hostname ECS, some fixes for userdata
tomrade committed Aug 20, 2020
1 parent 61c389e commit 20c95da
Showing 2 changed files with 42 additions and 18 deletions.
48 changes: 30 additions & 18 deletions es_stuff/ecs_map.json
Expand Up @@ -27,18 +27,21 @@
},
"4798" : {
"event.kind" : "event",
"event.category": "iam",
"event.action": "user-group-enumuration",
"user.name": "%%%%winlog.event_data.targetusername",
"user.domain" : "%%%%winlog.event_data.targetdomainname"
},
"4799" : {
"event.kind" : "event",
"event.category": "iam",
"event.action" : "user-group-enumuration",
"user.name": "%%%%winlog.event_data.targetusername",
"user.domain" : "%%%%winlog.event_data.targetdomainname"
},
"5379" : {
"event.kind" : "event",
"event.category": "iam",
"event.action" : "credential-fetch"
}
}
Expand All @@ -47,46 +50,51 @@
"Service Control Manager" : {
"7036" : {
"event.kind" : "event",
"event.action" : "service-change",
"event.category" : "service"
"event.action" : "service-status-change",
"event.category" : "package",
"event.type" : "change",
"package.name" : "%%%%winlog.event_data.param1"
},
"7040" : {
"event.kind" : "event",
"event.action" : "service-change",
"event.category" : "service",
"event.type" : "modify"
"event.action" : "service-modified",
"event.category" : "package",
"event.type" : "change",
"package.name" : "%%%%winlog.event_data.param1"
},
"7045" : {
"event.kind" : "event",
"event.action" : "service-install",
"event.category" : "service",
"event.type" : "install"
"event.category" : "package",
"event.type" : "install",
"package.name" : "%%%%winlog.event_data.servicename"
}
}
},
"Microsoft-Windows-TaskScheduler/Operational" : {
"Microsoft-Windows-TaskScheduler" : {
"100" : {
"event.kind" : "event",
"event.action" : "service-run",
"event.category" : "service"
"event.action" : "task-run",
"event.category" : "package",
"event.type" : "start"
},
"106" : {
"event.kind" : "event",
"event.action" : "service-install",
"event.category" : "service",
"event.action" : "task-install",
"event.category" : "package",
"event.type" : "install"
},
"140" : {
"event.kind" : "event",
"event.action" : "service-change",
"event.category" : "service",
"event.type" : "modify"
"event.action" : "task-modified",
"event.category" : "package",
"event.type" : "change"
},
"141" : {
"event.kind" : "event",
"event.action" : "service-delete",
"event.category" : "service",
"event.action" : "task-delete",
"event.category" : "package",
"event.type" : "delete"
}
}
Expand All @@ -95,15 +103,19 @@
"Microsoft-Windows-Partition" : {
"1006" : {
"event.kind" : "event",
"event.action" : "usbkey-insert"
"event.action" : "usbkey-insert",
"event.category" : "host",
"event.type" : "change"

}
}
},
"Microsoft-Windows-Hyper-V-VMMS-Admin" : {
"Microsoft-Windows-Hyper-V-VMMS" : {
"13002" : {
"event.kind": "event",
"event.action" : "vm-create"
"event.action" : "vm-create",
"event.type" : "change"
}
}
}
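Review bot: The `event.action` value `user-group-enumuration` on the `4798` and `4799` entries is misspelled; the rendered view does not show whether these two lines are new here or context, but any downstream rule or dashboard keyed on the action string will have to carry the typo, so it is worth fixing in this mapping before it spreads: `"event.action": "user-group-enumeration"`. In the `Microsoft-Windows-Partition` / `1006` entry there is a stray empty line after `"event.type" : "change"` that should be dropped for consistency with the other objects. Note also that this commit renames the provider keys `Microsoft-Windows-TaskScheduler/Operational` and `Microsoft-Windows-Hyper-V-VMMS-Admin` to drop the channel suffix; whatever looks these keys up by provider name must already be passing the bare provider, otherwise these mappings silently stop matching — presumably handled elsewhere, confirm.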
12 changes: 12 additions & 0 deletions lib/nom.py
Expand Up @@ -113,6 +113,7 @@ def prepare_actions(self,filename):
'@timestamp' : event['timecreated']['systemtime'],
'message' : event['message'],
'os' : {"platform" : "windows"},
'host' : {"hostname" : event['computer'] },
'log' : {"file" : {"path" : filename}},
'agent' : {"name" : "evtx-nom"},
'event' : {
Expand Down Expand Up @@ -203,6 +204,9 @@ def get_value(item):
elif '#attributes' in item:
for attr in item['#attributes']:
output[attr.lower()] = item['#attributes'][attr]
for thing in item:
if thing != '#attributes':
output[thing.lower()] = item[thing]
# Regular Object
else:
for thing in item:
Expand Down Expand Up @@ -238,6 +242,14 @@ def nom_file(filename,welm_map):
event.update(get_section(data['Event']['System']))
if data['Event'].get('EventData'):
event['event_data'] = get_section(data['Event']['EventData'])
if data['Event'].get('UserData'):
#print(data['Event'].get('UserData'))
if data['Event']['UserData'].get('EventXML'):
event['event_data'] = get_section(data['Event']['UserData']['EventXML'])
else:
# not sure about what other namesspaces are here so for now just this loop
for ns in data['Event']['UserData']:
event['event_data'] = get_section(data['Event']['UserData'][ns])
if isinstance(event['eventid'], dict):
print(event['eventid'])
print("#"*20)
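Review bot: In the new `UserData` branch of `nom_file`, the `else` loop assigns `event['event_data'] = get_section(...)` on every iteration, so when `UserData` holds more than one child only the last one survives, and the assignment on the `EventXML` path likewise replaces any `event_data` already filled from `EventData` two lines above; for an evtx parser that silently drops part of the record, which matters for forensic use. The comment on the loop acknowledges the uncertainty, so merging each parsed section into the existing dict keeps everything; this assumes `get_section` returns a dict, which is inferred from `get_value`'s `output[...]` writes rather than visible here, confirm. The commented-out `#print(...)` above it should be removed. The same KeyError-style concern applies to the first hunk in `prepare_actions`, where `event['computer']` raises if a record's `System` section has no `Computer` element — `event.get('computer')` would be safer. `nom_file` starts and ends outside this hunk.
```python
if data['Event'].get('UserData'):
    user_data = data['Event']['UserData']
    # Merge rather than assign so EventData and every UserData namespace are kept.
    if user_data.get('EventXML'):
        sections = [user_data['EventXML']]
    else:
        # not sure about what other namespaces are here so for now take them all
        sections = user_data.values()
    for section in sections:
        event.setdefault('event_data', {}).update(get_section(section))
# … unchanged: eventid dict check …
```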

0 comments on commit 20c95da

Please sign in to comment.