# Author: Wes Lambert
#
# Last Update: 09/24/2018
#
# This conf file is based on accepting Sysmon logs from winlogbeat

filter {
  if "beat" in [tags] and [source_name] =~ "Microsoft-Windows-Sysmon" {
      mutate {
        replace => { "type" => "sysmon" }
        rename => { "[event_data][User]" => "username" }
        rename => { "[event_data][DestinationPort]" => "destination_port" }
        rename => { "[event_data][DestinationIp]" => "destination_ip" }
        rename => { "[event_data][SourceIp]" => "source_ip" }
        rename => { "[event_data][Image]" => "image_path" }
        rename => { "[event_data][ParentImage]" => "parent_image_path" }
        rename => { "[data][sysmon][targetfilename]" => "target_filename" }
        rename => { "[event_data][SourceHostname]" => "source_hostname" }
        rename => { "[event_data][DestinationHostname]" => "destination_hostname" }
	rename => { "[event_data][TargetFilename]" => "target_filename" }
      }
  }
}