-
Notifications
You must be signed in to change notification settings - Fork 374
/
default.yml
400 lines (379 loc) · 15.1 KB
/
default.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
---
description: Pipeline for Bravura Security Fabric events
processors:
- set:
field: event.ingested
value: '{{_ingest.timestamp}}'
- convert:
field: event.code
type: string
ignore_missing: true
- rename:
field: message
target_field: event.original
ignore_missing: true
- grok:
field: event.original
patterns:
- '%{DATA:winlog.event_data.Message}\|%{GREEDYDATA:kvpairs}'
- kv:
field: kvpairs
field_split: '\|'
value_split: '='
target_field: winlog.event_data
ignore_missing: false
ignore_failure: false
- remove:
field: kvpairs
ignore_missing: true
ignore_failure: true
- split:
field: winlog.event_data.ClientIPs
separator: ","
preserve_trailing: true
ignore_missing: true
- split:
field: winlog.event_data.FailedTargets
separator: ","
preserve_trailing: true
ignore_missing: true
- script:
lang: painless
ignore_failure: false
tag: Decode symbolic id table
description: Decode symbolic id table
params:
"1": "AUTH_CHAIN_FAILURE"
"2": "AUTH_CHAIN_SUCCESS"
"3": "USER_LOGIN_LOCKOUT"
"4": "DB_COMMIT_SUSPEND"
"5": "DB_COMMIT_RESUME"
"6": "DB_REPLICATION_CONN_FAILURE"
"7": "DB_REPLICATION_CONN_RESTORED"
"8": "DB_REPLICATION_TRANS_FAILURE"
"9": "DB_QUEUE_INSERT_FAILURE"
"10": "DB_FAILED_PROC_RECORDED"
"11": "PAMSA_ORCHESTRATION_START_FAILURE"
"12": "PAMSA_ORCHESTRATION_END_FAILURE"
"13": "UPDATE_RESOURCE_FAILURE"
"14": "GSET_CHECKIN_FAILURE"
"15": "GSET_CHECKIN_PARTIAL"
"16": "GSET_CHECKIN_SUCCESS"
"17": "GSET_CHECKOUT_SUCCESS"
"18": "GSET_CHECKOUT_FAILURE"
"19": "GSET_CHECKOUT_PARTIAL"
"20": "PWD_CHECKOUT_SUCCESS"
"21": "PWD_CHECKOUT_FAILURE"
"22": "PWD_CHECKIN_SUCCESS"
"23": "PWD_CHECKIN_FAILURE"
"24": "WSTN_VIEW_PASSWORD_SUCCESS"
"25": "WSTN_VIEW_PASSWORD_FAILURE"
"26": "WSTN_VIEW_PASSWORD_HIS_SUCCESS"
"27": "WSTN_VIEW_PASSWORD_HIS_FAILURE"
"28": "ADMIN_ENABLE_ADMIN"
"29": "ADMIN_ENABLE_USER"
"30": "ADMIN_DISABLE_ADMIN"
"31": "ADMIN_DISABLE_USER"
"32": "ADMIN_UNLOCK_ADMIN"
"33": "ADMIN_UNLOCK_USER"
"34": "SMON_SESSION_START"
"35": "SMON_SESSION_END"
"36": "SMON_ADMIN_SESS_TERM_REQ"
"37": "PSUPDATE_START"
"38": "PSUPDATE_FINISH"
"39": "IDAPI_LOGIN_SUCCESS"
"40": "IDAPI_LOGIN_FAILURE"
"41": "MAQ_CHECKIN_FAILURE"
"42": "MAQ_CHECKIN_SUCCESS"
"43": "MAQ_CHECKOUT_FAILURE"
"44": "MAQ_CHECKOUT_SUCCESS"
"45": "TARGET_DEPLOYMENT_FAILURE"
"46": "TARGET_DEPLOYMENT_SUCCESS"
"47": "OPERATION_IMPORT_TARGET"
"48": "WSTN_ADD_WSTN_SUCCESS"
"49": "WSTN_ADD_WSTN_FAILURE"
"50": "IDWFM_EVENT_ABORT"
"51": "IDWFM_EVENT_FAILURE"
"52": "USER_QA_ADD_SUCCESS"
"53": "USER_QA_ADD_FAILURE"
"54": "USER_QA_UPDATE_SUCCESS"
"55": "USER_QA_UPDATE_FAILURE"
"56": "USER_QA_DELETE_SUCCESS"
"57": "ADMIN_QA_ADD_SUCCESS"
"58": "ADMIN_QA_ADD_FAILURE"
"59": "ADMIN_QA_UPDATE_SUCCESS"
"60": "ADMIN_QA_UPDATE_FAILURE"
