CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #7117 from Security-Onion-Solutions/feature/winlog_dtc_mappings

Browse Source 
Add winlog mappings
This commit is contained in:
weslambert
2022-02-04 12:16:16 -05:00
committed by GitHub
parent 66452b14ef 69cb83cac9
commit 898db542bf
4 changed files with 609 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

603
salt/elasticsearch/templates/component/ecs/winlog.json Normal file
View File

@@ -0,0 +1,603 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"dynamic_templates": [
{
"winlog.event_data": {
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string",
"path_match": "winlog.event_data.*"
}
},
{
"winlog.user_data": {
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string",
"path_match": "winlog.user_data.*"
}
}
],
"properties": {
"winlog": {
"properties": {
"activity_id": {
"ignore_above": 1024,
"type": "keyword"
},
"api": {
"ignore_above": 1024,
"type": "keyword"
},
"channel": {
"ignore_above": 1024,
"type": "keyword"
},
"computer_name": {
"ignore_above": 1024,
"type": "keyword"
},
"event_data": {
"properties": {
"AuthenticationPackageName": {
"ignore_above": 1024,
"type": "keyword"
},
"Binary": {
"ignore_above": 1024,
"type": "keyword"
},
"BitlockerUserInputTime": {
"ignore_above": 1024,
"type": "keyword"
},
"BootMode": {
"ignore_above": 1024,
"type": "keyword"
},
"BootType": {
"ignore_above": 1024,
"type": "keyword"
},
"BuildVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"Company": {
"ignore_above": 1024,
"type": "keyword"
},
"CorruptionActionState": {
"ignore_above": 1024,
"type": "keyword"
},
"CreationUtcTime": {
"ignore_above": 1024,
"type": "keyword"
},
"Description": {
"ignore_above": 1024,
"type": "keyword"
},
"Detail": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceName": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceNameLength": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceTime": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceVersionMajor": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceVersionMinor": {
"ignore_above": 1024,
"type": "keyword"
},
"DriveName": {
"ignore_above": 1024,
"type": "keyword"
},
"DriverName": {
"ignore_above": 1024,
"type": "keyword"
},
"DriverNameLength": {
"ignore_above": 1024,
"type": "keyword"
},
"DwordVal": {
"ignore_above": 1024,
"type": "keyword"
},
"EntryCount": {
"ignore_above": 1024,
"type": "keyword"
},
"ExtraInfo": {
"ignore_above": 1024,
"type": "keyword"
},
"FailureName": {
"ignore_above": 1024,
"type": "keyword"
},
"FailureNameLength": {
"ignore_above": 1024,
"type": "keyword"
},
"FileVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"FinalStatus": {
"ignore_above": 1024,
"type": "keyword"
},
"Group": {
"ignore_above": 1024,
"type": "keyword"
},
"IdleImplementation": {
"ignore_above": 1024,
"type": "keyword"
},
"IdleStateCount": {
"ignore_above": 1024,
"type": "keyword"
},
"ImpersonationLevel": {
"ignore_above": 1024,
"type": "keyword"
},
"IntegrityLevel": {
"ignore_above": 1024,
"type": "keyword"
},
"IpAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"IpPort": {
"ignore_above": 1024,
"type": "keyword"
},
"KeyLength": {
"ignore_above": 1024,
"type": "keyword"
},
"LastBootGood": {
"ignore_above": 1024,
"type": "keyword"
},
"LastShutdownGood": {
"ignore_above": 1024,
"type": "keyword"
},
"LmPackageName": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonId": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonType": {
"ignore_above": 1024,
"type": "keyword"
},
"MajorVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"MaximumPerformancePercent": {
"ignore_above": 1024,
"type": "keyword"
},
"MemberName": {
"ignore_above": 1024,
"type": "keyword"
},
"MemberSid": {
"ignore_above": 1024,
"type": "keyword"
},
"MinimumPerformancePercent": {
"ignore_above": 1024,
"type": "keyword"
},
"MinimumThrottlePercent": {
"ignore_above": 1024,
"type": "keyword"
},
"MinorVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"NewProcessId": {
"ignore_above": 1024,
"type": "keyword"
},
"NewProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"NewSchemeGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"NewTime": {
"ignore_above": 1024,
"type": "keyword"
},
"NominalFrequency": {
"ignore_above": 1024,
"type": "keyword"
},
"Number": {
"ignore_above": 1024,
"type": "keyword"
},
"OldSchemeGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"OldTime": {
"ignore_above": 1024,
"type": "keyword"
},
"OriginalFileName": {
"ignore_above": 1024,
"type": "keyword"
},
"Path": {
"ignore_above": 1024,
"type": "keyword"
},
"PerformanceImplementation": {
"ignore_above": 1024,
"type": "keyword"
},
"PreviousCreationUtcTime": {
"ignore_above": 1024,
"type": "keyword"
},
"PreviousTime": {
"ignore_above": 1024,
"type": "keyword"
},
"PrivilegeList": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessId": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessPath": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessPid": {
"ignore_above": 1024,
"type": "keyword"
},
"Product": {
"ignore_above": 1024,
"type": "keyword"
},
"PuaCount": {
"ignore_above": 1024,
"type": "keyword"
},
"PuaPolicyId": {
"ignore_above": 1024,
"type": "keyword"
},
"QfeVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"Reason": {
"ignore_above": 1024,
"type": "keyword"
},
"SchemaVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"ScriptBlockText": {
"ignore_above": 1024,
"type": "keyword"
},
"ServiceName": {
"ignore_above": 1024,
"type": "keyword"
},
"ServiceVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"ShutdownActionType": {
"ignore_above": 1024,
"type": "keyword"
},
"ShutdownEventCode": {
"ignore_above": 1024,
"type": "keyword"
},
"ShutdownReason": {
"ignore_above": 1024,
"type": "keyword"
},
"Signature": {
"ignore_above": 1024,
"type": "keyword"
},
"SignatureStatus": {
"ignore_above": 1024,
"type": "keyword"
},
"Signed": {
"ignore_above": 1024,
"type": "keyword"
},
"StartTime": {
"ignore_above": 1024,
"type": "keyword"
},
"State": {
"ignore_above": 1024,
"type": "keyword"
},
"Status": {
"ignore_above": 1024,
"type": "keyword"
},
"StopTime": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectDomainName": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectLogonId": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectUserName": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectUserSid": {
"ignore_above": 1024,
"type": "keyword"
},
"TSId": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetDomainName": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetInfo": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetLogonGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetLogonId": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetServerName": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetUserName": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetUserSid": {
"ignore_above": 1024,
"type": "keyword"
},
"TerminalSessionId": {
"ignore_above": 1024,
"type": "keyword"
},
"TokenElevationType": {
"ignore_above": 1024,
"type": "keyword"
},
"TransmittedServices": {
"ignore_above": 1024,
"type": "keyword"
},
"UserSid": {
"ignore_above": 1024,
"type": "keyword"
},
"Version": {
"ignore_above": 1024,
"type": "keyword"
},
"Workstation": {
"ignore_above": 1024,
"type": "keyword"
},
"param1": {
"ignore_above": 1024,
"type": "keyword"
},
"param2": {
"ignore_above": 1024,
"type": "keyword"
},
"param3": {
"ignore_above": 1024,
"type": "keyword"
},
"param4": {
"ignore_above": 1024,
"type": "keyword"
},
"param5": {
"ignore_above": 1024,
"type": "keyword"
},
"param6": {
"ignore_above": 1024,
"type": "keyword"
},
"param7": {
"ignore_above": 1024,
"type": "keyword"
},
"param8": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event_id": {
"ignore_above": 1024,
"type": "keyword"
},
"keywords": {
"ignore_above": 1024,
"type": "keyword"
},
"logon": {
"properties": {
"failure": {
"properties": {
"reason": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"sub_status": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"opcode": {
"ignore_above": 1024,
"type": "keyword"
},
"process": {
"properties": {
"pid": {
"type": "long"
},
"thread": {
"properties": {
"id": {
"type": "long"
}
}
}
}
},
"provider_guid": {
"ignore_above": 1024,
"type": "keyword"
},
"provider_name": {
"ignore_above": 1024,
"type": "keyword"
},
"record_id": {
"ignore_above": 1024,
"type": "keyword"
},
"related_activity_id": {
"ignore_above": 1024,
"type": "keyword"
},
"task": {
"ignore_above": 1024,
"type": "keyword"
},
"time_created": {
"type": "date"
},
"user": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"identifier": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"user_data": {
"type": "object"
},
"version": {
"type": "long"
}
}
}
}
}
}
}

