mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-14 13:12:49 +01:00
24 lines
973 B
Plaintext
24 lines
973 B
Plaintext
# Author: Wes Lambert
|
|
#
|
|
# Last Update: 09/24/2018
|
|
#
|
|
# This conf file is based on accepting Sysmon logs from winlogbeat
|
|
|
|
filter {
|
|
if "beat" in [tags] and [source_name] =~ "Microsoft-Windows-Sysmon" {
|
|
mutate {
|
|
replace => { "type" => "sysmon" }
|
|
rename => { "[event_data][User]" => "username" }
|
|
rename => { "[event_data][DestinationPort]" => "destination_port" }
|
|
rename => { "[event_data][DestinationIp]" => "destination_ip" }
|
|
rename => { "[event_data][SourceIp]" => "source_ip" }
|
|
rename => { "[event_data][Image]" => "image_path" }
|
|
rename => { "[event_data][ParentImage]" => "parent_image_path" }
|
|
rename => { "[data][sysmon][targetfilename]" => "target_filename" }
|
|
rename => { "[event_data][SourceHostname]" => "source_hostname" }
|
|
rename => { "[event_data][DestinationHostname]" => "destination_hostname" }
|
|
rename => { "[event_data][TargetFilename]" => "target_filename" }
|
|
}
|
|
}
|
|
}
|