"61": "ADMIN_QA_DELETE_SUCCESS"
"62": "USER_PW_RESET_START"
"63": "USER_PW_RESET_SUCCESS"
"64": "USER_PW_RESET_FAILURE"
"65": "ADMIN_PW_RESET_START"
"66": "ADMIN_PW_RESET_SUCCESS"
"67": "ADMIN_PW_RESET_FAILURE"
"68": "USER_ACCT_UNLOCK_START"
"69": "USER_ACCT_UNLOCK_SUCCESS"
"70": "USER_ACCT_UNLOCK_FAILURE"
"71": "ADMIN_ACCT_UNLOCK_START"
"72": "ADMIN_ACCT_UNLOCK_SUCCESS"
"73": "ADMIN_ACCT_UNLOCK_FAILURE"
"74": "DB_REPLICATION_WATERMARK_WARN"
"75": "USER_ALIAS_ALREADY_CLAIMED"
"76": "ADMIN_ALIAS_ALREADY_CLAIMED"
"77": "CONNECTOR_TIMEOUT"
"78": "FILE_REPLICATION_FAILURE"
"79": "IDPM_GROUP_SUCCESS"
"80": "IDPM_GROUP_FAILURE"
"81": "WF_REQUEST_BATCH_APPROVED"
"82": "WF_REQUEST_BATCH_REJECTED"
"83": "WF_REQUEST_BATCH_CANCELED"
"84": "WF_REQUEST_BATCH_REVOKED"
"85": "WF_REQUEST_BATCH_PROCESSED"
"86": "DID_REGISTER_SUCCESS"
"87": "DID_REGISTER_FAILURE"
"88": "DID_UPDATE_SUCCESS"
"89": "DID_SEND_SUCCESS"
"90": "USER_IDENTIFY_SUCCESS"
"91": "USER_IDENTIFY_FAILURE"
"92": "USER_LOGIN_SUCCESS"
"93": "USER_LOGIN_FAILURE"
"94": "FEDIDP_IDENTIFY_SUCCESS"
"95": "FEDIDP_IDENTIFY_FAILURE"
"96": "FEDIDP_AUTH_SUCCESS"
"97": "FEDIDP_AUTH_FAILURE"
"98": "DB_STORED_PROC_FAILURE"
"99": "ADMIN_CRED_FAILURE"
"100": "ADMIN_CRED_SUCCESS"
"101": "FEDIDP_SSO_SESSION_CREATE"
"102": "FEDIDP_SSO_SESSION_DESTROY"
"103": "PAM_CHECKOUT_SUCCESS"
"104": "PAM_CHECKOUT_PARTIAL"
"105": "PAM_CHECKOUT_FAILURE"
"106": "PAM_CHECKIN_SUCCESS"
"107": "PAM_CHECKIN_PARTIAL"
"108": "PAM_CHECKIN_FAILURE"
"109": "PAM_CHECKOUT_EXPIRY"
"110": "PAM_CHECKOUT_LIMIT_REACHED"
"111": "PAM_CHECKOUT_OPERATION_SUCCESS"
"112": "PAM_CHECKOUT_OPERATION_FAILURE"
"113": "PAM_CHECKIN_OPERATION_SUCCESS"
"114": "PAM_CHECKIN_OPERATION_FAILURE"
"115": "FEDSP_SAMLAUTH_ASR_FAILURE"
"116": "FEDSP_SAMLAUTH_ASR_SUCCESS"
"117": "FEDSP_SAMLAUTH_ISSUED"
"118": "DB_REPLICATION_QUEUE_DELAY_PAST_THRESHOLD"
"119": "USER_HDD_RECOVERY_SUCCESS"
"120": "USER_HDD_RECOVERY_FAILURE"
"121": "USER_MOBILE_DEVICE_REGISTRATION"
source: |-
if (ctx?.winlog?.event_id == null) {
return;
}
def t = params.get(ctx.winlog.event_id);
if (t == null) {
return;
}
ctx.winlog.put("symbolic_id", t)
- script:
lang: painless
ignore_failure: false
tag: Decode description table
description: Decode description table
params:
"1": "User failed to authenticate"
"2": "User successfully authenticated"
"3": "User lockout triggered"
"4": "Database commits suspended, replication queue full"
"5": "Database commits resuming"
"6": "Connectivity to replica database lost"
"7": "Connectivity to replica database restored"
"8": "Failed to replicate database transaction"
"9": "Failed to insert data into database replication queue"
"10": "ed to run stored procedure on replica server"
"11": "Subscriber orchestration failed to start"
"12": "Subscriber orchestration completed with failures"
"13": "Failed to update subscriber password"
"14": "Failed to check-in managed group set"
