Permalink
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
164 lines (151 sloc) 5.55 KB
filter {
if [log_name] == "Microsoft-Windows-Sysmon/Operational" {
translate {
field => "SeverityValue"
destination => "[data_model][fields][severity]"
override => "true"
fallback => "unknown"
dictionary => [
"1","Debug",
"2","Information",
"3","Warning",
"4","Error",
"5","Critical"
]
}
mutate {
add_field => {
"[sensor][name]"=>"sysmon"
"received_at"=>"%{@timestamp}"
}
rename => {
"source_name" => "[data_model][fields][log_name]"
"computer_name" => "[data_model][fields][fqdn]"
"record_number" => "[data_model][fields][record_number]"
"Keywords" => "[data_model][fields][keywords]"
"host" => "[data_model][fields][hostname]"
"event_id" => "[data_model][fields][event_code]"
}
}
translate {
field => "event_id"
destination => "[data_model][object]"
override => "true"
fallback => "unknown"
dictionary => [
"1","process",
"2","file",
"3","flow",
"4","sysmon",
"5","process",
"6","driver",
"7","module",
"8","thread",
"9","raw_access",
"10","process",
"255","error"
]
}
translate {
field => "event_id"
destination => "[data_model][action]"
override => "true"
fallback => "unknown"
dictionary => [
"1","create",
"2","attr_modify",
"3","start",
"4","change",
"5","stop",
"6","load",
"7","load",
"8","create",
"9","read",
"10","read",
"255","error"
]
}
translate {
field => "event_id"
destination => "[type]"
override => "true"
fallback => "unknown"
dictionary => [
"1","sysmon_process",
"2","sysmon_file",
"3","sysmon_flow",
"4","sysmon_sysmon",
"5","sysmon_process",
"6","sysmon_driver",
"7","sysmon_module",
"8","sysmon_thread",
"9","sysmon_raw_access",
"10","sysmon_process_access",
"255","error"
]
}
if [type] == "sysmon_process"
{
mutate {
add_field => {
"[sensor][name]"=>"sysmon-process"
"received_at"=>"%{@timestamp}"
}
}
grok{
match => {"Message"=>"(.)ProcessId: %{NUMBER:[data_model][fields][pid]}"}
}}
mutate {
add_tag => ["sysmoncheck"]
rename => {
"[event_data][UtcTime]" => "[data_model][fields][utc_time]"
"[event_data][Image]" => "[data_model][fields][image_path]"
"[event_data][ProcessId]" => "[data_model][fields][pid]"
"[event_data][CommandLine]" => "[data_model][fields][command_line]"
"[event_data][Hashes]" => "[data_model][fields][hashes]"
"[user][identifier]" => "[data_model][fields][uuid]"
"[event_data][ProcessGuid]" => "[data_model][fields][process_guid]"
"[event_data][LogonId]" => "[data_model][fields][logon_id]"
"[event_data][LogonGuid]" => "[data_model][fields][logon_guid]"
"[event_data][TerminalSessionId]" => "[data_model][fields][terminal_session_id]"
"[event_data][IntegrityLevel]" => "[data_model][fields][integrity_level]"
"[event_data][ParentProcessGuid]" => "[data_model][fields][parent_process_guid]"
"[event_data][ParentProcessId]" => "[data_model][fields][ppid]"
"[event_data][ParentImage]" => "[data_model][fields][parent_image_path]"
"[event_data][ParentCommandLine]" => "[data_model][fields][terminal_session_id]"
"[user][name]" => "[data_model][fields][user]"
"[event_data][TargetFilename]" => "[data_model][fields][file_name]"
"[event_data][CreationUtcTime]" => "[data_model][fields][creation_time]"
"[event_data][PreviousCreationUtcTime]" => "[data_model][fields][previous_creation_time]"
"[event_data][Device]" => "[data_model][fields][device]"
"[event_data][ImageLoaded]" => "[data_model][fields][image_loaded]"
"[event_data][Signature]" => "[data_model][fields][signature]"
"[event_data][Signed]" => "[data_model][fields][signed]"
"process_id" => "[data_model][fields][src_pid]"
"source_name" => "[data_model][fields][source_image_path]"
"threat_id" => "[data_model][fields][src_tid]"
"[event_data][StartAddress]" => "[data_model][fields][start_address]"
"[event_data][StartFunction]" => "[data_model][fields][start_function]"
"[event_data][StartModule]" => "[data_model][fields][start_module_name]"
"[event_data][TargetProcessId]" => "[data_model][fields][target_pid]"
"[event_data][TargetProcessGuid]" => "[data_model][fields][target_guid]"
"host" => "[account][ip]"
"[beat][hostname]" => "[account][hostname]"
"Domain" => "[account][domain]"
}
}
grok {
match => {"[data_model][fields][hashes]" => "SHA1=%{BASE16NUM:[data_model][fields][sha1_hash]},MD5=%{BASE16NUM:[data_model][fields][md5_hash]},SHA256=%{BASE16NUM:[data_model][fields][hash][sha256_hash]},IMPHASH=%{BASE16NUM:[data_model][fields][imphash_hash]}"}
}
}
if ([data_model][fields][image_path]) {
ruby {
code => "event.set('[data_model][fields][exe]',event.get('[data_model][fields][image_path]').split('\\').last)"
}
}
if ([data_model][fields][parent_image_path]) {
ruby {
code => "event.set('[data_model][fields][parent_exe]',event.get('[data_model][fields][parent_image_path]').split('\\').last)"
}
}
}