From fdcce13b8e60837acf369dd2d79f215e815fc328 Mon Sep 17 00:00:00 2001
From: phaseshiftg <115187865+phaseshiftg@users.noreply.github.com>
Date: Mon, 9 Jan 2023 11:40:48 -0700
Subject: [PATCH] updated windows mappings (#212)
Signed-off-by: Grant Haywood
---
 .../OSMapping/windows/fieldmappings.yml | 72 ++++++-
 .../resources/OSMapping/windows/mappings.json | 198 ++++++++++++++++--
 2 files changed, 244 insertions(+), 26 deletions(-)
diff --git a/src/main/resources/OSMapping/windows/fieldmappings.yml b/src/main/resources/OSMapping/windows/fieldmappings.yml
index 7567e715b..7f259f8a7 100644
--- a/src/main/resources/OSMapping/windows/fieldmappings.yml
+++ b/src/main/resources/OSMapping/windows/fieldmappings.yml
@@ -1,11 +1,65 @@
 # this file provides pre-defined mappings for Sigma fields defined for all Sigma rules under windows log group to their corresponding ECS Fields.
 fieldmappings:
- EventID: event_uid
- HiveName: unmapped.HiveName
- fieldB: mappedB
- fieldA1: mappedA
- CommandLine: windows-event_data-CommandLine
- HostName: windows-hostname
- Message: windows-message
- Provider_Name: windows-provider-name
- ServiceName: windows-servicename
+ AccountName: winlog-computerObject-name
+ AuthenticationPackageName: winlog-event_data-AuthenticationPackageName
+ Channel: winlog-channel
+ Company: winlog-event_data-Company
+ ComputerName: winlog-computer_name
+ Description: winlog-event_data-Description
+ Details: winlog-event_data-Detail
+ Device: winlog-event_data-DeviceName
+ DeviceName: winlog-event_data-DeviceName
+ FileName: winlog-event_data-OriginalFileName
+ FileVersion: winlog-event_data-FileVersion
+ IntegrityLevel: winlog-event_data-IntegrityLevel
+ IpAddress: winlog-event_data-IpAddress
+ KeyLength: winlog-event_data-KeyLength
+ Keywords: winlog-keywords
+ LogonId: winlog-event_data-LogonId
+ LogonProcessName: winlog-event_data-LogonProcessName
+ LogonType: winlog-event_data-LogonType
+ OriginalFileName: winlog-event_data-OriginalFileName
+ OriginalFilename: winlog-event_data-OriginalFileName
+ Path: winlog-event_data-Path
+ PrivilegeList: winlog-event_data-PrivilegeList
+ ProcessId: winlog-event_data-ProcessId
+ Product: winlog-event_data-Product
+ Provider: winlog-provider_name
+ ProviderName: winlog-provider_name
+ ScriptBlockText: winlog-event_data-ScriptBlockText
+ ServerName: winlog-event_data-TargetServerName
+ Service: winlog-event_data-ServiceName
+ Signed: winlog-event_data-Signed
+ State: winlog-event_data-State
+ Status: winlog-event_data-Status
+ SubjectDomainName: winlog-event_data-SubjectDomainName
+ SubjectLogonId: winlog-event_data-SubjectLogonId
+ SubjectUserName: winlog-event_data-SubjectUserName
+ SubjectUserSid: winlog-event_data-SubjectUserSid
+ TargetLogonId: winlog-event_data-TargetLogonId
+ TargetName: winlog-event_data-TargetUserName
+ TargetServerName: winlog-event_data-TargetServerName
+ TargetUserName: winlog-event_data-TargetUserName
+ TargetUserSid: winlog-event_data-TargetUserSid
+ TaskName: winlog-task
+ Type: winlog-user-type
+ User: winlog-user-name
+ UserName: winlog-user-name
+ Workstation: winlog-event_data-Workstation
+ WorkstationName: winlog-event_data-Workstation
+ event_uid: winlog-event_id
+ CommandLine: server-user-hash
+ hostname: host-hostname
+ message: windows-message
+ Provider_Name: winlog-provider_name
+ EventId: winlog-event_id
+ processPath: winlog-event_data-ProcessPath
+ ProcessName: winlog-event_data-ProcessName
+ ObjectName: winlog-computerObject-name
+ param1: winlog-event_data-param1
+ param2: winlog-event_data-param2
+ windows-hostname: winlog-computer_name
+ windows-provider-name: winlog-provider_name
+ windows-servicename: winlog-event_data-ServiceName
+
+
diff --git a/src/main/resources/OSMapping/windows/mappings.json b/src/main/resources/OSMapping/windows/mappings.json
index 5a60ac7be..e2075c854 100644
--- a/src/main/resources/OSMapping/windows/mappings.json
+++ b/src/main/resources/OSMapping/windows/mappings.json
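Review bot: `CommandLine: server-user-hash` on the new side (just after `event_uid: winlog-event_id`) points the Sigma CommandLine field at a hash alias rather than at any command-line field, so every rule keyed on CommandLine would be evaluated against `server.user.hash` and silently never match — a detection-coverage regression rather than a visible failure, and the one line in this hunk I would block on until the intended target is confirmed. The removed `EventID: event_uid` has no same-cased replacement — only `EventId` and `event_uid` are added — so if the field lookup is case-sensitive, rules written with Sigma's usual `EventID` spelling lose their mapping; adding `EventID: winlog-event_id` next to `EventId` would cover both. `AccountName` and `ObjectName` both resolve to `winlog-computerObject-name` and `FileName` resolves to `winlog-event_data-OriginalFileName`; if those are provisional, a short comment marking them as unverified would stop readers taking them as validated mappings. The hunk covers the whole file, so nothing is cut off outside it.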
@@ -1,28 +1,192 @@
 {
 "properties": {
- "windows-event_data-CommandLine": {
- "type": "alias",
- "path": "windows-event_data-CommandLine"
+ "winlog-computerObject-name": {
+ "path": "winlog.computerObject.name",
+ "type": "alias"
 },
- "event_uid": {
- "type": "alias",
- "path": "event_uid"
+ "winlog-event_data-AuthenticationPackageName": {
+ "path": "winlog.event_data.AuthenticationPackageName",
+ "type": "alias"
 },
- "windows-hostname": {
- "type": "alias",
- "path": "windows-hostname"
+ "winlog-channel": {
+ "path": "winlog.channel",
+ "type": "alias"
+ },
+ "winlog-event_data-Company": {
+ "path": "winlog.event_data.Company",
+ "type": "alias"
+ },
+ "winlog-computer_name": {
+ "path": "winlog.computer_name",
+ "type": "alias"
+ },
+ "winlog-event_data-Description": {
+ "path": "winlog.event_data.Description",
+ "type": "alias"
+ },
+ "winlog-event_data-Detail": {
+ "path": "winlog.event_data.Detail",
+ "type": "alias"
+ },
+ "winlog-event_data-DeviceName": {
+ "path": "winlog.event_data.DeviceName",
+ "type": "alias"
+ },
+ "winlog-event_data-OriginalFileName": {
+ "path": "winlog.event_data.OriginalFileName",
+ "type": "alias"
+ },
+ "winlog-event_data-FileVersion": {
+ "path": "winlog.event_data.FileVersion",
+ "type": "alias"
+ },
+ "winlog-event_data-IntegrityLevel": {
+ "path": "winlog.event_data.IntegrityLevel",
+ "type": "alias"
+ },
+ "winlog-event_data-IpAddress": {
+ "path": "winlog.event_data.IpAddress",
+ "type": "alias"
+ },
+ "winlog-event_data-KeyLength": {
+ "path": "winlog.event_data.KeyLength",
+ "type": "alias"
+ },
+ "winlog-keywords": {
+ "path": "winlog.keywords",
+ "type": "alias"
+ },
+ "winlog-event_data-LogonId": {
+ "path": "winlog.event_data.LogonId",
+ "type": "alias"
+ },
+ "winlog-event_data-LogonProcessName": {
+ "path": "winlog.event_data.LogonProcessName",
+ "type": "alias"
+ },
+ "winlog-event_data-LogonType": {
+ "path": "winlog.event_data.LogonType",
+ "type": "alias"
+ },
+ "winlog-event_data-Path": {
+ "path": "winlog.event_data.Path",
+ "type": "alias"
+ },
+ "winlog-event_data-PrivilegeList": {
+ "path": "winlog.event_data.PrivilegeList",
+ "type": "alias"
+ },
+ "winlog-event_data-ProcessId": {
+ "path": "winlog.event_data.ProcessId",
+ "type": "alias"
+ },
+ "winlog-event_data-Product": {
+ "path": "winlog.event_data.Product",
+ "type": "alias"
+ },
+ "winlog-provider_name": {
+ "path": "winlog.provider_name",
+ "type": "alias"
+ },
+ "winlog-event_data-ScriptBlockText": {
+ "path": "winlog.event_data.ScriptBlockText",
+ "type": "alias"
+ },
+ "winlog-event_data-TargetServerName": {
+ "path": "winlog.event_data.TargetServerName",
+ "type": "alias"
+ },
+ "winlog-event_data-ServiceName": {
+ "path": "winlog.event_data.ServiceName",
+ "type": "alias"
+ },
+ "winlog-event_data-Signed": {
+ "path": "winlog.event_data.Signed",
+ "type": "alias"
+ },
+ "winlog-event_data-State": {
+ "path": "winlog.event_data.State",
+ "type": "alias"
+ },
+ "winlog-event_data-Status": {
+ "path": "winlog.event_data.Status",
+ "type": "alias"
+ },
+ "winlog-event_data-SubjectDomainName": {
+ "path": "winlog.event_data.SubjectDomainName",
+ "type": "alias"
+ },
+ "winlog-event_data-SubjectLogonId": {
+ "path": "winlog.event_data.SubjectLogonId",
+ "type": "alias"
+ },
+ "winlog-event_data-SubjectUserName": {
+ "path": "winlog.event_data.SubjectUserName",
+ "type": "alias"
+ },
+ "winlog-event_data-SubjectUserSid": {
+ "path": "winlog.event_data.SubjectUserSid",
+ "type": "alias"
+ },
+ "winlog-event_data-TargetLogonId": {
+ "path": "winlog.event_data.TargetLogonId",
+ "type": "alias"
+ },
+ "winlog-event_data-TargetUserName": {
+ "path": "winlog.event_data.TargetUserName",
+ "type": "alias"
+ },
+ "winlog-event_data-TargetUserSid": {
+ "path": "winlog.event_data.TargetUserSid",
+ "type": "alias"
+ },
+ "winlog-task": {
+ "path": "winlog.task",
+ "type": "alias"
+ },
+ "winlog-user-type": {
+ "path": "winlog.user.type",
+ "type": "alias"
+ },
+ "winlog-user-name": {
+ "path": "winlog.user.name",
+ "type": "alias"
+ },
+ "winlog-event_data-Workstation": {
+ "path": "winlog.event_data.Workstation",
+ "type": "alias"
+ },
+ "winlog-event_id": {
+ "path": "winlog.event_id",
+ "type": "alias"
+ },
+ "server-user-hash": {
+ "path": "server.user.hash",
+ "type": "alias"
+ },
+ "host-hostname": {
+ "path": "host.hostname",
+ "type": "alias"
 },
 "windows-message": {
- "type": "alias",
- "path": "windows-message"
+ "path": "windows.message",
+ "type": "alias"
+ },
+ "winlog-event_data-ProcessPath": {
+ "path": "winlog.event_data.ProcessPath",
+ "type": "alias"
+ },
+ "winlog-event_data-ProcessName": {
+ "path": "winlog.event_data.ProcessName",
+ "type": "alias"
 },
- "windows-provider-name": {
- "type": "alias",
- "path": "windows-provider-name"
+ "winlog-event_data-param1": {
+ "path": "winlog.event_data.param1",
+ "type": "alias"
 },
- "windows-servicename": {
- "type": "alias",
- "path": "windows-servicename"
+ "winlog-event_data-param2": {
+ "path": "winlog.event_data.param2",
+ "type": "alias"
 }
 }
 }
\ No newline at end of file
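Review bot: Every alias target added in this hunk is a `winlog.*`, `host.*` or `server.*` dotted path except `windows-message`, whose path becomes `windows.message` (the one entry kept from the old file, near the end of the hunk); with the rest of the file now written against the winlog document layout, that single target looks stale and is worth checking against a real winlogbeat-shaped document. As far as I know, OpenSearch and Elasticsearch only accept an `alias` field whose `path` already exists as a concrete field when the mapping is applied, so any target that is absent from the log index — `server.user.hash` and `winlog.computerObject.name` are the two I cannot place in the winlog schema — would either fail the mapping update or leave the corresponding Sigma fields unsearchable; recording which log-source schema these paths were validated against (in the commit message or a sibling README, since JSON has no comments) would make that verifiable. The file still ends without a trailing newline, as the `\ No newline at end of file` marker shows. The hunk covers the whole file, so nothing is cut off outside it.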