"15": "Failed to fully check-in managed group set, some memberships were not revoked"
"16": "Managed group set successfully checked in"
"17": "Managed group set successfully checked out"
"18": "Failed to check out managed group set"
"19": "Managed group set partially checked out, some memberships were not granted"
"20": "Managed account password successfully checked out"
"21": "Failed to check-out managed account password"
"22": "Managed account password successfully checked in"
"23": "Failed to check-in managed account password"
"24": "Managed account password viewed"
"25": "Failed to view managed account password"
"26": "Historical managed account password viewed"
"27": "Failed to view historical managed account password"
"28": "Administrative profile enabled"
"29": "User profile enabled"
"30": "Administrative profile disabled"
"31": "User profile disabled"
"32": "Administrative profile unlocked"
"33": "User profile unlocked"
"34": "Privileged access session recording started"
"35": "Privileged access session recording ended"
"36": "Privileged access session termination requested by administrator"
"37": "Nightly discovery process started"
"38": "Nightly discovery process finished"
"39": "API login succeeded"
"40": "API login failure"
"41": "Failed to check in system and account query based access"
"42": "Succeeded in checking in system and account query based access"
"43": "Failed to check out system and account query based access"
"44": "Succeeded in checking out system and account query based access"
"45": "Target deployment finished with a failure."
"46": "Successfully finished target deployment."
"47": "Successfully imported a single target."
"48": "Successfully finished target deployment."
"49": "Target deployment finished with a failure."
"50": "Workflow manager aborted event processing."
"51": "Workflow manager failed to process event."
"52": "Security question successfully added."
"53": "Failed to add security question."
"54": "Security question successfully updated."
"55": "Failed to update security question."
"56": "Security question successfully deleted."
"57": "Security question successfully added."
"58": "Failed to add security question."
"59": "Security question successfully updated."
"60": "Failed to update security question."
"61": "Security question successfully deleted."
"62": "Self-service password reset started."
"63": "Self-service password reset successful."
"64": "Self-service password reset failed."
"65": "Help-desk assisted password reset started."
"66": "Help-desk assisted password reset successful."
"67": "Help-desk assisted password reset failed."
"68": "Self-service account unlock started."
"69": "Self-service account unlock successful."
"70": "Self-service account unlock failed."
"71": "Help-desk assisted account unlock started."
"72": "Help-desk assisted account unlock successful."
