securityonion/salt/logstash/pipelines/config/so/6300_windows.conf


# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [type] == "windows" {
# json {
# source => "message"
# }
# Promote NXLog's EventTime to @timestamp and drop the original field once it parses.
# No "timezone" is set, so the date filter reads EventTime in the Logstash host's
# local zone; if the Windows hosts write local time in a different zone the
# resulting @timestamp is skewed — TODO confirm against the NXLog output config.
# remove_field only runs on a successful parse; on failure EventTime is kept and
# the event gets the filter's default _dateparsefailure tag.
date {
  match => ["EventTime", "YYYY-MM-dd HH:mm:ss"]
  remove_field => [ "EventTime" ]
}
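# Logon / logoff tagging. Legacy (pre-Vista, 5xx) and current (4xxx) Security-log
# event IDs are both listed so the same tags apply regardless of OS generation.
# Tags: "logoff", "logon", "logon_failure". "alert_data" marks events that
# downstream alerting should pick up (inferred from the name — TODO confirm consumer).
if [EventID] == 4634 {
  mutate {
    add_tag => [ "logoff" ]
  }
}
if [EventID] == 4624 or [EventID] == 528 or [EventID] == 540 or [EventID] == 552 or [EventID] == 682 or [EventID] == 4648 or [EventID] == 4778 {
  mutate {
    # One add_tag carrying both values instead of two add_tag keys in the same
    # mutate (the form the new_service block further down already uses); this
    # no longer relies on the config compiler merging duplicate attribute keys.
    add_tag => [ "logon", "alert_data" ]
  }
}
# 536 and 4625 were each listed twice in the original condition; deduplicated.
if [EventID] == 529 or [EventID] == 530 or [EventID] == 531 or [EventID] == 532 or [EventID] == 533 or [EventID] == 534 or [EventID] == 535 or [EventID] == 536 or [EventID] == 537 or [EventID] == 538 or [EventID] == 539 or [EventID] == 4625 or [EventID] == 4771 {
  mutate {
    add_tag => [ "logon_failure", "alert_data" ]
  }
}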
# Critical event IDs to monitor — tagged "alert_data" unconditionally.
# Usual Security-log meanings: 4720 user created, 4722 user enabled, 4724 password
# reset attempt, 4738 account changed, 4732 member added to a security-enabled
# local group, 1102 audit log cleared, 7030 service marked interactive;
# 8003/8004/8006/8007 are the AppLocker audit/block events. 1056, 2003 and 2005
# are low-numbered IDs shared by several providers — TODO confirm which log they
# are meant for. [Channel] is not checked anywhere in this condition, so any
# provider that reuses one of these numbers will be tagged as well.
if [EventID] == 7030 or [EventID] == 4720 or [EventID] == 4722 or [EventID] == 4724 or [EventID] == 4738 or [EventID] == 4732 or [EventID] == 1102 or [EventID] == 1056 or [EventID] == 2003 or [EventID] == 2005 or [EventID] == 8003 or [EventID] == 8004 or [EventID] == 8006 or [EventID] == 8007 {
  mutate {
    add_tag => [ "alert_data" ]
  }
}
# Drop events considered too noisy for this deployment. (The heading here was a
# copy-paste of the "critical event IDs" heading above; these are drops, not alerts.)
# A drop is permanent — the event never reaches storage — so review before reuse:
#  - 5152: WFP blocked a packet.
#  - 4688: Security-log process creation. Presumably treated as redundant with the
#    Sysmon process-create event, like 4689 below; if Sysmon is not on every host
#    this removes process-creation visibility entirely — TODO confirm coverage.
#  - 4689: process termination, redundant with Sysmon per the original comment.
#  - Known Folders API Service channel: pure noise.
#  - EventID 3 with an address ending in "255": meant to drop broadcast traffic
#    from Sysmon network-connect events. [Channel] is not checked, and "255$" is
#    a textual suffix match (10.1.2.255 is a valid host in a /16), so legitimate
#    connections can be dropped too — TODO confirm this is acceptable.
if [EventID] == 5152 { drop {} }
if [EventID] == 4688 { drop {} }
if [EventID] == 4689 { drop {} } # Process Termination:Not needed due to Sysmon
if [Channel] == "Microsoft-Windows-Known Folders API Service" { drop {} }
if [EventID] == 3 and [SourceIp] =~ "255$" { drop {} }
if [EventID] == 3 and [DestinationIp] =~ "255$" { drop {} }
# Whitelist/Blacklist check for newly installed services (System log 7045).
# ServiceName is looked up in a YAML dictionary of known services; the result
# is written to ServiceCheck only on a hit (no fallback is configured). The
# dictionary path is absolute and must exist on every Logstash node — TODO
# confirm it is shipped alongside this pipeline.
if [EventID] == 7045 {
  translate {
    field => "ServiceName"
    destination => "ServiceCheck"
    dictionary_path => "/lib/dictionaries/services.yaml"
  }
}
# No dictionary hit => unknown service => alert as a new service.
if [EventID] == 7045 and !([ServiceCheck]) {
  mutate {
    add_tag => [ "alert_data","new_service" ]
  }
}
# Known-good service: replace the lookup result with a "whitelist" tag.
if [ServiceCheck] == 'whitelist' {
  mutate {
    remove_field => [ "ServiceCheck" ]
    add_tag => [ "whitelist" ]
  }
}
# Known-bad service: tagged "blacklist" only. NOTE(review): unlike the
# new_service branch this does not add "alert_data", so a blacklisted service
# install is not surfaced to whatever consumes that tag — confirm this is
# intended rather than an omission.
if [ServiceCheck] == 'blacklist' {
  mutate {
    remove_field => [ "ServiceCheck" ]
    add_tag => [ "blacklist" ]
  }
}
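# Site-specific suppressions. 5158 is the Filtering Platform "permitted a bind to
# a local port" event; everything in this section is a hard drop, so the events
# are never stored.
if [EventID] == 5158 {
  # The patterns are lower-case, implying Application arrives lower-cased; the
  # regex match is case-sensitive and unanchored unless it ends in "$". With the
  # default config.support_escapes=false the "\\" and "\." sequences reach the
  # regex engine verbatim, which is what makes these patterns work.
  if [Application] == "System" { drop {} }
  if [Application] =~ "\\windows\\system32\\spoolsv\.exe" { drop {} }
  if [Application] =~ "\\windows\\system32\\wbem\\wmiprvse\.exe" { drop {} }
  if [Application] =~ "mcafee" { drop {} }
  if [Application] =~ "carestream" { drop {} }
  if [Application] =~ "Softdent" { drop {} }
  # Folded in from stand-alone "[EventID] == 5158 and ..." lines; same conditions.
  if [Application] =~ "\\windows\\system32\\lsass\.exe$" { drop {} }
  if [Application] =~ "\\windows\\system32\\svchost\.exe$" { drop {} }
  if [Application] =~ "\\windows\\system32\\dfsrs\.exe$" { drop {} }
}
# Fix: the original compared ProcessName with == against a string containing
# "\\" and "\." — regex escapes, not string escapes — so the literal never
# equalled a real path and this suppression never fired. A regex literal gives
# the intended exact match. This is an account-keyed suppression for the
# "SolarwindsHO" monitoring account: if that account is ever misused, its WMI
# activity is invisible here, so keep the allow-list narrow.
if [ProcessName] =~ /^C:\\Windows\\System32\\wbem\\WmiPrvSE\.exe$/ and [SubjectUserName] == "SolarwindsHO" { drop {} }
# 4690: handle duplication; 861: legacy firewall "application listening" for the
# ntp account; 5447: WFP filter change (usual Security-log meanings).
if [EventID] == 4690 { drop {} }
if [EventID] == 861 and [AccountName] == "ntp" { drop {} }
if [EventID] == 5447 { drop {} }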
# Normalise field names to the snake_case names the rest of the pipeline uses.
# rename overwrites an existing destination and entries are applied in the order
# listed, so where several sources map to one destination the LAST source present
# on the event wins and the earlier value is lost:
#  - client_ip <- ClientAddress, IPAddress, Ipaddress, IpAddress, SourceAddress
#  - user      <- AccountName, PrincipleSAMName, SubjectUserName, TargetUserName,
#                 User_ID, UserID, username
# For events that carry both SubjectUserName (who acted) and TargetUserName (who
# was acted on), e.g. 4624 or 4720, "user" ends up as the target and the subject
# is discarded — keep that in mind when pivoting on "user".
# Later conditions in this file use the renamed names (event_id, source_name,
# category, user), so this block must stay ahead of them.
mutate {
  rename => [ "AccountName", "user" ]
  rename => [ "AccountType", "account_type" ]
  rename => [ "ActivityID", "activity_id" ]
  rename => [ "Category", "category" ]
  rename => [ "ClientAddress", "client_ip" ]
  rename => [ "Channel", "channel" ]
  rename => [ "DCIPAddress", "domain_controller_ip" ]
  rename => [ "DCName", "domain_controller_name" ]
  rename => [ "EventID", "event_id" ]
  rename => [ "EventReceivedTime", "event_received_time" ]
  rename => [ "EventType", "event_type" ]
  rename => [ "GatewayIPAddress", "gateway_ip" ]
  # Three spellings of the same source field collapse onto client_ip.
  rename => [ "IPAddress", "client_ip" ]
  rename => [ "Ipaddress", "client_ip" ]
  rename => [ "IpAddress", "client_ip" ]
  rename => [ "IPPort", "source_port" ]
  rename => [ "OpcodeValue", "opcode_value" ]
  rename => [ "PreAuthType", "preauthentication_type" ]
  rename => [ "PrincipleSAMName", "user" ]
  rename => [ "ProcessID", "process_id" ]
  # Not snake_case like the rest; left unchanged because downstream searches may
  # already depend on this name.
  rename => [ "ProviderGUID", "providerguid" ]
  rename => [ "RecordNumber", "record_number" ]
  rename => [ "RemoteAddress", "destination_ip" ]
  rename => [ "ServiceName", "service_name" ]
  rename => [ "ServiceID", "service_id" ]
  rename => [ "SeverityValue", "severity_value" ]
  rename => [ "SourceAddress", "client_ip" ]
  rename => [ "SourceModuleName", "source_module_name" ]
  rename => [ "SourceModuleType", "source_module_type" ]
  rename => [ "SourceName", "source_name" ]
  # SubjectUserName is overwritten by TargetUserName two entries below when both exist.
  rename => [ "SubjectUserName", "user" ]
  rename => [ "TaskName", "task_name" ]
  rename => [ "TargetDomainName", "target_domain_name" ]
  rename => [ "TargetUserName", "user" ]
  rename => [ "ThreadID", "thread_id" ]
  rename => [ "User_ID", "user" ]
  rename => [ "UserID", "user" ]
  rename => [ "username", "user" ]
}
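# For any accounts that are service accounts or special accounts add the tag of service_account.
# This example applies the tag to any username that starts with SVC_. If you use a different
# standard change this.
# Regex fix: "^DWM-*" and "^SVC_*" quantified only the trailing "-"/"_", so they matched
# any user beginning with "DWM" or "SVC" (e.g. "SVCHOST" or a human "svc" account in
# the same case); the intent is the literal prefix. Matching is case-sensitive, and
# [user] holds whichever source field the rename block above copied into it last.
if [user] =~ "^DWM-" or [user] == "SYSTEM" or [user] == "NETWORK SERVICE" or [user] == "LOCAL SERVICE" or [user] =~ "^SVC_" {
  mutate {
    add_tag => [ "service_account" ]
  }
}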
# This looks for events that are typically noisy but may be of use for deep dive investigations.
# A tag of noise is added to quickly filter out noise.
# These conditions use the post-rename names (event_id, source_name, category), so this
# block depends on the mutate/rename block above having run first.
# 7036 is the Service Control Manager "service entered the running/stopped state" event;
# Desktop Window Manager and the PowerShell "Engine/Provider Lifecycle" categories are
# routine host chatter.
if [event_id] == 7036 or [source_name] == "Desktop Window Manager" or [category] == "Engine Lifecycle" or [category] == "Provider Lifecycle" {
  mutate {
    add_tag => [ "noise" ]
  }
}
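# Identify machine (computer) accounts, whose sAMAccountName ends in "$", and
# treat them as noise. Anchored to the end of the string: the unanchored /\$/
# also matched any user containing "$" in the middle ("$" is legal in a
# sAMAccountName), which would have hidden a human account behind the noise tag.
if [user] =~ /\$$/ {
  mutate {
    add_tag => [ "machine", "noise" ]
  }
}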
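# Lower-case all top-level field names so downstream searches need not care about
# the mixed case NXLog/Windows emits for anything not renamed above.
# Uses the Logstash >= 5 Event API (to_hash/set/remove); the original
# event[k] / instance_variable_set(:@data, ...) form targets the pre-5 pure-Ruby
# event and either raises or silently does nothing on the Java-backed event.
# Caveat (same as the original): if two fields differ only by case, e.g.
# "IpAddress" and "ipaddress", the one visited later overwrites the other.
# @timestamp/@version/tags are already lower-case and are skipped untouched;
# nested keys are not visited, only the top level.
ruby {
  code => "
    event.to_hash.keys.each do |k|
      lk = k.downcase
      next if lk == k
      event.set(lk, event.remove(k))
    end
  "
}
# Intentional no-op placeholder: uncomment add_tag to stamp events with the
# config file that processed them when debugging pipeline ordering.
mutate {
  #add_tag => [ "conf_file_6300"]
}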
}
}