"}" + }, + "id": "windows-52543ef0-9e95-11ea-af6f-cfdb1ee1d6c8", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/windows/1.12.1/kibana/visualization/windows-70751050-9f33-11ea-bef1-95118e62a7c1.json b/packages/windows/1.12.1/kibana/visualization/windows-70751050-9f33-11ea-bef1-95118e62a7c1.json new file mode 100755 index 0000000000..05fb357273 --- /dev/null +++ b/packages/windows/1.12.1/kibana/visualization/windows-70751050-9f33-11ea-bef1-95118e62a7c1.json 
@@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset.windows.powershell_operational)\"}}" + }, + "title": "Top active hosts [Windows powershell]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[],\"metrics\":[{\"accessor\":0,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top active hosts [Windows powershell]\",\"type\":\"table\"}" + }, + "id": "windows-70751050-9f33-11ea-bef1-95118e62a7c1", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/windows/1.12.1/kibana/visualization/windows-78874900-9f30-11ea-bef1-95118e62a7c1.json b/packages/windows/1.12.1/kibana/visualization/windows-78874900-9f30-11ea-bef1-95118e62a7c1.json new file mode 100755 index 0000000000..ea3f28e91a --- /dev/null 
+++ b/packages/windows/1.12.1/kibana/visualization/windows-78874900-9f30-11ea-bef1-95118e62a7c1.json @@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" + }, + "title": "Total remote commands [Windows powershell]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"process.title:\\\"ServerRemoteHost\\\" \"},\"label\":\"Remote commands\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":32,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Total remote commands [Windows powershell]\",\"type\":\"metric\"}" + }, + "id": "windows-78874900-9f30-11ea-bef1-95118e62a7c1", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/windows/1.12.1/kibana/visualization/windows-7adbce50-9e96-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/1.12.1/kibana/visualization/windows-7adbce50-9e96-11ea-af6f-cfdb1ee1d6c8.json new file mode 100755 index 0000000000..20a555f9a3 --- /dev/null +++ b/packages/windows/1.12.1/kibana/visualization/windows-7adbce50-9e96-11ea-af6f-cfdb1ee1d6c8.json 
@@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" + }, + "title": "Engine and Command started[Windows powershell]", + "uiStateJSON": "{\"vis\":{\"colors\":{\"*\":\"#EAB839\",\"Engine stopped\":\"#BF1B00\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"400\\\" \"},\"label\":\"Engine started\"},{\"input\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4105\\\" \"},\"label\":\"Command started\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"dimensions\":{\"series\":[{\"accessor\":1,\"aggType\":\"filters\",\"format\":{},\"label\":\"filters\",\"params\":{}}],\"x\":{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"HH:mm\"}},\"label\":\"@timestamp per 30 
minutes\",\"params\":{\"bounds\":{\"max\":\"2020-05-26T09:14:29.996Z\",\"min\":\"2020-05-25T09:14:29.996Z\"},\"date\":true,\"format\":\"HH:mm\",\"interval\":\"PT30M\",\"intervalESUnit\":\"m\",\"intervalESValue\":30}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}]},\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"log\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Engine and Command started[Windows powershell]\",\"type\":\"line\"}" + }, + "id": "windows-7adbce50-9e96-11ea-af6f-cfdb1ee1d6c8", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/windows/1.12.1/kibana/visualization/windows-7f3e7710-9e94-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/1.12.1/kibana/visualization/windows-7f3e7710-9e94-11ea-af6f-cfdb1ee1d6c8.json new file mode 100755 index 0000000000..7991892c14 --- /dev/null +++ b/packages/windows/1.12.1/kibana/visualization/windows-7f3e7710-9e94-11ea-af6f-cfdb1ee1d6c8.json 
@@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" + }, + "title": "Total commands [Windows powershell]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"powershell.command.name: * \"},\"label\":\"Commands\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":32,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Total commands [Windows powershell]\",\"type\":\"metric\"}" + }, + "id": "windows-7f3e7710-9e94-11ea-af6f-cfdb1ee1d6c8", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/windows/1.12.1/kibana/visualization/windows-830c45f0-c991-11e7-9835-2f31fe08873b.json b/packages/windows/1.12.1/kibana/visualization/windows-830c45f0-c991-11e7-9835-2f31fe08873b.json new file mode 100755 index 0000000000..1c3be90530 --- /dev/null +++ b/packages/windows/1.12.1/kibana/visualization/windows-830c45f0-c991-11e7-9835-2f31fe08873b.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Startup States [Metrics Windows]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Service Count\",\"field\":\"windows.service.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Startup Type\",\"field\":\"windows.service.start_type\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"State\",\"field\":\"windows.service.state\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Startup States [Metrics Windows]\",\"type\":\"pie\"}" + }, + "id": "windows-830c45f0-c991-11e7-9835-2f31fe08873b", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "windows-b6b7ccc0-c98d-11e7-9835-2f31fe08873b", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/windows/1.12.1/kibana/visualization/windows-92a2a6b0-9f29-11ea-bef1-95118e62a7c1.json b/packages/windows/1.12.1/kibana/visualization/windows-92a2a6b0-9f29-11ea-bef1-95118e62a7c1.json new file mode 100755 index 0000000000..41e0eb5de2 --- /dev/null +++ b/packages/windows/1.12.1/kibana/visualization/windows-92a2a6b0-9f29-11ea-bef1-95118e62a7c1.json @@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" + }, + "title": "Unique hosts [Windows powershell]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique hosts\",\"field\":\"host.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":32,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Unique hosts [Windows powershell]\",\"type\":\"metric\"}" + }, + "id": "windows-92a2a6b0-9f29-11ea-bef1-95118e62a7c1", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/windows/1.12.1/kibana/visualization/windows-9ec52c30-9e91-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/1.12.1/kibana/visualization/windows-9ec52c30-9e91-11ea-af6f-cfdb1ee1d6c8.json new file mode 100755 index 0000000000..f31c109dbd --- /dev/null +++ b/packages/windows/1.12.1/kibana/visualization/windows-9ec52c30-9e91-11ea-af6f-cfdb1ee1d6c8.json 
@@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" + }, + "title": "Connected users [Windows powershell]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"powershell.connected_user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"4\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Host count\",\"field\":\"host.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://192.168.1.48:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"User\",\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}},{\"accessor\":2,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"label\":\"Unique count of host.name\",\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connected users [Windows powershell]\",\"type\":\"table\"}" + }, + "id": "windows-9ec52c30-9e91-11ea-af6f-cfdb1ee1d6c8", 
+ "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/windows/1.12.1/kibana/visualization/windows-b0c5d570-9e7c-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/1.12.1/kibana/visualization/windows-b0c5d570-9e7c-11ea-af6f-cfdb1ee1d6c8.json new file mode 100755 index 0000000000..7c4f2295c8 --- /dev/null +++ b/packages/windows/1.12.1/kibana/visualization/windows-b0c5d570-9e7c-11ea-af6f-cfdb1ee1d6c8.json 
@@ -0,0 +1,32 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"powershell.command.invocation_details.type\",\"negate\":false,\"params\":{\"query\":\"CommandInvocation\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"powershell.command.invocation_details.type\":\"CommandInvocation\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" + }, + "title": "Top Invoked Commands [Windows powershell]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"powershell.command.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://192.168.1.48:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"powershell.command.invocation_details.related_command: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":false,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Top Invoked Commands [Windows 
powershell]\",\"type\":\"pie\"}" + }, + "id": "windows-b0c5d570-9e7c-11ea-af6f-cfdb1ee1d6c8", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/windows/1.12.1/kibana/visualization/windows-c0945210-9e8b-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/1.12.1/kibana/visualization/windows-c0945210-9e8b-11ea-af6f-cfdb1ee1d6c8.json new file mode 100755 index 0000000000..2e83176ae0 --- /dev/null +++ b/packages/windows/1.12.1/kibana/visualization/windows-c0945210-9e8b-11ea-af6f-cfdb1ee1d6c8.json 
@@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" + }, + "title": "Started providers [Windows powershell]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"powershell.provider.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://192.168.1.48:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"powershell.provider.name: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":false,\"show\":false,\"truncate\":100,\"values\":false},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Started providers [Windows powershell]\",\"type\":\"pie\"}" + }, + "id": "windows-c0945210-9e8b-11ea-af6f-cfdb1ee1d6c8", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/windows/1.12.1/kibana/visualization/windows-c36b2ba0-ca29-11e7-9835-2f31fe08873b.json b/packages/windows/1.12.1/kibana/visualization/windows-c36b2ba0-ca29-11e7-9835-2f31fe08873b.json new file mode 100755 index 0000000000..298c8a3225 --- /dev/null +++ b/packages/windows/1.12.1/kibana/visualization/windows-c36b2ba0-ca29-11e7-9835-2f31fe08873b.json 
@@ -0,0 +1,40 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"windows.service.exit_code\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"windows.service.exit_code\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"windows.service.exit_code\",\"negate\":true,\"params\":{\"query\":\"0\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"0\"},\"query\":{\"match\":{\"windows.service.exit_code\":{\"query\":\"0\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"windows.service.exit_code\",\"negate\":true,\"params\":{\"query\":\"ERROR_SERVICE_NEVER_STARTED\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"ERROR_SERVICE_NEVER_STARTED\"},\"query\":{\"match\":{\"windows.service.exit_code\":{\"query\":\"ERROR_SERVICE_NEVER_STARTED\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Non-zero Service Exit Codes [Metrics Windows]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Non-zero Exit Codes\",\"field\":\"windows.service.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to 
Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":false},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"Non-zero Service Exit Codes [Metrics Windows]\",\"type\":\"metric\"}" + }, + "id": "windows-c36b2ba0-ca29-11e7-9835-2f31fe08873b", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "metrics-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "windows-b6b7ccc0-c98d-11e7-9835-2f31fe08873b", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/windows/1.12.1/kibana/visualization/windows-d27dea70-9f32-11ea-bef1-95118e62a7c1.json b/packages/windows/1.12.1/kibana/visualization/windows-d27dea70-9f32-11ea-bef1-95118e62a7c1.json new file mode 100755 index 0000000000..eb31ba6e7b --- /dev/null +++ b/packages/windows/1.12.1/kibana/visualization/windows-d27dea70-9f32-11ea-bef1-95118e62a7c1.json 
@@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" + }, + "title": "Event type [Windows powershell]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event type\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://192.168.1.48:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"event.code: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":false,\"show\":false,\"truncate\":100,\"values\":false},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Event type [Windows powershell]\",\"type\":\"pie\"}" + }, + "id": "windows-d27dea70-9f32-11ea-bef1-95118e62a7c1", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/windows/1.12.1/kibana/visualization/windows-e20b3940-9e9a-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/1.12.1/kibana/visualization/windows-e20b3940-9e9a-11ea-af6f-cfdb1ee1d6c8.json new file mode 100755 index 0000000000..5bc8c71d54 --- /dev/null +++ b/packages/windows/1.12.1/kibana/visualization/windows-e20b3940-9e9a-11ea-af6f-cfdb1ee1d6c8.json 
@@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" + }, + "title": "Engine versions ran by host [Windows powershell]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Host\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"3\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Version count\",\"field\":\"powershell.engine.version\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://192.168.1.48:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"Host\",\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}},{\"accessor\":2,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"label\":\"Version count\",\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Engine versions ran by host [Windows powershell]\",\"type\":\"table\"}" + }, + "id": "windows-e20b3940-9e9a-11ea-af6f-cfdb1ee1d6c8", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + 
"default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/windows/1.12.1/kibana/visualization/windows-e64ff750-9f28-11ea-bef1-95118e62a7c1.json b/packages/windows/1.12.1/kibana/visualization/windows-e64ff750-9f28-11ea-bef1-95118e62a7c1.json new file mode 100755 index 0000000000..5fccc4cea5 --- /dev/null +++ b/packages/windows/1.12.1/kibana/visualization/windows-e64ff750-9f28-11ea-bef1-95118e62a7c1.json 
@@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" + }, + "title": "Unique users [Windows powershell]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique users\",\"field\":\"related.user\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":32,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Unique users [Windows powershell]\",\"type\":\"metric\"}" + }, + "id": "windows-e64ff750-9f28-11ea-bef1-95118e62a7c1", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/windows/1.12.1/kibana/visualization/windows-eb8277d0-c98c-11e7-9835-2f31fe08873b.json b/packages/windows/1.12.1/kibana/visualization/windows-eb8277d0-c98c-11e7-9835-2f31fe08873b.json new file mode 100755 index 0000000000..76751cae17 --- /dev/null +++ b/packages/windows/1.12.1/kibana/visualization/windows-eb8277d0-c98c-11e7-9835-2f31fe08873b.json 
@@ -0,0 +1,24 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Service States [Metrics Windows]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Latest Report\",\"field\":\"@timestamp\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Service\",\"field\":\"windows.service.display_name\",\"order\":\"asc\",\"orderBy\":\"_term\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Host\",\"field\":\"host.name\",\"order\":\"desc\",\"orderBy\":\"_term\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"State\",\"field\":\"windows.service.state\",\"order\":\"desc\",\"orderAgg\":{\"enabled\":true,\"id\":\"3-orderAgg\",\"params\":{\"field\":\"@timestamp\"},\"schema\":{\"aggFilter\":[\"!top_hits\",\"!percentiles\",\"!median\",\"!std_dev\",\"!derivative\",\"!moving_avg\",\"!serial_diff\",\"!cumulative_sum\",\"!avg_bucket\",\"!max_bucket\",\"!min_bucket\",\"!sum_bucket\"],\"deprecate\":false,\"editor\":false,\"group\":\"none\",\"hideCustomLabel\":true,\"max\":null,\"min\":0,\"name\":\"orderAgg\",\"params\":[],\"title\":\"Order Agg\"},\"type\":\"max\"},\"orderBy\":\"custom\",\"size\":1},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Startup 
Type\",\"field\":\"windows.service.start_type\",\"order\":\"desc\",\"orderAgg\":{\"enabled\":true,\"id\":\"4-orderAgg\",\"params\":{\"field\":\"@timestamp\"},\"schema\":{\"aggFilter\":[\"!top_hits\",\"!percentiles\",\"!median\",\"!std_dev\",\"!derivative\",\"!moving_avg\",\"!serial_diff\",\"!cumulative_sum\",\"!avg_bucket\",\"!max_bucket\",\"!min_bucket\",\"!sum_bucket\"],\"deprecate\":false,\"editor\":false,\"group\":\"none\",\"hideCustomLabel\":true,\"max\":null,\"min\":0,\"name\":\"orderAgg\",\"params\":[],\"title\":\"Order Agg\"},\"type\":\"max\"},\"orderBy\":\"custom\",\"size\":1},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Service States [Metrics Windows]\",\"type\":\"table\"}" + }, + "id": "windows-eb8277d0-c98c-11e7-9835-2f31fe08873b", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "metrics-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/windows/1.12.1/kibana/visualization/windows-f9fa55f0-9f34-11ea-bef1-95118e62a7c1.json b/packages/windows/1.12.1/kibana/visualization/windows-f9fa55f0-9f34-11ea-bef1-95118e62a7c1.json new file mode 100755 index 0000000000..87af19a431 --- /dev/null +++ b/packages/windows/1.12.1/kibana/visualization/windows-f9fa55f0-9f34-11ea-bef1-95118e62a7c1.json 
@@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" + }, + "title": "Host processes [Windows powershell]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"process.title\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://192.168.1.48:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"process.title: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":false,\"show\":false,\"truncate\":100,\"values\":false},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Host processes [Windows powershell]\",\"type\":\"pie\"}" + }, + "id": "windows-f9fa55f0-9f34-11ea-bef1-95118e62a7c1", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/windows/1.12.1/kibana/visualization/windows-fbb025e0-9e7c-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/1.12.1/kibana/visualization/windows-fbb025e0-9e7c-11ea-af6f-cfdb1ee1d6c8.json new file mode 100755 index 0000000000..d81f48dce2 --- /dev/null +++ b/packages/windows/1.12.1/kibana/visualization/windows-fbb025e0-9e7c-11ea-af6f-cfdb1ee1d6c8.json 
@@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" + }, + "title": "Event Levels [Windows powershell]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://192.168.1.48:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"log.level: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":false,\"show\":false,\"truncate\":100,\"values\":false},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Event Levels [Windows powershell]\",\"type\":\"pie\"}" + }, + "id": "windows-fbb025e0-9e7c-11ea-af6f-cfdb1ee1d6c8", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/windows/1.12.1/manifest.yml b/packages/windows/1.12.1/manifest.yml new file mode 100755 index 0000000000..a3632b677b --- /dev/null +++ b/packages/windows/1.12.1/manifest.yml 
@@ -0,0 +1,95 @@ +name: windows +title: Windows +version: 1.12.1 +description: Collect logs and metrics from Windows OS and services with Elastic Agent. +type: integration +categories: + - os_system + - security +icons: + - src: /img/logo_windows.svg + title: logo windows + size: 32x32 + type: image/svg+xml +format_version: 1.0.0 +license: basic +release: ga +conditions: + kibana.version: "^7.16.0 || ^8.0.0" +screenshots: + - src: /img/metricbeat-windows-service.png + title: metricbeat windows service + size: 3142x1834 + type: image/png +policy_templates: + - name: windows + title: Windows logs and metrics + description: Collect logs and metrics from Windows instances + inputs: + - type: winlog + title: 'Collect events from the following Windows event log channels:' + description: 'Collecting events from Windows event log' + - type: windows/metrics + title: Collect Windows perfmon and service metrics + description: Collecting perfmon and service metrics from Windows instances + - type: httpjson + title: Collect logs from third-party REST API (experimental) + description: Collect logs from third-party REST API (experimental) + vars: + - name: url + type: text + title: URL of Splunk Enterprise Server + description: i.e. scheme://host:port, path is automatic + show_user: true + required: true + default: https://server.example.com:8089 + - name: username + type: text + title: Splunk REST API Username + show_user: true + required: false + - name: password + type: password + title: Splunk REST API Password + show_user: true + required: false + - name: token + type: password + title: Splunk Authorization Token + description: | + Bearer Token or Session Key, e.g. "Bearer eyJFd3e46..." + or "Splunk 192fd3e...". Cannot be used with username + and password. + show_user: true + required: false + - name: ssl + type: yaml + title: SSL Configuration + description: i.e. certificate_authorities, supported_protocols, verification_mode etc. 
+ multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- +owner: + github: elastic/integrations
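Review bot: The httpjson `url` var is marked `required: true` yet ships `default: https://server.example.com:8089`, so the placeholder satisfies the required check and a policy saved without editing it would attempt to reach an example host instead of failing validation. Either drop the `default` so the operator must supply the endpoint, or keep it only as documentation in the `description`. That description, `i.e. scheme://host:port, path is automatic`, should also read `e.g. scheme://host:port; the REST path is appended automatically`, since it gives an example rather than a restatement. The hunk starts at the `@@ -0,0 +1,95 @@` header above and appears to end at `owner.github`, but its last line coincides with the end of the visible chunk.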