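# Author: Wes Lambert
# wlambertts@gmail.com
#
# This conf file is based on accepting Sysmon logs from OSSEC
#
# Two input shapes are handled:
#   * plain-text OSSEC/WinEvtLog lines, parsed with grok below; the OSSEC
#     header is parsed first, then the Sysmon body is parsed per event_id
#     (1 process create, 3 network connect, 5 process terminate, 11 file create)
#   * JSON alerts (message looks like {...}), where the fields are only
#     renamed to the same names the grok path produces
#
# Field names are shared by both paths so that downstream searches and
# dashboards do not have to know which collector version produced the event.
#
# Parse using grok
filter {
  # OSSEC Logs and Alerts
  if [type] == "sysmon" or "sysmon" in [tags] {
    if [message] !~ /^{.*}$/ {
      #mutate { replace => { "type" => "sysmon" } }
      grok {
        # match => ["message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{IP:source_ip}->WinEvtLog %{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION\(%{INT:sysmon_event_id}\):"]
        # OSSEC header: "(any|IP)->WinEvtLog" is the agent address; everything
        # after "INFORMATION(<id>):" is handed to the per-event patterns below
        # as rest_of_msg. The original "message" is never removed, so the raw
        # text stays available when a pattern does not match.
        match => ["message", "%{YEAR:year}%{SPACE}%{SYSLOGTIMESTAMP:timestamp}%{SPACE}%{DATA:location}%{SPACE}(any|%{IP:source_ip})->WinEvtLog%{SPACE}%{YEAR:year}%{SPACE}%{SYSLOGTIMESTAMP:ossec_timestamp}%{SPACE}WinEvtLog:%{SPACE}Microsoft-Windows-Sysmon/Operational:%{SPACE}INFORMATION\(%{INT:event_id}\):%{SPACE}%{GREEDYDATA:rest_of_msg}"]
      }
      mutate {
        convert => ["event_id", "integer"]
        # "year" is captured twice by the header pattern (OSSEC and WinEvtLog
        # timestamps); neither it nor the syslog timestamp is kept.
        remove_field => ["timestamp"]
        remove_field => ["year"]
      }

      # ProcessGuid / ParentProcessGuid / LogonGuid are brace-delimited GUID
      # strings (see the \{...\} in the patterns). They must NOT be converted
      # to integer: mutate's integer conversion turns a non-numeric string
      # into 0, which destroys the key used to correlate events 1/3/5/11
      # for the same process.

      if [event_id] == 1 {
        grok {
          # Patterns are tried in order and the first match wins, so the
          # quoted-Image form ("C:\Program Files\...") goes first: the
          # unquoted form splits process_name at the first space and would
          # otherwise mis-parse a quoted path that contains spaces.
          match => ["rest_of_msg", 'Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}"%{DATA:process_name}"%{SPACE}%{DATA:process_arguments}%{SPACE}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}\{%{DATA:logon_guid}\}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{SPACE}%{DATA:integrity_level}%{SPACE}Hashes:%{SPACE}MD5=%{DATA:md5},SHA256=%{DATA:sha256}%{SPACE}ParentProcessGuid:%{SPACE}\{%{DATA:parent_process_guid}\}%{SPACE}ParentProcessId:%{SPACE}%{NONNEGINT:parent_process_id}%{SPACE}ParentImage:%{SPACE}%{DATA:parent_image_path}%{SPACE}ParentCommandLine:%{SPACE}%{GREEDYDATA:parent_process_name}',
                    # Unquoted Image: process_name is the text up to the first space.
                    "rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}%{DATA:process_name} %{DATA:process_arguments}%{SPACE}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}\{%{DATA:logon_guid}\}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{SPACE}%{DATA:integrity_level}%{SPACE}Hashes:%{SPACE}MD5=%{DATA:md5},SHA256=%{DATA:sha256}%{SPACE}ParentProcessGuid:%{SPACE}\{%{DATA:parent_process_guid}\}%{SPACE}ParentProcessId:%{SPACE}%{NONNEGINT:parent_process_id}%{SPACE}ParentImage:%{SPACE}%{DATA:parent_image_path}%{SPACE}ParentCommandLine:%{SPACE}%{GREEDYDATA:parent_process_name}",
                    # NOTE(review): this last pattern expects the channel prefix
                    # "Microsoft-Windows-Sysmon/Operational: INFORMATION(..):",
                    # which the header grok already consumed before rest_of_msg;
                    # it looks unreachable for that reason -- confirm and drop.
                    "rest_of_msg", "Microsoft-Windows-Sysmon/Operational:%{SPACE}INFORMATION(%{INT:event_id}):%{SPACE}Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}{%{DATA:process_guid}}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}%{DATA:process_name}%{SPACE}%{DATA:process_arguments}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}{%{DATA:logon_guid}}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{SPACE}%{DATA:integrity_level}%{SPACE}Hashes:%{SPACE}MD5=%{DATA:md5},SHA256=%{DATA:sha256}%{SPACE}ParentProcessGuid:%{SPACE}{%{DATA:parent_process_guid}}%{SPACE}ParentProcessId:%{SPACE}%{NONNEGINT:parent_process_id}%{SPACE}ParentImage:%{SPACE}%{DATA:parent_image_path}%{SPACE}ParentCommandLine:%{SPACE}%{GREEDYDATA:parent_process_name}"]
        }
        mutate {
          convert => ["process_id", "integer"]
          add_tag => ["process_creation"]
        }
      }

      if [event_id] == 3 {
        # The header grok already set source_ip to the OSSEC agent address;
        # drop it so the connection's SourceIp takes the field instead of
        # turning it into a two-element array. For other event ids source_ip
        # keeps meaning "agent address".
        mutate { remove_field => ["source_ip"] }
        grok {
          match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}Protocol:%{SPACE}%{DATA:protocol}%{SPACE}Initiated:%{SPACE}%{DATA:initiated}%{SPACE}SourceIsIpv6:%{SPACE}%{DATA:is_source_ipv6}%{SPACE}SourceIp:%{SPACE}%{IP:source_ip}%{SPACE}SourceHostname:%{SPACE}%{DATA:source_hostname}%{SPACE}SourcePort:%{SPACE}%{NONNEGINT:source_port}%{SPACE}SourcePortName:%{SPACE}%{DATA:source_port_name}%{SPACE}DestinationIsIpv6:%{SPACE}%{DATA:dest_is_ipv6}%{SPACE}DestinationIp:%{SPACE}%{IP:destination_ip}%{SPACE}DestinationHostname:%{SPACE}%{DATA:destination_hostname}%{SPACE}DestinationPort:%{SPACE}%{NONNEGINT:destination_port}%{SPACE}DestinationPortName:%{SPACE}%{GREEDYDATA:destination_port_name}"]
        }
        mutate {
          convert => ["process_id", "integer"]
          convert => ["source_port", "integer"]
          convert => ["destination_port", "integer"]
          add_tag => ["network_connection"]
        }
      }

      if [event_id] == 5 {
        grok {
          match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{GREEDYDATA:image_path}"]
        }
        mutate {
          convert => ["process_id", "integer"]
          add_tag => ["process_termination"]
        }
      }

      if [event_id] == 11 {
        grok {
          # creation_time is the last field, so it is captured with GREEDYDATA:
          # a trailing %{DATA} (non-greedy) with nothing after it matches the
          # empty string and would leave creation_time blank.
          match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}TargetFilename:%{SPACE}%{DATA:target_filename}%{SPACE}CreationUtcTime:%{SPACE}%{GREEDYDATA:creation_time}"]
        }
        mutate {
          convert => ["process_id", "integer"]
          # the original pattern tolerated trailing whitespace after the timestamp
          strip => ["creation_time"]
          add_tag => ["file_created"]
        }
      }

      # rest_of_msg was only an intermediate; the raw "message" is kept.
      mutate { remove_field => ["rest_of_msg"] }
    } else {
      # JSON alert: map collector-specific paths onto the field names the
      # grok path produces. Renaming a path that is absent is a no-op, so all
      # three layouts can be attempted on every event.
      mutate {
        rename => { "[data][srcuser]" => "username" }
        rename => { "[data][id]" => "event_id" }
        rename => { "[data][dstport]" => "destination_port" }
        rename => { "[data][dstip]" => "destination_ip" }
        rename => { "[data][srcip]" => "source_ip" }
        rename => { "[data][sysmon][image]" => "image_path" }
        rename => { "[data][sysmon][parentImage]" => "parent_image_path" }
        rename => { "[data][sysmon][targetfilename]" => "target_filename" }
        rename => { "[data][sysmon][sourceHostname]" => "source_hostname" }
        rename => { "[data][sysmon][destinationHostname]" => "destination_hostname" }
      }

      # Wazuh 3.8.2
      if [data][EventChannel] {
        mutate {
          rename => { "[data][EventChannel][EventData][User]" => "username" }
          rename => { "[data][EventChannel][System][EventID]" => "event_id" }
          rename => { "[data][EventChannel][EventData][DestinationPort]" => "destination_port" }
          rename => { "[data][EventChannel][EventData][DestinationIp]" => "destination_ip" }
          rename => { "[data][EventChannel][EventData][SourcePort]" => "source_port" }
          rename => { "[data][EventChannel][EventData][SourceIp]" => "source_ip" }
          rename => { "[data][EventChannel][EventData][Image]" => "image_path" }
          rename => { "[data][EventChannel][EventData][ParentImage]" => "parent_image_path" }
          rename => { "[data][EventChannel][EventData][TargetFilename]" => "target_filename" }
          rename => { "[data][EventChannel][EventData][SourceHostname]" => "source_hostname" }
          rename => { "[data][EventChannel][EventData][DestinationHostname]" => "destination_hostname" }
        }
      }

      # Wazuh 3.9.2
      if [data][win] {
        mutate {
          rename => { "[data][win][eventdata][user]" => "username" }
          rename => { "[data][win][system][eventID]" => "event_id" }
          rename => { "[data][win][eventdata][destinationPort]" => "destination_port" }
          rename => { "[data][win][eventdata][destinationIp]" => "destination_ip" }
          rename => { "[data][win][eventdata][sourcePort]" => "source_port" }
          rename => { "[data][win][eventdata][sourceIp]" => "source_ip" }
          rename => { "[data][win][eventdata][image]" => "image_path" }
          rename => { "[data][win][eventdata][parentImage]" => "parent_image_path" }
          rename => { "[data][win][eventdata][targetFilename]" => "target_filename" }
          rename => { "[data][win][eventdata][sourceHostname]" => "source_hostname" }
          rename => { "[data][win][eventdata][destinationHostname]" => "destination_hostname" }
        }
      }

      # Keep event_id the same type as on the grok path (integer), so that
      # [event_id] == N conditionals and index mappings behave the same for
      # both input shapes. No-op when the field is absent.
      mutate { convert => ["event_id", "integer"] }
    }
  }
}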