3
salt/elasticsearch/templates/index/so/so-beats-template.json.jinja
View File

@@ -92,7 +92,8 @@
"dtc-user-mappings", "dtc-user-mappings",
"vulnerability-mappings", "vulnerability-mappings",
"common-settings", "common-settings",
"common-dynamic-mappings" "common-dynamic-mappings",
"winlog-mappings"
], ],
"priority": {{ PRIORITY }}, "priority": {{ PRIORITY }},
"_meta": { "_meta": {

3
salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja
View File

@@ -92,7 +92,8 @@
"dtc-user-mappings", "dtc-user-mappings",
"vulnerability-mappings", "vulnerability-mappings",
"common-settings", "common-settings",
"common-dynamic-mappings" "common-dynamic-mappings",
"winlog-mappings"
], ],
"priority": {{ PRIORITY }}, "priority": {{ PRIORITY }},
"_meta": { "_meta": {

3
salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja
View File

@@ -92,7 +92,8 @@
"dtc-user-mappings", "dtc-user-mappings",
"vulnerability-mappings", "vulnerability-mappings",
"common-settings", "common-settings",
"common-dynamic-mappings" "common-dynamic-mappings",
"winlog-mappings"
], ],
"priority": {{ PRIORITY }}, "priority": {{ PRIORITY }},
"_meta": { "_meta": {