"73": "Help-desk assisted password reset failed."
"74": "Database replication watermark hit."
"75": "User attempted to claim alias that is already claimed."
"76": "Admin attempted to assign alias that is already claimed."
"77": "Connector timed out while performing operation."
"78": "Error occured during file replication to remote nodes."
"79": "All passwords successfully synchronized."
"80": "One or more passwords failed to be synchronized."
"81": "Workflow request has been approved."
"82": "Workflow request has been rejected."
"83": "Workflow request has been canceled."
"84": "Workflow request has been revoked."
"85": "Workflow request has been processed."
"86": "Successfully registered Digital ID."
"87": "Failed to register Digital ID."
"88": "Successfully updated Digital ID."
"89": "Digital ID successfully downloaded."
"90": "User successfully identified"
"91": "Failed to identify user."
"92": "User successfully logged in."
"93": "User failed to log in."
"94": "Federated authn request successfully parsed."
"95": "Federated authn request failed to be parsed."
"96": "Federated assertion successfully generated."
"97": "Federated assertion failed to be generated."
"98": "Failed to execute stored procedure."
"99": "Target creation failure: Could not establish credentials."
"100": "Target creation successful: Credentials set successfully."
"101": "New federated SSO session created."
"102": "Federated SSO session terminated."
"103": "Generic access check-out successful."
"104": "Generic access check-out partially successful."
"105": "Generic access check-out failed."
"106": "Generic access check-in successful."
"107": "Generic access check-in partially successful."
"108": "Generic access check-in failed."
"109": "Generic access check-out expired."
"110": "Generic access check-out cannot be performed because it would exceed the check-out limit of one of its targets."
"111": "An operation run as part of a generic access check-out succeeded."
"112": "An operation run as part of a generic access check-out failed."
"113": "An operation run as part of a generic access check-in succeeded."
"114": "An operation run as part of a generic access check-in failed."
"115": "Failed to validate a SAML assertion."
"116": "Successfully validated a SAML assertion."
"117": "Issued SAML AuthNRequest."
"118": "Database replication queue delay exceeded configured threshold."
"119": "Self-service encrypted drive recovery successful."
"120": "Self-service encrypted drive recovery failure."
"121": "Self-service mobile device registration."
source: |-
if (ctx?.winlog?.event_id == null) {
return;
}
def t = params.get(ctx.winlog.event_id);
if (t == null) {
return;
}
if (ctx?.winlog?.event_data == null ) {
Map map = new HashMap();
ctx.winlog.put("event_data", map);
}
ctx.winlog.event_data.put("Description", t)
- convert:
field: winlog.record_id
type: string
ignore_missing: true
- convert:
field: winlog.event_id
type: string
ignore_missing: true
- convert:
field: winlog.event_data.DelayThreshold
type: long
ignore_missing: true
- convert:
field: winlog.event_data.QueueDelay
type: long
ignore_missing: true
- convert:
field: winlog.event_data.QueueSize
type: long
ignore_missing: true
- convert:
field: winlog.event_data.Runtime
type: long
ignore_missing: true
- set:
field: ecs.version
value: '8.8.0'
- set:
field: log.level
copy_from: winlog.level
ignore_empty_value: true
ignore_failure: true
if: ctx?.winlog?.level != ""
- date:
field: winlog.time_created
formats:
- ISO8601
ignore_failure: true
if: ctx?.winlog?.time_created != null
- remove:
field: event.original
if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
ignore_failure: true
ignore_missing: true
- remove:
ignore_missing: true
field:
- winlog.event_data.Value1
- winlog.event_data.Value2
- winlog.event_data.Value3
- winlog.event_data.Value4
- winlog.event_data.Value5
- winlog.event_data.Value6
- winlog.event_data.Value7
- winlog.event_data.Value8
- winlog.event_data.Value9
on_failure:
- set:
field: event.kind
value: pipeline_error
- append:
field: error.message
value: |-
Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}"