Closed jsecurity101 closed 4 years ago
Can you provide more details on this one, @jsecurity101?
Absolutely @Cyb3rWard0g,
You, @neu5ron, and I talked in private about creating a translation sheet for things like `%%2500` to `logon_impersonation_level`. Standardizing the translations across the board for all events would make merging HELK and OSSEM a little easier.
Decided to just do it in a few minutes from the HELK pipeline configs. The document can grow as HELK parses more.
HELK pipeline config: https://github.com/Cyb3rWard0g/HELK/blob/master/docker/helk-logstash/pipeline/1545-winevent-security-conversions.conf
Doc: https://docs.google.com/spreadsheets/d/18hQ0f1Qr4zfK3alDjIMgoLMpX3XJZEbdMKIV7X8YHxI/edit?usp=sharing
As previously discussed offline, a translation sheet needs to be made for field names: `logon_impersonation_level`, SIDs, and more.
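The thread above describes a per-field translation sheet (raw Windows Security event parameter references such as `%%NNNN`, logon-type numbers, well-known SIDs) that is applied uniformly across all event IDs at ingest, the way the HELK logstash conversions config does. The following is an added example written for this page, not code from HELK or OSSEM: it loads a sheet in a constructed `field,raw,translated` CSV shape, applies it to a parsed event, and reports any `%%` parameter reference the sheet does not yet cover so the sheet can grow as more events are parsed. The field names (`logon_impersonation_level`, `logon_type`, `user_sid`) and the code-to-string values in the sample sheet are assumptions for illustration; take the authoritative dictionary from the HELK conversions config linked above or the Microsoft event documentation.

```python
import csv
import io
import re

# Constructed sample translation sheet (not the spreadsheet linked in the thread).
# Shape: one row per (field, raw value) pair, so the same dictionary serves every
# event ID that carries that field. The values below are assumed for illustration;
# verify them against the HELK conf / Microsoft docs before relying on them.
TRANSLATION_SHEET_CSV = """field,raw,translated
logon_impersonation_level,%%1832,Identification
logon_impersonation_level,%%1833,Impersonation
logon_impersonation_level,%%1840,Delegation
logon_type,2,Interactive
logon_type,3,Network
logon_type,4,Batch
logon_type,5,Service
logon_type,7,Unlock
logon_type,8,NetworkCleartext
logon_type,9,NewCredentials
logon_type,10,RemoteInteractive
logon_type,11,CachedInteractive
user_sid,S-1-5-18,SYSTEM
user_sid,S-1-5-19,LOCAL SERVICE
user_sid,S-1-5-20,NETWORK SERVICE
user_sid,S-1-5-7,ANONYMOUS LOGON
"""

# Windows writes unresolved message-table parameters as "%%<number>".
PARAM_REF = re.compile(r"^%%\d+$")


def load_sheet(text):
    """Parse the CSV sheet into {field: {raw: translated}}."""
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        table.setdefault(row["field"], {})[row["raw"]] = row["translated"]
    return table


def translate_event(event, table):
    """Return (translated_copy, unresolved) for one parsed event dict.

    Values are compared as strings so a logon_type of 10 (int) and "10" (str)
    both resolve. Unknown values are left untouched; a %%-style parameter
    reference with no sheet entry is reported so the sheet can be extended.
    """
    out = dict(event)
    unresolved = []
    for field, mapping in table.items():
        if field not in out:
            continue
        raw = str(out[field])
        if raw in mapping:
            out[field] = mapping[raw]
        elif PARAM_REF.match(raw):
            unresolved.append((field, raw))
    return out, unresolved


def find_gaps(events, table):
    """Collect every unresolved %%-reference across a batch of events (deduplicated)."""
    gaps = set()
    for event in events:
        _, unresolved = translate_event(event, table)
        gaps.update(unresolved)
    return sorted(gaps)


if __name__ == "__main__":
    # Constructed events resembling already-parsed 4624 records (not real log data).
    sample_events = [
        {"event_id": 4624, "logon_type": 3, "logon_impersonation_level": "%%1833",
         "user_sid": "S-1-5-18"},
        {"event_id": 4624, "logon_type": "10", "logon_impersonation_level": "%%9999",
         "user_sid": "S-1-5-21-1-2-3-1001"},
    ]
    sheet = load_sheet(TRANSLATION_SHEET_CSV)
    for ev in sample_events:
        print(translate_event(ev, sheet))
    print("codes missing from the sheet:", find_gaps(sample_events, sheet))
```

Keeping one dictionary per field rather than per event ID is what makes the sheet reusable across HELK and OSSEM: a new event that carries `logon_impersonation_level` is translated with no extra configuration, and `find_gaps` over a day of ingest tells you exactly which `%%` codes still need a row.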