elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

Winlogbeat pipeline improvements #36657

Open jguay opened 1 year ago

jguay commented 1 year ago

Describe the enhancement: A Winlogbeat user is sending recommendations and a pipeline for the Winlogbeat developers to review.

Describe a specific use case for the enhancement or feature:

winlogbeat suggestions

| Event Code Affected | Change Made | OverwritesExistingFields |
|---------------------|-------------|--------------------------|
| 18454 | Set event outcome success for a list of conditional event codes | No |
| 18456 & 18452 & 4625 | Set event outcome failure for a list of conditional event codes | No |
| 18456 18454 18452 4625 | Set event category to authentication if doesn't exist | No |
| 18456 | Parse user.name ANDOR user.domain from winlog.event_data.param1 | No |
| 18456 | Set user.name to winlog.user.name IF Exists | No |
| 18456 | Set user.name to winlog.event_data.param1 | No |
| 18456 | Parse event.reason from winlog.event_data.param2 | No |
| 18456 | Parse client address from winlog.event_data.param3. Added additional grok parser to retrieve text | No |
| 18454 | Parse client address from winlog.event_data.param2. Added additional grok parser to retrieve text | No |
| 18452 | Parse client address from winlog.event_data.param1. Added additional grok parser to retrieve text | No |
| 18454 | Parse client address from winlog.event_data.param2. Added additional grok parser to retrieve text | No |
| 4625 & 4624 | Convert hex PID to dec into process.pid | No |
| 4625 & 4624 | Parse process.name and exec path from winlog.event_data.ProcessExecutable | No |
| 1 | set winlog.event_data.ProcessId to into process.pid | No |
| 4625 & 4624 | Set winlog.logon.code to winlog.event_data.LogonType | No |
| 4625 & 4624 | Set user.domain to winlog.event_data.TargetDomainName | No |
| 4625 & 4624 | Set user.name to winlog.event_data.TargetUserName | No |
| 4625 & 4624 | Set user.id to winlog.event_data.TargetUserSid | No |
| 4648 | Set user.domain to winlog.event_data.SubjectDomainName | No |
| 4648 | Set user.name to winlog.event_data.SubjectUserName | No |
| 4648 | Set user.id to winlog.event_data.SubjectUserSid | No |
| 4625 & 4624 | Set server.user.domain to winlog.event_data.SubjectDomainName | No |
| 4625 & 4624 | Set server.user.name to winlog.event_data.SubjectUserName | No |
| 4625 & 4624 | Set server.user.id to winlog.event_data.SubjectUserSid | No |
| 4648 | Set user.effective.name to winlog.event_data.TargetUserName | No |
| 4648 | Set user.effective.id to winlog.event_data.TargetUserSid | No |
| 4648 | Set user.effective.domain to winlog.event_data.TargetDomainName | No |
| 4625 & 4624 | Set source.domain to winlog.event_data.WorkstationName if exists | No |
| 4625 & 4624 | Set source.ip to winlog.event_data.IpAddress if exists | No |
| 4625 & 4624 | Set source.port to winlog.event_data.IpPort if exists | No |
| 4625 & 4624 | Set package.name to winlog.event_data.AuthenticationPackageName if exists | No |
| 4625 & 4624 | Set winlog.logon.process.name to winlog.event_data.LogonProcessName if exists | No |
| 4625 & 4624 | Set service.name to winlog.event_data.TransmittedServices if exists | No |
| 1 | Parse process.name and exec path from winlog.event_data.Image if it exists and process.name does not | No |
| 1 | Parses md5 and sha256 hash to process.hash. from winlog.event_data.Hashes | No |
| 4648 | Set server.address to winlog.event_data.TargetServerName if exists | No |
Pipeline processors (Kibana console syntax, one processor per line; the `"""` strings are Painless conditions):

```
{
  "processors": [
    { "set": { "field": "event.outcome", "value": "success", "if": """ctx?.event?.outcome == null && ctx?.event?.code != null && (ctx?.event?.code == "18454" || ctx?.event?.code == 18454)""", "ignore_failure": true, "description": "24-08-23 JC - Event Code 18454 - Set event outcome success for a list of conditional event codes" } },
    { "set": { "field": "event.outcome", "value": "failure", "if": """ctx?.event?.outcome == null && ctx?.event?.code != null && (ctx?.event?.code == "18456" || ctx?.event?.code == 18456 || ctx?.event?.code == "18452" || ctx?.event?.code == 18452 || ctx?.event?.code == "4625" || ctx?.event?.code == 4625)""", "ignore_failure": true, "description": "24-08-23 JC - Event Code 18456 & 18452 & 4625 - Set event outcome failure for a list of conditional event codes" } },
    { "append": { "field": "event.category", "value": [ "authentication" ], "if": """ctx?.event?.category == null && ctx?.event?.code != null && (ctx?.event?.code == "18456" || ctx?.event?.code == 18456 || ctx?.event?.code == "18454" || ctx?.event?.code == 18454 || ctx?.event?.code == "18452" || ctx?.event?.code == 18452 || ctx?.event?.code == "4625" || ctx?.event?.code == 4625)""", "ignore_failure": true, "description": "24-08-23 JC - Event Code 18456 18454 18452 4625 - Set event category to authentication if doesn't exist" } },
    { "grok": { "field": "winlog.event_data.param1", "patterns": [ """^%{HOSTNAME:user.domain}\\%{USERNAME:user.name}""", "^%{USERNAME:user.name}" ], "if": """ctx?.winlog?.event_data?.param1 != null && ctx?.event?.code != null && (ctx?.event?.code == "18456" || ctx?.event?.code == 18456 || ctx?.event?.code == "18454" || ctx?.event?.code == 18454) && (ctx?.user?.name == null || ctx?.user?.name == "-")""", "ignore_failure": true, "description": "24-08-23 JC - Event Code 18456 - Parse user.name ANDOR user.domain from winlog.event_data.param1" } },
    { "set": { "field": "user.name", "copy_from": "winlog.user.name", "if": """ctx?.winlog?.user?.name != null && ctx?.event?.code != null && (ctx?.event?.code == "18456" || ctx?.event?.code == 18456 || ctx?.event?.code == "18454" || ctx?.event?.code == 18454) && (ctx?.user?.name == null || ctx?.user?.name == "-")""", "ignore_failure": true, "description": "24-08-23 JC - Event Code 18456 - Set user.name to winlog.user.name IF Exists" } },
    { "set": { "field": "user.name", "copy_from": "winlog.event_data.param1", "if": """ctx?.winlog?.event_data?.param1 != null && ctx?.event?.code != null && (ctx?.event?.code == "18456" || ctx?.event?.code == 18456 || ctx?.event?.code == "18454" || ctx?.event?.code == 18454) && (ctx?.user?.name == null || ctx?.user?.name == "-")""", "ignore_failure": true, "description": "24-08-23 JC - Event Code 18456 - Set user.name to winlog.event_data.param1" } },
    { "grok": { "field": "winlog.event_data.param2", "patterns": [ "%{SPACE}Reason: %{GREEDYDATA:event.reason}$" ], "if": """ctx?.winlog?.event_data?.param2 != null && ctx?.event?.code != null && (ctx?.event?.code == "18456" || ctx?.event?.code == 18456) && (ctx?.event?.reason == null || ctx?.event?.reason == "-")""", "ignore_failure": true, "description": "24-08-23 JC - Event Code 18456 - Parse event.reason from winlog.event_data.param2" } },
    { "grok": { "field": "winlog.event_data.param3", "patterns": [ """^%{SPACE}\[CLIENT: (%{IPORHOST:client.address})\]""", """^%{SPACE}\[CLIENT: \<%{GREEDYDATA:client.address}\>\]""" ], "ignore_missing": true, "if": """ctx?.winlog?.event_data?.param3 != null && ctx?.event?.code != null && (ctx?.event?.code == "18456" || ctx?.event?.code == 18456) && (ctx?.client?.address == null || ctx?.client?.address == "-")""", "ignore_failure": true, "description": "13-09-23 JC - Event Code 18456 - Parse client address from winlog.event_data.param3" } },
    { "grok": { "field": "winlog.event_data.param2", "patterns": [ """^%{SPACE}\[CLIENT: (%{IPORHOST:client.address})\]""", """^%{SPACE}\[CLIENT: \<%{GREEDYDATA:client.address}\>\]""" ], "ignore_missing": true, "if": """ctx?.winlog?.event_data?.param2 != null && ctx?.event?.code != null && (ctx?.event?.code == "18454" || ctx?.event?.code == 18454) && (ctx?.client?.address == null || ctx?.client?.address == "-")""", "ignore_failure": true, "description": "13-09-23 JC - Event Code 18454 - Parse client address from winlog.event_data.param2" } },
    { "grok": { "field": "winlog.event_data.param1", "patterns": [ """^%{SPACE}\[CLIENT: (%{IPORHOST:client.address})\]""", """^%{SPACE}\[CLIENT: \<%{GREEDYDATA:client.address}\>\]""" ], "ignore_missing": true, "if": """ctx?.winlog?.event_data?.param1 != null && ctx?.event?.code != null && (ctx?.event?.code == "18452" || ctx?.event?.code == 18452) && (ctx?.client?.address == null || ctx?.client?.address == "-")""", "ignore_failure": true, "description": "13-09-23 JC - Event Code 18452 - Parse client address from winlog.event_data.param1" } },
    { "grok": { "field": "winlog.event_data.param1", "patterns": [ """^%{SPACE}\[CLIENT: (%{IPORHOST:client.address})\]""", """^%{SPACE}\[CLIENT: \<%{GREEDYDATA:client.address}\>\]""" ], "ignore_missing": true, "if": """ctx?.winlog?.event_data?.param1 != null && ctx?.event?.code != null && (ctx?.event?.code == "18452" || ctx?.event?.code == 18452) && (ctx?.client?.address == null || ctx?.client?.address == "-")""", "ignore_failure": true, "description": "13-09-23 JC - Event Code 18454 - Parse client address from winlog.event_data.param2" } },
    { "convert": { "field": "winlog.event_data.ProcessId", "type": "integer", "target_field": "process.pid", "if": """ctx?.winlog?.event_data?.ProcessId != null && ctx?.event?.code != null && (ctx?.event?.code == 4625 || ctx?.event?.code == "4625" || ctx?.event?.code == 4624 || ctx?.event?.code == "4624")""", "ignore_failure": true, "description": "24-08-23 JC - Event Code 4625 & 4624 - Convert hex PID to dec into process.pid" } },
    { "grok": { "field": "winlog.event_data.ProcessName", "patterns": [ "^%{WINPATHALT:process.executable}" ], "pattern_definitions": { "WINPATHALT": """^(.*(?<=\\))?+(?.*$|$)""" }, "if": """ctx?.winlog?.event_data?.ProcessName != null && ctx?.event?.code != null && (ctx?.event?.code == 4625 || ctx?.event?.code == "4625" || ctx?.event?.code == 4624 || ctx?.event?.code == "4624")""", "ignore_failure": true, "description": "24-08-23 JC - Event Code 4625 & 4624 - Parse process.name and exec path from winlog.event_data.ProcessExecutable" } },
    { "set": { "if": """ctx?.winlog?.event_data?.ProcessId != null && ctx?.event?.code != null && (ctx?.event?.code == 1 || ctx?.event?.code == "1")""", "ignore_failure": true, "field": "process.pid", "copy_from": "winlog.event_data.ProcessId", "description": "12-09-23 JC - Event Code 1 - set winlog.event_data.ProcessId to into process.pid -" } },
    { "set": { "field": "winlog.logon.code", "copy_from": "winlog.event_data.LogonType", "if": """ctx?.winlog?.event_data?.LogonType != null && ctx?.event?.code != null && (ctx?.event?.code == 4625 || ctx?.event?.code == "4625" || ctx?.event?.code == 4624 || ctx?.event?.code == "4624")""", "ignore_failure": true, "description": "30-08-23 JC - Event Code 4625 & 4624 - Set winlog.logon.code to winlog.event_data.LogonType" } },
    { "set": { "field": "user.domain", "copy_from": "winlog.event_data.TargetDomainName", "if": """ctx?.winlog?.event_data?.TargetDomainName != null && ctx?.event?.code != null && (ctx?.event?.code == 4625 || ctx?.event?.code == "4625" || ctx?.event?.code == 4624 || ctx?.event?.code == "4624")""", "ignore_failure": true, "description": "12-05-09-23 JC - Event Code 4625 & 4624 - Set user.domain to winlog.event_data.TargetDomainName" } },
    { "set": { "field": "user.name", "copy_from": "winlog.event_data.TargetUserName", "if": """ctx?.winlog?.event_data?.TargetUserName != null && ctx?.event?.code != null && (ctx?.event?.code == 4625 || ctx?.event?.code == "4625" || ctx?.event?.code == 4624 || ctx?.event?.code == "4624")""", "ignore_failure": true, "description": "12-09-23 JC - Event Code 4625 & 4624 - Set user.name to winlog.event_data.TargetUserName" } },
    { "set": { "field": "user.id", "copy_from": "winlog.event_data.TargetUserSid", "if": """ctx?.winlog?.event_data?.TargetUserSid != null && ctx?.event?.code != null && (ctx?.event?.code == 4625 || ctx?.event?.code == "4625" || ctx?.event?.code == 4624 || ctx?.event?.code == "4624")""", "ignore_failure": true, "description": "12-09-23 JC - Event Code 4625 & 4624 - Set user.id to winlog.event_data.TargetUserSid" } },
    { "set": { "field": "user.domain", "copy_from": "winlog.event_data.SubjectDomainName", "if": """ctx?.winlog?.event_data?.SubjectDomainName != null && ctx?.event?.code != null && (ctx?.event?.code == 4648 || ctx?.event?.code == "4648")""", "ignore_failure": true, "description": "12-05-09-23 JC - Event Code 4648 - Set user.domain to winlog.event_data.SubjectDomainName" } },
    { "set": { "field": "user.name", "copy_from": "winlog.event_data.SubjectUserName", "if": """ctx?.winlog?.event_data?.SubjectUserName != null && ctx?.event?.code != null && (ctx?.event?.code == 4648 || ctx?.event?.code == "4648")""", "ignore_failure": true, "description": "12-05-09-23 JC - Event Code 4648 - Set user.name to winlog.event_data.SubjectUserName" } },
    { "set": { "field": "user.id", "copy_from": "winlog.event_data.SubjectUserSid", "if": """ctx?.winlog?.event_data?.SubjectUserSid != null && ctx?.event?.code != null && (ctx?.event?.code == 4648 || ctx?.event?.code == "4648")""", "ignore_failure": true, "description": "12-05-09-23 JC - Event Code 4648 - Set user.id to winlog.event_data.SubjectUserSid" } },
    { "set": { "field": "server.user.domain", "copy_from": "winlog.event_data.SubjectDomainName", "if": """ctx?.winlog?.event_data?.SubjectDomainName != null && ctx?.event?.code != null && (ctx?.event?.code == 4625 || ctx?.event?.code == "4625" || ctx?.event?.code == 4624 || ctx?.event?.code == "4624")""", "ignore_failure": true, "description": "12-09-23 JC - Event Code 4625 & 4624 - Set server.user.domain to winlog.event_data.SubjectDomainName" } },
    { "set": { "field": "server.user.name", "copy_from": "winlog.event_data.SubjectUserName", "if": """ctx?.winlog?.event_data?.SubjectUserName != null && ctx?.event?.code != null && (ctx?.event?.code == 4625 || ctx?.event?.code == "4625" || ctx?.event?.code == 4624 || ctx?.event?.code == "4624") && (ctx?.server?.user?.name == null || ctx?.server?.user?.name == "-")""", "ignore_failure": true, "description": "12-09-23 JC - Event Code 4625 & 4624 - Set server.user.name to winlog.event_data.SubjectUserName" } },
    { "set": { "field": "server.user.id", "copy_from": "winlog.event_data.SubjectUserSid", "if": """ctx?.winlog?.event_data?.SubjectUserSid != null && ctx?.event?.code != null && (ctx?.event?.code == 4625 || ctx?.event?.code == "4625" || ctx?.event?.code == 4624 || ctx?.event?.code == "4624") && (ctx?.server?.user?.id == null || ctx?.server?.user?.id == "-")""", "ignore_failure": true, "description": "12-09-23 JC - Event Code 4625 & 4624 - Set server.user.id to winlog.event_data.SubjectUserSid" } },
    { "set": { "field": "user.effective.name", "copy_from": "winlog.event_data.TargetUserName", "if": """ctx?.winlog?.event_data?.TargetUserName != null && ctx?.event?.code != null && (ctx?.event?.code == 4648 || ctx?.event?.code == "4648")""", "ignore_failure": true, "description": "12-09-23 JC - Event Code 4648 - Set user.effective.name to winlog.event_data.TargetUserName" } },
    { "set": { "field": "user.effective.id", "copy_from": "winlog.event_data.TargetUserSid", "if": """ctx?.winlog?.event_data?.TargetUserSid != null && ctx?.event?.code != null && (ctx?.event?.code == 4648 || ctx?.event?.code == "4648")""", "ignore_failure": true, "description": "12-09-23 JC - Event Code 4648 - Set user.effective.id to winlog.event_data.TargetUserSid" } },
    { "set": { "field": "user.effective.domain", "copy_from": "winlog.event_data.TargetDomainName", "if": """ctx?.winlog?.event_data?.TargetDomainName != null && ctx?.event?.code != null && (ctx?.event?.code == 4648 || ctx?.event?.code == "4648")""", "ignore_failure": true, "description": "12-09-23 JC - Event Code 4648 - Set user.effective.domain to winlog.event_data.TargetDomainName" } },
    { "set": { "field": "source.domain", "if": """ctx?.event?.code != null && (ctx?.event?.code == 4625 || ctx?.event?.code == "4625" || ctx?.event?.code == 4624 || ctx?.event?.code == "4624") && ctx?.winlog?.event_data?.WorkstationName != null && ctx?.source?.domain == null""", "ignore_failure": true, "copy_from": "winlog.event_data.WorkstationName", "description": "30-08-23 JC - Event Code 4625 & 4624 - Set source.domain to winlog.event_data.WorkstationName if exists -" } },
    { "grok": { "field": "winlog.event_data.IpAddress", "patterns": [ "^%{IP:source.ip}" ], "if": """ctx?.event?.code != null && (ctx?.event?.code == 4625 || ctx?.event?.code == "4625" || ctx?.event?.code == 4624 || ctx?.event?.code == "4624") && ctx?.winlog?.event_data?.IpAddress != null && ctx?.source?.ip == null""", "ignore_failure": true, "description": "05-09-23 JC - Event Code 4625 & 4624 - Set source.ip to winlog.event_data.IpAddress if exists -" } },
    { "grok": { "field": "winlog.event_data.IpPort", "patterns": [ "^%{INT:source.port}" ], "if": """ctx?.event?.code != null && (ctx?.event?.code == 4625 || ctx?.event?.code == "4625" || ctx?.event?.code == 4624 || ctx?.event?.code == "4624") && ctx?.winlog?.event_data?.IpPort != null && ctx?.source?.port == null""", "ignore_failure": true, "description": "05-09-23 JC - Event Code 4625 & 4624 - Set source.port to winlog.event_data.IpPort if exists -" } },
    { "set": { "field": "package.name", "if": """ctx?.event?.code != null && (ctx?.event?.code == 4625 || ctx?.event?.code == "4625" || ctx?.event?.code == 4624 || ctx?.event?.code == "4624") && ctx?.winlog?.event_data?.AuthenticationPackageName != null && ctx?.package?.name == null""", "ignore_failure": true, "copy_from": "winlog.event_data.AuthenticationPackageName", "description": "05-09-23 JC - Event Code 4625 & 4624 - Set package.name to winlog.event_data.AuthenticationPackageName if exists -" } },
    { "set": { "field": "winlog.logon.process.name", "if": """ctx?.event?.code != null && (ctx?.event?.code == 4625 || ctx?.event?.code == "4625" || ctx?.event?.code == 4624 || ctx?.event?.code == "4624") && ctx?.winlog?.event_data?.LogonProcessName != null && ctx?.winlog?.logon?.process?.name == null""", "ignore_failure": true, "copy_from": "winlog.event_data.LogonProcessName", "description": "05-09-23 JC - Event Code 4625 & 4624 - Set winlog.logon.process.name to winlog.event_data.LogonProcessName if exists -" } },
    { "set": { "field": "service.name", "copy_from": "winlog.event_data.TransmittedServices", "if": """ctx?.event?.code != null && (ctx?.event?.code == 4625 || ctx?.event?.code == "4625" || ctx?.event?.code == 4624 || ctx?.event?.code == "4624") && ctx?.winlog?.event_data?.TransmittedServices != null && ctx?.service?.name == null""", "ignore_failure": true, "description": "05-09-23 JC - Event Code 4625 & 4624 - Set service.name to winlog.event_data.TransmittedServices if exists -" } },
    { "grok": { "field": "winlog.event_data.Image", "patterns": [ "^%{WINPATHALT:process.executable}" ], "pattern_definitions": { "WINPATHALT": """^(.*(?<=\\))?+(?.*$|$)""" }, "if": """ctx?.winlog?.event_data?.Image != null && ctx?.event?.code != null && (ctx?.event?.code == 1 || ctx?.event?.code == "1")""", "ignore_failure": true, "description": "05-09-23 JC - Event Code 1 - Parse process.name and exec path from winlog.event_data.Image if it exists and process.name does not" } },
    { "grok": { "field": "winlog.event_data.Hashes", "patterns": [ "^MD5=%{DATA:process.hash.md5},SHA256=%{DATA:process.hash.sha256},IMPHASH=%{DATA:process.hash.imphash}$" ], "if": """ctx?.winlog?.event_data?.Hashes != null && ctx?.event?.code != null && (ctx?.event?.code == 1 || ctx?.event?.code == "1")""", "ignore_failure": true, "description": "05-09-23 JC - Event Code 1 - Parses md5 and sha256 hash to process.hash. from winlog.event_data.Hashes" } },
    { "set": { "field": "server.address", "copy_from": "winlog.event_data.TargetServerName", "if": """ctx?.event?.code != null && (ctx?.event?.code == 4648 || ctx?.event?.code == "4648") && ctx?.winlog?.event_data?.TargetServerName != null && ctx?.server?.address == null""", "ignore_failure": true, "description": "05-09-23 JC - Event Code 4648 - Set server.address to winlog.event_data.TargetServerName if exists -" } }
  ]
}
```

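As an added example that is not part of the issue or of Beats, the script below emulates the table's rules over a few constructed Winlogbeat-shaped documents, so the resulting ECS fields can be inspected without an Elasticsearch node; plain regexes (CLIENT_RE, DOMUSER_RE, HASHES_RE) stand in for the grok patterns, the `set_if_empty` helper models the table's "no overwrite" column, and every sample value is made up.

```python
import copy
import re

# Constructed sample documents shaped like winlogbeat output: event.code is a string and the
# raw event fields sit under winlog.event_data. Every value below is made up.
SAMPLE_EVENTS = [
    {"event": {"code": "18456"},  # SQL Server failed login (Application log)
     "winlog": {"event_data": {"param1": "CORP\\svc_report",
                               "param2": " Reason: Password did not match that for the login provided.",
                               "param3": " [CLIENT: 10.20.30.40]"}}},
    {"event": {"code": "18452"},  # SQL Server login from an untrusted domain over a named pipe
     "winlog": {"event_data": {"param1": " [CLIENT: <named pipe>]"}}},
    {"event": {"code": "4625"},   # failed NTLM network logon (Security log)
     "winlog": {"event_data": {"ProcessId": "0x1a4", "ProcessName": "C:\\Windows\\System32\\lsass.exe",
                               "LogonType": "3", "TargetDomainName": "CORP", "TargetUserName": "alice",
                               "TargetUserSid": "S-1-0-0", "SubjectUserName": "-", "IpAddress": "192.0.2.10",
                               "IpPort": "51234", "AuthenticationPackageName": "NTLM", "WorkstationName": "WS01"}}},
    {"event": {"code": "1"},      # Sysmon process create
     "winlog": {"event_data": {"ProcessId": "4120", "Image": "C:\\Windows\\System32\\cmd.exe",
                               "Hashes": "MD5=0123456789abcdef0123456789abcdef,SHA256=ab12,IMPHASH=cd34"}}},
]

# Plain regexes standing in for the grok patterns of the proposed pipeline.
CLIENT_RE = re.compile(r"^\s*\[CLIENT: (?:<(?P<named>[^>]+)>|(?P<addr>[^\]]+))\]")
DOMUSER_RE = re.compile(r"^(?:(?P<domain>[^\\]+)\\)?(?P<name>\S+)")
REASON_RE = re.compile(r"Reason: (?P<reason>.*)$")
HASHES_RE = re.compile(r"^MD5=(?P<md5>[^,]+),SHA256=(?P<sha256>[^,]+),IMPHASH=(?P<imphash>.+)$")
CLIENT_PARAM = {"18456": "param3", "18454": "param2", "18452": "param1"}  # which paramN carries [CLIENT: ...]
# The "Set X to winlog.event_data.Y" rows of the table, grouped by event code.
COPY_RULES = {
    ("4624", "4625"): [("winlog.logon.code", "LogonType"), ("user.domain", "TargetDomainName"),
                       ("user.name", "TargetUserName"), ("user.id", "TargetUserSid"),
                       ("server.user.domain", "SubjectDomainName"), ("server.user.name", "SubjectUserName"),
                       ("server.user.id", "SubjectUserSid"), ("source.domain", "WorkstationName"),
                       ("package.name", "AuthenticationPackageName"),
                       ("winlog.logon.process.name", "LogonProcessName"), ("service.name", "TransmittedServices")],
    ("4648",): [("user.domain", "SubjectDomainName"), ("user.name", "SubjectUserName"), ("user.id", "SubjectUserSid"),
                ("user.effective.name", "TargetUserName"), ("user.effective.id", "TargetUserSid"),
                ("user.effective.domain", "TargetDomainName"), ("server.address", "TargetServerName")],
}


def get(doc, path):  # null-safe dotted lookup, the counterpart of ctx.a?.b in Painless
    cur = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def put(doc, path, value):  # creates intermediate objects, as the ingest set processor does
    *parents, last = path.split(".")
    cur = doc
    for key in parents:
        cur = cur.setdefault(key, {})
    cur[last] = value


def set_if_empty(doc, path, value):  # fill only a null or "-" target: the table's "No" overwrite column
    if value is not None and get(doc, path) in (None, "-"):
        put(doc, path, value)


def enrich(doc):  # apply the table's rules to one document in place and return it
    code = str(get(doc, "event.code"))  # compare as text: winlogbeat emits event.code as a string
    ed = get(doc, "winlog.event_data") or {}
    if code == "18454":
        set_if_empty(doc, "event.outcome", "success")
    if code in ("18456", "18452", "4625"):
        set_if_empty(doc, "event.outcome", "failure")
    if code in ("18456", "18454", "18452", "4625") and get(doc, "event.category") is None:
        put(doc, "event.category", ["authentication"])
    if code in ("18456", "18454") and get(doc, "user.name") in (None, "-"):
        if m := DOMUSER_RE.match(ed.get("param1") or ""):  # "DOMAIN\user" or a bare "user"
            set_if_empty(doc, "user.domain", m["domain"])
            put(doc, "user.name", m["name"])
    if code == "18456" and (m := REASON_RE.search(ed.get("param2") or "")):
        set_if_empty(doc, "event.reason", m["reason"])
    if code in CLIENT_PARAM and (m := CLIENT_RE.match(ed.get(CLIENT_PARAM[code]) or "")):
        set_if_empty(doc, "client.address", m["named"] or m["addr"])  # IP/host, or the text inside <...>
    if code in ("4624", "4625", "1"):
        if pid := ed.get("ProcessId"):  # Security events carry a hex PID ("0x1a4"), Sysmon a decimal one
            put(doc, "process.pid", int(pid, 16) if pid.lower().startswith("0x") else int(pid))
        if exe := (ed.get("Image") if code == "1" else ed.get("ProcessName")):
            set_if_empty(doc, "process.executable", exe)
            set_if_empty(doc, "process.name", exe.rsplit("\\", 1)[-1])
    if code == "1" and (m := HASHES_RE.match(ed.get("Hashes") or "")):
        for algo, value in m.groupdict().items():
            put(doc, f"process.hash.{algo}", value)
    if code in ("4624", "4625"):
        if ed.get("IpAddress") not in (None, "-"):  # "-" is what Windows logs when there is no network peer
            set_if_empty(doc, "source.ip", ed["IpAddress"])
        if (ed.get("IpPort") or "").isdigit():
            set_if_empty(doc, "source.port", int(ed["IpPort"]))
    for codes, pairs in COPY_RULES.items():
        if code in codes:
            for dest, src in pairs:
                set_if_empty(doc, dest, ed.get(src))
    return doc


def enrich_samples():  # runs every constructed sample through the rules and returns the enriched copies
    return [enrich(copy.deepcopy(doc)) for doc in SAMPLE_EVENTS]
```

Because `enrich` compares `str(event.code)`, it behaves the same whether a document carries the code as `"4625"` or `4625`, which is the case the Painless conditions above cover with paired string/integer comparisons.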
elasticmachine commented 1 year ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

efd6 commented 1 year ago

@jguay Would you mind asking for the JSON with pretty=false?

efd6 commented 1 year ago

I've gone through the processors here to reduce the syntax for clarity and maintainability. There is no indication of which of the modules the processors are intended to be added to. Please ask the user to explain which module each of the processors is intended to be added to.

The pipeline (in YAML) with my changes is here.

```yaml
---
processors:
- set:
    field: event.outcome
    value: success
    if: ctx.event?.outcome == null && ctx.event?.code == "18454"
    ignore_failure: true
    description: Event Code 18454 - Set event outcome success for a list of conditional event codes
- set:
    field: event.outcome
    value: failure
    if: ctx.event?.outcome == null && ["4625", "18452", "18456"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 18456 & 18452 & 4625 - Set event outcome failure for a list of conditional event codes
- append:
    field: event.category
    value:
    - authentication
    if: ctx.event?.category == null && ["4625", "18452", "18454", "18456"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 18456 18454 18452 4625 - Set event category to authentication if doesn't exist
- grok:
    field: winlog.event_data.param1
    patterns:
    - '^%{HOSTNAME:user.domain}\\%{USERNAME:user.name}'
    - '^%{USERNAME:user.name}'
    if: ctx.winlog?.event_data?.param1 != null && (ctx.user?.name == null || ctx.user.name == "-") && ["18454", "18456"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 18456 - Parse user.name ANDOR user.domain from winlog.event_data.param1
- set:
    field: user.name
    copy_from: winlog.user.name
    if: ctx.winlog?.user?.name != null && (ctx.user?.name == null || ctx.user.name == "-") && ["18454", "18456"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 18456 - Set user.name to winlog.user.name IF Exists
- set:
    field: user.name
    copy_from: winlog.event_data.param1
    if: ctx.winlog?.event_data?.param1 != null && (ctx.user?.name == null || ctx.user.name == "-") && ["18454", "18456"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 18456 - Set user.name to winlog.event_data.param1
- grok:
    field: winlog.event_data.param2
    patterns:
    - '%{SPACE}Reason: %{GREEDYDATA:event.reason}$'
    if: ctx.winlog?.event_data?.param2 != null && ctx.event?.code == "18456" && (ctx.event?.reason == null || ctx.event.reason == "-")
    ignore_failure: true
    description: Event Code 18456 - Parse event.reason from winlog.event_data.param2
- grok:
    field: winlog.event_data.param3
    patterns:
    - '^%{SPACE}\[CLIENT: (%{IPORHOST:client.address})\]'
    - '^%{SPACE}\[CLIENT: \<%{GREEDYDATA:client.address}\>\]'
    ignore_missing: true
    # guard on client.address (the target field), as in the original JSON, not on event.reason
    if: ctx.winlog?.event_data?.param3 != null && ctx.event?.code == "18456" && (ctx.client?.address == null || ctx.client.address == "-")
    ignore_failure: true
    description: Event Code 18456 - Parse client address from winlog.event_data.param3
- grok:
    field: winlog.event_data.param2
    patterns:
    - '^%{SPACE}\[CLIENT: (%{IPORHOST:client.address})\]'
    - '^%{SPACE}\[CLIENT: \<%{GREEDYDATA:client.address}\>\]'
    ignore_missing: true
    if: ctx.winlog?.event_data?.param2 != null && ctx.event?.code == "18454" && (ctx.client?.address == null || ctx.client.address == "-")
    ignore_failure: true
    description: Event Code 18454 - Parse client address from winlog.event_data.param2
- grok:
    field: winlog.event_data.param1
    patterns:
    - '^%{SPACE}\[CLIENT: (%{IPORHOST:client.address})\]'
    - '^%{SPACE}\[CLIENT: \<%{GREEDYDATA:client.address}\>\]'
    ignore_missing: true
    if: ctx.winlog?.event_data?.param1 != null && ctx.event?.code == "18452" && (ctx.client?.address == null || ctx.client.address == "-")
    ignore_failure: true
    description: Event Code 18452 - Parse client address from winlog.event_data.param1
- grok:
    field: winlog.event_data.param1
    patterns:
    - '^%{SPACE}\[CLIENT: (%{IPORHOST:client.address})\]'
    - '^%{SPACE}\[CLIENT: \<%{GREEDYDATA:client.address}\>\]'
    ignore_missing: true
    if: ctx.winlog?.event_data?.param1 != null && ctx.event?.code == "18452" && (ctx.client?.address == null || ctx.client.address == "-")
    ignore_failure: true
    description: Event Code 18454 - Parse client address from winlog.event_data.param2
- convert:
    field: winlog.event_data.ProcessId
    type: integer
    target_field: process.pid
    if: ctx.winlog?.event_data?.ProcessId != null && ["4624", "4625"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 4625 & 4624 - Convert hex PID to dec into process.pid
- grok:
    field: winlog.event_data.ProcessName
    patterns:
    - '^%{WINPATHALT:process.executable}'
    pattern_definitions:
      WINPATHALT: '^(.*(?<=\\))?+(?.*$|$)'
    if: ctx.winlog?.event_data?.ProcessName != null && ["4624", "4625"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 4625 & 4624 - Parse process.name and exec path from winlog.event_data.ProcessExecutable
- set:
    if: ctx.winlog?.event_data?.ProcessId != null && ctx.event?.code == "1"
    ignore_failure: true
    field: process.pid
    copy_from: winlog.event_data.ProcessId
    description: Event Code 1 - set winlog.event_data.ProcessId to into process.pid -
- set:
    field: winlog.logon.code
    copy_from: winlog.event_data.LogonType
    if: ctx.winlog?.event_data?.LogonType != null && ["4624", "4625"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 4625 & 4624 - Set winlog.logon.code to winlog.event_data.LogonType
- set:
    field: user.domain
    copy_from: winlog.event_data.TargetDomainName
    if: ctx.winlog?.event_data?.TargetDomainName != null && ["4624", "4625"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 4625 & 4624 - Set user.domain to winlog.event_data.TargetDomainName
- set:
    field: user.name
    copy_from: winlog.event_data.TargetUserName
    if: ctx.winlog?.event_data?.TargetUserName != null && ["4624", "4625"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 4625 & 4624 - Set user.name to winlog.event_data.TargetUserName
- set:
    field: user.id
    copy_from: winlog.event_data.TargetUserSid
    if: ctx.winlog?.event_data?.TargetUserSid != null && ["4624", "4625"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 4625 & 4624 - Set user.id to winlog.event_data.TargetUserSid
- set:
    field: user.domain
    copy_from: winlog.event_data.SubjectDomainName
    if: ctx.winlog?.event_data?.SubjectDomainName != null && ctx.event?.code == "4648"
    ignore_failure: true
    description: Event Code 4648 - Set user.domain to winlog.event_data.SubjectDomainName
- set:
    field: user.name
    copy_from: winlog.event_data.SubjectUserName
    if: ctx.winlog?.event_data?.SubjectUserName != null && ctx.event?.code == "4648"
    ignore_failure: true
    description: Event Code 4648 - Set user.name to winlog.event_data.SubjectUserName
- set:
    field: user.id
    copy_from: winlog.event_data.SubjectUserSid
    if: ctx.winlog?.event_data?.SubjectUserSid != null && ctx.event?.code == "4648"
    ignore_failure: true
    description: Event Code 4648 - Set user.id to winlog.event_data.SubjectUserSid
- set:
    field: server.user.domain
    copy_from: winlog.event_data.SubjectDomainName
    if: ctx.winlog?.event_data?.SubjectDomainName != null && ["4624", "4625"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 4625 & 4624 - Set server.user.domain to winlog.event_data.SubjectDomainName
- set:
    field: server.user.name
    copy_from: winlog.event_data.SubjectUserName
    if: ctx.winlog?.event_data?.SubjectUserName != null && (ctx.server?.user?.name == null || ctx.server.user.name == "-") && ["4624", "4625"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 4625 & 4624 - Set server.user.name to winlog.event_data.SubjectUserName
- set:
    field: server.user.id
    copy_from: winlog.event_data.SubjectUserSid
    if: ctx.winlog?.event_data?.SubjectUserSid != null && (ctx.server?.user?.id == null || ctx.server.user.id == "-") && ["4624", "4625"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 4625 & 4624 - Set server.user.id to winlog.event_data.SubjectUserSid
- set:
    field: user.effective.name
    copy_from: winlog.event_data.TargetUserName
    if: ctx.winlog?.event_data?.TargetUserName != null && ctx.event?.code == "4648"
    ignore_failure: true
    description: Event Code 4648 - Set user.effective.name to winlog.event_data.TargetUserName
- set:
    field: user.effective.id
    copy_from: winlog.event_data.TargetUserSid
    if: ctx.winlog?.event_data?.TargetUserSid != null && ctx.event?.code == "4648"
    ignore_failure: true
    description: Event Code 4648 - Set user.effective.id to winlog.event_data.TargetUserSid
- set:
    field: user.effective.domain
    copy_from: winlog.event_data.TargetDomainName
    if: ctx.winlog?.event_data?.TargetDomainName != null && ctx.event?.code == "4648"
    ignore_failure: true
    description: Event Code 4648 - Set user.effective.domain to winlog.event_data.TargetDomainName
- set:
    field: source.domain
    copy_from: winlog.event_data.WorkstationName
    if: ctx.winlog?.event_data?.WorkstationName != null && ctx.source?.domain == null && ["4624", "4625"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 4625 & 4624 - Set source.domain to winlog.event_data.WorkstationName if exists -
- grok:
    field: winlog.event_data.IpAddress
    patterns:
    - '^%{IP:source.ip}'
    if: ctx.winlog?.event_data?.IpAddress != null && ctx.source?.ip == null && ["4624", "4625"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 4625 & 4624 - Set source.ip to winlog.event_data.IpAddress if exists -
- grok:
    field: winlog.event_data.IpPort
    patterns:
    - '^%{INT:source.port}'
    if: ctx.winlog?.event_data?.IpPort != null && ctx.source?.port == null && ["4624", "4625"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 4625 & 4624 - Set source.port to winlog.event_data.IpPort if exists -
- set:
    field: package.name
    copy_from: winlog.event_data.AuthenticationPackageName
    if: ctx.winlog?.event_data?.AuthenticationPackageName != null && ctx.package?.name == null && ["4624", "4625"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 4625 & 4624 - Set package.name to winlog.event_data.AuthenticationPackageName if exists -
- set:
    field: winlog.logon.process.name
    copy_from: winlog.event_data.LogonProcessName
    if: ctx.winlog?.event_data?.LogonProcessName != null && ctx.winlog?.logon?.process?.name == null && ["4624", "4625"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 4625 & 4624 - Set winlog.logon.process.name to winlog.event_data.LogonProcessName if exists -
- set:
    field: service.name
    copy_from: winlog.event_data.TransmittedServices
    if: ctx.winlog?.event_data?.TransmittedServices != null && ctx.service?.name == null && ["4624", "4625"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 4625 & 4624 - Set service.name to winlog.event_data.TransmittedServices if exists -
- grok:
    field: winlog.event_data.Image
    patterns:
    - '^%{WINPATHALT:process.executable}'
    pattern_definitions:
      WINPATHALT: '^(.*(?<=\\))?+(?.*$|$)'
    if: ctx.winlog?.event_data?.Image != null && ctx.event?.code == "1"
    ignore_failure: true
    description: Event Code 1 - Parse process.name and exec path from winlog.event_data.Image if it exists and process.name does not
- grok:
    field: winlog.event_data.Hashes
    patterns:
    - '^MD5=%{DATA:process.hash.md5},SHA256=%{DATA:process.hash.sha256},IMPHASH=%{DATA:process.hash.imphash}$'
    if: ctx.winlog?.event_data?.Hashes != null && ctx.event?.code == "1"
    ignore_failure: true
    description: Event Code 1 - Parses md5 and sha256 hash to process.hash. from winlog.event_data.Hashes
- set:
    field: server.address
    copy_from: winlog.event_data.TargetServerName
    if: ctx.winlog?.event_data?.TargetServerName != null && ctx.server?.address == null && ctx.event?.code == "4648"
    ignore_failure: true
    description: Event Code 4648 - Set server.address to winlog.event_data.TargetServerName if exists -
```

elasticmachine commented 9 months ago

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)