updated windows mappings (#212)
Signed-off-by: Grant Haywood <[email protected]>
phaseshiftg authored Jan 9, 2023
1 parent 31c69ac commit fdcce13
Showing 2 changed files with 244 additions and 26 deletions.
72 changes: 63 additions & 9 deletions src/main/resources/OSMapping/windows/fieldmappings.yml
@@ -1,11 +1,65 @@
# this file provides pre-defined mappings for Sigma fields defined for all Sigma rules under windows log group to their corresponding ECS Fields.
fieldmappings:
EventID: event_uid
HiveName: unmapped.HiveName
fieldB: mappedB
fieldA1: mappedA
CommandLine: windows-event_data-CommandLine
HostName: windows-hostname
Message: windows-message
Provider_Name: windows-provider-name
ServiceName: windows-servicename
AccountName: winlog-computerObject-name
AuthenticationPackageName: winlog-event_data-AuthenticationPackageName
Channel: winlog-channel
Company: winlog-event_data-Company
ComputerName: winlog-computer_name
Description: winlog-event_data-Description
Details: winlog-event_data-Detail
Device: winlog-event_data-DeviceName
DeviceName: winlog-event_data-DeviceName
FileName: winlog-event_data-OriginalFileName
FileVersion: winlog-event_data-FileVersion
IntegrityLevel: winlog-event_data-IntegrityLevel
IpAddress: winlog-event_data-IpAddress
KeyLength: winlog-event_data-KeyLength
Keywords: winlog-keywords
LogonId: winlog-event_data-LogonId
LogonProcessName: winlog-event_data-LogonProcessName
LogonType: winlog-event_data-LogonType
OriginalFileName: winlog-event_data-OriginalFileName
OriginalFilename: winlog-event_data-OriginalFileName
Path: winlog-event_data-Path
PrivilegeList: winlog-event_data-PrivilegeList
ProcessId: winlog-event_data-ProcessId
Product: winlog-event_data-Product
Provider: winlog-provider_name
ProviderName: winlog-provider_name
ScriptBlockText: winlog-event_data-ScriptBlockText
ServerName: winlog-event_data-TargetServerName
Service: winlog-event_data-ServiceName
Signed: winlog-event_data-Signed
State: winlog-event_data-State
Status: winlog-event_data-Status
SubjectDomainName: winlog-event_data-SubjectDomainName
SubjectLogonId: winlog-event_data-SubjectLogonId
SubjectUserName: winlog-event_data-SubjectUserName
SubjectUserSid: winlog-event_data-SubjectUserSid
TargetLogonId: winlog-event_data-TargetLogonId
TargetName: winlog-event_data-TargetUserName
TargetServerName: winlog-event_data-TargetServerName
TargetUserName: winlog-event_data-TargetUserName
TargetUserSid: winlog-event_data-TargetUserSid
TaskName: winlog-task
Type: winlog-user-type
User: winlog-user-name
UserName: winlog-user-name
Workstation: winlog-event_data-Workstation
WorkstationName: winlog-event_data-Workstation
event_uid: winlog-event_id
CommandLine: server-user-hash
hostname: host-hostname
message: windows-message
Provider_Name: winlog-provider_name
EventId: winlog-event_id
processPath: winlog-event_data-ProcessPath
ProcessName: winlog-event_data-ProcessName
ObjectName: winlog-computerObject-name
param1: winlog-event_data-param1
param2: winlog-event_data-param2
windows-hostname: winlog-computer_name
windows-provider-name: winlog-provider_name
windows-servicename: winlog-event_data-ServiceName
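Review bot: `CommandLine: server-user-hash` on the new side of fieldmappings.yml points the Sigma CommandLine field at an alias whose target, per the new `server-user-hash` entry in mappings.json, is `server.user.hash`; a hash field cannot hold a process command line, so any Sigma rule that conditions on CommandLine would be evaluated against the wrong field and silently never match, which is a detection gap rather than an error. Every other Windows event-data field in the hunk maps to a `winlog-event_data-*` alias, and the removed line `CommandLine: windows-event_data-CommandLine` suggests the same was intended here, so something like `CommandLine: winlog-event_data-CommandLine` with a matching `winlog.event_data.CommandLine` alias in mappings.json looks like the consistent fix. `AccountName: winlog-computerObject-name` is similarly suspect, since AccountName in Windows logon and account-management events names a user rather than a computer object; worth confirming against the source index. Because the rendered page drops the diff markers, whether the earlier `CommandLine`, `HostName` and `Provider_Name` lines are removed or survive as duplicate YAML keys cannot be confirmed from here.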


198 changes: 181 additions & 17 deletions src/main/resources/OSMapping/windows/mappings.json
@@ -1,28 +1,192 @@
{
"properties": {
"windows-event_data-CommandLine": {
"type": "alias",
"path": "windows-event_data-CommandLine"
"winlog-computerObject-name": {
"path": "winlog.computerObject.name",
"type": "alias"
},
"event_uid": {
"type": "alias",
"path": "event_uid"
"winlog-event_data-AuthenticationPackageName": {
"path": "winlog.event_data.AuthenticationPackageName",
"type": "alias"
},
"windows-hostname": {
"type": "alias",
"path": "windows-hostname"
"winlog-channel": {
"path": "winlog.channel",
"type": "alias"
},
"winlog-event_data-Company": {
"path": "winlog.event_data.Company",
"type": "alias"
},
"winlog-computer_name": {
"path": "winlog.computer_name",
"type": "alias"
},
"winlog-event_data-Description": {
"path": "winlog.event_data.Description",
"type": "alias"
},
"winlog-event_data-Detail": {
"path": "winlog.event_data.Detail",
"type": "alias"
},
"winlog-event_data-DeviceName": {
"path": "winlog.event_data.DeviceName",
"type": "alias"
},
"winlog-event_data-OriginalFileName": {
"path": "winlog.event_data.OriginalFileName",
"type": "alias"
},
"winlog-event_data-FileVersion": {
"path": "winlog.event_data.FileVersion",
"type": "alias"
},
"winlog-event_data-IntegrityLevel": {
"path": "winlog.event_data.IntegrityLevel",
"type": "alias"
},
"winlog-event_data-IpAddress": {
"path": "winlog.event_data.IpAddress",
"type": "alias"
},
"winlog-event_data-KeyLength": {
"path": "winlog.event_data.KeyLength",
"type": "alias"
},
"winlog-keywords": {
"path": "winlog.keywords",
"type": "alias"
},
"winlog-event_data-LogonId": {
"path": "winlog.event_data.LogonId",
"type": "alias"
},
"winlog-event_data-LogonProcessName": {
"path": "winlog.event_data.LogonProcessName",
"type": "alias"
},
"winlog-event_data-LogonType": {
"path": "winlog.event_data.LogonType",
"type": "alias"
},
"winlog-event_data-Path": {
"path": "winlog.event_data.Path",
"type": "alias"
},
"winlog-event_data-PrivilegeList": {
"path": "winlog.event_data.PrivilegeList",
"type": "alias"
},
"winlog-event_data-ProcessId": {
"path": "winlog.event_data.ProcessId",
"type": "alias"
},
"winlog-event_data-Product": {
"path": "winlog.event_data.Product",
"type": "alias"
},
"winlog-provider_name": {
"path": "winlog.provider_name",
"type": "alias"
},
"winlog-event_data-ScriptBlockText": {
"path": "winlog.event_data.ScriptBlockText",
"type": "alias"
},
"winlog-event_data-TargetServerName": {
"path": "winlog.event_data.TargetServerName",
"type": "alias"
},
"winlog-event_data-ServiceName": {
"path": "winlog.event_data.ServiceName",
"type": "alias"
},
"winlog-event_data-Signed": {
"path": "winlog.event_data.Signed",
"type": "alias"
},
"winlog-event_data-State": {
"path": "winlog.event_data.State",
"type": "alias"
},
"winlog-event_data-Status": {
"path": "winlog.event_data.Status",
"type": "alias"
},
"winlog-event_data-SubjectDomainName": {
"path": "winlog.event_data.SubjectDomainName",
"type": "alias"
},
"winlog-event_data-SubjectLogonId": {
"path": "winlog.event_data.SubjectLogonId",
"type": "alias"
},
"winlog-event_data-SubjectUserName": {
"path": "winlog.event_data.SubjectUserName",
"type": "alias"
},
"winlog-event_data-SubjectUserSid": {
"path": "winlog.event_data.SubjectUserSid",
"type": "alias"
},
"winlog-event_data-TargetLogonId": {
"path": "winlog.event_data.TargetLogonId",
"type": "alias"
},
"winlog-event_data-TargetUserName": {
"path": "winlog.event_data.TargetUserName",
"type": "alias"
},
"winlog-event_data-TargetUserSid": {
"path": "winlog.event_data.TargetUserSid",
"type": "alias"
},
"winlog-task": {
"path": "winlog.task",
"type": "alias"
},
"winlog-user-type": {
"path": "winlog.user.type",
"type": "alias"
},
"winlog-user-name": {
"path": "winlog.user.name",
"type": "alias"
},
"winlog-event_data-Workstation": {
"path": "winlog.event_data.Workstation",
"type": "alias"
},
"winlog-event_id": {
"path": "winlog.event_id",
"type": "alias"
},
"server-user-hash": {
"path": "server.user.hash",
"type": "alias"
},
"host-hostname": {
"path": "host.hostname",
"type": "alias"
},
"windows-message": {
"type": "alias",
"path": "windows-message"
"path": "windows.message",
"type": "alias"
},
"winlog-event_data-ProcessPath": {
"path": "winlog.event_data.ProcessPath",
"type": "alias"
},
"winlog-event_data-ProcessName": {
"path": "winlog.event_data.ProcessName",
"type": "alias"
},
"windows-provider-name": {
"type": "alias",
"path": "windows-provider-name"
"winlog-event_data-param1": {
"path": "winlog.event_data.param1",
"type": "alias"
},
"windows-servicename": {
"type": "alias",
"path": "windows-servicename"
"winlog-event_data-param2": {
"path": "winlog.event_data.param2",
"type": "alias"
}
}
}
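Review bot: The rewritten `windows-message` entry aliases to `windows.message`, while every other entry in the hunk targets the `winlog.*`, `host.*` or `server.*` namespace, so this reads as either a typo for `winlog.message` or a reference to a field the winlog index does not carry. If these are OpenSearch/Elasticsearch `alias` mappings, the target must be an existing concrete field, so applying this file to an index without `windows.message` would presumably fail at mapping time; the index template is not on the page, so that part is inferred. Suggest `"path": "winlog.message"` if that is the intended source, or dropping the entry together with the `Message: windows-message` line in fieldmappings.yml. It would also help to extend the header comment in fieldmappings.yml to state that alias names use `-` where the concrete field path uses `.`, since that convention is what ties the two files together and nothing currently documents it.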
