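# Author: Wes Lambert
# wlambertts@gmail.com
#
# This conf file is based on accepting Sysmon logs from OSSEC
#
# Parse using grok
#
# Two input shapes are handled and normalised onto one field set (event_id,
# image_path, source_ip, destination_port, ...):
#   * a raw OSSEC/Wazuh line wrapping a WinEvtLog Sysmon record -> grok branch
#   * a JSON document, which is expected to already be decoded under [data]
#     (rename branch; the decoding itself is not done in this file)
#
# Field-type note: event_id is converted to an integer in the grok branch only.
# The JSON branch leaves it as whatever the decoded document carried, so the
# two branches may index event_id with different types -- confirm against the
# index template before relying on numeric comparisons downstream.
filter {
  # OSSEC Logs and Alerts
  if [type] == "sysmon" or "sysmon" in [tags] {
    # Non-JSON message: everything up to and including "INFORMATION(<id>):" is
    # the OSSEC/WinEvtLog envelope. The Sysmon payload lands in rest_of_msg and
    # is parsed by the per-event-id groks below.
    if [message] !~ /^{.*}$/ {
      #mutate { replace => { "type" => "sysmon" } }
      grok {
        # match => ["message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{IP:source_ip}->WinEvtLog %{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION\(%{INT:sysmon_event_id}\):"]
        # source_ip here is the OSSEC agent address from the envelope
        # ("any" when the agent did not report one), not a Sysmon field.
        match => ["message", "%{YEAR:year}%{SPACE}%{SYSLOGTIMESTAMP:timestamp}%{SPACE}%{DATA:location}%{SPACE}(any|%{IP:source_ip})->WinEvtLog%{SPACE}%{YEAR:year}%{SPACE}%{SYSLOGTIMESTAMP:ossec_timestamp}%{SPACE}WinEvtLog:%{SPACE}Microsoft-Windows-Sysmon/Operational:%{SPACE}INFORMATION\(%{INT:event_id}\):%{SPACE}%{GREEDYDATA:rest_of_msg}"]
      }
      mutate {
        # event_id must be numeric for the == comparisons below.
        convert => { "event_id" => "integer" }
        # The envelope timestamps are discarded. No date filter runs in this
        # file, so @timestamp is not derived from them -- presumably handled
        # elsewhere in the pipeline; confirm.
        remove_field => ["timestamp", "year"]
      }

      # Event ID 1: process creation.
      # Patterns are tried in order. The first expects an unquoted CommandLine
      # with Hashes and parent-process fields; the second handles a quoted
      # executable path and stops at IntegrityLevel. The third begins with the
      # channel name ("Microsoft-Windows-Sysmon/Operational: INFORMATION(...)"),
      # which the envelope grok above has already consumed before rest_of_msg
      # starts, so it appears unreachable for input produced by this file; it is
      # kept unchanged rather than removed.
      # The Hashes capture is fixed to "MD5=...,SHA256=..."; a Sysmon
      # HashAlgorithms setting that emits a different set will not match and the
      # event is tagged _grokparsefailure.
      if [event_id] == 1 {
        grok {
          match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}%{DATA:process_name} %{DATA:process_arguments}%{SPACE}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}\{%{DATA:logon_guid}\}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{SPACE}%{DATA:integrity_level}%{SPACE}Hashes:%{SPACE}MD5=%{DATA:md5},SHA256=%{DATA:sha256}%{SPACE}ParentProcessGuid:%{SPACE}\{%{DATA:parent_process_guid}\}%{SPACE}ParentProcessId:%{SPACE}%{NONNEGINT:parent_process_id}%{SPACE}ParentImage:%{SPACE}%{DATA:parent_image_path}%{SPACE}ParentCommandLine:%{SPACE}%{GREEDYDATA:parent_process_name}",
                    "rest_of_msg", 'Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}"%{DATA:process_name}"%{SPACE}%{DATA:process_arguments}%{SPACE}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}\{%{DATA:logon_guid}\}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{DATA:integrity_level}',
                    "rest_of_msg", "Microsoft-Windows-Sysmon/Operational:%{SPACE}INFORMATION(%{INT:event_id}):%{SPACE}Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}{%{DATA:process_guid}}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}%{DATA:process_name}%{SPACE}%{DATA:process_arguments}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}{%{DATA:logon_guid}}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{SPACE}%{DATA:integrity_level}%{SPACE}Hashes:%{SPACE}MD5=%{DATA:md5},SHA256=%{DATA:sha256}%{SPACE}ParentProcessGuid:%{SPACE}{%{DATA:parent_process_guid}}%{SPACE}ParentProcessId:%{SPACE}%{NONNEGINT:parent_process_id}%{SPACE}ParentImage:%{SPACE}%{DATA:parent_image_path}%{SPACE}ParentCommandLine:%{SPACE}%{GREEDYDATA:parent_process_name}"]
        }
        mutate {
          # process_guid is the brace-delimited GUID captured by
          # \{%{DATA:process_guid}\} above, not a number; it stays a string.
          # (It was previously converted to integer, which cannot succeed.)
          convert => { "process_id" => "integer" }
          add_tag => ["process_creation"]
        }
      }

      # Event ID 3: network connection.
      if [event_id] == 3 {
        mutate {
          # The envelope grok already set source_ip (agent address). The grok
          # below captures SourceIp into the same field; dropping the envelope
          # value first keeps source_ip a single value instead of an array.
          remove_field => ["source_ip"]
        }
        grok {
          match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}Protocol:%{SPACE}%{DATA:protocol}%{SPACE}Initiated:%{SPACE}%{DATA:initiated}%{SPACE}SourceIsIpv6:%{SPACE}%{DATA:is_source_ipv6}%{SPACE}SourceIp:%{SPACE}%{IP:source_ip}%{SPACE}SourceHostname:%{SPACE}%{DATA:source_hostname}%{SPACE}SourcePort:%{SPACE}%{NONNEGINT:source_port}%{SPACE}SourcePortName:%{SPACE}%{DATA:source_port_name}%{SPACE}DestinationIsIpv6:%{SPACE}%{DATA:dest_is_ipv6}%{SPACE}DestinationIp:%{SPACE}%{IP:destination_ip}%{SPACE}DestinationHostname:%{SPACE}%{DATA:destination_hostname}%{SPACE}DestinationPort:%{SPACE}%{NONNEGINT:destination_port}%{SPACE}DestinationPortName:%{SPACE}%{GREEDYDATA:destination_port_name}"]
        }
        mutate {
          # process_guid is a GUID string (see capture above); not converted.
          convert => {
            "process_id"       => "integer"
            "source_port"      => "integer"
            "destination_port" => "integer"
          }
          add_tag => ["network_connection"]
        }
      }

      # Event ID 5: process termination.
      if [event_id] == 5 {
        grok {
          match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{GREEDYDATA:image_path}"]
        }
        mutate {
          # process_guid is a GUID string (see capture above); not converted.
          convert => { "process_id" => "integer" }
          add_tag => ["process_termination"]
        }
      }

      # Event ID 11: file created.
      if [event_id] == 11 {
        grok {
          match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}TargetFilename:%{SPACE}%{DATA:target_filename}%{SPACE}CreationUtcTime:%{SPACE}%{DATA:creation_time}%{SPACE}"]
        }
        mutate {
          # process_guid is a GUID string (see capture above); not converted.
          convert => { "process_id" => "integer" }
          add_tag => ["file_created"]
        }
      }

      mutate {
        # Dropped unconditionally, including when one of the event-id groks
        # above failed (_grokparsefailure). The full original line is still
        # available in message for triage of unparsed events.
        remove_field => ["rest_of_msg"]
      }
    } else {
      # JSON message. Assumes an earlier filter decoded it under [data]
      # (the field names below are the Wazuh/OSSEC JSON layout) -- confirm.
      # Older Wazuh layout.
      mutate {
        rename => {
          "[data][srcuser]"                     => "username"
          "[data][id]"                          => "event_id"
          "[data][dstport]"                     => "destination_port"
          "[data][dstip]"                       => "destination_ip"
          "[data][srcip]"                       => "source_ip"
          "[data][sysmon][image]"               => "image_path"
          "[data][sysmon][parentImage]"         => "parent_image_path"
          "[data][sysmon][targetfilename]"      => "target_filename"
          "[data][sysmon][sourceHostname]"      => "source_hostname"
          "[data][sysmon][destinationHostname]" => "destination_hostname"
        }
      }

      # Wazuh 3.8.2
      # Note that when both this layout and the one above are present in the
      # same document, these renames overwrite the target fields set above.
      if [data][EventChannel] {
        mutate {
          rename => {
            "[data][EventChannel][EventData][User]"                => "username"
            "[data][EventChannel][System][EventID]"                => "event_id"
            "[data][EventChannel][EventData][DestinationPort]"     => "destination_port"
            "[data][EventChannel][EventData][DestinationIp]"       => "destination_ip"
            "[data][EventChannel][EventData][SourcePort]"          => "source_port"
            "[data][EventChannel][EventData][SourceIp]"            => "source_ip"
            "[data][EventChannel][EventData][Image]"               => "image_path"
            "[data][EventChannel][EventData][ParentImage]"         => "parent_image_path"
            "[data][EventChannel][EventData][TargetFilename]"      => "target_filename"
            "[data][EventChannel][EventData][SourceHostname]"      => "source_hostname"
            "[data][EventChannel][EventData][DestinationHostname]" => "destination_hostname"
          }
        }
      }

      # Wazuh 3.9.2
      if [data][win] {
        mutate {
          rename => {
            "[data][win][eventdata][user]"                => "username"
            "[data][win][system][eventID]"                => "event_id"
            "[data][win][eventdata][destinationPort]"     => "destination_port"
            "[data][win][eventdata][destinationIp]"       => "destination_ip"
            "[data][win][eventdata][sourcePort]"          => "source_port"
            "[data][win][eventdata][sourceIp]"            => "source_ip"
            "[data][win][eventdata][image]"               => "image_path"
            "[data][win][eventdata][parentImage]"         => "parent_image_path"
            "[data][win][eventdata][targetFilename]"      => "target_filename"
            "[data][win][eventdata][sourceHostname]"      => "source_hostname"
            "[data][win][eventdata][destinationHostname]" => "destination_hostname"
          }
        }
      }
    }
  }
}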