From 2a24e61bcecbd53c69345a11f6f514dcc808c02b Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Thu, 17 Apr 2025 11:02:59 -0500 Subject: [PATCH 01/56] fix(compliance-schedule): fix standard and section selection issue in report creation --- .../compliance-schedule.component.ts | 2 +- .../utm-compliance-select.component.html | 6 +++--- .../utm-compliance-select.component.ts | 19 ++++++++++--------- 3 files changed, 14 insertions(+), 13 deletions(-) diff --git a/frontend/src/app/compliance/compliance-schedule/compliance-schedule.component.ts b/frontend/src/app/compliance/compliance-schedule/compliance-schedule.component.ts index 5e83886ec..e61531d44 100644 --- a/frontend/src/app/compliance/compliance-schedule/compliance-schedule.component.ts +++ b/frontend/src/app/compliance/compliance-schedule/compliance-schedule.component.ts @@ -18,10 +18,10 @@ import { UtmComplianceScheduleDeleteComponent } from '../shared/components/utm-compliance-schedule-delete/utm-compliance-schedule-delete.component'; import {ComplianceScheduleService} from '../shared/services/compliance-schedule.service'; +import {CronDescriptionGeneratorService} from '../shared/services/cron-description-generator.service'; import {ComplianceScheduleFilterType} from '../shared/type/compliance-schedule-filter.type'; import {ComplianceScheduleType} from '../shared/type/compliance-schedule.type'; import {ComplianceStandardType} from '../shared/type/compliance-standard.type'; -import {CronDescriptionGeneratorService} from "../shared/services/cron-description-generator.service"; @Component({ diff --git a/frontend/src/app/compliance/shared/components/utm-compliance-select/utm-compliance-select.component.html b/frontend/src/app/compliance/shared/components/utm-compliance-select/utm-compliance-select.component.html index 518fc8032..b41dcea42 100644 --- a/frontend/src/app/compliance/shared/components/utm-compliance-select/utm-compliance-select.component.html 
+++ b/frontend/src/app/compliance/shared/components/utm-compliance-select/utm-compliance-select.component.html @@ -18,7 +18,7 @@ placeholder="Standard" style="width: 50%" > - - {{report.associatedDashboard.name}} + {{report.configReportName ? report.configReportName :report.associatedDashboard.name}} -
+
0 ? page - 1 : page; this.getDashboardList(); } getDashboardList() { const query = { - page: this.page - 1, - size: 1000, + page: this.page, + size: this.itemsPerPage, sort: 'id,asc', 'standardSectionId.equals': this.section, 'configSolution.contains': this.solution @@ -81,7 +81,7 @@ export class UtmComplianceSelectComponent implements OnInit { getSections() { const query = { - page: this.page - 1, + page: 0, size: 1000, sort: 'id,asc', 'standardId.equals': this.standard, @@ -89,7 +89,7 @@ export class UtmComplianceSelectComponent implements OnInit { }; this.cpStandardSectionService.query(query).subscribe(response => { this.standardSections = response.body; - this.section = !!this.section ? this.section : this.standardSections[0].id; + this.section = this.standardSections.length > 0 ? this.standardSections[0].id : null; this.getDashboardList(); if (this.idReport) { this.getSelectedDashboard(this.idReport); @@ -98,7 +98,8 @@ export class UtmComplianceSelectComponent implements OnInit { } getStandardList() { - this.cpStandardService.query({page: 0, size: 1000}).subscribe( + this.cpStandardService.query({page: 0, size: 1000}) + .subscribe( (res: HttpResponse) => { this.standards = res.body; this.standard = !!this.standard ? this.standard : this.standards[0].id; From 1b7cc966b3e31b1e13fd02b266afa773fc4ac5e8 Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Thu, 17 Apr 2025 11:11:58 -0500 Subject: [PATCH 02/56] chore: Update CHANGELOG.md --- CHANGELOG.md | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index aa1c862da..b9214cf28 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
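Review bot: `this.standard = !!this.standard ? this.standard : this.standards[0].id;` still indexes `this.standards[0]` with no length check, while the sibling hunk above now guards `this.standardSections.length > 0` before reading `[0].id`; an empty standards response would throw inside the subscribe callback. Mirror the guard: `this.standard = this.standard ? this.standard : (this.standards.length > 0 ? this.standards[0].id : null);`. Splitting `.subscribe(` onto its own line is cosmetic, and the subscription still has no error callback, so a failed request leaves `standards` undefined silently. The `getStandardList` method continues outside the hunk.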
@@ -1,8 +1,5 @@ -# UTMStack 10.7.3 Release Notes --- Implemented backend support for filtering compliance reports based on active integrations, optimizing query performance and data retrieval. --- Introduced new compliance reports aligned with the PCI DSS standard to expand auditing capabilities. --- Added support for creating and updating tag-based rules with dynamic conditions. +## UTMStack 10.7.4 Release Notes + ### Bug Fixes --- Improved exception handling in `automaticReview` to prevent the process from stopping due to errors, ensuring the system continues evaluating alerts even if a specific rule fails. --- Improved operator selection for more accurate and consistent filtering. \ No newline at end of file +-- Compliance Report Scheduling: Improved the stability of the selection process when creating new report schedules. \ No newline at end of file From 5d70f69c1e41c189846124d2789a5fea9d6d48ef Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Thu, 17 Apr 2025 11:12:13 -0500 Subject: [PATCH 03/56] chore: update version.yml --- version.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.yml b/version.yml index 21c159ed9..c8c242abc 100644 --- a/version.yml +++ b/version.yml @@ -1 +1 @@ -version: 10.7.3 \ No newline at end of file +version: 10.7.4 \ No newline at end of file From a5965e36002712808c97f83c8914c0c8477f6a9a Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Thu, 17 Apr 2025 14:44:38 -0500 Subject: [PATCH 04/56] fix(ui): display array fields as a single field without numeric suffixes --- .../dynamic-table/dynamic-table.component.ts | 7 ++- .../utm-table-detail-view.component.ts | 5 +- ...et-value-object-from-property-path.util.ts | 50 +++++++++++++++++++ 3 files changed, 58 insertions(+), 4 deletions(-) 
diff --git a/frontend/src/app/shared/components/utm/table/utm-table/dynamic-table/dynamic-table.component.ts b/frontend/src/app/shared/components/utm/table/utm-table/dynamic-table/dynamic-table.component.ts index 0182f4844..53cc033fc 100644 --- a/frontend/src/app/shared/components/utm/table/utm-table/dynamic-table/dynamic-table.component.ts +++ b/frontend/src/app/shared/components/utm/table/utm-table/dynamic-table/dynamic-table.component.ts @@ -4,7 +4,10 @@ import {SortEvent} from '../../../../../directives/sortable/type/sort-event'; import {ElasticDataTypesEnum} from '../../../../../enums/elastic-data-types.enum'; import {UtmDateFormatEnum} from '../../../../../enums/utm-date-format.enum'; import {UtmFieldType} from '../../../../../types/table/utm-field.type'; -import {convertObjectToKeyValueArray, extractValueFromObjectByPath} from '../../../../../util/get-value-object-from-property-path.util'; +import { + convertObjectToKeyValueArray, + extractFieldValueFromKvArray +} from '../../../../../util/get-value-object-from-property-path.util'; @Component({ selector: 'app-dynamic-table', @@ -85,7 +88,7 @@ export class UtmDynamicTableComponent implements OnInit { } resolveTdValue(row: any, td: UtmFieldType): any { - const value = extractValueFromObjectByPath(row, td); + const value = extractFieldValueFromKvArray(row, td); return td.type === this.dataTypeEnum.DATE && value === '-' ? null : value; } diff --git a/frontend/src/app/shared/components/utm/table/utm-table/utm-table-detail/utm-table-detail-view/utm-table-detail-view.component.ts b/frontend/src/app/shared/components/utm/table/utm-table/utm-table-detail/utm-table-detail-view/utm-table-detail-view.component.ts index 5772d3a83..58bb2276b 100644 --- a/frontend/src/app/shared/components/utm/table/utm-table/utm-table-detail/utm-table-detail-view/utm-table-detail-view.component.ts +++ b/frontend/src/app/shared/components/utm/table/utm-table/utm-table-detail/utm-table-detail-view/utm-table-detail-view.component.ts 
@@ -1,7 +1,8 @@ import {Component, Input, OnInit} from '@angular/core'; import {IndexFieldController} from '../../../../../../../log-analyzer/shared/behaviors/index-field-controller.behavior'; import {ElasticOperatorsEnum} from '../../../../../../enums/elastic-operators.enum'; -import {convertObjectToKeyValueArray} from '../../../../../../util/get-value-object-from-property-path.util'; +import { flattenToKeyValueArray, +} from '../../../../../../util/get-value-object-from-property-path.util'; import {UtmFilterBehavior} from '../../../../filters/utm-elastic-filter/shared/behavior/utm-filter.behavior'; @Component({ @@ -21,7 +22,7 @@ export class UtmTableDetailViewComponent implements OnInit { ngOnInit() { this.tableData = []; if (this.rowDocument) { - this.tableData = convertObjectToKeyValueArray(this.rowDocument); + this.tableData = flattenToKeyValueArray(this.rowDocument); } } diff --git a/frontend/src/app/shared/util/get-value-object-from-property-path.util.ts b/frontend/src/app/shared/util/get-value-object-from-property-path.util.ts index 01eac8b85..ac764d511 100644 --- a/frontend/src/app/shared/util/get-value-object-from-property-path.util.ts +++ b/frontend/src/app/shared/util/get-value-object-from-property-path.util.ts @@ -69,6 +69,21 @@ export function extractValueFromObjectByPath(row: any, field: UtmFieldType) { return tdValue ? tdValue : '-'; } +export function extractFieldValueFromKvArray(row: any, field: UtmFieldType) { + const arrayRow = flattenToKeyValueArray(row); + const objectRow = arrayRow + .reduce((acc, { key, value }) => { + acc[key] = value; + return acc; + }, {}); + + const fieldExtract = field.field.includes('.keyword') ? + field.field.replace('.keyword', '') : field.field; + + const tdValue = convertByType(objectRow[fieldExtract]); + return tdValue ? tdValue : '-'; +} + export function convertByType(data: any) { if (data && typeof data === 'object') { 
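Review bot: `extractFieldValueFromKvArray` re-flattens the whole `row` and rebuilds a lookup object on every call, and `resolveTdValue` in dynamic-table.component.ts calls it once per cell, so each rendered row pays columns × (full flatten + reduce); the lookup should be built once per row and reused. The `.reduce(..., {})` accumulator is typed `{}`, so `acc[key] = value` only compiles with implicit-any indexing, and its keys come straight from the document being rendered; a `Map` avoids both: `const objectRow = new Map<string, any>(arrayRow.map(({ key, value }) => [key, value] as [string, any]));` and `const tdValue = convertByType(objectRow.get(fieldExtract));`. The `tdValue ? tdValue : '-'` fallback mirrors `extractValueFromObjectByPath` above, so `0` and `false` render as `-` in both — consistent, but worth a comment. A TSDoc line stating that `field.field` is matched against the flattened dotted keys after `.keyword` is stripped would tell callers what the new function expects.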
@@ -90,6 +105,41 @@ export function convertObjectToKeyValueArray(object) { } } +export function flattenToKeyValueArray(obj: any, parentKey: string = ''): { key: string, value: any }[] { + const result: { key: string, value: any }[] = []; + + for (const key in obj) { + if (!obj.hasOwnProperty(key)) { continue; } + + const value = obj[key]; + const fullKey = parentKey ? `${parentKey}.${key}` : key; + + if (Array.isArray(value)) { + if (value.length > 0 && typeof value[0] === 'object') { + const formattedArray = value.map(item => { + if (typeof item === 'object' && item !== null) { + return Object.entries(item) + .map(([k, v]) => `${k}=${v}`) + .join(', '); + } else { + return String(item); + } + }).join(' | '); + result.push({ key: fullKey, value: formattedArray }); + } else { + result.push({ key: fullKey, value: value.join(', ') }); + } + } else if (value !== null && typeof value === 'object') { + result.push(...flattenToKeyValueArray(value, fullKey)); + } else { + result.push({ key: fullKey, value }); + } + } + + return result; +} + + export function findInObject(obj, item) { for (const key in obj) { if (obj[key] && typeof obj[key] === 'object') { From e22eea90ddb3727eeffc5beb81c4942eea30139e Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Thu, 17 Apr 2025 14:45:02 -0500 Subject: [PATCH 05/56] chore: update CHANGELOG.md --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b9214cf28..72b39cec9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,4 +2,5 @@ ### Bug Fixes --- Compliance Report Scheduling: Improved the stability of the selection process when creating new report schedules. \ No newline at end of file +-- Compliance Report Scheduling: Improved the stability of the selection process when creating new report schedules. +-- Improved field rendering in Log Explorer by consolidating list-based fields into a single entry for better readability and consistency. \ No newline at end of file 
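Review bot: In the object-array branch of `flattenToKeyValueArray`, `${k}=${v}` renders any nested object value as `[object Object]`, so an array of objects that themselves hold objects or arrays loses that data in the cell; use `typeof v === 'object' && v !== null ? JSON.stringify(v) : String(v)` on the value side. The branch is chosen from `value[0]` alone, so a mixed array whose first element is a primitive skips the per-item formatting and `join(', ')`s its objects as `[object Object]` as well — hedged, since mixed arrays may not occur in these documents. `for (const key in obj)` plus `obj.hasOwnProperty(key)` reads cleaner as `for (const [key, value] of Object.entries(obj))`, which also works for null-prototype objects where `.hasOwnProperty` is absent. The exported function has no documentation; a short TSDoc saying it flattens nested keys with dots, joins primitive arrays with `, ` and object arrays with ` | ` would state the contract the table view now relies on.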
From 997405e490c781988b7cbe7689ccd2f226ec880d Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Tue, 22 Apr 2025 10:30:02 -0500 Subject: [PATCH 06/56] fix(alert-field-render): resolve persistent loading spinner when displaying "tags" column --- .../alert-management/alert-view/alert-view.component.html | 1 + .../alert-apply-note/alert-apply-note.component.html | 7 ++++--- .../alert-apply-note/alert-apply-note.component.ts | 1 + .../alert-apply-tags/alert-tags-apply.component.html | 6 +++--- .../alert-apply-tags/alert-tags-apply.component.ts | 4 ++++ .../data-field-render/data-field-render.component.html | 6 +++++- .../data-field-render/data-field-render.component.ts | 2 ++ 7 files changed, 20 insertions(+), 7 deletions(-) diff --git a/frontend/src/app/data-management/alert-management/alert-view/alert-view.component.html b/frontend/src/app/data-management/alert-management/alert-view/alert-view.component.html index 0b4b12cf3..79b03187e 100644 --- a/frontend/src/app/data-management/alert-management/alert-view/alert-view.component.html +++ b/frontend/src/app/data-management/alert-management/alert-view/alert-view.component.html @@ -160,6 +160,7 @@
*ngIf="(td.visible)"> diff --git a/frontend/src/app/data-management/alert-management/shared/components/alert-actions/alert-apply-note/alert-apply-note.component.html b/frontend/src/app/data-management/alert-management/shared/components/alert-actions/alert-apply-note/alert-apply-note.component.html index 04df39603..23e5740b0 100644 --- a/frontend/src/app/data-management/alert-management/shared/components/alert-actions/alert-apply-note/alert-apply-note.component.html +++ b/frontend/src/app/data-management/alert-management/shared/components/alert-actions/alert-apply-note/alert-apply-note.component.html @@ -2,15 +2,16 @@ placement="top" tooltipClass="utm-tooltip-top"> - + {{note}} diff --git a/frontend/src/app/data-management/alert-management/shared/components/alert-actions/alert-apply-note/alert-apply-note.component.ts b/frontend/src/app/data-management/alert-management/shared/components/alert-actions/alert-apply-note/alert-apply-note.component.ts index 5a2c8a4c8..f6ad3d207 100644 --- a/frontend/src/app/data-management/alert-management/shared/components/alert-actions/alert-apply-note/alert-apply-note.component.ts +++ b/frontend/src/app/data-management/alert-management/shared/components/alert-actions/alert-apply-note/alert-apply-note.component.ts @@ -17,6 +17,7 @@ export class AlertApplyNoteComponent implements OnInit, OnChanges { @Output() applyNote = new EventEmitter(); note: string; creating = false; + @Input( )showIcon = true; constructor(private alertServiceManagement: AlertManagementService, private utmToastService: UtmToastService, diff --git a/frontend/src/app/data-management/alert-management/shared/components/alert-actions/alert-apply-tags/alert-tags-apply.component.html b/frontend/src/app/data-management/alert-management/shared/components/alert-actions/alert-apply-tags/alert-tags-apply.component.html index 884f57e7b..1a7d0a037 100644 
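Review bot: `@Input( )showIcon = true;` in alert-apply-note.component.ts has the whitespace on the wrong side of the parentheses; write `@Input() showIcon = true;` to match the other decorated members of the class. The alert-tags-apply.component.ts hunk in the next file has the same kind of slip, `if (!this.showIcon){`, which should be `if (!this.showIcon) {`. Both components now declare an identical `showIcon` input; a one-line comment on the early return in `addNewTagRule` explaining why a hidden icon must also suppress the modal (the template's click binding still fires, as far as the hunk shows) would help the next reader.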
--- a/frontend/src/app/data-management/alert-management/shared/components/alert-actions/alert-apply-tags/alert-tags-apply.component.html +++ b/frontend/src/app/data-management/alert-management/shared/components/alert-actions/alert-apply-tags/alert-tags-apply.component.html @@ -2,10 +2,10 @@ placement="auto" container="body" tooltipClass="utm-tooltip-top" (click)="addNewTagRule()" *ngIf="tags;else loadingTag"> - + - + {{selected.length <= 5 ? selected.length : '+5'}} diff --git a/frontend/src/app/data-management/alert-management/shared/components/alert-actions/alert-apply-tags/alert-tags-apply.component.ts b/frontend/src/app/data-management/alert-management/shared/components/alert-actions/alert-apply-tags/alert-tags-apply.component.ts index d427ea542..a754103ef 100644 --- a/frontend/src/app/data-management/alert-management/shared/components/alert-actions/alert-apply-tags/alert-tags-apply.component.ts +++ b/frontend/src/app/data-management/alert-management/shared/components/alert-actions/alert-apply-tags/alert-tags-apply.component.ts @@ -20,6 +20,7 @@ export class AlertTagsApplyComponent implements OnInit, OnChanges { @Output() applyTagsEvent = new EventEmitter<{ tags: string[], automatic: boolean }>(); icon: string; color: string; + @Input() showIcon = true; constructor(private modalService: NgbModal, private alertUpdateTagBehavior: AlertUpdateTagBehavior) { @@ -50,6 +51,9 @@ export class AlertTagsApplyComponent implements OnInit, OnChanges { } addNewTagRule() { + if (!this.showIcon){ + return; + } const modalRef = this.modalService.open(AlertRuleCreateComponent, {centered: true, size: 'lg'}); modalRef.componentInstance.alert = this.alert; modalRef.componentInstance.action = 'select'; diff --git a/frontend/src/app/data-management/alert-management/shared/components/data-field-render/data-field-render.component.html b/frontend/src/app/data-management/alert-management/shared/components/data-field-render/data-field-render.component.html index d87c78f6a..47854bf94 100644 
--- a/frontend/src/app/data-management/alert-management/shared/components/data-field-render/data-field-render.component.html +++ b/frontend/src/app/data-management/alert-management/shared/components/data-field-render/data-field-render.component.html @@ -11,9 +11,13 @@ - + diff --git a/frontend/src/app/data-management/alert-management/shared/components/data-field-render/data-field-render.component.ts b/frontend/src/app/data-management/alert-management/shared/components/data-field-render/data-field-render.component.ts index d477806cf..9685fecba 100644 --- a/frontend/src/app/data-management/alert-management/shared/components/data-field-render/data-field-render.component.ts +++ b/frontend/src/app/data-management/alert-management/shared/components/data-field-render/data-field-render.component.ts @@ -10,6 +10,7 @@ import { ALERT_TIMESTAMP_FIELD } from '../../../../../shared/constants/alert/alert-field.constant'; import {UtmDateFormatEnum} from '../../../../../shared/enums/utm-date-format.enum'; +import {AlertTags} from '../../../../../shared/types/alert/alert-tag.type'; import {UtmAlertType} from '../../../../../shared/types/alert/utm-alert.type'; import {UtmFieldType} from '../../../../../shared/types/table/utm-field.type'; import {extractValueFromObjectByPath} from '../../../../../shared/util/get-value-object-from-property-path.util'; @@ -25,6 +26,7 @@ export class DataFieldRenderComponent implements OnInit { @Input() field: UtmFieldType; @Input() showStatusChange: boolean; @Input() dataType: EventDataTypeEnum; + @Input() tags: AlertTags[] = []; @Output() refreshData = new EventEmitter(); STATUS_FIELD = ALERT_STATUS_FIELD; SEVERITY_FIELD = ALERT_SEVERITY_FIELD; From dbc47b59b08387f97a7b34e20166a87bb81984fb Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Tue, 22 Apr 2025 10:35:23 -0500 Subject: [PATCH 07/56] chore: Update CHANGELOG.md --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 72b39cec9..f5edf33ac 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,4 +3,5 @@ ### Bug Fixes -- Compliance Report Scheduling: Improved the stability of the selection process when creating new report schedules. --- Improved field rendering in Log Explorer by consolidating list-based fields into a single entry for better readability and consistency. \ No newline at end of file +-- Improved field rendering in Log Explorer by consolidating list-based fields into a single entry for better readability and consistency. +-- Improved field rendering for tags and note fields in Alerts. \ No newline at end of file From 30d1a9a238d7421d319492dcfaa7fbbea2b12c3e Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Tue, 22 Apr 2025 10:49:45 -0500 Subject: [PATCH 08/56] fix: Resolve false positive checkbox selection when editing tagging rules --- .../alert-rule-create/alert-rule-create.component.ts | 7 ------- 1 file changed, 7 deletions(-) diff --git a/frontend/src/app/data-management/alert-management/shared/components/alert-rule-create/alert-rule-create.component.ts b/frontend/src/app/data-management/alert-management/shared/components/alert-rule-create/alert-rule-create.component.ts index a2d04f8e2..a56aa2570 100644 --- a/frontend/src/app/data-management/alert-management/shared/components/alert-rule-create/alert-rule-create.component.ts +++ b/frontend/src/app/data-management/alert-management/shared/components/alert-rule-create/alert-rule-create.component.ts @@ -340,13 +340,6 @@ export class AlertRuleCreateComponent implements OnInit, OnDestroy { getTags() { this.alertTagService.query({page: 0, size: 100}).subscribe(reponse => { this.tags = reponse.body; - if (this.isForComplete) { - const index = this.tags.findIndex(value => value.tagName.includes('False positive')); - if (index !== -1) { - this.selected.push(this.tags[0]); - this.formRule.get('tags').setValue(this.selected); - } - } }); } 
From c59d0004dec8e72d247d6df609b62c34e7fad555 Mon Sep 17 00:00:00 2001 From: Yadian Llada Lopez Date: Mon, 28 Apr 2025 13:40:31 -0400 Subject: [PATCH 09/56] feat: implement alert correlation and context building for enhanced alert analysis --- soc-ai/configurations/const.go | 5 +- soc-ai/elastic/alerts.go | 139 +++++++++++++++++++++++++++++ soc-ai/gpt/client.go | 10 +++ soc-ai/processor/alertProcessor.go | 12 +++ 4 files changed, 164 insertions(+), 2 deletions(-) diff --git a/soc-ai/configurations/const.go b/soc-ai/configurations/const.go index 99bd2a439..aad503873 100644 --- a/soc-ai/configurations/const.go +++ b/soc-ai/configurations/const.go 
@@ -59,8 +59,9 @@ var ( "email": {Regexp: `([a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,})`, FakeValue: "jhondoe@gmail.com"}, //"ipv4": `(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)`, } - GPT_INSTRUCTION = "You are an expert security engineer. Perform a deep analysis of an alert created by a SIEM and the logs related to it. Determine if the alert could be an actual potential threat or not and explain why. Provide a description that shows a deep understanding of the alert based on a deep analysis of its logs and estimate the risk to the systems affected. Classify the alert in the following manner: if the alert information is sufficient to determine that the security, availability, confidentiality, or integrity of the systems has being compromised, then classify it as \"possible incident\". If the alert does not pose a security risk to the organization or has no security relevance, classify it as \"possible false positive\". If the alert does not pose an imminent risk to the systems, requires no urgent action from an administrator, or requires not urgent review by an administrator, it should be classified as a \"standard alert\". You will also provide context-specific instructions for remediation, mitigation, or further investigation, related to the alert and logs analyzed. Your answer should be provided using the following JSON format and the total number of characters in your answer must not exceed 1500 words. Your entire answer must be inside this json format. {\"activity_id\":\"\",\"classification\":\"\",\"reasoning\":[\"\"],\"nextSteps\":[{\"step\":1,\"action\":\"\",\"details\":\"\"},{\"step\":2,\"action\":\"\",\"details\":\"\"},{\"step\":3,\"action\":\"\"]}Ensure that your entire answer adheres to the provided JSON format. The response should be valid JSON syntax and schema." - GPT_FALSE_POSITIVE = "This alert is categorized as a potential false positive due to two key factors. 
Firstly, it originates from an automated system, which may occasionally produce alerts without direct human validation. Additionally, the absence of any correlated logs further raises suspicion, as a genuine incident typically leaves a trail of relevant log entries. Hence, the combination of its system-generated nature and the lack of associated logs suggests a likelihood of being a false positive rather than a genuine security incident." + GPT_INSTRUCTION = "You are an expert security engineer. Perform a deep analysis of an alert created by a SIEM and the logs related to it. Determine if the alert could be an actual potential threat or not and explain why. Provide a description that shows a deep understanding of the alert based on a deep analysis of its logs and estimate the risk to the systems affected. Classify the alert in the following manner: if the alert information is sufficient to determine that the security, availability, confidentiality, or integrity of the systems has being compromised, then classify it as \"possible incident\". If the alert does not pose a security risk to the organization or has no security relevance, classify it as \"possible false positive\". If the alert does not pose an imminent risk to the systems, requires no urgent action from an administrator, or requires not urgent review by an administrator, it should be classified as a \"standard alert\". You will also provide context-specific instructions for remediation, mitigation, or further investigation, related to the alert and logs analyzed. Your answer should be provided using the following JSON format and the total number of characters in your answer must not exceed 1500 words. Your entire answer must be inside this json format. 
{\"activity_id\":\"\",\"classification\":\"\",\"reasoning\":[\"\"],\"nextSteps\":[{\"step\":1,\"action\":\"\",\"details\":\"\"},{\"step\":2,\"action\":\"\",\"details\":\"\"},{\"step\":3,\"action\":\"\"]}Ensure that your entire answer adheres to the provided JSON format. The response should be valid JSON syntax and schema." + GPT_FALSE_POSITIVE = "This alert is categorized as a potential false positive due to two key factors. Firstly, it originates from an automated system, which may occasionally produce alerts without direct human validation. Additionally, the absence of any correlated logs further raises suspicion, as a genuine incident typically leaves a trail of relevant log entries. Hence, the combination of its system-generated nature and the lack of associated logs suggests a likelihood of being a false positive rather than a genuine security incident." + CORRELATION_CONTEXT = "\n\nAlert Context: The current alert has historical correlation with previous alerts:\n%s" ) func GetInternalKey() string { diff --git a/soc-ai/elastic/alerts.go b/soc-ai/elastic/alerts.go index 678608e8a..679191968 100644 --- a/soc-ai/elastic/alerts.go +++ b/soc-ai/elastic/alerts.go @@ -4,6 +4,7 @@ import ( "encoding/json" "fmt" "net/http" + "strings" "github.com/utmstack/soc-ai/configurations" "github.com/utmstack/soc-ai/schema" 
@@ -65,3 +66,141 @@ func ChangeAlertStatus(id string, status int, observations string) error { return nil } + +type AlertCorrelation struct { + CurrentAlert schema.Alert + RelatedAlerts []schema.Alert + Classifications []string +} + +func GetRelatedAlerts() ([]schema.GPTAlertResponse, error) { + result, err := ElasticSearch(configurations.ALERT_INDEX_PATTERN, "*", "*") + if err != nil { + return nil, fmt.Errorf("error getting historical alerts: %v", err) + } + + var alerts []schema.GPTAlertResponse + err = json.Unmarshal(result, &alerts) + if err != nil { + return nil, fmt.Errorf("error unmarshalling alerts: %v", err) + } + + return alerts, nil +} + +func FindRelatedAlerts(currentAlert schema.Alert) (*AlertCorrelation, error) { + correlation := &AlertCorrelation{ + CurrentAlert: currentAlert, + RelatedAlerts: []schema.Alert{}, + Classifications: []string{}, + } + + historicalResponses, err := GetRelatedAlerts() + if err != nil { + return nil, err + } + + var alertIDs []string + for _, resp := range historicalResponses { + alertIDs = append(alertIDs, resp.ActivityID) + } + + for _, id := range alertIDs { + alert, err := GetAlertsInfo(id) + if err != nil { + continue + } + + if isAlertRelated(currentAlert, alert) { + correlation.RelatedAlerts = append(correlation.RelatedAlerts, alert) + + for _, resp := range historicalResponses { + if resp.ActivityID == alert.ID { + correlation.Classifications = append(correlation.Classifications, resp.Classification) + break + } + } + } + } + + return correlation, nil +} + +func isAlertRelated(current, historical schema.Alert) bool { + if current.Destination.IP != "" && current.Destination.IP == historical.Destination.IP { + return true + } + if current.Destination.Port != 0 && current.Destination.Port == historical.Destination.Port { + return true + } + if current.Destination.Host != "" && current.Destination.Host == historical.Destination.Host { + return true + } + if current.Destination.User != "" && current.Destination.User == 
historical.Destination.User { + return true + } + + if current.Source.IP != "" && current.Source.IP == historical.Source.IP { + return true + } + if current.Source.Port != 0 && current.Source.Port == historical.Source.Port { + return true + } + if current.Source.Host != "" && current.Source.Host == historical.Source.Host { + return true + } + if current.Source.User != "" && current.Source.User == historical.Source.User { + return true + } + + return false +} + +func BuildCorrelationContext(correlation *AlertCorrelation) string { + var context strings.Builder + + context.WriteString("\nHistorical Context:\n") + context.WriteString(fmt.Sprintf("Found %d related alerts with similar characteristics:\n", len(correlation.RelatedAlerts))) + + for i, alert := range correlation.RelatedAlerts { + context.WriteString(fmt.Sprintf("\nRelated Alert %d:\n", i+1)) + context.WriteString(fmt.Sprintf("- Name: %s\n", alert.Name)) + context.WriteString(fmt.Sprintf("- Severity: %s\n", alert.SeverityLabel)) + context.WriteString(fmt.Sprintf("- Category: %s\n", alert.Category)) + context.WriteString(fmt.Sprintf("- Classification: %s\n", correlation.Classifications[i])) + context.WriteString(fmt.Sprintf("- Time: %s\n", alert.Timestamp)) + + if alert.Source.IP != "" { + context.WriteString(fmt.Sprintf("- Source IP: %s\n", alert.Source.IP)) + } + if alert.Destination.IP != "" { + context.WriteString(fmt.Sprintf("- Destination IP: %s\n", alert.Destination.IP)) + } + if alert.Source.Host != "" { + context.WriteString(fmt.Sprintf("- Source Host: %s\n", alert.Source.Host)) + } + if alert.Destination.Host != "" { + context.WriteString(fmt.Sprintf("- Destination Host: %s\n", alert.Destination.Host)) + } + if alert.Source.User != "" { + context.WriteString(fmt.Sprintf("- Source User: %s\n", alert.Source.User)) + } + if alert.Destination.User != "" { + context.WriteString(fmt.Sprintf("- Destination User: %s\n", alert.Destination.User)) + } + if alert.Source.Port != 0 { + 
context.WriteString(fmt.Sprintf("- Source Port: %d\n", alert.Source.Port)) + } + if alert.Destination.Port != 0 { + context.WriteString(fmt.Sprintf("- Destination Port: %d\n", alert.Destination.Port)) + } + if alert.Protocol != "" { + context.WriteString(fmt.Sprintf("- Protocol: %s\n", alert.Protocol)) + } + if alert.Severity != 0 { + context.WriteString(fmt.Sprintf("- Severity: %d\n", alert.Severity)) + } + } + + return context.String() +} diff --git a/soc-ai/gpt/client.go b/soc-ai/gpt/client.go index edff874ee..32e3fb591 100644 --- a/soc-ai/gpt/client.go +++ b/soc-ai/gpt/client.go @@ -3,6 +3,7 @@ package gpt import ( "encoding/json" "fmt" + "strings" "sync" "github.com/utmstack/soc-ai/configurations" @@ -26,6 +27,15 @@ func GetGPTClient() *GPTClient { func (c *GPTClient) Request(alert schema.AlertGPTDetails) (string, error) { content := configurations.GPT_INSTRUCTION + + if alert.Description != "" { + correlationContext := strings.Split(alert.Description, "\nHistorical Context:") + if len(correlationContext) > 1 { + content = fmt.Sprintf("%s%s", + content, fmt.Sprintf(configurations.CORRELATION_CONTEXT, correlationContext[1])) + } + } + if alert.Logs == "" || alert.Logs == " " { content += content + ". " + configurations.GPT_FALSE_POSITIVE } diff --git a/soc-ai/processor/alertProcessor.go b/soc-ai/processor/alertProcessor.go index 2a4146c0d..e63eaeed7 100644 --- a/soc-ai/processor/alertProcessor.go +++ b/soc-ai/processor/alertProcessor.go @@ -5,6 +5,7 @@ import ( "github.com/utmstack/soc-ai/elastic" "github.com/utmstack/soc-ai/schema" + "github.com/utmstack/soc-ai/utils" ) func (p *Processor) processAlertsInfo() { 
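Review bot: `FindRelatedAlerts` appends to `RelatedAlerts` unconditionally but to `Classifications` only when a `historicalResponses` entry with `resp.ActivityID == alert.ID` is found, so the two slices can drift apart; `BuildCorrelationContext` then reads `correlation.Classifications[i]` in lockstep with `RelatedAlerts` and would panic with an index out of range on the first unmatched alert (this needs `GetAlertsInfo(id)` to return an alert whose `ID` differs from the id requested, which the hunk does not rule out). Keep the two in step as below, or better, store the classification alongside the alert in one struct. `isAlertRelated` treats a shared port alone as a match, so unrelated alerts on 443 or 53 count as related, and nothing excludes `currentAlert.ID` from the historical set or caps the result, while `GetRelatedAlerts` pulls every GPT response (`"*", "*"`) and then issues one `GetAlertsInfo` request per id for every processed alert. `BuildCorrelationContext` carries no documentation; a comment saying its output is appended to the alert description and later re-extracted by the GPT client on the `\nHistorical Context:` marker would make that coupling visible.
```go
// … unchanged: correlation init, historical fetch, alertIDs loop header …
		if isAlertRelated(currentAlert, alert) {
			classification := ""
			for _, resp := range historicalResponses {
				if resp.ActivityID == alert.ID {
					classification = resp.Classification
					break
				}
			}
			// append both together so Classifications[i] always pairs with RelatedAlerts[i]
			correlation.RelatedAlerts = append(correlation.RelatedAlerts, alert)
			correlation.Classifications = append(correlation.Classifications, classification)
		}
// … unchanged: return correlation, nil …
```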
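Review bot: `Request` recovers the correlation block with `strings.Split(alert.Description, "\nHistorical Context:")` and appends it to `content`, but the description still contains the same text and is presumably sent with the alert payload as well, so the block reaches the model twice, and any description that happens to contain the marker would have its tail promoted into the instruction. Passing the correlation context as its own field on `AlertGPTDetails` instead of string-splitting removes the marker dependency; if the split stays, `correlationContext[1]` should at least be length-capped before it enters the prompt. The unchanged line below, `content += content + ". " + configurations.GPT_FALSE_POSITIVE`, appends `content` to itself, so on the no-logs path the instruction — and now the correlation block with it — is duplicated; `content += ". " + configurations.GPT_FALSE_POSITIVE` is what was probably meant.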
@@ -15,7 +16,18 @@ func (p *Processor) processAlertsInfo() { continue } + correlation, err := elastic.FindRelatedAlerts(alertInfo) + if err != nil { + utils.Logger.ErrorF("error finding related alerts: %v", err) + } + details := schema.ConvertFromAlertToAlertDB(alertInfo) + + if correlation != nil && len(correlation.RelatedAlerts) > 0 { + correlationContext := elastic.BuildCorrelationContext(correlation) + details.Description = details.Description + "\n\n" + correlationContext + } + p.GPTQueue <- cleanAlerts(&details) } } From 1611144855ba063bb18c2f5ded81c51e604de883 Mon Sep 17 00:00:00 2001 From: Yadian Llada Lopez Date: Tue, 29 Apr 2025 22:41:44 -0400 Subject: [PATCH 10/56] add debug logging for GPT request --- soc-ai/gpt/client.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/soc-ai/gpt/client.go b/soc-ai/gpt/client.go index 32e3fb591..5721fa8dd 100644 --- a/soc-ai/gpt/client.go +++ b/soc-ai/gpt/client.go @@ -58,6 +58,9 @@ func (c *GPTClient) Request(alert schema.AlertGPTDetails) (string, error) { }, } + // Debug log + utils.Logger.Info("GPT Request: %s", req.Messages[0].Content) + requestJson, error := json.Marshal(req) if error != nil { return "", fmt.Errorf("error marshalling request: %v", error) From 5a4b09e75f13fd4d1979d9c257c815e424d1cf2e Mon Sep 17 00:00:00 2001 From: Yadian Llada Lopez Date: Thu, 1 May 2025 18:08:48 -0400 Subject: [PATCH 11/56] feat: add debug logging for alert processing and related alerts retrieval --- soc-ai/elastic/alerts.go | 28 ++++++++++++++++++++++------ soc-ai/gpt/client.go | 5 ++--- soc-ai/processor/alertProcessor.go | 3 +++ 3 files changed, 27 insertions(+), 9 deletions(-) diff --git a/soc-ai/elastic/alerts.go b/soc-ai/elastic/alerts.go index 679191968..6f91673f6 100644 --- a/soc-ai/elastic/alerts.go +++ b/soc-ai/elastic/alerts.go 
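Review bot: `utils.Logger.Info("GPT Request: %s", req.Messages[0].Content)` writes the complete prompt — the instruction, the alert's logs and, after the previous commit, hostnames and users from correlated alerts — into the service log at Info level, although the comment calls it a debug log; that content is sensitive and large, so it should go to a debug level (if `utils.Logger` has one) or be removed before release, with a length cap either way. `utils` is referenced here but no import for it appears in this file's hunks; confirm it is already imported in client.go or this does not compile. The patch 11 hunks in alerts.go add the same kind of Info-level tracing and share the concern.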
@@ -74,6 +74,9 @@ type AlertCorrelation struct { } func GetRelatedAlerts() ([]schema.GPTAlertResponse, error) { + // Debug log + utils.Logger.Info("Getting historical alerts from Elasticsearch") + result, err := ElasticSearch(configurations.ALERT_INDEX_PATTERN, "*", "*") if err != nil { return nil, fmt.Errorf("error getting historical alerts: %v", err) @@ -89,6 +92,9 @@ func GetRelatedAlerts() ([]schema.GPTAlertResponse, error) { } func FindRelatedAlerts(currentAlert schema.Alert) (*AlertCorrelation, error) { + // Debug log + utils.Logger.Info("Finding related alerts for alert %s", currentAlert.ID) + correlation := &AlertCorrelation{ CurrentAlert: currentAlert, RelatedAlerts: []schema.Alert{}, @@ -100,6 +106,8 @@ func FindRelatedAlerts(currentAlert schema.Alert) (*AlertCorrelation, error) { return nil, err } + utils.Logger.Info("Found %d historical alerts to analyze", len(historicalResponses)) + var alertIDs []string for _, resp := range historicalResponses { alertIDs = append(alertIDs, resp.ActivityID) 
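Review bot: The new `utils.Logger.Info("Finding related alerts for alert %s", currentAlert.ID)` and the similar lines in the other two hunks of this file pass printf-style arguments to `Info`, while the same logger is invoked as `ErrorF` with a format string in alertProcessor.go in the preceding commit; if the F suffix marks the formatting variant, these calls print the verbs literally and drop their arguments. Use the formatting counterpart consistently, or better leave the per-call tracing out of this path altogether and keep a single summary line. GetRelatedAlerts and FindRelatedAlerts both continue outside the hunks.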
@@ -123,36 +131,50 @@ func FindRelatedAlerts(currentAlert schema.Alert) (*AlertCorrelation, error) { } } + utils.Logger.Info("Completed related alerts search. Found %d related alerts for ID: %s", + len(correlation.RelatedAlerts), currentAlert.ID) + return correlation, nil } func isAlertRelated(current, historical schema.Alert) bool { + utils.Logger.Info("Checking relation between alerts - Current: %s, Historical: %s", current.ID, historical.ID) + if current.Destination.IP != "" && current.Destination.IP == historical.Destination.IP { + utils.Logger.Info("Match found: Destination IP %s", current.Destination.IP) return true } if current.Destination.Port != 0 && current.Destination.Port == historical.Destination.Port { + utils.Logger.Info("Match found: Destination Port %d", current.Destination.Port) return true } if current.Destination.Host != "" && current.Destination.Host == historical.Destination.Host { + utils.Logger.Info("Match found: Destination Host %s", current.Destination.Host) return true } if current.Destination.User != "" && current.Destination.User == historical.Destination.User { + utils.Logger.Info("Match found: Destination User %s", current.Destination.User) return true } if current.Source.IP != "" && current.Source.IP == historical.Source.IP { + utils.Logger.Info("Match found: Source IP %s", current.Source.IP) return true } if current.Source.Port != 0 && current.Source.Port == historical.Source.Port { + utils.Logger.Info("Match found: Source Port %d", current.Source.Port) return true } if current.Source.Host != "" && current.Source.Host == historical.Source.Host { + utils.Logger.Info("Match found: Source Host %s", current.Source.Host) return true } if current.Source.User != "" && current.Source.User == historical.Source.User { + utils.Logger.Info("Match found: Source User %s", current.Source.User) return true } + utils.Logger.Info("No match found between alerts %s and %s", current.ID, historical.ID) return false } 
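Review bot: isAlertRelated now emits an Info line for every (current, historical) pair, and its caller walks every historical alert for every processed alert, so log output grows with the product of the two sets and the "Checking relation…"/"No match found…" lines will bury the operationally useful ones. Keep the function pure and let FindRelatedAlerts log one summary (the hunk already adds `Completed related alerts search…`), or gate the per-pair lines behind a debug level. Independently of logging, a shared port alone — `current.Destination.Port == historical.Destination.Port` or the Source.Port twin — makes two alerts "related", so every alert on 443 matches every other; the port checks should be combined with an IP or host match rather than returning true on their own.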
@@ -194,12 +216,6 @@ func BuildCorrelationContext(correlation *AlertCorrelation) string { if alert.Destination.Port != 0 { context.WriteString(fmt.Sprintf("- Destination Port: %d\n", alert.Destination.Port)) } - if alert.Protocol != "" { - context.WriteString(fmt.Sprintf("- Protocol: %s\n", alert.Protocol)) - } - if alert.Severity != 0 { - context.WriteString(fmt.Sprintf("- Severity: %d\n", alert.Severity)) - } } return context.String() diff --git a/soc-ai/gpt/client.go b/soc-ai/gpt/client.go index 5721fa8dd..c4611a47a 100644 --- a/soc-ai/gpt/client.go +++ b/soc-ai/gpt/client.go @@ -58,14 +58,13 @@ func (c *GPTClient) Request(alert schema.AlertGPTDetails) (string, error) { }, } - // Debug log - utils.Logger.Info("GPT Request: %s", req.Messages[0].Content) - requestJson, error := json.Marshal(req) if error != nil { return "", fmt.Errorf("error marshalling request: %v", error) } + utils.Logger.Info("Complete GPT Request JSON: %s", string(requestJson)) + headers := map[string]string{ "Authorization": "Bearer " + configurations.GetGPTConfig().APIKey, "Content-Type": "application/json", diff --git a/soc-ai/processor/alertProcessor.go b/soc-ai/processor/alertProcessor.go index e63eaeed7..113a0c8a6 100644 --- a/soc-ai/processor/alertProcessor.go +++ b/soc-ai/processor/alertProcessor.go @@ -10,11 +10,14 @@ import ( func (p *Processor) processAlertsInfo() { for alert := range p.AlertInfoQueue { + utils.Logger.Info("Processing alert info for ID: %s", alert.AlertID) + alertInfo, err := elastic.GetAlertsInfo(alert.AlertID) if err != nil { p.RegisterError(fmt.Sprintf("error while getting alert %s info: %v", alert.AlertID, err), alert.AlertID) continue } + utils.Logger.Info("Alert info retrieved successfully for ID: %s", alert.AlertID) correlation, err := elastic.FindRelatedAlerts(alertInfo) if err != nil { From d89e0335efd25489cd5d5cc6dd5cc3211698b01e Mon Sep 17 00:00:00 2001 
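Review bot: `utils.Logger.Info("Complete GPT Request JSON: %s", string(requestJson))` replaces the earlier prompt log with the entire serialized request, so every alert's raw logs are still written to the service log at Info level on each call, and none of the later commits on this page remove it; the same data-duplication and volume concern as before applies. Log an identifier and `len(requestJson)` instead, or put the full dump behind a debug flag. Request continues outside the hunk.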
From: Yadian Llada Lopez Date: Thu, 1 May 2025 19:50:32 -0400 Subject: [PATCH 12/56] fix: update to return schema.Alert and adjust related logic --- soc-ai/elastic/alerts.go | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/soc-ai/elastic/alerts.go b/soc-ai/elastic/alerts.go index 6f91673f6..bacb9889c 100644 --- a/soc-ai/elastic/alerts.go +++ b/soc-ai/elastic/alerts.go @@ -73,7 +73,7 @@ type AlertCorrelation struct { Classifications []string } -func GetRelatedAlerts() ([]schema.GPTAlertResponse, error) { +func GetRelatedAlerts() ([]schema.Alert, error) { // Debug log utils.Logger.Info("Getting historical alerts from Elasticsearch") @@ -82,7 +82,7 @@ func GetRelatedAlerts() ([]schema.GPTAlertResponse, error) { return nil, fmt.Errorf("error getting historical alerts: %v", err) } - var alerts []schema.GPTAlertResponse + var alerts []schema.Alert err = json.Unmarshal(result, &alerts) if err != nil { return nil, fmt.Errorf("error unmarshalling alerts: %v", err) @@ -110,7 +110,7 @@ func FindRelatedAlerts(currentAlert schema.Alert) (*AlertCorrelation, error) { var alertIDs []string for _, resp := range historicalResponses { - alertIDs = append(alertIDs, resp.ActivityID) + alertIDs = append(alertIDs, resp.ID) } for _, id := range alertIDs { @@ -123,8 +123,8 @@ func FindRelatedAlerts(currentAlert schema.Alert) (*AlertCorrelation, error) { correlation.RelatedAlerts = append(correlation.RelatedAlerts, alert) for _, resp := range historicalResponses { - if resp.ActivityID == alert.ID { - correlation.Classifications = append(correlation.Classifications, resp.Classification) + if resp.ID == alert.ID { + correlation.Classifications = append(correlation.Classifications, resp.Tags...) break } } From b6bb38e098035938dd102deb7740fb9199d07b4d Mon Sep 17 00:00:00 2001 
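Review bot: Appending `resp.Tags...` to correlation.Classifications breaks the one-to-one alignment with RelatedAlerts that BuildCorrelationContext relies on when it indexes `correlation.Classifications[i]` (visible in the old lines of a later hunk on this page): an alert with no tags shifts every later entry, and once there are fewer classifications than related alerts the index is out of range and the goroutine panics, while an alert with several tags pads the list. Append exactly one entry per related alert — for example `strings.Join(resp.Tags, ", ")`, with a fixed placeholder when Tags is empty — and bounds-check the read on the consumer side. FindRelatedAlerts continues outside the hunk.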
From: Yadian Llada Lopez Date: Fri, 2 May 2025 09:43:22 -0400 Subject: [PATCH 13/56] refactor: simplify body creation in ElasticSearch function and remove unnecessary debug logs --- soc-ai/elastic/alerts.go | 23 ++++------------------- soc-ai/elastic/index.go | 13 ++++++++----- 2 files changed, 12 insertions(+), 24 deletions(-) diff --git a/soc-ai/elastic/alerts.go b/soc-ai/elastic/alerts.go index bacb9889c..ccbe37222 100644 --- a/soc-ai/elastic/alerts.go +++ b/soc-ai/elastic/alerts.go @@ -74,10 +74,7 @@ type AlertCorrelation struct { } func GetRelatedAlerts() ([]schema.Alert, error) { - // Debug log - utils.Logger.Info("Getting historical alerts from Elasticsearch") - - result, err := ElasticSearch(configurations.ALERT_INDEX_PATTERN, "*", "*") + result, err := ElasticSearch(configurations.ALERT_INDEX_PATTERN, "", "") if err != nil { return nil, fmt.Errorf("error getting historical alerts: %v", err) } @@ -92,9 +89,6 @@ func GetRelatedAlerts() ([]schema.Alert, error) { } func FindRelatedAlerts(currentAlert schema.Alert) (*AlertCorrelation, error) { - // Debug log - utils.Logger.Info("Finding related alerts for alert %s", currentAlert.ID) - correlation := &AlertCorrelation{ CurrentAlert: currentAlert, RelatedAlerts: []schema.Alert{}, @@ -106,8 +100,6 @@ func FindRelatedAlerts(currentAlert schema.Alert) (*AlertCorrelation, error) { return nil, err } - utils.Logger.Info("Found %d historical alerts to analyze", len(historicalResponses)) - var alertIDs []string for _, resp := range historicalResponses { alertIDs = append(alertIDs, resp.ID) 
@@ -138,43 +130,36 @@ func FindRelatedAlerts(currentAlert schema.Alert) (*AlertCorrelation, error) { } func isAlertRelated(current, historical schema.Alert) bool { - utils.Logger.Info("Checking relation between alerts - Current: %s, Historical: %s", current.ID, historical.ID) + if current.ID == historical.ID { + return false + } if current.Destination.IP != "" && current.Destination.IP == historical.Destination.IP { - utils.Logger.Info("Match found: Destination IP %s", current.Destination.IP) return true } if current.Destination.Port != 0 && current.Destination.Port == historical.Destination.Port { - utils.Logger.Info("Match found: Destination Port %d", current.Destination.Port) return true } if current.Destination.Host != "" && current.Destination.Host == historical.Destination.Host { - utils.Logger.Info("Match found: Destination Host %s", current.Destination.Host) return true } if current.Destination.User != "" && current.Destination.User == historical.Destination.User { - utils.Logger.Info("Match found: Destination User %s", current.Destination.User) return true } if current.Source.IP != "" && current.Source.IP == historical.Source.IP { - utils.Logger.Info("Match found: Source IP %s", current.Source.IP) return true } if current.Source.Port != 0 && current.Source.Port == historical.Source.Port { - utils.Logger.Info("Match found: Source Port %d", current.Source.Port) return true } if current.Source.Host != "" && current.Source.Host == historical.Source.Host { - utils.Logger.Info("Match found: Source Host %s", current.Source.Host) return true } if current.Source.User != "" && current.Source.User == historical.Source.User { - utils.Logger.Info("Match found: Source User %s", current.Source.User) return true } - utils.Logger.Info("No match found between alerts %s and %s", current.ID, historical.ID) return false } diff --git a/soc-ai/elastic/index.go b/soc-ai/elastic/index.go index d1cee0c98..a269923cb 100644 --- a/soc-ai/elastic/index.go +++ b/soc-ai/elastic/index.go 
@@ -44,12 +44,15 @@ func ElasticSearch(index, field, value string) ([]byte, error) {
 "Utm-Internal-Key": configurations.GetInternalKey(),
 }
- body := schema.SearchDetailsRequest{{Field: field, Operator: "IS", Value: value}}
- bodyBytes, err := json.Marshal(body)
- if err != nil {
- return nil, fmt.Errorf("error marshalling body: %v", err)
+ var bodyBytes []byte
+ var err error
+ if field != "" && value != "" {
+ body := schema.SearchDetailsRequest{{Field: field, Operator: "IS", Value: value}}
+ bodyBytes, err = json.Marshal(body)
+ if err != nil {
+ return nil, fmt.Errorf("error marshalling body: %v", err)
+ }
 }
-
 resp, statusCode, err := utils.DoReq(url, bodyBytes, "POST", headers, configurations.HTTP_TIMEOUT)
 if err != nil || statusCode != http.StatusOK {
 return nil, fmt.Errorf("error while doing request for get Alert Details: %v: %s", err, string(resp))
From ef927210f5bc7d100be51ee0b195438a206f5865 Mon Sep 17 00:00:00 2001
From: Yadian Llada Lopez
Date: Fri, 2 May 2025 15:22:03 -0400
Subject: [PATCH 14/56] fix: optimize alert correlation logic and improve classification handling
---
 soc-ai/elastic/alerts.go | 37 ++++++++++++++++---------------------
 1 file changed, 16 insertions(+), 21 deletions(-)
diff --git a/soc-ai/elastic/alerts.go b/soc-ai/elastic/alerts.go
index ccbe37222..c47b4d984 100644
--- a/soc-ai/elastic/alerts.go
+++ b/soc-ai/elastic/alerts.go
@@ -91,8 +91,8 @@ func GetRelatedAlerts() ([]schema.Alert, error) {
 func FindRelatedAlerts(currentAlert schema.Alert) (*AlertCorrelation, error) {
 correlation := &AlertCorrelation{
 CurrentAlert: currentAlert,
- RelatedAlerts: []schema.Alert{},
- Classifications: []string{},
+ RelatedAlerts: make([]schema.Alert, 0),
+ Classifications: make([]string, 0),
 }
 historicalResponses, err := GetRelatedAlerts()
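Review bot: With the new branch in ElasticSearch, empty `field`/`value` send a request with a nil body, and GetRelatedAlerts in the first hunk of this commit now calls it with `"", ""`, so every processed alert pulls the whole alert index pattern with no filter, time window or hit limit and then issues a further GetAlertsInfo request per returned alert (visible in FindRelatedAlerts on this page); on a busy instance that is a full-index fetch per alert. Restrict the historical query (by alert name, a time range and a maximum hit count) rather than relying on an unbounded match-all, and make the unfiltered mode explicit in the signature or a comment — a caller that accidentally passes an empty field now silently gets everything instead of an error. It is also worth confirming that the backend endpoint accepts an empty POST body, since this path previously always sent a JSON array. ElasticSearch starts and ends outside the hunk.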
@@ -100,26 +100,15 @@ func FindRelatedAlerts(currentAlert schema.Alert) (*AlertCorrelation, error) { return nil, err } - var alertIDs []string - for _, resp := range historicalResponses { - alertIDs = append(alertIDs, resp.ID) - } - - for _, id := range alertIDs { - alert, err := GetAlertsInfo(id) - if err != nil { - continue - } - - if isAlertRelated(currentAlert, alert) { - correlation.RelatedAlerts = append(correlation.RelatedAlerts, alert) + for _, hist := range historicalResponses { + if isAlertRelated(currentAlert, hist) { + correlation.RelatedAlerts = append(correlation.RelatedAlerts, hist) - for _, resp := range historicalResponses { - if resp.ID == alert.ID { - correlation.Classifications = append(correlation.Classifications, resp.Tags...) - break - } + classification := "This alert has not been classified" + if len(hist.Tags) > 0 { + classification = strings.Join(hist.Tags, ", ") } + correlation.Classifications = append(correlation.Classifications, classification) } } @@ -174,7 +163,13 @@ func BuildCorrelationContext(correlation *AlertCorrelation) string { context.WriteString(fmt.Sprintf("- Name: %s\n", alert.Name)) context.WriteString(fmt.Sprintf("- Severity: %s\n", alert.SeverityLabel)) context.WriteString(fmt.Sprintf("- Category: %s\n", alert.Category)) - context.WriteString(fmt.Sprintf("- Classification: %s\n", correlation.Classifications[i])) + + classification := "This alert has not been classified" + if i < len(correlation.Classifications) { + classification = correlation.Classifications[i] + } + context.WriteString(fmt.Sprintf("- Classification: %s\n", classification)) + context.WriteString(fmt.Sprintf("- Time: %s\n", alert.Timestamp)) if alert.Source.IP != "" { From da77066345d91c737ae80f2255cc322cc7a879c6 Mon Sep 17 00:00:00 2001 
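Review bot: The placeholder text "This alert has not been classified" is now written in two places (FindRelatedAlerts in the first hunk and BuildCorrelationContext in the second); lift it to a package-level constant, e.g. `const unclassifiedAlert = "This alert has not been classified"`, so the two strings cannot drift apart. The bounds check `if i < len(correlation.Classifications)` is the right defensive fix for the misalignment the previous commit introduced, but now that the first hunk appends exactly one classification per related alert it documents an invariant rather than a reachable case — a short comment saying so would help the next reader. Both functions continue outside the hunks.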
From: Yadian Llada Lopez Date: Sun, 4 May 2025 00:04:13 -0400 Subject: [PATCH 15/56] fix: update of the logic of correlation of alerts and construction of the historical context based on counts --- soc-ai/configurations/const.go | 2 +- soc-ai/elastic/alerts.go | 238 +++++++++++++++++++++------------ 2 files changed, 150 insertions(+), 90 deletions(-) diff --git a/soc-ai/configurations/const.go b/soc-ai/configurations/const.go index aad503873..6a9073de0 100644 --- a/soc-ai/configurations/const.go +++ b/soc-ai/configurations/const.go 
@@ -61,7 +61,7 @@ var ( } GPT_INSTRUCTION = "You are an expert security engineer. Perform a deep analysis of an alert created by a SIEM and the logs related to it. Determine if the alert could be an actual potential threat or not and explain why. Provide a description that shows a deep understanding of the alert based on a deep analysis of its logs and estimate the risk to the systems affected. Classify the alert in the following manner: if the alert information is sufficient to determine that the security, availability, confidentiality, or integrity of the systems has being compromised, then classify it as \"possible incident\". If the alert does not pose a security risk to the organization or has no security relevance, classify it as \"possible false positive\". If the alert does not pose an imminent risk to the systems, requires no urgent action from an administrator, or requires not urgent review by an administrator, it should be classified as a \"standard alert\". You will also provide context-specific instructions for remediation, mitigation, or further investigation, related to the alert and logs analyzed. Your answer should be provided using the following JSON format and the total number of characters in your answer must not exceed 1500 words. Your entire answer must be inside this json format. {\"activity_id\":\"\",\"classification\":\"\",\"reasoning\":[\"\"],\"nextSteps\":[{\"step\":1,\"action\":\"\",\"details\":\"\"},{\"step\":2,\"action\":\"\",\"details\":\"\"},{\"step\":3,\"action\":\"\"]}Ensure that your entire answer adheres to the provided JSON format. The response should be valid JSON syntax and schema." GPT_FALSE_POSITIVE = "This alert is categorized as a potential false positive due to two key factors. Firstly, it originates from an automated system, which may occasionally produce alerts without direct human validation. 
Additionally, the absence of any correlated logs further raises suspicion, as a genuine incident typically leaves a trail of relevant log entries. Hence, the combination of its system-generated nature and the lack of associated logs suggests a likelihood of being a false positive rather than a genuine security incident." - CORRELATION_CONTEXT = "\n\nAlert Context: The current alert has historical correlation with previous alerts:\n%s" + CORRELATION_CONTEXT = "\n\nThe current alert has historical correlation with previous alerts:\n%s" ) func GetInternalKey() string { diff --git a/soc-ai/elastic/alerts.go b/soc-ai/elastic/alerts.go index c47b4d984..0003fa8e6 100644 --- a/soc-ai/elastic/alerts.go +++ b/soc-ai/elastic/alerts.go @@ -4,6 +4,7 @@ import ( "encoding/json" "fmt" "net/http" + "sort" "strings" "github.com/utmstack/soc-ai/configurations" 
@@ -67,136 +68,195 @@ func ChangeAlertStatus(id string, status int, observations string) error { return nil } +type AlertCounts struct { + Incidents int + FalsePositive int + Standard int + Unclassified int +} + +type MatchTypeCounts struct { + SourceIP AlertCounts + DestinationIP AlertCounts + SourceUser AlertCounts + DestinationUser AlertCounts +} + type AlertCorrelation struct { - CurrentAlert schema.Alert - RelatedAlerts []schema.Alert - Classifications []string + CurrentAlert schema.Alert + RelatedAlerts []schema.Alert + Counts MatchTypeCounts } -func GetRelatedAlerts() ([]schema.Alert, error) { - result, err := ElasticSearch(configurations.ALERT_INDEX_PATTERN, "", "") +func GetRelatedAlerts(alertName string) ([]schema.Alert, error) { + result, err := ElasticSearch(configurations.ALERT_INDEX_PATTERN, "name", alertName) if err != nil { return nil, fmt.Errorf("error getting historical alerts: %v", err) } var alerts []schema.Alert - err = json.Unmarshal(result, &alerts) - if err != nil { + if err := json.Unmarshal(result, &alerts); err != nil { return nil, fmt.Errorf("error unmarshalling alerts: %v", err) } return alerts, nil } -func FindRelatedAlerts(currentAlert schema.Alert) (*AlertCorrelation, error) { - correlation := &AlertCorrelation{ - CurrentAlert: currentAlert, - RelatedAlerts: make([]schema.Alert, 0), - Classifications: make([]string, 0), - } - - historicalResponses, err := GetRelatedAlerts() +func FindRelatedAlerts(current schema.Alert) (*AlertCorrelation, error) { + alerts, err := GetRelatedAlerts(current.Name) if err != nil { return nil, err } - for _, hist := range historicalResponses { - if isAlertRelated(currentAlert, hist) { - correlation.RelatedAlerts = append(correlation.RelatedAlerts, hist) - - classification := "This alert has not been classified" - if len(hist.Tags) > 0 { - classification = strings.Join(hist.Tags, ", ") + corr := &AlertCorrelation{CurrentAlert: current} + for _, hist := range alerts { + if hist.ID == current.ID { + continue 
+ } + if related, matches := isAlertRelated(current, hist); related { + classif := getAlertClassification(hist) + for _, m := range matches { + incrementCount(&corr.Counts, m, classif) } - correlation.Classifications = append(correlation.Classifications, classification) + corr.RelatedAlerts = append(corr.RelatedAlerts, hist) } } - - utils.Logger.Info("Completed related alerts search. Found %d related alerts for ID: %s", - len(correlation.RelatedAlerts), currentAlert.ID) - - return correlation, nil + return corr, nil } -func isAlertRelated(current, historical schema.Alert) bool { - if current.ID == historical.ID { - return false +func isAlertRelated(current, historical schema.Alert) (bool, []string) { + if current.ID == historical.ID || current.Name != historical.Name { + return false, nil } - if current.Destination.IP != "" && current.Destination.IP == historical.Destination.IP { - return true + var matches []string + + if current.Source.IP != "" && current.Source.IP == historical.Source.IP { + matches = append(matches, "SourceIP") } - if current.Destination.Port != 0 && current.Destination.Port == historical.Destination.Port { - return true + if current.Destination.IP != "" && current.Destination.IP == historical.Destination.IP { + matches = append(matches, "DestinationIP") } - if current.Destination.Host != "" && current.Destination.Host == historical.Destination.Host { - return true + if current.Source.User != "" && current.Source.User == historical.Source.User { + matches = append(matches, "SourceUser") } if current.Destination.User != "" && current.Destination.User == historical.Destination.User { - return true + matches = append(matches, "DestinationUser") } - if current.Source.IP != "" && current.Source.IP == historical.Source.IP { - return true + sort.Strings(matches) + return len(matches) > 0, matches +} + +func getAlertClassification(alert schema.Alert) string { + if len(alert.Tags) == 0 { + return "Unclassified alert" } - if current.Source.Port != 0 && 
current.Source.Port == historical.Source.Port { - return true + switch strings.ToLower(alert.Tags[0]) { + case "possible incident": + return "Possible incident" + case "false positive": + return "False positive" + case "standard alert": + return "Standard alert" + default: + return "Unclassified alert" } - if current.Source.Host != "" && current.Source.Host == historical.Source.Host { - return true +} + +func incrementCount(cnts *MatchTypeCounts, matchType, classif string) { + var ac *AlertCounts + + switch matchType { + case "SourceIP": + ac = &cnts.SourceIP + case "DestinationIP": + ac = &cnts.DestinationIP + case "SourceUser": + ac = &cnts.SourceUser + case "DestinationUser": + ac = &cnts.DestinationUser } - if current.Source.User != "" && current.Source.User == historical.Source.User { - return true + switch classif { + case "Possible incident": + ac.Incidents++ + case "False positive": + ac.FalsePositive++ + case "Standard Alert": + ac.Standard++ + default: + ac.Unclassified++ } - - return false } -func BuildCorrelationContext(correlation *AlertCorrelation) string { - var context strings.Builder - - context.WriteString("\nHistorical Context:\n") - context.WriteString(fmt.Sprintf("Found %d related alerts with similar characteristics:\n", len(correlation.RelatedAlerts))) - - for i, alert := range correlation.RelatedAlerts { - context.WriteString(fmt.Sprintf("\nRelated Alert %d:\n", i+1)) - context.WriteString(fmt.Sprintf("- Name: %s\n", alert.Name)) - context.WriteString(fmt.Sprintf("- Severity: %s\n", alert.SeverityLabel)) - context.WriteString(fmt.Sprintf("- Category: %s\n", alert.Category)) - - classification := "This alert has not been classified" - if i < len(correlation.Classifications) { - classification = correlation.Classifications[i] - } - context.WriteString(fmt.Sprintf("- Classification: %s\n", classification)) - - context.WriteString(fmt.Sprintf("- Time: %s\n", alert.Timestamp)) - - if alert.Source.IP != "" { - context.WriteString(fmt.Sprintf("- 
Source IP: %s\n", alert.Source.IP)) - } - if alert.Destination.IP != "" { - context.WriteString(fmt.Sprintf("- Destination IP: %s\n", alert.Destination.IP)) - } - if alert.Source.Host != "" { - context.WriteString(fmt.Sprintf("- Source Host: %s\n", alert.Source.Host)) - } - if alert.Destination.Host != "" { - context.WriteString(fmt.Sprintf("- Destination Host: %s\n", alert.Destination.Host)) - } - if alert.Source.User != "" { - context.WriteString(fmt.Sprintf("- Source User: %s\n", alert.Source.User)) +func BuildCorrelationContext(corr *AlertCorrelation) string { + if corr == nil || len(corr.RelatedAlerts) == 0 { + return "No related alerts exist" + } + // Group alerts by matches and classifications + // Example: "SourceIP+DestinationIP" -> { "Possible incident": 2, "False positive": 1 } + groups := make(map[string]map[string]int) + for _, alert := range corr.RelatedAlerts { + if rel, mts := isAlertRelated(corr.CurrentAlert, alert); rel { + key := strings.Join(mts, "+") + if _, ok := groups[key]; !ok { + groups[key] = make(map[string]int) + } + classif := getAlertClassification(alert) + groups[key][classif]++ } - if alert.Destination.User != "" { - context.WriteString(fmt.Sprintf("- Destination User: %s\n", alert.Destination.User)) + } + // Ordered summary + var sb strings.Builder + total := len(corr.RelatedAlerts) + sb.WriteString("\nHistorical Context: ") + sb.WriteString(fmt.Sprintf("In the past, there are %d alerts with the same name", total)) + + // Ordered keys + keys := make([]string, 0, len(groups)) + for k := range groups { + keys = append(keys, k) + } + sort.Strings(keys) + + for _, k := range keys { + sub := groups[k] + // Count total for this group + n := 0 + for _, v := range sub { + n += v } - if alert.Source.Port != 0 { - context.WriteString(fmt.Sprintf("- Source Port: %d\n", alert.Source.Port)) + sb.WriteString(fmt.Sprintf("\n- %d match the same %s", n, translateMatchTypes(strings.Split(k, "+")))) + if n > 0 { + sb.WriteString(" and of these " + 
formatClassifications(sub)) } - if alert.Destination.Port != 0 { - context.WriteString(fmt.Sprintf("- Destination Port: %d\n", alert.Destination.Port)) + } + return sb.String() +} + +var matchTypeNames = map[string]string{ + "SourceIP": "Source IP", + "DestinationIP": "Destination IP", + "SourceUser": "Source User", + "DestinationUser": "Destination User", +} + +func translateMatchTypes(types []string) string { + sort.Strings(types) + var out []string + for _, t := range types { + if name, ok := matchTypeNames[t]; ok { + out = append(out, name) } } + return strings.Join(out, " and ") +} - return context.String() +func formatClassifications(m map[string]int) string { + parts := make([]string, 0, len(m)) + for classif, cnt := range m { + parts = append(parts, fmt.Sprintf("%d were classified as %s", cnt, classif)) + } + sort.Strings(parts) + return strings.Join(parts, ", ") } From 8976ad5eeae4bc14bba8e60237a4a42675a65d13 Mon Sep 17 00:00:00 2001 From: Yadian Llada Lopez Date: Mon, 5 May 2025 11:09:16 -0400 Subject: [PATCH 16/56] fix: improve log handling in GPT request and ensure last log entry is used --- soc-ai/elastic/alerts.go | 19 ++++++++++--------- soc-ai/gpt/client.go | 8 ++++++++ 2 files changed, 18 insertions(+), 9 deletions(-) diff --git a/soc-ai/elastic/alerts.go b/soc-ai/elastic/alerts.go index 0003fa8e6..d68eed9c7 100644 --- a/soc-ai/elastic/alerts.go +++ b/soc-ai/elastic/alerts.go 
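Review bot: incrementCount compares `classif` against `"Standard Alert"`, but getAlertClassification returns `"Standard alert"`, so standard alerts are always counted under Unclassified; change the case to `case "Standard alert":`, or better have both functions switch on shared constants so the strings cannot diverge. incrementCount also dereferences `ac` with no default branch, so any match type outside the four known strings would panic — today only isAlertRelated produces them, but a `default: return` guard is cheap insurance. MatchTypeCounts is populated in FindRelatedAlerts and then never read: BuildCorrelationContext rebuilds the grouping from scratch by re-running isAlertRelated over RelatedAlerts, so either drop Counts or build the context from it. getAlertClassification looks only at `Tags[0]`, and its cases ("possible incident", "false positive", "standard alert") do not include "possible false positive", which is the wording GPT_INSTRUCTION on this page asks the model to emit; if tags carry that text those alerts will read as unclassified, so the cases should be checked against the tag values actually stored.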
@@ -234,19 +234,20 @@ func BuildCorrelationContext(corr *AlertCorrelation) string { return sb.String() } -var matchTypeNames = map[string]string{ - "SourceIP": "Source IP", - "DestinationIP": "Destination IP", - "SourceUser": "Source User", - "DestinationUser": "Destination User", -} - func translateMatchTypes(types []string) string { sort.Strings(types) var out []string + for _, t := range types { - if name, ok := matchTypeNames[t]; ok { - out = append(out, name) + switch t { + case "SourceIP": + out = append(out, "Source IP") + case "DestinationIP": + out = append(out, "Destination IP") + case "SourceUser": + out = append(out, "Source User") + case "DestinationUser": + out = append(out, "Destination User") } } return strings.Join(out, " and ") diff --git a/soc-ai/gpt/client.go b/soc-ai/gpt/client.go index c4611a47a..bf994297e 100644 --- a/soc-ai/gpt/client.go +++ b/soc-ai/gpt/client.go @@ -39,6 +39,14 @@ func (c *GPTClient) Request(alert schema.AlertGPTDetails) (string, error) { if alert.Logs == "" || alert.Logs == " " { content += content + ". " + configurations.GPT_FALSE_POSITIVE } + + if alert.Logs != "" && alert.Logs != " " { + logs := strings.Split(alert.Logs, configurations.LOGS_SEPARATOR) + if len(logs) > 0 { + alert.Logs = logs[len(logs)-1] + } + } + jsonContent, err := json.Marshal(alert) if err != nil { return "", fmt.Errorf("error marshalling alert: %v", err) From 743fb1913983404b59a1ea8ccb6eaf9e656a7eeb Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Tue, 6 May 2025 14:50:31 -0500 Subject: [PATCH 17/56] feat: update macOS install steps with `utmstack-macos-agent.pkg` --- .../guide-macos-agent.component.html | 2 +- .../guide-macos-agent/guide-macos-agent.component.ts | 6 ++++-- .../app-module/guides/guide-macos-agent/mac.steps.ts | 12 ++++++++---- 3 files changed, 13 insertions(+), 7 deletions(-) 
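Review bot: The new block in Request silently discards all but the last entry of alert.Logs (`alert.Logs = logs[len(logs)-1]`), while GPT_INSTRUCTION on this page asks the model to analyse "the logs related to" the alert; if this is a token-budget measure it should be stated in a comment and reflected in the prompt, otherwise the classification is made on partial evidence without the analyst knowing. `strings.Split` never returns an empty slice, so `len(logs) > 0` is always true, and a trailing separator yields an empty last element that slips past the empty-logs branch above — take the last non-empty element instead. The two `if` conditions on alert.Logs are complements and read better as `if … { … } else { … }`. Request continues outside the hunk.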
diff --git a/frontend/src/app/app-module/guides/guide-macos-agent/guide-macos-agent.component.html b/frontend/src/app/app-module/guides/guide-macos-agent/guide-macos-agent.component.html index 7da832f9c..466256cb7 100644 --- a/frontend/src/app/app-module/guides/guide-macos-agent/guide-macos-agent.component.html +++ b/frontend/src/app/app-module/guides/guide-macos-agent/guide-macos-agent.component.html @@ -21,7 +21,7 @@

- + diff --git a/frontend/src/app/app-module/guides/guide-macos-agent/guide-macos-agent.component.ts b/frontend/src/app/app-module/guides/guide-macos-agent/guide-macos-agent.component.ts index 292c51d07..e0f2d911e 100644 --- a/frontend/src/app/app-module/guides/guide-macos-agent/guide-macos-agent.component.ts +++ b/frontend/src/app/app-module/guides/guide-macos-agent/guide-macos-agent.component.ts @@ -42,14 +42,16 @@ export class GuideMacosAgentComponent implements OnInit { getCommandARM(installerName: string): string { const ip = window.location.host.includes(':') ? window.location.host.split(':')[0] : window.location.host; - return `sudo bash -c "./${installerName} ${ip} ${this.token} yes"`; + return `sudo bash -c "/opt/utmstack/${installerName} ${ip} ${this.token} yes"`; } getUninstallCommand(installerName: string): string { - return `sudo bash -c "./utmstack_agent_service uninstall"`; + // tslint:disable-next-line:max-line-length + return `sudo bash -c "/opt/utmstack/${installerName} uninstall; launchctl bootout system /Library/LaunchDaemons/UTMStackAgent.plist 2>/dev/null; rm /Library/LaunchDaemons/UTMStackAgent.plist; rm -rf /opt/utmstack"`; } + private loadArchitectures() { this.architectures = [ { diff --git a/frontend/src/app/app-module/guides/guide-macos-agent/mac.steps.ts b/frontend/src/app/app-module/guides/guide-macos-agent/mac.steps.ts index cdb6558f9..e9119f8f4 100644 --- a/frontend/src/app/app-module/guides/guide-macos-agent/mac.steps.ts +++ b/frontend/src/app/app-module/guides/guide-macos-agent/mac.steps.ts 
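Review bot: `ip` in getCommandARM is computed with `host.split(':')[0]`, which turns an IPv6 host such as `[::1]:8443` into `[` and embeds that in the generated install command; `window.location.hostname` already drops the port and keeps the bracketed IPv6 form, so `const ip = window.location.hostname;` can replace the ternary. In the new getUninstallCommand the `rm` calls lack `-f`, so a missing plist prints an error in the middle of the sequence (the `;` chain continues regardless); `rm -f` matches the best-effort cleanup the command is doing. Both commands interpolate `installerName` and `this.token` into a `sudo bash -c "…"` string the user is told to run as root — presumably these only ever come from the component's own architecture list and the session token, and a one-line comment recording that assumption would keep a later change from wiring page input into them. The class continues outside the hunk.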
@@ -2,13 +2,17 @@ import {Step} from '../shared/step';
 export const MAC_STEPS: Step[] = [
 {id: '1',
- name: 'Reach out to support to request the installation dependencies for macOS. ' +
- 'These are required to proceed with the installation or uninstallation process.',
+ name: 'Contact UTMStack support to obtain the `utmstack-macos-agent.pkg` file. ' +
+ 'This package is required to download and install the necessary dependencies.'
 },
- {id: '2',
+ {
+ id: '2',
+ name: 'Run the `utmstack-macos-agent.pkg` file. This will download and install the required components for the UTMStack agent.'
+ },
+ {id: '3',
 name: 'Use the following command according to the action you wish to perform (install or uninstall):',
 content: {
- id: 'stepContent2'
+ id: 'stepContent3'
 }
 },
 ];
From a372e3db552423b2ca2605d49242b90427ec68ed Mon Sep 17 00:00:00 2001
From: Manuel Abascal
Date: Wed, 7 May 2025 13:30:29 -0500
Subject: [PATCH 18/56] fix: add pipeline for aws, sophos-central and o365 integrations
---
 .../20250507001_add_aws_pipeline.xml | 25 ++++++++++++++++++
 ...0250507002_add_sophos_central_pipeline.xml | 26 +++++++++++++++++++
 .../20250507003_add_o365_pipeline.xml | 26 +++++++++++++++++++
 .../resources/config/liquibase/master.xml | 6 +++++
 4 files changed, 83 insertions(+)
 create mode 100644 backend/src/main/resources/config/liquibase/changelog/20250507001_add_aws_pipeline.xml
 create mode 100644 backend/src/main/resources/config/liquibase/changelog/20250507002_add_sophos_central_pipeline.xml
 create mode 100644 backend/src/main/resources/config/liquibase/changelog/20250507003_add_o365_pipeline.xml
diff --git a/backend/src/main/resources/config/liquibase/changelog/20250507001_add_aws_pipeline.xml b/backend/src/main/resources/config/liquibase/changelog/20250507001_add_aws_pipeline.xml
new file mode 100644
index 000000000..cf2ad961b
--- /dev/null
+++ b/backend/src/main/resources/config/liquibase/changelog/20250507001_add_aws_pipeline.xml
@@ -0,0 +1,25 @@ + + + + + + + INSERT INTO utm_logstash_pipeline (id, pipeline_id, pipeline_name, parent_pipeline, pipeline_status, module_name, system_owner, pipeline_description, pipeline_internal, events_in, events_filtered, events_out, reloads_successes, reloads_failures, reloads_last_failure_timestamp, reloads_last_error, reloads_last_success_timestamp) + VALUES (55, 'aws', 'AWS', null, 'up', 'AWS', true, null, false, 0, 0, 0, 0, 0, null, null, null); + + INSERT INTO utm_group_logstash_pipeline_filters (filter_id, pipeline_id, relation) + VALUES (101, 55, 'PIPELINE_FILTER'); + + INSERT INTO utm_logstash_input (id, pipeline_id, input_pretty_name, input_plugin, input_with_ssl, system_owner) + VALUES (68, 55, 'HTTP', 'http', false, true); + + INSERT INTO utm_logstash_input_configuration (id, input_id, conf_key, conf_value, conf_type, conf_required, conf_validation_regex, system_owner) + VALUES (68, 68, 'http_port', '10048', 'port', true, '^((6553[0-5])|(655[0-2][0-9])|(65[0-4][0-9]{2})|(6[0-4][0-9]{3})|([1-5][0-9]{4})|([0-5]{0,5})|([0-9]{1,4}))$', true); + + + + + \ No newline at end of file diff --git a/backend/src/main/resources/config/liquibase/changelog/20250507002_add_sophos_central_pipeline.xml b/backend/src/main/resources/config/liquibase/changelog/20250507002_add_sophos_central_pipeline.xml new file mode 100644 index 000000000..06155e674 --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20250507002_add_sophos_central_pipeline.xml 
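Review bot: The `conf_validation_regex` in the `utm_logstash_input_configuration` insert contains the alternative `([0-5]{0,5})`, which matches the empty string, so the pattern accepts an empty `http_port` value; the same regex is copied into `20250507002_add_sophos_central_pipeline.xml` and `20250507003_add_o365_pipeline.xml`. Dropping that alternative (the `[0-9]{1,4}` branch already covers the short values) would make the check meaningful. The `utm_logstash_input` row is inserted with `input_with_ssl` false, i.e. a plaintext HTTP listener on port 10048; that is presumably acceptable on the compose network but is worth a one-line comment in the changeset. The primary keys (55, 68, 101) are hard-coded with no sequence adjustment, so if these tables are sequence-backed later inserts could collide — please confirm.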
@@ -0,0 +1,26 @@ + + + + + + + INSERT INTO utm_logstash_pipeline (id, pipeline_id, pipeline_name, parent_pipeline, pipeline_status, module_name, system_owner, pipeline_description, pipeline_internal, events_in, events_filtered, events_out, reloads_successes, reloads_failures, reloads_last_failure_timestamp, reloads_last_error, reloads_last_success_timestamp) + VALUES (56, 'sophos-central', 'Sophos Central', null, 'up', 'AWS', true, null, false, 0, 0, 0, 0, 0, null, null, null); + + INSERT INTO utm_group_logstash_pipeline_filters (filter_id, pipeline_id, relation) + VALUES (102, 56, 'PIPELINE_FILTER'); + + INSERT INTO utm_logstash_input (id, pipeline_id, input_pretty_name, input_plugin, input_with_ssl, system_owner) + VALUES (69, 56, 'HTTP', 'http', false, true); + + INSERT INTO utm_logstash_input_configuration (id, input_id, conf_key, conf_value, conf_type, conf_required, conf_validation_regex, system_owner) + VALUES (69, 69, 'http_port', '10049', 'port', true, '^((6553[0-5])|(655[0-2][0-9])|(65[0-4][0-9]{2})|(6[0-4][0-9]{3})|([1-5][0-9]{4})|([0-5]{0,5})|([0-9]{1,4}))$', true); + + + + + + \ No newline at end of file diff --git a/backend/src/main/resources/config/liquibase/changelog/20250507003_add_o365_pipeline.xml b/backend/src/main/resources/config/liquibase/changelog/20250507003_add_o365_pipeline.xml new file mode 100644 index 000000000..5c3d4a003 --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20250507003_add_o365_pipeline.xml 
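Review bot: The `utm_logstash_pipeline` insert sets `module_name` to `'AWS'` for the `sophos-central` pipeline, which looks copied from the AWS changelog; the Office 365 changelog in the next file has the same `'AWS'` value. If `module_name` is what the UI or module-activation code keys on, both pipelines will be attributed to the AWS module, so the value should be the one the module catalogue uses for Sophos Central (and Office 365 respectively). The rest of the row (`pipeline_id`, `pipeline_name`, ports) is correctly distinct, which makes the leftover `'AWS'` easy to miss.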
@@ -0,0 +1,26 @@ + + + + + + + INSERT INTO utm_logstash_pipeline (id, pipeline_id, pipeline_name, parent_pipeline, pipeline_status, module_name, system_owner, pipeline_description, pipeline_internal, events_in, events_filtered, events_out, reloads_successes, reloads_failures, reloads_last_failure_timestamp, reloads_last_error, reloads_last_success_timestamp) + VALUES (57, 'o365', 'Office 365', null, 'up', 'AWS', true, null, false, 0, 0, 0, 0, 0, null, null, null); + + INSERT INTO utm_group_logstash_pipeline_filters (filter_id, pipeline_id, relation) + VALUES (103, 57, 'PIPELINE_FILTER'); + + INSERT INTO utm_logstash_input (id, pipeline_id, input_pretty_name, input_plugin, input_with_ssl, system_owner) + VALUES (70, 57, 'HTTP', 'http', false, true); + + INSERT INTO utm_logstash_input_configuration (id, input_id, conf_key, conf_value, conf_type, conf_required, conf_validation_regex, system_owner) + VALUES (70, 70, 'http_port', '10050', 'port', true, '^((6553[0-5])|(655[0-2][0-9])|(65[0-4][0-9]{2})|(6[0-4][0-9]{3})|([1-5][0-9]{4})|([0-5]{0,5})|([0-9]{1,4}))$', true); + + + + + + \ No newline at end of file diff --git a/backend/src/main/resources/config/liquibase/master.xml b/backend/src/main/resources/config/liquibase/master.xml index e4508e78c..6d4791f13 100644 --- a/backend/src/main/resources/config/liquibase/master.xml +++ b/backend/src/main/resources/config/liquibase/master.xml @@ -91,5 +91,11 @@ + + + + + + From eb3ea526710aec3f673499bacc2543595fc381f3 Mon Sep 17 00:00:00 2001 From: Yadian Llada Lopez Date: Wed, 7 May 2025 14:42:42 -0400 Subject: [PATCH 19/56] fix: remove logging of debug --- soc-ai/gpt/client.go | 2 -- 1 file changed, 2 deletions(-) diff --git a/soc-ai/gpt/client.go b/soc-ai/gpt/client.go index bf994297e..45c704eb0 100644 --- a/soc-ai/gpt/client.go +++ b/soc-ai/gpt/client.go 
@@ -71,8 +71,6 @@ func (c *GPTClient) Request(alert schema.AlertGPTDetails) (string, error) { return "", fmt.Errorf("error marshalling request: %v", error) } - utils.Logger.Info("Complete GPT Request JSON: %s", string(requestJson)) - headers := map[string]string{ "Authorization": "Bearer " + configurations.GetGPTConfig().APIKey, "Content-Type": "application/json", From ca8ab95eda49011e7b2515edbb8f67ebbc5f3d88 Mon Sep 17 00:00:00 2001 From: JocLRojas Date: Thu, 8 May 2025 10:24:22 -0400 Subject: [PATCH 20/56] Migrate from correlation service to direct Logstash connection in aws integration. --- aws/configuration/const.go | 11 +++++++- aws/processor/pull.go | 2 +- aws/processor/sendData.go | 55 ++++++++++++++++++++++++++++++++------ 3 files changed, 58 insertions(+), 10 deletions(-) diff --git a/aws/configuration/const.go b/aws/configuration/const.go index 253d338a6..66df516c6 100644 --- a/aws/configuration/const.go +++ b/aws/configuration/const.go @@ -3,8 +3,9 @@ package configuration import "github.com/utmstack/UTMStack/aws/utils" const ( - CORRELATIONURL = "http://correlation:8080/v1/newlog" URL_CHECK_CONNECTION = "https://sts.amazonaws.com" + LogstashEndpoint = "http://%s:%s" + UTMLogSeparator = "" ) func GetInternalKey() string { @@ -14,3 +15,11 @@ func GetInternalKey() string { func GetPanelServiceName() string { return utils.Getenv("PANEL_SERV_NAME") } + +func GetLogstashHost() string { + return utils.Getenv("UTM_LOGSTASH_HOST") +} + +func GetLogstashPort() string { + return utils.Getenv("UTM_LOGSTASH_PORT") +} diff --git a/aws/processor/pull.go b/aws/processor/pull.go index f131cfd4d..11808b0a2 100644 --- a/aws/processor/pull.go +++ b/aws/processor/pull.go @@ -18,7 +18,7 @@ func PullLogs(startTime time.Time, endTime time.Time, group types.ModuleGroup) * return err } - err = SendToCorrelation(logs) + err = SendToLogstash(logs) if err != nil { return err } diff --git a/aws/processor/sendData.go b/aws/processor/sendData.go index 0ebd41b57..ce7c4aedd 100644 
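Review bot: `GetLogstashHost` and `GetLogstashPort` return whatever `utils.Getenv` gives back with no fallback or validation, so if either variable is unset the endpoint formatted from `LogstashEndpoint` becomes `http://:` and every send fails at request time instead of at startup; checking both once when the processor starts would surface the misconfiguration immediately. `UTMLogSeparator` is rendered here as an empty string — if that is the real value, the JSON objects concatenated in `SendToLogstash` would have no delimiter, so please confirm the literal is intact. The same additions appear in `office365/configuration/const.go` and `sophos/configuration/const.go` in the following patches.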
--- a/aws/processor/sendData.go +++ b/aws/processor/sendData.go 
@@ -1,32 +1,71 @@ package processor import ( + "bytes" + "crypto/tls" "encoding/json" + "fmt" "net/http" + "strings" + "time" "github.com/threatwinds/logger" "github.com/utmstack/UTMStack/aws/configuration" "github.com/utmstack/UTMStack/aws/utils" ) -func SendToCorrelation(data []TransformedLog) *logger.Error { +var transport = &http.Transport{ + MaxIdleConns: 100, + IdleConnTimeout: 2 * time.Second, + ResponseHeaderTimeout: 2 * time.Second, + ForceAttemptHTTP2: true, + TLSClientConfig: &tls.Config{ + InsecureSkipVerify: true, + }, +} + +var client = &http.Client{Transport: transport, Timeout: 2 * time.Second} + +func SendToLogstash(data []TransformedLog) *logger.Error { + var logStrings []string for _, log := range data { body, err := json.Marshal(log) if err != nil { utils.Logger.ErrorF("error encoding log to JSON: %v", err) continue } + logStrings = append(logStrings, string(body)) + } - _, status, e := utils.DoReq[map[string]interface{}](configuration.CORRELATIONURL, body, http.MethodPost, map[string]string{}) - if e != nil { - utils.Logger.ErrorF("error sending log to correlation engine: %v", e) - continue - } else if status != http.StatusOK && status != http.StatusCreated { - utils.Logger.ErrorF("error sending log to correlation engine: status %v", status) - continue + if len(logStrings) == 0 { + return nil + } + + var logs string + for _, str := range logStrings { + logs += str + configuration.UTMLogSeparator + } + + url := fmt.Sprintf(configuration.LogstashEndpoint, configuration.GetLogstashHost(), configuration.GetLogstashPort()) + + req, err := http.NewRequest("POST", url, bytes.NewBufferString(logs)) + if err != nil { + return utils.Logger.ErrorF("error creating request: %v", err.Error()) + } + + resp, err := client.Do(req) + if err != nil { + if !strings.Contains(err.Error(), "Client.Timeout exceeded while awaiting headers") { + utils.Logger.ErrorF("error sending logs with error: %v", err.Error()) } + return utils.Logger.ErrorF("error sending logs: %v", 
err.Error()) + } + defer resp.Body.Close() + if resp.StatusCode != http.StatusOK { + return utils.Logger.ErrorF("error sending logs with http code %d", resp.StatusCode) } + utils.Logger.Info("successfully sent %d logs to Logstash", len(logStrings)) return nil } From 861fa603f3d356c05ec2202b3b57d1de4ecc4af8 Mon Sep 17 00:00:00 2001 From: JocLRojas Date: Thu, 8 May 2025 10:24:56 -0400 Subject: [PATCH 21/56] Migrate from correlation service to direct Logstash connection in office365 integration. --- office365/configuration/const.go | 11 +++++- office365/processor/processor.go | 4 +-- office365/processor/sendData.go | 58 ++++++++++++++++++++++++++------ 3 files changed, 59 insertions(+), 14 deletions(-) diff --git a/office365/configuration/const.go b/office365/configuration/const.go index 05dca1fec..3a5cd7dc3 100644 --- a/office365/configuration/const.go +++ b/office365/configuration/const.go @@ -14,7 +14,8 @@ const ( endPointStartSubscription = "/activity/feed/subscriptions/start" endPointContent = "/activity/feed/subscriptions/content" BASEURL = "https://manage.office.com/api/v1.0/" - CORRELATIONURL = "http://correlation:8080/v1/newlog" + LogstashEndpoint = "http://%s:%s" + UTMLogSeparator = "" ) func GetInternalKey() string { @@ -36,3 +37,11 @@ func GetStartSubscriptionLink(tenant string) string { func GetContentLink(tenant string) string { return fmt.Sprintf("%s%s%s", BASEURL, tenant, endPointContent) } + +func GetLogstashHost() string { + return utils.Getenv("UTM_LOGSTASH_HOST") +} + +func GetLogstashPort() string { + return utils.Getenv("UTM_LOGSTASH_PORT") +} diff --git a/office365/processor/processor.go b/office365/processor/processor.go index fe4291c4c..f5ac20831 100644 --- a/office365/processor/processor.go +++ b/office365/processor/processor.go 
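Review bot: The new `transport` sets `TLSClientConfig: &tls.Config{InsecureSkipVerify: true}` although `LogstashEndpoint` is `http://%s:%s`, so the TLS settings are dead code today and would silently disable certificate verification the day the endpoint becomes `https`; either drop the `tls.Config` or load the Logstash CA and keep verification on. The request built with `http.NewRequest` carries no `Content-Type`, and the Logstash http input selects its codec from that header, so the JSON bodies may be ingested as plain text — add `req.Header.Set("Content-Type", "application/json")`. `logs += str + configuration.UTMLogSeparator` concatenates in a loop where `strings.Builder` or `strings.Join` is the idiomatic form. On the timeout path the failure is reported by `utils.Logger.ErrorF` inside the `if` and then again by the `return utils.Logger.ErrorF(...)` that follows, if `ErrorF` logs as its name suggests. The same body appears in `office365/processor/sendData.go` and `sophos/processor/sendData.go` later in the series.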
@@ -146,9 +146,9 @@ func (o *OfficeProcessor) GetLogs(startTime string, endTime string, group types. if len(details) > 0 { logsCounter += len(details) cleanLogs := ETLProcess(details, group) - err = SendToCorrelation(cleanLogs) + err := SendToLogstash(cleanLogs) if err != nil { - utils.Logger.ErrorF("error sending logs to correlation: %v", err) // Debug + utils.Logger.ErrorF("error sending logs to logstash: %v", err) // Debug continue } } diff --git a/office365/processor/sendData.go b/office365/processor/sendData.go index 329e3f4d4..467e7746a 100644 --- a/office365/processor/sendData.go +++ b/office365/processor/sendData.go 
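Review bot: `err := SendToLogstash(cleanLogs)` declares a new `err` that shadows the outer one, presumably because `SendToLogstash` now returns `*logger.Error` rather than `error`; that compiles, but it reads like an assignment, and any `if err != nil` after this block would be testing the old variable. Scoping the result to the statement makes the intent explicit: `if lerr := SendToLogstash(cleanLogs); lerr != nil {`. `GetLogs` starts and ends outside the hunk.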
@@ -1,35 +1,71 @@ package processor import ( + "bytes" + "crypto/tls" "encoding/json" + "fmt" "net/http" + "strings" + "time" + "github.com/threatwinds/logger" "github.com/utmstack/UTMStack/office365/configuration" "github.com/utmstack/UTMStack/office365/utils" ) -func SendToCorrelation(data []TransformedLog) error { - utils.Logger.Info("uploading %d logs...", len(data)) +var transport = &http.Transport{ + MaxIdleConns: 100, + IdleConnTimeout: 2 * time.Second, + ResponseHeaderTimeout: 2 * time.Second, + ForceAttemptHTTP2: true, + TLSClientConfig: &tls.Config{ + InsecureSkipVerify: true, + }, +} + +var client = &http.Client{Transport: transport, Timeout: 2 * time.Second} +func SendToLogstash(data []TransformedLog) *logger.Error { + var logStrings []string for _, log := range data { body, err := json.Marshal(log) if err != nil { utils.Logger.ErrorF("error encoding log to JSON: %v", err) continue } + logStrings = append(logStrings, string(body)) + } - _, status, e := utils.DoReq[map[string]interface{}](configuration.CORRELATIONURL, body, http.MethodPost, map[string]string{}) - if e != nil { - utils.Logger.ErrorF("error sending log to correlation engine: %v", e) - continue - } else if status != http.StatusOK && status != http.StatusCreated { - utils.Logger.ErrorF("error sending log to correlation engine: status code %d", status) - continue + if len(logStrings) == 0 { + return nil + } + + var logs string + for _, str := range logStrings { + logs += str + configuration.UTMLogSeparator + } + + url := fmt.Sprintf(configuration.LogstashEndpoint, configuration.GetLogstashHost(), configuration.GetLogstashPort()) + + req, err := http.NewRequest("POST", url, bytes.NewBufferString(logs)) + if err != nil { + return utils.Logger.ErrorF("error creating request: %v", err.Error()) + } + + resp, err := client.Do(req) + if err != nil { + if !strings.Contains(err.Error(), "Client.Timeout exceeded while awaiting headers") { + utils.Logger.ErrorF("error sending logs with error: %v", 
err.Error()) } + return utils.Logger.ErrorF("error sending logs: %v", err.Error()) + } + defer resp.Body.Close() - utils.Logger.Info("log successfully sent to correlation engine") + if resp.StatusCode != http.StatusOK { + return utils.Logger.ErrorF("error sending logs with http code %d", resp.StatusCode) } - utils.Logger.Info("all logs were sent to correlation") + utils.Logger.Info("successfully sent %d logs to Logstash", len(logStrings)) return nil } From fdbc29b8ea6c7b5fc2d6b056e1732c71baf9490d Mon Sep 17 00:00:00 2001 From: JocLRojas Date: Thu, 8 May 2025 10:25:22 -0400 Subject: [PATCH 22/56] Migrate from correlation service to direct Logstash connection in sophos integration. --- sophos/configuration/const.go | 17 ++++++++--- sophos/processor/pull.go | 2 +- sophos/processor/sendData.go | 55 ++++++++++++++++++++++++++++++----- 3 files changed, 61 insertions(+), 13 deletions(-) diff --git a/sophos/configuration/const.go b/sophos/configuration/const.go index 769ab4f6c..ba94ea9fa 100644 --- a/sophos/configuration/const.go +++ b/sophos/configuration/const.go @@ -3,10 +3,11 @@ package configuration import "github.com/utmstack/UTMStack/sophos/utils" const ( - CORRELATIONURL = "http://correlation:8080/v1/newlog" - AUTHURL = "https://id.sophos.com/api/v2/oauth2/token" - WHOAMIURL = "https://api.central.sophos.com/whoami/v1" - CHECKCON = "https://id.sophos.com" + AUTHURL = "https://id.sophos.com/api/v2/oauth2/token" + WHOAMIURL = "https://api.central.sophos.com/whoami/v1" + CHECKCON = "https://id.sophos.com" + LogstashEndpoint = "http://%s:%s" + UTMLogSeparator = "" ) func GetInternalKey() string { @@ -16,3 +17,11 @@ func GetInternalKey() string { func GetPanelServiceName() string { return utils.Getenv("PANEL_SERV_NAME") } + +func GetLogstashHost() string { + return utils.Getenv("UTM_LOGSTASH_HOST") +} + +func GetLogstashPort() string { + return utils.Getenv("UTM_LOGSTASH_PORT") +} 
diff --git a/sophos/processor/pull.go b/sophos/processor/pull.go index c694bab8b..176110695 100644 --- a/sophos/processor/pull.go +++ b/sophos/processor/pull.go @@ -36,7 +36,7 @@ func PullLogs(group types.ModuleGroup) *logger.Error { nextKeys[group.ModuleID] = newNextKey - err = SendToCorrelation(logs) + err = SendToLogstash(logs) if err != nil { return err } diff --git a/sophos/processor/sendData.go b/sophos/processor/sendData.go index e33437b6c..49bb1feea 100644 --- a/sophos/processor/sendData.go +++ b/sophos/processor/sendData.go 
@@ -1,32 +1,71 @@ package processor import ( + "bytes" + "crypto/tls" "encoding/json" + "fmt" "net/http" + "strings" + "time" "github.com/threatwinds/logger" "github.com/utmstack/UTMStack/sophos/configuration" "github.com/utmstack/UTMStack/sophos/utils" ) -func SendToCorrelation(data []TransformedLog) *logger.Error { +var transport = &http.Transport{ + MaxIdleConns: 100, + IdleConnTimeout: 2 * time.Second, + ResponseHeaderTimeout: 2 * time.Second, + ForceAttemptHTTP2: true, + TLSClientConfig: &tls.Config{ + InsecureSkipVerify: true, + }, +} + +var client = &http.Client{Transport: transport, Timeout: 2 * time.Second} + +func SendToLogstash(data []TransformedLog) *logger.Error { + var logStrings []string for _, log := range data { body, err := json.Marshal(log) if err != nil { utils.Logger.ErrorF("error encoding log to JSON: %v", err) continue } + logStrings = append(logStrings, string(body)) + } - _, status, e := utils.DoReq[map[string]interface{}](configuration.CORRELATIONURL, body, http.MethodPost, map[string]string{}) - if e != nil { - utils.Logger.ErrorF("error sending log to correlation engine: %v", e) - continue - } else if status != http.StatusOK && status != http.StatusCreated { - utils.Logger.ErrorF("error sending log to correlation engine: status %v", status) - continue + if len(logStrings) == 0 { + return nil + } + + var logs string + for _, str := range logStrings { + logs += str + configuration.UTMLogSeparator + } + + url := fmt.Sprintf(configuration.LogstashEndpoint, configuration.GetLogstashHost(), configuration.GetLogstashPort()) + + req, err := http.NewRequest("POST", url, bytes.NewBufferString(logs)) + if err != nil { + return utils.Logger.ErrorF("error creating request: %v", err.Error()) + } + + resp, err := client.Do(req) + if err != nil { + if !strings.Contains(err.Error(), "Client.Timeout exceeded while awaiting headers") { + utils.Logger.ErrorF("error sending logs with error: %v", err.Error()) } + return utils.Logger.ErrorF("error sending 
logs: %v", err.Error()) + } + defer resp.Body.Close() + if resp.StatusCode != http.StatusOK { + return utils.Logger.ErrorF("error sending logs with http code %d", resp.StatusCode) } + utils.Logger.Info("successfully sent %d logs to Logstash", len(logStrings)) return nil } From adb56a713d9c19a8004d8b9089c82b8db865c435 Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Thu, 8 May 2025 09:34:35 -0500 Subject: [PATCH 23/56] fix: add pipeline for aws, sophos-central and o365 integrations --- backend/src/main/resources/config/liquibase/master.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/backend/src/main/resources/config/liquibase/master.xml b/backend/src/main/resources/config/liquibase/master.xml index 6d4791f13..aa975f298 100644 --- a/backend/src/main/resources/config/liquibase/master.xml +++ b/backend/src/main/resources/config/liquibase/master.xml @@ -93,9 +93,9 @@ - + From 331a7af0ff8ca4cc32bda9577ffc54e5e19cd826 Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Thu, 8 May 2025 10:18:27 -0500 Subject: [PATCH 24/56] chore: resolve merge conflicts --- frontend/src/environments/environment.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/frontend/src/environments/environment.ts b/frontend/src/environments/environment.ts index 586cb5a3b..43fa0a00e 100644 --- a/frontend/src/environments/environment.ts +++ b/frontend/src/environments/environment.ts @@ -5,7 +5,7 @@ export const environment = { production: false, // SERVER_API_URL: 'https://192.168.1.18/', - SERVER_API_URL: 'http://localhost:8080/', + SERVER_API_URL: 'https://192.168.1.22/', SERVER_API_CONTEXT: '', SESSION_AUTH_TOKEN: window.location.host.split(':')[0].toLocaleUpperCase(), WEBSOCKET_URL: '//localhost:8080', From 3104a3d47591bcda5c3180040ed9dda71ef08939 Mon Sep 17 00:00:00 2001 
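Review bot: `SERVER_API_URL` is switched to a developer-specific address `https://192.168.1.22/` in a commit described as resolving merge conflicts, and the very next patch flips it back to `http://localhost:8080/`. Both commits are noise in the history of a tracked dev config; a git-ignored local override or an environment-driven value would keep per-machine addresses out of version control. `WEBSOCKET_URL` on the last context line still points at `//localhost:8080`, so the two settings disagree while this commit is checked out.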
From: Manuel Abascal Date: Thu, 8 May 2025 10:23:19 -0500 Subject: [PATCH 25/56] chore: integrate recent UI improvements --- frontend/src/environments/environment.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/frontend/src/environments/environment.ts b/frontend/src/environments/environment.ts index 43fa0a00e..586cb5a3b 100644 --- a/frontend/src/environments/environment.ts +++ b/frontend/src/environments/environment.ts @@ -5,7 +5,7 @@ export const environment = { production: false, // SERVER_API_URL: 'https://192.168.1.18/', - SERVER_API_URL: 'https://192.168.1.22/', + SERVER_API_URL: 'http://localhost:8080/', SERVER_API_CONTEXT: '', SESSION_AUTH_TOKEN: window.location.host.split(':')[0].toLocaleUpperCase(), WEBSOCKET_URL: '//localhost:8080', From e7456b8ac1c2236832170b5aa0bf980ae9840daa Mon Sep 17 00:00:00 2001 From: Kbayero Date: Thu, 8 May 2025 13:02:39 -0400 Subject: [PATCH 26/56] add datasource in macos agent logs --- agent/collectors/macos.go | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/agent/collectors/macos.go b/agent/collectors/macos.go index 001e07842..313fc4d1b 100644 --- a/agent/collectors/macos.go +++ b/agent/collectors/macos.go @@ -5,6 +5,7 @@ package collectors import ( "bufio" + "os" "os/exec" "path/filepath" @@ -29,6 +30,11 @@ func getCollectorsInstances() []Collector { func (d Darwin) SendLogs() { path := utils.GetMyPath() collectorPath := filepath.Join(path, "utmstack-collector-mac") + host, err := os.Hostname() + if err != nil { + utils.Logger.ErrorF("error getting hostname: %v", err) + host = "unknown" + } cmd := exec.Command(collectorPath) @@ -62,9 +68,11 @@ func (d Darwin) SendLogs() { continue } + messageWithHost := config.GetMessageFormated(host, validatedLog) + logservice.LogQueue <- logservice.LogPipe{ Src: string(config.DataTypeMacOs), - Logs: []string{validatedLog}, + Logs: []string{messageWithHost}, } } From db73c5bba081019b3c110182fa0eb0ead19050a4 Mon Sep 17 00:00:00 2001 
From: Kbayero Date: Thu, 8 May 2025 13:18:21 -0400 Subject: [PATCH 27/56] include logstash ports in installer for aws, o365 and sophos --- installer/types/compose.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/installer/types/compose.go b/installer/types/compose.go index 7af90fe91..91d61a385 100644 --- a/installer/types/compose.go +++ b/installer/types/compose.go @@ -249,6 +249,8 @@ func (c *Compose) Populate(conf *Config, stack *StackConfig) *Compose { Environment: []string{ "PANEL_SERV_NAME=backend:8080", "INTERNAL_KEY=" + conf.InternalKey, + "UTM_LOGSTASH_HOST=logstash", + "UTM_LOGSTASH_PORT=10048", "LOG_LEVEL=200", }, Logging: &dLogging, @@ -277,6 +279,8 @@ func (c *Compose) Populate(conf *Config, stack *StackConfig) *Compose { Environment: []string{ "PANEL_SERV_NAME=backend:8080", "INTERNAL_KEY=" + conf.InternalKey, + "UTM_LOGSTASH_HOST=logstash", + "UTM_LOGSTASH_PORT=10050", "LOG_LEVEL=200", }, Logging: &dLogging, @@ -304,6 +308,8 @@ func (c *Compose) Populate(conf *Config, stack *StackConfig) *Compose { Environment: []string{ "PANEL_SERV_NAME=backend:8080", "INTERNAL_KEY=" + conf.InternalKey, + "UTM_LOGSTASH_HOST=logstash", + "UTM_LOGSTASH_PORT=10049", "LOG_LEVEL=200", }, Logging: &dLogging, From e558a785c4ee24402a927b46bc0326fd113bdfbb Mon Sep 17 00:00:00 2001 From: Yadian Llada Lopez Date: Thu, 8 May 2025 16:47:51 -0400 Subject: [PATCH 28/56] fix: update TagRulesApplied field type to slice and join in conversion --- soc-ai/schema/convert.go | 2 +- soc-ai/schema/schema.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/soc-ai/schema/convert.go b/soc-ai/schema/convert.go index a97ed08ef..cf726dfbd 100644 --- a/soc-ai/schema/convert.go +++ b/soc-ai/schema/convert.go 
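Review bot: The three `UTM_LOGSTASH_PORT` values (10048, 10050, 10049) are hard-coded here and again as `http_port` in the three Liquibase changelogs earlier in the series, with nothing tying a port to its service — the hunks do not show the service names, so only the order hints which is which. A comment on each, e.g. `"UTM_LOGSTASH_PORT=10048", // must match the aws pipeline http input (changelog 20250507001)`, or one shared constant per integration, would make the pairing checkable at review time. If an environment value drifts from its pipeline's input port the integration fails at runtime with connection errors rather than with a configuration error.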
@@ -14,7 +14,7 @@ func ConvertFromAlertToAlertDB(alert Alert) AlertGPTDetails { return AlertGPTDetails{ AlertID: alert.ID, Severity: alert.Severity, - TagRulesApplied: alert.TagRulesApplied, + TagRulesApplied: strings.Join(alert.TagRulesApplied, ","), SeverityLabel: alert.SeverityLabel, Notes: alert.Notes, DataType: alert.DataType, diff --git a/soc-ai/schema/schema.go b/soc-ai/schema/schema.go index 08f59b9a4..6b2d44a7e 100644 --- a/soc-ai/schema/schema.go +++ b/soc-ai/schema/schema.go @@ -102,7 +102,7 @@ type AlertDetails []Alert type Alert struct { ID string `json:"id"` Severity int `json:"severity"` - TagRulesApplied string `json:"TagRulesApplied,omitempty"` + TagRulesApplied []string `json:"TagRulesApplied,omitempty"` SeverityLabel string `json:"severityLabel"` Notes string `json:"notes"` DataType string `json:"dataType"` From 2d9213229c9d659e3e65420103f7d27b17eeb25e Mon Sep 17 00:00:00 2001 From: Yadian Llada Lopez Date: Thu, 8 May 2025 17:31:17 -0400 Subject: [PATCH 29/56] fix: change TagRulesApplied field type from string to slice of int --- soc-ai/schema/convert.go | 2 +- soc-ai/schema/models.go | 2 +- soc-ai/schema/schema.go | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/soc-ai/schema/convert.go b/soc-ai/schema/convert.go index cf726dfbd..a97ed08ef 100644 --- a/soc-ai/schema/convert.go +++ b/soc-ai/schema/convert.go @@ -14,7 +14,7 @@ func ConvertFromAlertToAlertDB(alert Alert) AlertGPTDetails { return AlertGPTDetails{ AlertID: alert.ID, Severity: alert.Severity, - TagRulesApplied: strings.Join(alert.TagRulesApplied, ","), + TagRulesApplied: alert.TagRulesApplied, SeverityLabel: alert.SeverityLabel, Notes: alert.Notes, DataType: alert.DataType, diff --git a/soc-ai/schema/models.go b/soc-ai/schema/models.go index 98bc3f4fd..4560027f2 100644 --- a/soc-ai/schema/models.go +++ b/soc-ai/schema/models.go 
@@ -3,7 +3,7 @@ package schema type AlertGPTDetails struct { AlertID string `json:"alert_id,omitempty"` Severity int `json:"severity,omitempty"` - TagRulesApplied string `json:"tag_rules_applied,omitempty"` + TagRulesApplied []int `json:"tag_rules_applied,omitempty"` SeverityLabel string `json:"severity_label,omitempty"` Notes string `json:"notes,omitempty"` DataType string `json:"data_type,omitempty"` diff --git a/soc-ai/schema/schema.go b/soc-ai/schema/schema.go index 6b2d44a7e..0c316b8ef 100644 --- a/soc-ai/schema/schema.go +++ b/soc-ai/schema/schema.go @@ -102,7 +102,7 @@ type AlertDetails []Alert type Alert struct { ID string `json:"id"` Severity int `json:"severity"` - TagRulesApplied []string `json:"TagRulesApplied,omitempty"` + TagRulesApplied []int `json:"TagRulesApplied,omitempty"` SeverityLabel string `json:"severityLabel"` Notes string `json:"notes"` DataType string `json:"dataType"` From 34a1c4f7d10ee7060332b1ed5d7a7142ae468c39 Mon Sep 17 00:00:00 2001 From: JocLRojas Date: Fri, 9 May 2025 15:28:24 -0400 Subject: [PATCH 30/56] Refactoring the event sending format to Logstash in the AWS plugin. --- aws/processor/sendData.go | 30 ++++++++++-------------------- 1 file changed, 10 insertions(+), 20 deletions(-) diff --git a/aws/processor/sendData.go b/aws/processor/sendData.go index ce7c4aedd..87092dc51 100644 --- a/aws/processor/sendData.go +++ b/aws/processor/sendData.go @@ -6,7 +6,6 @@ import ( "encoding/json" "fmt" "net/http" - "strings" "time" "github.com/threatwinds/logger" 
@@ -27,37 +26,30 @@ var transport = &http.Transport{ var client = &http.Client{Transport: transport, Timeout: 2 * time.Second} func SendToLogstash(data []TransformedLog) *logger.Error { - var logStrings []string - for _, log := range data { - body, err := json.Marshal(log) + for _, str := range data { + body, err := json.Marshal(str) if err != nil { utils.Logger.ErrorF("error encoding log to JSON: %v", err) continue } - logStrings = append(logStrings, string(body)) - } - - if len(logStrings) == 0 { - return nil - } - - var logs string - for _, str := range logStrings { - logs += str + configuration.UTMLogSeparator + if err := sendLogs(body); err != nil { + utils.Logger.ErrorF("error sending logs to logstach: %v", err) + continue + } } + return nil +} +func sendLogs(log []byte) error { url := fmt.Sprintf(configuration.LogstashEndpoint, configuration.GetLogstashHost(), configuration.GetLogstashPort()) - req, err := http.NewRequest("POST", url, bytes.NewBufferString(logs)) + req, err := http.NewRequest("POST", url, bytes.NewBuffer(log)) if err != nil { return utils.Logger.ErrorF("error creating request: %v", err.Error()) } resp, err := client.Do(req) if err != nil { - if !strings.Contains(err.Error(), "Client.Timeout exceeded while awaiting headers") { - utils.Logger.ErrorF("error sending logs with error: %v", err.Error()) - } return utils.Logger.ErrorF("error sending logs: %v", err.Error()) } defer resp.Body.Close() @@ -65,7 +57,5 @@ func SendToLogstash(data []TransformedLog) *logger.Error { if resp.StatusCode != http.StatusOK { return utils.Logger.ErrorF("error sending logs with http code %d", resp.StatusCode) } - - utils.Logger.Info("successfully sent %d logs to Logstash", len(logStrings)) return nil } From ce11b6e6b8aa675a49816a8e87024e4712b1257a Mon Sep 17 00:00:00 2001 
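Review bot: The log message in `SendToLogstash` misspells the destination: `utils.Logger.ErrorF("error sending logs to logstach: %v", err)` should read `logstash`, and the same line is repeated in the Sophos and Office 365 refactors that follow. `sendLogs` is declared to return `error` but every failure path returns the `*logger.Error` from `utils.Logger.ErrorF`; that works while no typed nil is ever returned, but declaring it as `func sendLogs(log []byte) *logger.Error` like its caller keeps the types consistent. The loop variable `str` now holds a `TransformedLog`, not a string, so `entry` would be clearer, and `configuration.UTMLogSeparator` is left unused by this change. Each log is now its own POST under a 2s client timeout, so a batch of N logs costs N round trips — presumably intended, but a comment would save the next reader from "fixing" it back.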
From: JocLRojas Date: Sat, 10 May 2025 19:47:18 -0400 Subject: [PATCH 31/56] Refactoring the event sending format to Logstash in the Sophos plugin. --- sophos/processor/sendData.go | 30 ++++++++++-------------------- 1 file changed, 10 insertions(+), 20 deletions(-) diff --git a/sophos/processor/sendData.go b/sophos/processor/sendData.go index 49bb1feea..007a2a845 100644 --- a/sophos/processor/sendData.go +++ b/sophos/processor/sendData.go @@ -6,7 +6,6 @@ import ( "encoding/json" "fmt" "net/http" - "strings" "time" "github.com/threatwinds/logger" @@ -27,37 +26,30 @@ var transport = &http.Transport{ var client = &http.Client{Transport: transport, Timeout: 2 * time.Second} func SendToLogstash(data []TransformedLog) *logger.Error { - var logStrings []string - for _, log := range data { - body, err := json.Marshal(log) + for _, str := range data { + body, err := json.Marshal(str) if err != nil { utils.Logger.ErrorF("error encoding log to JSON: %v", err) continue } - logStrings = append(logStrings, string(body)) - } - - if len(logStrings) == 0 { - return nil - } - - var logs string - for _, str := range logStrings { - logs += str + configuration.UTMLogSeparator + if err := sendLogs(body); err != nil { + utils.Logger.ErrorF("error sending logs to logstach: %v", err) + continue + } } + return nil +} +func sendLogs(log []byte) error { url := fmt.Sprintf(configuration.LogstashEndpoint, configuration.GetLogstashHost(), configuration.GetLogstashPort()) - req, err := http.NewRequest("POST", url, bytes.NewBufferString(logs)) + req, err := http.NewRequest("POST", url, bytes.NewBuffer(log)) if err != nil { return utils.Logger.ErrorF("error creating request: %v", err.Error()) } resp, err := client.Do(req) if err != nil { - if !strings.Contains(err.Error(), "Client.Timeout exceeded while awaiting headers") { - utils.Logger.ErrorF("error sending logs with error: %v", err.Error()) - } return utils.Logger.ErrorF("error sending logs: %v", err.Error()) } defer resp.Body.Close() 
@@ -65,7 +57,5 @@ func SendToLogstash(data []TransformedLog) *logger.Error { if resp.StatusCode != http.StatusOK { return utils.Logger.ErrorF("error sending logs with http code %d", resp.StatusCode) } - - utils.Logger.Info("successfully sent %d logs to Logstash", len(logStrings)) return nil } From 9785a94aacde4a9723b06366c1f57c97e6976e97 Mon Sep 17 00:00:00 2001 From: JocLRojas Date: Sat, 10 May 2025 19:47:54 -0400 Subject: [PATCH 32/56] Refactoring the event sending format to Logstash in the office365 plugin. --- office365/processor/sendData.go | 30 ++++++++++-------------------- 1 file changed, 10 insertions(+), 20 deletions(-) diff --git a/office365/processor/sendData.go b/office365/processor/sendData.go index 467e7746a..99d92d2af 100644 --- a/office365/processor/sendData.go +++ b/office365/processor/sendData.go @@ -6,7 +6,6 @@ import ( "encoding/json" "fmt" "net/http" - "strings" "time" "github.com/threatwinds/logger" 
@@ -27,37 +26,30 @@ var transport = &http.Transport{ var client = &http.Client{Transport: transport, Timeout: 2 * time.Second} func SendToLogstash(data []TransformedLog) *logger.Error { - var logStrings []string - for _, log := range data { - body, err := json.Marshal(log) + for _, str := range data { + body, err := json.Marshal(str) if err != nil { utils.Logger.ErrorF("error encoding log to JSON: %v", err) continue } - logStrings = append(logStrings, string(body)) - } - - if len(logStrings) == 0 { - return nil - } - - var logs string - for _, str := range logStrings { - logs += str + configuration.UTMLogSeparator + if err := sendLogs(body); err != nil { + utils.Logger.ErrorF("error sending logs to logstach: %v", err) + continue + } } + return nil +} +func sendLogs(log []byte) error { url := fmt.Sprintf(configuration.LogstashEndpoint, configuration.GetLogstashHost(), configuration.GetLogstashPort()) - req, err := http.NewRequest("POST", url, bytes.NewBufferString(logs)) + req, err := http.NewRequest("POST", url, bytes.NewBuffer(log)) if err != nil { return utils.Logger.ErrorF("error creating request: %v", err.Error()) } resp, err := client.Do(req) if err != nil { - if !strings.Contains(err.Error(), "Client.Timeout exceeded while awaiting headers") { - utils.Logger.ErrorF("error sending logs with error: %v", err.Error()) - } return utils.Logger.ErrorF("error sending logs: %v", err.Error()) } defer resp.Body.Close() @@ -65,7 +57,5 @@ func SendToLogstash(data []TransformedLog) *logger.Error { if resp.StatusCode != http.StatusOK { return utils.Logger.ErrorF("error sending logs with http code %d", resp.StatusCode) } - - utils.Logger.Info("successfully sent %d logs to Logstash", len(logStrings)) return nil } From c2f5795996eb88edcf49a4493dd7628e70e35435 Mon Sep 17 00:00:00 2001 
From: Manuel Abascal Date: Mon, 12 May 2025 14:56:35 -0500 Subject: [PATCH 33/56] fix: add pipeline for aws, sophos-central and o365 integrations --- .../liquibase/changelog/20250507003_add_o365_pipeline.xml | 2 +- backend/src/main/resources/config/liquibase/master.xml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/backend/src/main/resources/config/liquibase/changelog/20250507003_add_o365_pipeline.xml b/backend/src/main/resources/config/liquibase/changelog/20250507003_add_o365_pipeline.xml index 5c3d4a003..96f301704 100644 --- a/backend/src/main/resources/config/liquibase/changelog/20250507003_add_o365_pipeline.xml +++ b/backend/src/main/resources/config/liquibase/changelog/20250507003_add_o365_pipeline.xml @@ -11,7 +11,7 @@ VALUES (57, 'o365', 'Office 365', null, 'up', 'AWS', true, null, false, 0, 0, 0, 0, 0, null, null, null); INSERT INTO utm_group_logstash_pipeline_filters (filter_id, pipeline_id, relation) - VALUES (103, 57, 'PIPELINE_FILTER'); + VALUES (601, 57, 'PIPELINE_FILTER'); INSERT INTO utm_logstash_input (id, pipeline_id, input_pretty_name, input_plugin, input_with_ssl, system_owner) VALUES (70, 57, 'HTTP', 'http', false, true); diff --git a/backend/src/main/resources/config/liquibase/master.xml b/backend/src/main/resources/config/liquibase/master.xml index aa975f298..5cbc89191 100644 --- a/backend/src/main/resources/config/liquibase/master.xml +++ b/backend/src/main/resources/config/liquibase/master.xml @@ -93,9 +93,9 @@ - - --> + From 78515a458b4eeb6a90f003b1964192c46c82df3f Mon Sep 17 00:00:00 2001 From: Osmany Montero Date: Tue, 13 May 2025 12:46:16 +0300 Subject: [PATCH 34/56] "Update blocklist processing to support severity levels and enhance IP threat intelligence integration." --- correlation/Dockerfile | 8 ++++---- correlation/ti/bases.go | 13 ++++++++++--- correlation/ti/ti.go | 12 ++++++------ 3 files changed, 20 insertions(+), 13 deletions(-) 
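Review bot: The `filter_id` value (103 → 601) is edited inside the already-existing changeSet file 20250507003_add_o365_pipeline.xml rather than in a new changeSet; if that changeSet has already run anywhere, Liquibase's stored checksum no longer matches and the next update fails unless the changeSet is marked `runOnChange="true"` or its checksum is cleared, and databases that already applied it keep the 103 row while fresh installs get 601. Patches 37, 39 and 40 edit 20250507002_add_sophos_central_pipeline.xml the same way. A follow-up changeSet with an UPDATE, the pattern patch 39 itself uses for 20250515001 and 20250515003, avoids both problems. The changeSet attributes are not visible in this rendering (the XML tags were stripped), so this is worth confirming against the file.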
diff --git a/correlation/Dockerfile b/correlation/Dockerfile index cd8f537d3..3497ee62c 100644 --- a/correlation/Dockerfile +++ b/correlation/Dockerfile @@ -1,7 +1,7 @@ FROM ubuntu:24.04 RUN apt-get update RUN apt-get install -y ca-certificates git wget -COPY correlation /app/ +COPY c /app/correlation COPY docs/swagger.json /app/docs/ COPY docs/swagger.yaml /app/docs/ COPY config.yml.prod /app/config.yml @@ -14,8 +14,8 @@ RUN wget -O /app/asn-blocks-v6.csv https://cdn.utmstack.com/geoip/asn-blocks-v6. RUN wget -O /app/blocks-v4.csv https://cdn.utmstack.com/geoip/blocks-v4.csv RUN wget -O /app/blocks-v6.csv https://cdn.utmstack.com/geoip/blocks-v6.csv RUN wget -O /app/locations-en.csv https://cdn.utmstack.com/geoip/locations-en.csv -RUN wget -O /app/ip_blocklist.list https://intelligence.threatwinds.com/feeds/public/ip/cumulative.list -RUN wget -O /app/domain_blocklist.list https://intelligence.threatwinds.com/feeds/public/domain/cumulative.list -RUN wget -O /app/hostname_blocklist.list https://intelligence.threatwinds.com/feeds/public/hostname/cumulative.list +RUN wget -O /app/ip_level1.list.tar.gz https://intelligence.threatwinds.com/api/feeds/v1/download/list/level1/accumulative/ip && cd /app && tar -xf ip_level1.list.tar.gz +RUN wget -O /app/ip_level2.list.tar.gz https://intelligence.threatwinds.com/api/feeds/v1/download/list/level2/accumulative/ip && cd /app && tar -xf ip_level2.list.tar.gz +RUN wget -O /app/ip_level3.list.tar.gz https://intelligence.threatwinds.com/api/feeds/v1/download/list/level3/accumulative/ip && cd /app && tar -xf ip_level3.list.tar.gz RUN mkdir -p /app/rulesets && git clone --depth 1 https://github.com/utmstack/rules.git /app/rulesets/system ENTRYPOINT [ "/run.sh" ] \ No newline at end of file diff --git a/correlation/ti/bases.go b/correlation/ti/bases.go index 5c4734215..aa3c64deb 100644 --- a/correlation/ti/bases.go +++ b/correlation/ti/bases.go 
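Review bot: The three feed archives are fetched with no integrity check and unpacked with a bare `tar -xf` into /app, while the loader in the next hunk opens `/app/ip_level1.list` and friends by fixed name, so the build silently depends on the archive member names matching; if the feed's internal filename differs, the image still builds and `Load` fails only at runtime. Naming the expected member makes that assumption fail at build time, and removing the archive keeps it out of the image: `tar -xf ip_level1.list.tar.gz ip_level1.list && rm ip_level1.list.tar.gz` (same for level2 and level3). Because the lists are accumulative and baked in at build time, the blocklist is frozen as of the last image build and each level's severity mapping lives only in bases.go; a runtime refresh with a checksum or signature from the feed provider would be the longer-term fix, and a comment on these lines saying the feeds are snapshot at build time would set expectations meanwhile.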
@@ -11,15 +11,22 @@ func Load() { log.Printf("Loading Threat Intelligence Feeds") var files = []string{ - "ip_blocklist.list", + "ip_level1.list", + "ip_level2.list", + "ip_level3.list", } for _, file := range files { var t string switch file { - case "ip_blocklist.list": - t = "IP" + case "ip_level1.list": + t = "Low" + case "ip_level2.list": + t = "Medium" + case "ip_level3.list": + t = "High" + default: } f, err := os.Open(filepath.Join("/app", file)) diff --git a/correlation/ti/ti.go b/correlation/ti/ti.go index e1ca56823..c3924f7d5 100644 --- a/correlation/ti/ti.go +++ b/correlation/ti/ti.go @@ -103,10 +103,10 @@ func IsBlocklisted() { destinationIp := gjson.Get(log, "logx.*.dest_ip") if !cache.IsCached(sourceIp.String()) { - if _, ok := blockList[sourceIp.String()]; ok && !blocked(log) { + if severity, ok := blockList[sourceIp.String()]; ok && !blocked(log) { correlation.Alert( - "Connection attempt from a malicious IP", - "Low", + "Connection from a malicious IP", + severity, "A blocklisted element has been identified in the logs. Further investigation is recommended.", "", "Threat Intelligence", @@ -123,10 +123,10 @@ func IsBlocklisted() { } if !cache.IsCached(destinationIp.String()) { - if _, ok := blockList[destinationIp.String()]; ok && !blocked(log) { + if severity, ok := blockList[destinationIp.String()]; ok && !blocked(log) { correlation.Alert( - "Connection attempt from a malicious IP", - "Low", + "Connection to a malicious IP", + severity, "A blocklisted element has been identified in the logs. Further investigation is recommended.", "", "Threat Intelligence", From 531a2763e8e547b542ed18be9c327aad4541cac2 Mon Sep 17 00:00:00 2001 From: Osmany Montero Date: Tue, 13 May 2025 12:50:57 +0300 Subject: [PATCH 35/56] "Add IP validation using net.ParseIP to ensure proper processing of source and destination IPs." --- correlation/ti/ti.go | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) 
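Review bot: The new `default:` in the switch is empty, so any file later appended to `files` without a matching case is processed with `t == ""`; if `t` is what ends up as the alert severity (the rest of `Load` is outside this hunk), that produces alerts with an empty severity instead of a load-time error. `default: log.Printf("unknown feed file %s, skipping", file); continue` keeps the list and the switch from drifting apart. The three strings are also the level-to-severity mapping that ti.go now passes straight to `correlation.Alert` in this same commit, so a comment on the `files` slice naming that coupling would help whoever adds a fourth level.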
diff --git a/correlation/ti/ti.go b/correlation/ti/ti.go index c3924f7d5..876dd25a9 100644 --- a/correlation/ti/ti.go +++ b/correlation/ti/ti.go @@ -4,6 +4,7 @@ import ( "github.com/tidwall/gjson" "github.com/utmstack/UTMStack/correlation/correlation" "github.com/utmstack/UTMStack/correlation/utils" + "net" "runtime" "strings" "sync" @@ -99,10 +100,12 @@ func IsBlocklisted() { for { log := <-channel - sourceIp := gjson.Get(log, "logx.*.src_ip") - destinationIp := gjson.Get(log, "logx.*.dest_ip") + sourceIpStr := gjson.Get(log, "logx.*.src_ip") + destinationIpStr := gjson.Get(log, "logx.*.dest_ip") + sourceIp := net.ParseIP(sourceIpStr.String()) + destinationIp := net.ParseIP(destinationIpStr.String()) - if !cache.IsCached(sourceIp.String()) { + if sourceIp != nil && !cache.IsCached(sourceIp.String()) { if severity, ok := blockList[sourceIp.String()]; ok && !blocked(log) { correlation.Alert( "Connection from a malicious IP", @@ -122,7 +125,7 @@ func IsBlocklisted() { cache.Add(sourceIp.String()) } - if !cache.IsCached(destinationIp.String()) { + if destinationIp != nil && !cache.IsCached(destinationIp.String()) { if severity, ok := blockList[destinationIp.String()]; ok && !blocked(log) { correlation.Alert( "Connection to a malicious IP", From 3ab8c943b00eb589b673dbd0ff023181a6dba79e Mon Sep 17 00:00:00 2001 From: Osmany Montero Date: Tue, 13 May 2025 12:53:52 +0300 Subject: [PATCH 36/56] "Fix path in Dockerfile COPY command for the correlation binary." --- correlation/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/correlation/Dockerfile b/correlation/Dockerfile index 3497ee62c..3b021601b 100644 --- a/correlation/Dockerfile +++ b/correlation/Dockerfile @@ -1,7 +1,7 @@ FROM ubuntu:24.04 RUN apt-get update RUN apt-get install -y ca-certificates git wget -COPY c /app/correlation +COPY correlation /app/correlation COPY docs/swagger.json /app/docs/ COPY docs/swagger.yaml /app/docs/ COPY config.yml.prod /app/config.yml 
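Review bot: After `net.ParseIP`, `sourceIp.String()` is the canonical form (lower-case, zero-compressed IPv6; IPv4-mapped addresses print as dotted quads), but `blockList` is keyed by whatever text the feed files contain, so an IPv6 entry written uncompressed or upper-case in the feed, or an IPv4-mapped form in the log, will not match unless `Load` normalises its keys the same way; the loader's key handling is outside this chunk, so this is worth checking. Normalising in `Load` with `if p := net.ParseIP(line); p != nil { blockList[p.String()] = t }` and skipping unparsable lines makes both sides agree. Style: `"net"` is placed inside the third-party import block; the conventional layout is a separate standard-library group with `runtime`, `strings` and `sync`.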
From 08b7d7c4402670e8dc7dfc93a0598409d89f3dce Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Tue, 13 May 2025 13:45:38 -0500 Subject: [PATCH 37/56] fix: add pipeline for aws, sophos-central and o365 integrations --- ...0250507002_add_sophos_central_pipeline.xml | 19 ++++++++++++++++++- .../resources/config/liquibase/master.xml | 2 +- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/backend/src/main/resources/config/liquibase/changelog/20250507002_add_sophos_central_pipeline.xml b/backend/src/main/resources/config/liquibase/changelog/20250507002_add_sophos_central_pipeline.xml index 06155e674..592b09ee2 100644 --- a/backend/src/main/resources/config/liquibase/changelog/20250507002_add_sophos_central_pipeline.xml +++ b/backend/src/main/resources/config/liquibase/changelog/20250507002_add_sophos_central_pipeline.xml @@ -6,12 +6,29 @@ + "message" + terminator => "" + } +}', 'sophos-central', null, true, 'SOPHOS', false, '2.0.1'); + ]]> + + + + + INSERT INTO utm_logstash_pipeline (id, pipeline_id, pipeline_name, parent_pipeline, pipeline_status, module_name, system_owner, pipeline_description, pipeline_internal, events_in, events_filtered, events_out, reloads_successes, reloads_failures, reloads_last_failure_timestamp, reloads_last_error, reloads_last_success_timestamp) VALUES (56, 'sophos-central', 'Sophos Central', null, 'up', 'AWS', true, null, false, 0, 0, 0, 0, 0, null, null, null); INSERT INTO utm_group_logstash_pipeline_filters (filter_id, pipeline_id, relation) - VALUES (102, 56, 'PIPELINE_FILTER'); + VALUES (1527, 56, 'PIPELINE_FILTER'); INSERT INTO utm_logstash_input (id, pipeline_id, input_pretty_name, input_plugin, input_with_ssl, system_owner) VALUES (69, 56, 'HTTP', 'http', false, true); diff --git a/backend/src/main/resources/config/liquibase/master.xml b/backend/src/main/resources/config/liquibase/master.xml index 5cbc89191..6d4791f13 100644 --- a/backend/src/main/resources/config/liquibase/master.xml 
+++ b/backend/src/main/resources/config/liquibase/master.xml @@ -93,7 +93,7 @@ - + From fac42da30ce55ace756ee884634c1ff8b7577191 Mon Sep 17 00:00:00 2001 From: Yorjander Hernandez Vergara <99102374+Kbayero@users.noreply.github.com> Date: Wed, 14 May 2025 13:52:46 -0400 Subject: [PATCH 38/56] Update correlation Dockerfile --- correlation/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/correlation/Dockerfile b/correlation/Dockerfile index 3b021601b..a68677b51 100644 --- a/correlation/Dockerfile +++ b/correlation/Dockerfile @@ -1,7 +1,7 @@ FROM ubuntu:24.04 RUN apt-get update RUN apt-get install -y ca-certificates git wget -COPY correlation /app/correlation +COPY correlation /app/ COPY docs/swagger.json /app/docs/ COPY docs/swagger.yaml /app/docs/ COPY config.yml.prod /app/config.yml @@ -18,4 +18,4 @@ RUN wget -O /app/ip_level1.list.tar.gz https://intelligence.threatwinds.com/api/ RUN wget -O /app/ip_level2.list.tar.gz https://intelligence.threatwinds.com/api/feeds/v1/download/list/level2/accumulative/ip && cd /app && tar -xf ip_level2.list.tar.gz RUN wget -O /app/ip_level3.list.tar.gz https://intelligence.threatwinds.com/api/feeds/v1/download/list/level3/accumulative/ip && cd /app && tar -xf ip_level3.list.tar.gz RUN mkdir -p /app/rulesets && git clone --depth 1 https://github.com/utmstack/rules.git /app/rulesets/system -ENTRYPOINT [ "/run.sh" ] \ No newline at end of file +ENTRYPOINT [ "/run.sh" ] From c92e253ae81078cbb9b27b8276e805ce2a9adf42 Mon Sep 17 00:00:00 2001 
From: Manuel Abascal Date: Fri, 16 May 2025 07:12:03 -0500 Subject: [PATCH 39/56] fix: add pipeline for aws, sophos-central and o365 integrations --- ...0250507002_add_sophos_central_pipeline.xml | 18 +++++- .../20250515001_update_filter_aws.xml | 58 +++++++++++++++++++ .../20250515003_update_filter_o365.xml | 37 ++++++++++++ .../resources/config/liquibase/master.xml | 4 ++ 4 files changed, 114 insertions(+), 3 deletions(-) create mode 100644 backend/src/main/resources/config/liquibase/changelog/20250515001_update_filter_aws.xml create mode 100644 backend/src/main/resources/config/liquibase/changelog/20250515003_update_filter_o365.xml diff --git a/backend/src/main/resources/config/liquibase/changelog/20250507002_add_sophos_central_pipeline.xml b/backend/src/main/resources/config/liquibase/changelog/20250507002_add_sophos_central_pipeline.xml index 592b09ee2..0e2b469a3 100644 --- a/backend/src/main/resources/config/liquibase/changelog/20250507002_add_sophos_central_pipeline.xml +++ b/backend/src/main/resources/config/liquibase/changelog/20250507002_add_sophos_central_pipeline.xml @@ -12,9 +12,21 @@ # Sophos_Central version 1.0.0 - split { - field => "message" - terminator => "" + json { + source => "message" + } + + if ([dataType] == "sophos-central") { + + mutate { + rename => { "[logx][sophos_central][source_info][ip]" => "[logx][sophos_central][source_ip]"} + rename => { "[logx][sophos_central][when]" => "[logx][sophos_central][timestamp_occurred_at]"} + rename => { "[logx][sophos_central][created_at]" => "[logx][sophos_central][timestamp_generated_at]"} + } + + mutate { + remove_field => ["headers", "@version", "global", "[logx][sophos_central][core_remedy_items][totalItems]"] + } } }', 'sophos-central', null, true, 'SOPHOS', false, '2.0.1'); ]]> 
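Review bot: `json { source => "message" }` has no `target`, so every top-level key of the decoded payload is merged into the event root and can overwrite fields Logstash already set (`@timestamp`, `tags`, `dataType` itself), and the following `if ([dataType] == "sophos-central")` therefore trusts the sender to supply `dataType`; if that is intended, a one-line comment saying the plugin sets it would save the next reader a search. A payload that is not valid JSON is tagged `_jsonparsefailure` and then falls through with its raw `message` and none of the renames applied; `if "_jsonparsefailure" in [tags] { drop { } }` (or a `tag_on_failure` you handle downstream) makes that an explicit decision. The same filter text is duplicated verbatim in filters/sophos/sophos_central.conf (patch 43), so the two copies must be kept in step by hand. Both points apply equally to the o365 filter in changelog 20250515003 (this patch) and filters/office365/o365-all.conf (patch 45).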
diff --git a/backend/src/main/resources/config/liquibase/changelog/20250515001_update_filter_aws.xml b/backend/src/main/resources/config/liquibase/changelog/20250515001_update_filter_aws.xml new file mode 100644 index 000000000..ad833bdee --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20250515001_update_filter_aws.xml @@ -0,0 +1,58 @@ + + + + + + + "message" + target => "parsed_message" + } + + if ([parsed_message][logx][type] == "aws") { + mutate { + add_field => { + "dataType" => "aws" + "dataSource" => "%{[parsed_message][logx][tenant]}" + } + } + + json { + source => "[parsed_message][logx][aws][message]" + target => "[logx][aws]" + } + + mutate { + rename => { "[logx][aws][eventVersion]" => "[logx][aws][eventVersion]"} + rename => { "[logx][aws][userIdentity][accountId]" => "[logx][aws][accountId]"} + rename => { "[logx][aws][userIdentity][sessionContext][attributes][creationDate]" => "[logx][aws][creationDate]"} + rename => { "[logx][aws][userIdentity][sessionContext][sessionIssuer][accountId]" => "[logx][aws][sessionIssuerAccountId]"} + rename => { "[logx][aws][userIdentity][sessionContext][sessionIssuer][arn]" => "[logx][aws][sessionIssuerArn]"} + rename => { "[logx][aws][userIdentity][sessionContext][sessionIssuer][principalId]" => "[logx][aws][sessionIssuerPrincipalId]"} + rename => { "[logx][aws][userIdentity][sessionContext][sessionIssuer][type]" => "[logx][aws][sessionIssuerType]"} + rename => { "[logx][aws][additionalEventData][SignatureVersion]" => "[logx][aws][SignatureVersion]"} + rename => { "[logx][aws][additionalEventData][x-amz-id-2]" => "[logx][aws][xamzId2]"} + rename => { "[logx][aws][responseElements][x-amz-expiration]" => "[logx][aws][xAmzExpiration]"} + } + + mutate { + remove_field => ["headers", "parsed_message", "@version"] + } + } +}' + WHERE id=101; + ]]> + + + \ No newline at end of file 
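Review bot: `rename => { "[logx][aws][eventVersion]" => "[logx][aws][eventVersion]"}` renames a field to itself and is a no-op; either the target was meant to differ or the line should go. `"dataSource" => "%{[parsed_message][logx][tenant]}"` leaves the literal `%{[parsed_message][logx][tenant]}` text in `dataSource` when the tenant field is absent, which then travels downstream as the tenant value; wrapping the `add_field` in `if [parsed_message][logx][tenant]` avoids that. The second `json` filter parses `[parsed_message][logx][aws][message]` straight into `[logx][aws]` with no failure handling, so a non-JSON message yields an event with `dataType` set but no `[logx][aws]` at all. The `remove_field` of `parsed_message` only runs inside the `if`, so non-aws events keep the whole decoded copy. The same filter body is duplicated in filters/aws/aws.conf (patch 44), where the same three points apply.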
diff --git a/backend/src/main/resources/config/liquibase/changelog/20250515003_update_filter_o365.xml b/backend/src/main/resources/config/liquibase/changelog/20250515003_update_filter_o365.xml new file mode 100644 index 000000000..a581bc8a2 --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20250515003_update_filter_o365.xml @@ -0,0 +1,37 @@ + + + + + + + "message" + } + + if ([dataType] == "o365") { + + mutate { + rename => {"[logx][tenant]" => "[logx][o365][tenant]"} + } + + mutate { + remove_field => ["headers", "@version", "global"] + } + } +}' + WHERE id=601; + ]]> + + + \ No newline at end of file diff --git a/backend/src/main/resources/config/liquibase/master.xml b/backend/src/main/resources/config/liquibase/master.xml index 6d4791f13..601b64a77 100644 --- a/backend/src/main/resources/config/liquibase/master.xml +++ b/backend/src/main/resources/config/liquibase/master.xml @@ -97,5 +97,9 @@ + + + + From 31eb7e9620bac4c3437c653abf35beb72e8d5866 Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Fri, 16 May 2025 07:18:13 -0500 Subject: [PATCH 40/56] fix: add pipeline for aws, sophos-central and o365 integrations --- .../changelog/20250507002_add_sophos_central_pipeline.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/backend/src/main/resources/config/liquibase/changelog/20250507002_add_sophos_central_pipeline.xml b/backend/src/main/resources/config/liquibase/changelog/20250507002_add_sophos_central_pipeline.xml index 0e2b469a3..6d5514d9b 100644 --- a/backend/src/main/resources/config/liquibase/changelog/20250507002_add_sophos_central_pipeline.xml +++ b/backend/src/main/resources/config/liquibase/changelog/20250507002_add_sophos_central_pipeline.xml 
@@ -37,7 +37,7 @@ INSERT INTO utm_logstash_pipeline (id, pipeline_id, pipeline_name, parent_pipeline, pipeline_status, module_name, system_owner, pipeline_description, pipeline_internal, events_in, events_filtered, events_out, reloads_successes, reloads_failures, reloads_last_failure_timestamp, reloads_last_error, reloads_last_success_timestamp) - VALUES (56, 'sophos-central', 'Sophos Central', null, 'up', 'AWS', true, null, false, 0, 0, 0, 0, 0, null, null, null); + VALUES (56, 'sophos-central', 'Sophos Central', null, 'up', 'SOPHOS', true, null, false, 0, 0, 0, 0, 0, null, null, null); INSERT INTO utm_group_logstash_pipeline_filters (filter_id, pipeline_id, relation) VALUES (1527, 56, 'PIPELINE_FILTER'); From 350b77baefc55905f28fd2c3a307b75c989783b5 Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Fri, 16 May 2025 09:49:59 -0500 Subject: [PATCH 41/56] fix: filter only valid IPs when parsing coordinate map chart data --- .../ResponseParserForCoordinateMapChart.java | 25 ++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/backend/src/main/java/com/park/utmstack/util/chart_builder/elasticsearch_dsl/responses/impl/coordinate_map/ResponseParserForCoordinateMapChart.java b/backend/src/main/java/com/park/utmstack/util/chart_builder/elasticsearch_dsl/responses/impl/coordinate_map/ResponseParserForCoordinateMapChart.java index 8d164bd74..580fa06ab 100644 --- a/backend/src/main/java/com/park/utmstack/util/chart_builder/elasticsearch_dsl/responses/impl/coordinate_map/ResponseParserForCoordinateMapChart.java +++ b/backend/src/main/java/com/park/utmstack/util/chart_builder/elasticsearch_dsl/responses/impl/coordinate_map/ResponseParserForCoordinateMapChart.java 
@@ -45,7 +45,9 @@ public List parse(UtmVisualization visualization, Sear if (bucket != null) { List entries = TermAggregateParser.parse(result.aggregations().get(bucket.getId())); - entries = entries.stream().filter(e -> StringUtils.hasText(e.getKey())).collect(Collectors.toList()); + entries = entries.stream().filter(e -> isValidIP(e.getKey())) + .collect(Collectors.toList()); + for (BucketAggregation entry : entries) { GeoIp ipV4Info; @@ -88,4 +90,25 @@ public List parse(UtmVisualization visualization, Sear throw new RuntimeException(ctx + ": " + e.getMessage()); } } + + public static boolean isValidIP(String ip) { + return isValidIPv4(ip) || isValidIPv6(ip); + } + + + public static boolean isValidIPv4(String ip) { + if (ip == null || ip.isEmpty()) return false; + String regex = + "^((25[0-5]|2[0-4]\\d|1\\d{2}|[1-9]?\\d)(\\.|$)){4}$"; + return ip.matches(regex); + } + + public static boolean isValidIPv6(String ip) { + if (ip == null || ip.isEmpty()) return false; + String regex = + "^(?:[\\da-fA-F]{1,4}:){7}[\\da-fA-F]{1,4}$"; + return ip.matches(regex); + } + + } From 56360af501c22b0edc91f2aada7ab0dcf07ac9ba Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Fri, 16 May 2025 10:02:37 -0500 Subject: [PATCH 42/56] fix: update display name for Sophos integration --- .../changelog/20250516001_udpate_sophos_name.xml | 15 +++++++++++++++ .../main/resources/config/liquibase/master.xml | 2 ++ 2 files changed, 17 insertions(+) create mode 100644 backend/src/main/resources/config/liquibase/changelog/20250516001_udpate_sophos_name.xml diff --git a/backend/src/main/resources/config/liquibase/changelog/20250516001_udpate_sophos_name.xml b/backend/src/main/resources/config/liquibase/changelog/20250516001_udpate_sophos_name.xml new file mode 100644 index 000000000..2bf452c5a --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20250516001_udpate_sophos_name.xml 
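Review bot: `isValidIPv6` only accepts the fully expanded eight-group form, so every compressed address (`::1`, `2001:db8::1`, `fe80::…`), which is the form most log sources emit, is now filtered out of the map data, and `String.matches` recompiles both patterns for every bucket. Hoisting the patterns to `private static final Pattern` constants (needs `import java.util.regex.Pattern;`) and checking IPv6 structurally fixes both; the version below still rejects zone ids (`%eth0`) and the IPv4-suffixed form `::ffff:1.2.3.4`, which is probably acceptable for a coordinate map but deserves the comment shown. The three helpers are `public static` on a response parser; if other parsers need them they belong in a small utility class. `parse` starts outside this hunk.
```java
    private static final Pattern IPV4 =
        Pattern.compile("^((25[0-5]|2[0-4]\\d|1\\d{2}|[1-9]?\\d)(\\.|$)){4}$");
    private static final Pattern HEX_GROUP = Pattern.compile("[\\da-fA-F]{1,4}");

    // … unchanged: isValidIP …

    public static boolean isValidIPv4(String ip) {
        return ip != null && !ip.isEmpty() && IPV4.matcher(ip).matches();
    }

    /** Eight hex groups, or fewer with a single "::"; zone ids and embedded IPv4 are rejected. */
    public static boolean isValidIPv6(String ip) {
        if (ip == null || ip.isEmpty()) return false;
        int dc = ip.indexOf("::");
        if (dc != ip.lastIndexOf("::")) return false; // at most one "::"
        int groups = 0;
        for (String half : ip.split("::", -1)) {
            if (half.isEmpty()) continue;
            for (String g : half.split(":", -1)) {
                if (!HEX_GROUP.matcher(g).matches()) return false;
                groups++;
            }
        }
        return dc >= 0 ? groups < 8 : groups == 8;
    }
```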
@@ -0,0 +1,15 @@ + + + + + + UPDATE utm_module + set pretty_name = 'Sophos Firewall' + WHERE id = 30; + + + + diff --git a/backend/src/main/resources/config/liquibase/master.xml b/backend/src/main/resources/config/liquibase/master.xml index 601b64a77..084fca2b4 100644 --- a/backend/src/main/resources/config/liquibase/master.xml +++ b/backend/src/main/resources/config/liquibase/master.xml @@ -101,5 +101,7 @@ + + From 8405c6354d3843feadee4df6ecae430f3a8d2b77 Mon Sep 17 00:00:00 2001 From: JocLRojas Date: Fri, 16 May 2025 14:06:13 -0400 Subject: [PATCH 43/56] Implement Sophos Central filter (v1.0.0). --- filters/sophos/sophos_central.conf | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 filters/sophos/sophos_central.conf diff --git a/filters/sophos/sophos_central.conf b/filters/sophos/sophos_central.conf new file mode 100644 index 000000000..ac70c7f6d --- /dev/null +++ b/filters/sophos/sophos_central.conf @@ -0,0 +1,21 @@ +filter { + +# Sophos_Central version 1.0.0 + + json { + source => "message" + } + + if ([dataType] == "sophos-central") { + + mutate { + rename => { "[logx][sophos_central][source_info][ip]" => "[logx][sophos_central][source_ip]"} + rename => { "[logx][sophos_central][when]" => "[logx][sophos_central][timestamp_occurred_at]"} + rename => { "[logx][sophos_central][created_at]" => "[logx][sophos_central][timestamp_generated_at]"} + } + + mutate { + remove_field => ["headers", "@version", "global", "[logx][sophos_central][core_remedy_items][totalItems]"] + } + } +} \ No newline at end of file From 30dc1158765f9dd7cc27248426de43890369b329 Mon Sep 17 00:00:00 2001 From: JocLRojas Date: Fri, 16 May 2025 14:06:49 -0400 Subject: [PATCH 44/56] Refactor AWS filter (v2.0.0) to use JSON instead of Grok. --- filters/aws/aws.conf | 86 +++++++++++++++----------------------------- 1 file changed, 29 insertions(+), 57 deletions(-) diff --git a/filters/aws/aws.conf b/filters/aws/aws.conf index 2c4520970..7efc4cac6 100644 
--- a/filters/aws/aws.conf
+++ b/filters/aws/aws.conf
@@ -1,68 +1,40 @@ filter { - if ([logx][type] and [logx][type] == "aws") { + +# Amazon Web Service version 2.0.0 + + json { + source => "message" + target => "parsed_message" + } + + if ([parsed_message][logx][type] == "aws") { mutate { add_field => { "dataType" => "aws" - } - add_field => { - "dataSource" => "aws" + "dataSource" => "%{[parsed_message][logx][tenant]}" } } - if [logx][aws][message] { - - grok { - match => {"[logx][aws][message]" => "%{GREEDYDATA:b} %{IP:src_ip} %{IP:dest_ip} %{BASE10NUM:src_port} %{BASE10NUM:dest_port} %{GREEDYDATA:a} %{GREEDYDATA:c} %{WORD:action} %{GREEDYDATA:message_text}"} - } - - if [message_text] { - mutate { - rename => { - "message_text" => "[logx][aws][details][message_text]" - } - } - } - if [action] { - mutate { - rename => { - "action" => "[logx][aws][details][action]" - } - } - } - if [src_port] { - mutate { - rename => { - "src_port" => "[logx][aws][details][src_port]" - } - } - } - if [dest_ip] { - mutate { - rename => { - "dest_ip" => "[logx][aws][details][dest_ip]" - } - } - } - if [src_ip] { - mutate { - rename => { - "src_ip" => "[logx][aws][details][src_ip]" - } - } - } - if [dest_port] { - mutate { - rename => { - "dest_port" => "[logx][aws][details][dest_port]" - } - } - } - - } - + json { + source => "[parsed_message][logx][aws][message]" + target => "[logx][aws]" + } mutate { - remove_field => ["headers", "[logx][type]", "@version", "global", "es_metadata_id","a","b","c"] + rename => { "[logx][aws][eventVersion]" => "[logx][aws][eventVersion]"} + rename => { "[logx][aws][userIdentity][accountId]" => "[logx][aws][accountId]"} + rename => { "[logx][aws][userIdentity][sessionContext][attributes][creationDate]" => "[logx][aws][creationDate]"} + rename => { "[logx][aws][userIdentity][sessionContext][sessionIssuer][accountId]" => "[logx][aws][sessionIssuerAccountId]"} + rename => { "[logx][aws][userIdentity][sessionContext][sessionIssuer][arn]" => "[logx][aws][sessionIssuerArn]"} + rename => { 
"[logx][aws][userIdentity][sessionContext][sessionIssuer][principalId]" => "[logx][aws][sessionIssuerPrincipalId]"} + rename => { "[logx][aws][userIdentity][sessionContext][sessionIssuer][type]" => "[logx][aws][sessionIssuerType]"} + rename => { "[logx][aws][additionalEventData][SignatureVersion]" => "[logx][aws][SignatureVersion]"} + rename => { "[logx][aws][additionalEventData][x-amz-id-2]" => "[logx][aws][xamzId2]"} + rename => { "[logx][aws][responseElements][x-amz-expiration]" => "[logx][aws][xAmzExpiration]"} + } + + mutate { + remove_field => ["headers", "parsed_message", "@version"] } } -} +} \ No newline at end of file From 1ef1e72a8013f4b3072ee8f0eea30f20d73d5b13 Mon Sep 17 00:00:00 2001 From: JocLRojas Date: Fri, 16 May 2025 14:07:31 -0400 Subject: [PATCH 45/56] Refactor Office 365 filter (v2.0.0) by simplifying the structure. --- filters/office365/o365-all.conf | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/filters/office365/o365-all.conf b/filters/office365/o365-all.conf index 0c96cbc3f..00fe76d22 100644 --- a/filters/office365/o365-all.conf +++ b/filters/office365/o365-all.conf @@ -1,17 +1,19 @@ filter { - if [logx][type] and [logx][type] == "o365" { + +# Office 365 version 2.0.0 + + json { + source => "message" + } + + if ([dataType] == "o365") { + mutate { - add_field => { - "dataType" => "o365" - } - add_field => { - "dataSource" => "o365" - } + rename => {"[logx][tenant]" => "[logx][o365][tenant]"} } mutate { - remove_field => ["headers", "[logx][type]", "@version", "global", "es_metadata_id"] + remove_field => ["headers", "@version", "global"] } - } } \ No newline at end of file From 09ef2644fc3c5a99304597a97f64e58cca4c698a Mon Sep 17 00:00:00 2001 
From: Manuel Abascal Date: Fri, 16 May 2025 17:52:16 -0500 Subject: [PATCH 46/56] fix: corrected typo in compliance status label from "Complaint" to "Compliant" --- .../compliance-reports-view.component.html | 6 +++--- .../compliance-report-detail.component.ts | 2 +- .../compliance-status/compliance-status.component.html | 10 +++++----- .../compliance-status/compliance-status.component.ts | 4 ++-- .../compliance/shared/enums/compliance-status.enum.ts | 4 ++-- 5 files changed, 13 insertions(+), 13 deletions(-) diff --git a/frontend/src/app/compliance/compliance-reports-view/compliance-reports-view.component.html b/frontend/src/app/compliance/compliance-reports-view/compliance-reports-view.component.html index 6eee848a7..712832f7d 100644 --- a/frontend/src/app/compliance/compliance-reports-view/compliance-reports-view.component.html +++ b/frontend/src/app/compliance/compliance-reports-view/compliance-reports-view.component.html @@ -49,8 +49,8 @@
+ [ngClass]="report.configReportStatus === ComplianceStatus.COMPLIANT ? 'border-left-success' : 'border-left-danger'" + [ngStyle]="report.configReportStatus === ComplianceStatus.COMPLIANT ? {'border-left': '5px solid green !important;'} : {'border-left': '5px solid red !important;'}">
@@ -110,7 +110,7 @@
-
diff --git a/frontend/src/app/compliance/compliance-reports-view/components/compliance-report-detail/compliance-report-detail.component.ts b/frontend/src/app/compliance/compliance-reports-view/components/compliance-report-detail/compliance-report-detail.component.ts index bed596c22..219a2639a 100644 --- a/frontend/src/app/compliance/compliance-reports-view/components/compliance-report-detail/compliance-report-detail.component.ts +++ b/frontend/src/app/compliance/compliance-reports-view/components/compliance-report-detail/compliance-report-detail.component.ts @@ -133,7 +133,7 @@ export class ComplianceReportDetailComponent implements OnInit { } isComplaint() { - return this.report.configReportStatus === ComplianceStatusEnum.COMPLAINT + return this.report.configReportStatus === ComplianceStatusEnum.COMPLIANT || (this.report.configReportNote && this.report.configReportNote !== ''); } } diff --git a/frontend/src/app/compliance/compliance-reports-view/components/compliance-status/compliance-status.component.html b/frontend/src/app/compliance/compliance-reports-view/components/compliance-status/compliance-status.component.html index 970bba41a..2e01eb912 100644 --- a/frontend/src/app/compliance/compliance-reports-view/components/compliance-status/compliance-status.component.html +++ b/frontend/src/app/compliance/compliance-reports-view/components/compliance-status/compliance-status.component.html @@ -1,6 +1,6 @@
- {{ isComplaint() ? 'Compliant' : 'Non compliant' }} @@ -10,7 +10,7 @@ @@ -27,11 +27,11 @@ class="menu menu-sub menu-sub-dropdown menu-column menu-rounded menu-gray-600 menu-state-bg-light-primary fw-semibold font-size-sm py-2 px-3" ngbDropdownMenu>
diff --git a/frontend/src/app/compliance/compliance-reports-view/components/compliance-status/compliance-status.component.ts b/frontend/src/app/compliance/compliance-reports-view/components/compliance-status/compliance-status.component.ts index d783a9b85..11e288269 100644 --- a/frontend/src/app/compliance/compliance-reports-view/components/compliance-status/compliance-status.component.ts +++ b/frontend/src/app/compliance/compliance-reports-view/components/compliance-status/compliance-status.component.ts @@ -79,7 +79,7 @@ export class ComplianceStatusComponent implements OnInit { getModalMessage(status: ComplianceStatusEnum) { return !this.isComplaint() - ? `You are about to change the compliance status to Complaint (External Tool). + ? `You are about to change the compliance status to Compliant (External Tool).

Please note that you must provide a detailed note explaining where and how this compliance is being fulfilled using the external tool. @@ -95,7 +95,7 @@ export class ComplianceStatusComponent implements OnInit { } isComplaint() { - return this.report.configReportStatus === ComplianceStatusEnum.COMPLAINT + return this.report.configReportStatus === ComplianceStatusEnum.COMPLIANT || (this.report.configReportNote && this.report.configReportNote !== ''); } } diff --git a/frontend/src/app/compliance/shared/enums/compliance-status.enum.ts b/frontend/src/app/compliance/shared/enums/compliance-status.enum.ts index e49f18776..6b6c8f419 100644 --- a/frontend/src/app/compliance/shared/enums/compliance-status.enum.ts +++ b/frontend/src/app/compliance/shared/enums/compliance-status.enum.ts @@ -1,4 +1,4 @@ export enum ComplianceStatusEnum { - COMPLAINT = 'COMPLAINT', - NON_COMPLAINT = 'NON_COMPLAINT' + COMPLIANT = 'COMPLIANT', + NON_COMPLIANT = 'NON_COMPLIANT' } From de09c5733f473d77e14817ce61132a4df436f026 Mon Sep 17 00:00:00 2001 From: Yorjander Hernandez Vergara Date: Tue, 27 May 2025 04:16:58 -0400 Subject: [PATCH 47/56] send logs from new windows channels in arm agent --- agent/collectors/windows_arm64.go | 166 +++++++++++++++++++----------- 1 file changed, 108 insertions(+), 58 deletions(-) diff --git a/agent/collectors/windows_arm64.go b/agent/collectors/windows_arm64.go index cea5dbda0..2daf715da 100644 --- a/agent/collectors/windows_arm64.go +++ b/agent/collectors/windows_arm64.go @@ -7,12 +7,13 @@ import ( "encoding/json" "encoding/xml" "fmt" - "log" "os" "os/signal" "strconv" "strings" + "sync" "syscall" + "time" "unsafe" "github.com/threatwinds/validations" @@ -74,8 +75,10 @@ type EventSubscription struct { Channel string Query string Errors chan error - Callback func(event *Event) winAPIHandle windows.Handle + + mu sync.Mutex + running bool } const ( 
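Review bot: `COMPLAINT = 'COMPLAINT'` → `COMPLIANT = 'COMPLIANT'` changes the enum's runtime string, not just a label, and `configReportStatus` is compared against that string in both `isComplaint()` bodies; this commit touches only frontend files, so unless the backend already stores and returns `COMPLIANT`, every report will now evaluate as non-compliant and any status update that sends the enum value will post a string the API may not accept. If the stored value has to stay `COMPLAINT` for now, keep the label fixes but the value as it was, `COMPLIANT = 'COMPLAINT',` with a comment naming the backend constant it mirrors, and change both together later. The method is still called `isComplaint()` in both components, which now reads as the typo the commit set out to fix; `isCompliant()` with the same body would finish the rename. `getModalMessage` starts outside this hunk.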
@@ -90,9 +93,13 @@ var ( procEvtSubscribe = modwevtapi.NewProc("EvtSubscribe") procEvtRender = modwevtapi.NewProc("EvtRender") procEvtClose = modwevtapi.NewProc("EvtClose") + incomingEvents = make(chan string, 1024) ) func (evtSub *EventSubscription) Create() error { + evtSub.mu.Lock() + defer evtSub.mu.Unlock() + if evtSub.winAPIHandle != 0 { return fmt.Errorf("windows_events: subscription has already been created") } @@ -109,8 +116,6 @@ func (evtSub *EventSubscription) Create() error { callback := syscall.NewCallback(evtSub.winAPICallback) - log.Printf("Debug - Subscribing to channel: %s", evtSub.Channel) - handle, _, err := procEvtSubscribe.Call( 0, 0, @@ -131,8 +136,11 @@ func (evtSub *EventSubscription) Create() error { } func (evtSub *EventSubscription) Close() error { + evtSub.mu.Lock() + defer evtSub.mu.Unlock() + if evtSub.winAPIHandle == 0 { - return fmt.Errorf("windows_events: no active subscription to close") + return nil } ret, _, err := procEvtClose.Call(uintptr(evtSub.winAPIHandle)) if ret == 0 { 
@@ -145,47 +153,101 @@ func (evtSub *EventSubscription) Close() error { func (evtSub *EventSubscription) winAPICallback(action, userContext, event uintptr) uintptr { switch action { case evtSubscribeActionError: - evtSub.Errors <- fmt.Errorf("windows_events: error in callback, code: %x", uint16(event)) - case evtSubscribeActionDeliver: - bufferSize := uint32(4096) - for { - renderSpace := make([]uint16, bufferSize/2) - bufferUsed := uint32(0) - propertyCount := uint32(0) - ret, _, err := procEvtRender.Call( - 0, - event, - evtRenderEventXML, - uintptr(bufferSize), - uintptr(unsafe.Pointer(&renderSpace[0])), - uintptr(unsafe.Pointer(&bufferUsed)), - uintptr(unsafe.Pointer(&propertyCount)), - ) - if ret == 0 { - if err == windows.ERROR_INSUFFICIENT_BUFFER { - bufferSize *= 2 - continue + err := fmt.Errorf("windows_events: error in callback, code: %x", uint16(event)) + evtSub.Errors <- err + + go func(channel string) { + utils.Logger.LogF(100, "Attempting to resubscribe to channel: %s after error: %v", channel, err) + evtSub.mu.Lock() + defer evtSub.mu.Unlock() + + _ = evtSub.Close() + + for { + time.Sleep(5 * time.Second) + if err := evtSub.Create(); err != nil { + utils.Logger.ErrorF("Retry failed for channel %s: %s", channel, err) + } else { + utils.Logger.LogF(100, "Resubscribed to channel: %s", channel) + break } - evtSub.Errors <- fmt.Errorf("windows_events: failed to render event: %w", err) - return 0 - } - xmlStr := windows.UTF16ToString(renderSpace) - xmlStr = cleanXML(xmlStr) - - dataParsed := new(Event) - if err := xml.Unmarshal([]byte(xmlStr), dataParsed); err != nil { - evtSub.Errors <- fmt.Errorf("windows_events: failed to parse XML: %s", err) - } else { - evtSub.Callback(dataParsed) } + }(evtSub.Channel) + + case evtSubscribeActionDeliver: + utils.Logger.LogF(100, "Received event from channel: %s", evtSub.Channel) + xmlStr, err := quickRenderXML(event) + if err != nil { + evtSub.Errors <- fmt.Errorf("render in callback: %v", err) break } + select { + 
case incomingEvents <- xmlStr: + default: + utils.Logger.ErrorF("incomingEvents lleno: evento descartado") + } default: evtSub.Errors <- fmt.Errorf("windows_events: unsupported action in callback: %x", uint16(action)) } return 0 } +func eventWorker() { + for xmlStr := range incomingEvents { + ev := new(Event) + if err := xml.Unmarshal([]byte(xmlStr), ev); err != nil { + utils.Logger.ErrorF("unmarshal error: %v", err) + continue + } + + eventJSON, err := convertEventToJSON(ev) + if err != nil { + utils.Logger.ErrorF("toJSON error: %v", err) + continue + } + + validatedLog, _, err := validations.ValidateString(eventJSON, false) + if err != nil { + utils.Logger.LogF(100, "validation error: %s: %v", eventJSON, err) + continue + } + + select { + case logservice.LogQueue <- logservice.LogPipe{ + Src: string(config.DataTypeWindowsAgent), + Logs: []string{validatedLog}, + }: + default: + utils.Logger.LogF(100, "LogQueue full: event discarded") + } + } +} + +func quickRenderXML(h uintptr) (string, error) { + bufSize := uint32(4096) + for { + space := make([]uint16, bufSize/2) + used := uint32(0) + prop := uint32(0) + + ret, _, err := procEvtRender.Call( + 0, h, evtRenderEventXML, + uintptr(bufSize), + uintptr(unsafe.Pointer(&space[0])), + uintptr(unsafe.Pointer(&used)), + uintptr(unsafe.Pointer(&prop)), + ) + if ret == 0 { + if err == windows.ERROR_INSUFFICIENT_BUFFER { + bufSize *= 2 + continue + } + return "", err + } + return cleanXML(windows.UTF16ToString(space)), nil + } +} + func cleanXML(xmlStr string) string { xmlStr = strings.TrimSpace(xmlStr) if idx := strings.Index(xmlStr, " 0 { 
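Review bot: The resubscribe goroutine in the evtSubscribeActionError branch deadlocks: it takes `evtSub.mu` and then calls `evtSub.Close()` and `evtSub.Create()`, both of which lock the same non-reentrant `sync.Mutex`, so the goroutine blocks on itself, the channel is never resubscribed, and any later `sub.Close()` from the shutdown path hangs on the held lock. Remove the `evtSub.mu.Lock()` / `defer evtSub.mu.Unlock()` pair from the goroutine; Create and Close already serialise on the mutex. Separately, every retry that reaches Create calls `syscall.NewCallback` again (context line in the @@ -109 hunk), and Go documents that callbacks are never released and only a limited number can be created per process, so a flapping channel will eventually exhaust them; create the callback once per subscription and reuse it. The new log text `incomingEvents lleno: evento descartado` is in Spanish while the rest of the file logs in English, e.g. `incomingEvents full: event discarded`. `evtSub.Errors <- err` on the error branch blocks the Windows callback thread once the 10-slot errorsChan fills unless something drains it, which is outside this hunk.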
@@ -210,36 +272,23 @@ func getCollectorsInstances() []Collector { func (w Windows) SendLogs() { errorsChan := make(chan error, 10) + go eventWorker() - callback := func(event *Event) { - eventJSON, err := convertEventToJSON(event) - if err != nil { - utils.Logger.ErrorF("error converting event to JSON: %v", err) - return - } - validatedLog, _, err := validations.ValidateString(eventJSON, false) - if err != nil { - utils.Logger.LogF(100, "error validating log: %s: %v", eventJSON, err) - return - } - logservice.LogQueue <- logservice.LogPipe{ - Src: string(config.DataTypeWindowsAgent), - Logs: []string{validatedLog}, - } + channels := []string{ + "Security", "Application", "System", "Microsoft-Windows-Sysmon/Operational", "Windows Powershell", + "Microsoft-Windows-Powershell/Operational", "ForwardedEvents", "Microsoft-Windows-WinLogon/Operational", + "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall", "Microsoft-Windows-Windows Defender/Operational", } - - channels := []string{"Security", "Application", "System"} var subscriptions []*EventSubscription for _, channel := range channels { sub := &EventSubscription{ - Channel: channel, - Query: "*", - Errors: errorsChan, - Callback: callback, + Channel: channel, + Query: "*", + Errors: errorsChan, } if err := sub.Create(); err != nil { - utils.Logger.ErrorF("Error subscribing to channel %s: %s", channel, err) + utils.Logger.LogF(100, "Error subscribing to channel %s: %s", channel, err) continue } subscriptions = append(subscriptions, sub) @@ -255,6 +304,7 @@ func (w Windows) SendLogs() { exitChan := make(chan os.Signal, 1) signal.Notify(exitChan, os.Interrupt) <-exitChan + close(incomingEvents) utils.Logger.LogF(100, "Interrupt received, closing subscriptions...") for _, sub := range subscriptions { if err := sub.Close(); err != nil { From 5513508b51603e8e7e2072c6adf0fcfaf4890899 Mon Sep 17 00:00:00 2001 
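Review bot: Subscription failures are downgraded from `utils.Logger.ErrorF` to `utils.Logger.LogF(100, ...)` at the same time the channel list grows to include channels that only exist when Sysmon, Defender or event forwarding is present, so a failure to subscribe to Security, Application or System (typically a permissions problem) is now buried at the same low level as an expected missing optional channel. Keep the error level for the core channels and only soften it for the optional ones, or log at the end which channels actually attached. The goroutine started by `go eventWorker()` only terminates when `incomingEvents` is closed, which is worth a comment on the `go` line. SendLogs continues beyond this hunk.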
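Review bot: `close(incomingEvents)` runs before the subscriptions are closed, so a delivery callback that fires on the Windows thread in between hits `incomingEvents <- xmlStr` on a closed channel and panics (a send in a `select` still panics when the channel is closed), turning a clean interrupt into a crash. Move the close after the `sub.Close()` loop, or stop the worker through a separate done channel, so no producer can run once the channel is closed. The loop closing subscriptions continues outside the hunk.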
From: Manuel Abascal Date: Tue, 27 May 2025 10:38:19 -0500 Subject: [PATCH 48/56] fix: hide sorting action for assets filters --- .../asset-generic-filter.component.html | 2 +- .../asset-generic-filter/asset-generic-filter.component.ts | 6 ++++++ frontend/src/environments/environment.ts | 4 ++-- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/frontend/src/app/assets-discover/shared/components/filters/asset-generic-filter/asset-generic-filter.component.html b/frontend/src/app/assets-discover/shared/components/filters/asset-generic-filter/asset-generic-filter.component.html index 926e6be19..f3a86c6c7 100644 --- a/frontend/src/app/assets-discover/shared/components/filters/asset-generic-filter/asset-generic-filter.component.html +++ b/frontend/src/app/assets-discover/shared/components/filters/asset-generic-filter/asset-generic-filter.component.html @@ -3,7 +3,7 @@ {{fieldFilter.label ? fieldFilter.label : fieldFilter.field}} - +
Date: Tue, 27 May 2025 14:30:08 -0500 Subject: [PATCH 49/56] fix: improve CSV export limit parameters --- .../shared/components/save-report/save-report.component.html | 2 +- .../shared/components/save-report/save-report.component.ts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/frontend/src/app/data-management/alert-management/alert-reports/shared/components/save-report/save-report.component.html b/frontend/src/app/data-management/alert-management/alert-reports/shared/components/save-report/save-report.component.html index 649007e50..a54ae7a97 100644 --- a/frontend/src/app/data-management/alert-management/alert-reports/shared/components/save-report/save-report.component.html +++ b/frontend/src/app/data-management/alert-management/alert-reports/shared/components/save-report/save-report.component.html @@ -23,7 +23,7 @@
diff --git a/frontend/src/app/data-management/alert-management/alert-reports/shared/components/save-report/save-report.component.ts b/frontend/src/app/data-management/alert-management/alert-reports/shared/components/save-report/save-report.component.ts index 248956dbb..33c2be55e 100644 --- a/frontend/src/app/data-management/alert-management/alert-reports/shared/components/save-report/save-report.component.ts +++ b/frontend/src/app/data-management/alert-management/alert-reports/shared/components/save-report/save-report.component.ts @@ -76,7 +76,7 @@ export class SaveAlertReportComponent implements OnInit { columns: this.fields, indexPattern: ALERT_INDEX_PATTERN, filters: this.filters, - top: LOG_ANALYZER_TOTAL_ITEMS + top: this.limit }; this.elasticDataExportService.exportCsv(params, 'UTM ALERTS').then(() => { this.generateReport = false; From 965735efc0135987b688d38d4fa417aac459fc45 Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Tue, 27 May 2025 15:04:05 -0500 Subject: [PATCH 50/56] fix: correct uninstalling command for macOs agent --- .../guides/guide-macos-agent/guide-macos-agent.component.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/frontend/src/app/app-module/guides/guide-macos-agent/guide-macos-agent.component.ts b/frontend/src/app/app-module/guides/guide-macos-agent/guide-macos-agent.component.ts index e0f2d911e..d9e1b22c8 100644 --- a/frontend/src/app/app-module/guides/guide-macos-agent/guide-macos-agent.component.ts +++ b/frontend/src/app/app-module/guides/guide-macos-agent/guide-macos-agent.component.ts 
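Review bot: `top: this.limit` replaces a fixed cap with a value that appears to come from the form (the HTML side of this commit is not rendered here), and nothing in the hunk checks that it is a positive integer or bounds it, so an empty, zero, negative or huge value goes straight into the export request. Guard it before building `params`, e.g. `const top = Number.isInteger(this.limit) && this.limit > 0 ? this.limit : LOG_ANALYZER_TOTAL_ITEMS;`, and keep the real maximum enforced on the server side that executes the export. If this was the only use of `LOG_ANALYZER_TOTAL_ITEMS`, its import is now unused.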
@@ -48,7 +48,7 @@ export class GuideMacosAgentComponent implements OnInit { getUninstallCommand(installerName: string): string { // tslint:disable-next-line:max-line-length - return `sudo bash -c "/opt/utmstack/${installerName} uninstall; launchctl bootout system /Library/LaunchDaemons/UTMStackAgent.plist 2>/dev/null; rm /Library/LaunchDaemons/UTMStackAgent.plist; rm -rf /opt/utmstack"`; + return `sudo bash -c "/opt/utmstack/${installerName}; launchctl bootout system /Library/LaunchDaemons/UTMStackAgent.plist 2>/dev/null; rm /Library/LaunchDaemons/UTMStackAgent.plist; rm -rf /opt/utmstack"`; } @@ -57,7 +57,7 @@ export class GuideMacosAgentComponent implements OnInit { { id: 1, name: 'ARM64', install: this.getCommandARM('utmstack_agent_service install'), - uninstall: this.getUninstallCommand('utmstack_agent_service install'), + uninstall: this.getUninstallCommand('utmstack_agent_service uninstall'), shell: '' }, ]; From 243141854870b06aa79b6915b6fe599923d84054 Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Wed, 28 May 2025 09:22:50 -0500 Subject: [PATCH 51/56] feat: add Windows ARM64 support to agent installation platforms --- .../components/agent-install-selector.component.ts | 1 - .../guides/shared/components/log-collector.component.ts | 9 +++++++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/frontend/src/app/app-module/guides/shared/components/agent-install-selector.component.ts b/frontend/src/app/app-module/guides/shared/components/agent-install-selector.component.ts index 6954ce64c..389dc5797 100644 --- a/frontend/src/app/app-module/guides/shared/components/agent-install-selector.component.ts +++ b/frontend/src/app/app-module/guides/shared/components/agent-install-selector.component.ts @@ -97,7 +97,6 @@ export class AgentInstallSelectorComponent { } onChangeAction(action: any) { - console.log(action); if (this.selectedPlatform && action.name === 'UNINSTALL') { this.openModal(); } 
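Review bot: `getUninstallCommand(installerName)` now interpolates the whole `'utmstack_agent_service uninstall'` string, so the parameter name no longer describes its value and the `uninstall` action lives in the caller (the @@ -57 hunk) rather than in the function that builds the uninstall command. Rename or split the parameter, e.g. `getUninstallCommand(serviceName: string, action = 'uninstall')` producing `/opt/utmstack/${serviceName} ${action}`, so a caller cannot pass the install action here again. The value is interpolated into a double-quoted `bash -c` string, which is fine while it is a compile-time constant but deserves a comment so nobody later feeds user input into it.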
diff --git a/frontend/src/app/app-module/guides/shared/components/log-collector.component.ts b/frontend/src/app/app-module/guides/shared/components/log-collector.component.ts index 54c2c50d8..2294c1a47 100644 --- a/frontend/src/app/app-module/guides/shared/components/log-collector.component.ts +++ b/frontend/src/app/app-module/guides/shared/components/log-collector.component.ts @@ -61,12 +61,17 @@ export class LogCollectorComponent { platforms = [ { - id: 1, name: 'WINDOWS', + id: 1, name: 'WINDOWS (ARM64)', + command: 'Start-Process "C:\\Program Files\\UTMStack\\UTMStack Agent\\utmstack_agent_service_arm64.exe" -ArgumentList \'ACTION\', \'AGENTNAME\', \'PORT\' -NoNewWindow -Wait\n', + shell: 'Windows Powershell terminal as “ADMINISTRATOR”' + }, + { + id: 2, name: 'WINDOWS (AMD64)', command: 'Start-Process "C:\\Program Files\\UTMStack\\UTMStack Agent\\utmstack_agent_service.exe" -ArgumentList \'ACTION\', \'AGENTNAME\', \'PORT\' -NoNewWindow -Wait\n', shell: 'Windows Powershell terminal as “ADMINISTRATOR”' }, { - id: 2, + id: 3, name: 'LINUX', command: 'sudo bash -c "/opt/utmstack-linux-agent/utmstack_agent_service ACTION AGENTNAME PORT"', shell: 'Linux bash terminal' } From 125560cfb89c6364ba8dcecd60a5363dcfe01fc3 Mon Sep 17 00:00:00 2001 From: Yorjander Hernandez Vergara Date: Thu, 29 May 2025 04:07:44 -0400 Subject: [PATCH 52/56] set correct api url environment --- frontend/src/environments/environment.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/frontend/src/environments/environment.ts b/frontend/src/environments/environment.ts index c14489291..586cb5a3b 100644 --- a/frontend/src/environments/environment.ts +++ b/frontend/src/environments/environment.ts 
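Review bot: Inserting the ARM64 entry as `id: 1` renumbers the existing platforms (AMD64 becomes 2, LINUX becomes 3); if anything persists a selected platform id or keys behaviour on it (for instance treating id 2 as Linux), it now resolves to the AMD64 entry — the rest of the component is outside this hunk, so this is worth checking. Appending the new entry with a fresh id, or keying on `name` instead of the number, avoids the shift. The two Windows entries also duplicate the `shell` string; a shared constant would keep them in step.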
@@ -4,8 +4,8 @@ export const environment = { production: false, - SERVER_API_URL: 'https://192.168.1.18/', - //SERVER_API_URL: 'http://localhost:8080/', + // SERVER_API_URL: 'https://192.168.1.18/', + SERVER_API_URL: 'http://localhost:8080/', SERVER_API_CONTEXT: '', SESSION_AUTH_TOKEN: window.location.host.split(':')[0].toLocaleUpperCase(), WEBSOCKET_URL: '//localhost:8080', From 2cca1e3492bb8f1f5dd1d199bfe55b8a28cc7cf5 Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Tue, 27 May 2025 14:08:27 -0500 Subject: [PATCH 53/56] fix: update filter for winevent log agent --- .../20250527001_update_filter_wineventlog.xml | 2839 +++++++++++++++++ .../resources/config/liquibase/master.xml | 2 + 2 files changed, 2841 insertions(+) create mode 100644 backend/src/main/resources/config/liquibase/changelog/20250527001_update_filter_wineventlog.xml diff --git a/backend/src/main/resources/config/liquibase/changelog/20250527001_update_filter_wineventlog.xml b/backend/src/main/resources/config/liquibase/changelog/20250527001_update_filter_wineventlog.xml new file mode 100644 index 000000000..5f53f66c8 --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20250527001_update_filter_wineventlog.xml 
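Review bot: The hunk only swaps which `SERVER_API_URL` line is commented out, leaving a developer's LAN address in the tracked file; the diffstat of PATCH 48 shows this file flipping in the other direction, so the setting is being used as a per-developer override inside version control. Remove the commented address and keep local overrides in an untracked environment file (Angular's `fileReplacements` supports this), so a build never accidentally points at someone's workstation.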
@@ -0,0 +1,2839 @@ + + + + + + + "message" + terminator => "" + } + json { + source => "message" + } + + if [channel] { + mutate { + add_field => { "dataType" => "wineventlog" } + + rename => { + "channel" => "[logx][wineventlog][channel]" + "computer" => "dataSource" + "correlation" => "[logx][wineventlog][correlation]" + "data" => "[logx][wineventlog][event_data]" + "eventCode" => "[logx][wineventlog][event_id]" + "execution" => "[logx][wineventlog][execution]" + "keywords" => "[logx][wineventlog][keywords]" + "level" => "[logx][wineventlog][level]" + "opcode" => "[logx][wineventlog][opcode]" + "providerGuid" => "[logx][wineventlog][provider_guid]" + "providerName" => "[logx][wineventlog][provider_name]" + "recordId" => "[logx][wineventlog][record_id]" + "task" => "[logx][wineventlog][task]" + "timeCreated" => "[logx][wineventlog][time_created]" + "timestamp" => "[logx][wineventlog][timestamp]" + "version" => "[logx][wineventlog][version]" + } + } + + mutate { convert => { "[logx][wineventlog][event_id]" => "integer" }} + } + + if ([winlog][api] and [winlog][api] == "wineventlog") or ([type] and [type] == "wineventlog") { + + mutate { + add_field => { "dataType" => "wineventlog" } + + add_field => {"[global][type]" => "logx"} + remove_field => ["fileset"] + remove_field => ["fields"] + } + + #If winlogbeat is of old version + if [type] and [type] == "wineventlog"{ + mutate { + rename => { "[beat][name]" => "[dataSource]" } + rename => {"[type]" => "[logx][type]"} + + rename => {"[activity_id]" => "[logx][wineventlog][activity_id]"} + rename => {"[beat]" => "[logx][wineventlog][beat]"} + rename => {"[event_data]" => "[logx][wineventlog][event_data]"} + rename => {"[event_id]" => "[logx][wineventlog][event_id]"} + rename => {"[keywords]" => "[logx][wineventlog][keywords]"} + rename => {"[level]" => "[logx][wineventlog][level]"} + rename => {"[log]" => "[logx][wineventlog][log]"} + rename => {"[log_name]" => "[logx][wineventlog][log_name]"} + rename => {"[opcode]" 
=> "[logx][wineventlog][opcode]"} + rename => {"[process_id]" => "[logx][wineventlog][process_id]"} + rename => {"[provider_guid]" => "[logx][wineventlog][provider_guid]"} + rename => {"[record_number]" => "[logx][wineventlog][record_number]"} + rename => {"[source_name]" => "[logx][wineventlog][source_name]"} + rename => {"[task]" => "[logx][wineventlog][task]"} + rename => {"[thread_id]" => "[logx][wineventlog][thread_id]"} + rename => {"[user]" => "[logx][wineventlog][user]"} + rename => {"[user_data]" => "[logx][wineventlog][user_data]"} + rename => {"[version]" => "[logx][wineventlog][version]"} + + rename => {"[meta]" => "[logx][wineventlog][meta]"} + rename => {"[docker]" => "[logx][wineventlog][docker]"} + rename => {"[related_activity_id]" => "[logx][wineventlog][related_activity_id]"} + } + } + + #If winlogbeat is of version 8.5.1 + if [winlog][api] and [winlog][api] == "wineventlog"{ + mutate { + rename => { "[host][hostname]" => "[dataSource]" } + rename => {"[winlog][api]" => "[logx][type]"} + + rename => {"[winlog][activity_id]" => "[logx][wineventlog][activity_id]"} + rename => {"[event][timezone]" => "[logx][wineventlog][beat][timezone]"} + rename => {"[agent][name]" => "[logx][wineventlog][beat][hostname]"} + rename => {"[agent][version]" => "[logx][wineventlog][beat][version]"} + rename => {"[event][original]" => "[xml]"} + rename => {"[winlog][event_data]" => "[logx][wineventlog][event_data]"} + rename => {"[winlog][event_id]" => "[logx][wineventlog][event_id]"} + rename => {"[winlog][keywords]" => "[logx][wineventlog][keywords]"} + rename => {"[log][level]" => "[logx][wineventlog][level]"} + rename => {"[winlog][channel]" => "[logx][wineventlog][log_name]"} + rename => {"[winlog][opcode]" => "[logx][wineventlog][opcode]"} + rename => {"[winlog][process][pid]" => "[logx][wineventlog][process_id]"} + rename => {"[winlog][provider_guid]" => "[logx][wineventlog][provider_guid]"} + rename => {"[winlog][record_id]" => 
"[logx][wineventlog][record_number]"} + rename => {"[winlog][provider_name]" => "[logx][wineventlog][source_name]"} + rename => {"[winlog][task]" => "[logx][wineventlog][task]"} + rename => {"[winlog][process][thread][id]" => "[logx][wineventlog][thread_id]"} + rename => {"[winlog][user]" => "[logx][wineventlog][user]"} + rename => {"[winlog][user_data]" => "[logx][wineventlog][user_data]"} + rename => {"[winlog][version]" => "[logx][wineventlog][version]"} + + rename => {"[cloud]" => "[logx][wineventlog][meta][cloud]"} + rename => {"[container]" => "[logx][wineventlog][docker][container]"} + rename => {"[winlog][computer_name]" => "[computer_name]"} + rename => {"[winlog][related_activity_id]" => "[logx][wineventlog][related_activity_id]"} + rename => {"[ecs]" => "[logx][wineventlog][ecs]"} + rename => {"[winlog][computerObject]" => "[logx][wineventlog][computerObject]"} + rename => {"[winlog][time_created]" => "[logx][wineventlog][time_created]"} + rename => {"[winlog][trustAttribute]" => "[logx][wineventlog][trustAttribute]"} + rename => {"[winlog][trustDirection]" => "[logx][wineventlog][trustDirection]"} + rename => {"[winlog][trustType]" => "[logx][wineventlog][trustType]"} + } + + mutate { convert => { "[logx][wineventlog][event_id]" => "integer" }} + } + + mutate { + rename => {"[clienthost]" => "[logx][wineventlog][clienthost]"} + rename => {"[geoip]" => "[logx][wineventlog][geoip]"} + rename => {"[host]" => "[logx][wineventlog][host]"} + rename => {"[input]" => "[logx][wineventlog][input]"} + rename => {"[log_timestamp]" => "[logx][wineventlog][log_timestamp]"} + rename => {"[message]" => "[logx][wineventlog][message]"} + rename => {"[method]" => "[logx][wineventlog][method]"} + rename => {"[offset]" => "[logx][wineventlog][offset]"} + rename => {"[page]" => "[logx][wineventlog][page]"} + rename => {"[port]" => "[logx][wineventlog][port]"} + rename => {"[prospector]" => "[logx][wineventlog][prospector]"} + rename => {"[querystring]" => 
"[logx][wineventlog][querystring]"} + rename => {"[referer]" => "[logx][wineventlog][referer]"} + rename => {"[response]" => "[logx][wineventlog][response]"} + rename => {"[scstatus]" => "[logx][wineventlog][scstatus]"} + rename => {"[site]" => "[logx][wineventlog][site]"} + rename => {"[source]" => "[logx][wineventlog][source]"} + rename => {"[subresponse]" => "[logx][wineventlog][subresponse]"} + rename => {"[tags]" => "[logx][wineventlog][tags]"} + rename => {"[timetaken]" => "[logx][wineventlog][timetaken]"} + rename => {"[user_agent]" => "[logx][wineventlog][useragent]"} + rename => {"[username]" => "[logx][wineventlog][username]"} + rename => {"[error]" => "[logx][wineventlog][error]"} + rename => {"[timeseries]" => "[logx][wineventlog][timeseries]"} + rename => {"[event]" => "[logx][wineventlog][event]"} + rename => {"[agent]" => "[logx][wineventlog][agent]"} + rename => {"[as]" => "[logx][wineventlog][as]"} + rename => {"[client]" => "[logx][wineventlog][client]"} + rename => {"[code_signature]" => "[logx][wineventlog][code_signature]"} + rename => {"[data_stream]" => "[logx][wineventlog][data_stream]"} + rename => {"[destination]" => "[logx][wineventlog][destination]"} + rename => {"[dll]" => "[logx][wineventlog][dll]"} + rename => {"[dns]" => "[logx][wineventlog][dns]"} + rename => {"[els]" => "[logx][wineventlog][els]"} + rename => {"[faas]" => "[logx][wineventlog][faas]"} + rename => {"[file]" => "[logx][wineventlog][file]"} + rename => {"[geo]" => "[logx][wineventlog][geo]"} + rename => {"[group]" => "[logx][wineventlog][group]"} + rename => {"[http]" => "[logx][wineventlog][http]"} + rename => {"[interface]" => "[logx][wineventlog][interface]"} + rename => {"[network]" => "[logx][wineventlog][network]"} + rename => {"[observer]" => "[logx][wineventlog][observer]"} + rename => {"[orchestrator]" => "[logx][wineventlog][orchestrator]"} + rename => {"[os]" => "[logx][wineventlog][os]"} + rename => {"[package]" => "[logx][wineventlog][package]"} + rename 
=> {"[pe]" => "[logx][wineventlog][pe]"} + rename => {"[registry]" => "[logx][wineventlog][registry]"} + rename => {"[related]" => "[logx][wineventlog][related]"} + rename => {"[rule]" => "[logx][wineventlog][rule]"} + rename => {"[server]" => "[logx][wineventlog][server]"} + rename => {"[service]" => "[logx][wineventlog][service]"} + rename => {"[threat]" => "[logx][wineventlog][threat]"} + rename => {"[tls]" => "[logx][wineventlog][tls]"} + rename => {"[url]" => "[logx][wineventlog][url]"} + rename => {"[vlan]" => "[logx][wineventlog][vlan]"} + rename => {"[vulnerability]" => "[logx][wineventlog][vulnerability]"} + rename => {"[x509]" => "[logx][wineventlog][x509]"} + rename => {"[process]" => "[logx][wineventlog][process]"} + rename => {"[powershell]" => "[logx][wineventlog][powershell]"} + } + + mutate { + remove_field => ["winlog"] + remove_field => ["log"] + } + + if [logx][wineventlog][event_id] { + if [logx][wineventlog][event_id] == 1100 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The event logging service has shut down"} + } + } + else if [logx][wineventlog][event_id] == 1101 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Audit events have been dropped by the transport."} + } + } + else if [logx][wineventlog][event_id] == 1102 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The audit log was cleared"} + } + } + else if [logx][wineventlog][event_id] == 1104 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The security Log is now full"} + } + } + else if [logx][wineventlog][event_id] == 1105 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Event log automatic backup"} + } + } + else if [logx][wineventlog][event_id] == 1108 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The event logging service encountered an error"} + } + } + else if [logx][wineventlog][event_id] == 4608 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => 
"Windows is starting up"} + } + } + else if [logx][wineventlog][event_id] == 4609 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Windows is shutting down"} + } + } + else if [logx][wineventlog][event_id] == 4610 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An authentication package has been loaded by the Local Security Authority"} + } + } + else if [logx][wineventlog][event_id] == 4611 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A trusted logon process has been registered with the Local Security Authority"} + } + } + else if [logx][wineventlog][event_id] == 4612 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Internal resources allocated for the queuing of audit messages have been exhausted: leading to the loss of some audits."} + } + } + else if [logx][wineventlog][event_id] == 4614 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A notification package has been loaded by the Security Account Manager."} + } + } + else if [logx][wineventlog][event_id] == 4615 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Invalid use of LPC port"} + } + } + else if [logx][wineventlog][event_id] == 4616 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The system time was changed."} + } + } + else if [logx][wineventlog][event_id] == 4618 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A monitored security event pattern has occurred"} + } + } + else if [logx][wineventlog][event_id] == 4621 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Administrator recovered system from CrashOnAuditFail"} + } + } + else if [logx][wineventlog][event_id] == 4622 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A security package has been loaded by the Local Security Authority."} + } + } + else if [logx][wineventlog][event_id] == 4624 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An 
account was successfully logged on"} + } + } + else if [logx][wineventlog][event_id] == 4625 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An account failed to log on"} + } + } + else if [logx][wineventlog][event_id] == 4626 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "User/Device claims information"} + } + } + else if [logx][wineventlog][event_id] == 4627 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Group membership information."} + } + } + else if [logx][wineventlog][event_id] == 4634 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An account was logged off"} + } + } + else if [logx][wineventlog][event_id] == 4646 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "IKE DoS-prevention mode started"} + } + } + else if [logx][wineventlog][event_id] == 4647 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "User initiated logoff"} + } + } + else if [logx][wineventlog][event_id] == 4648 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A logon was attempted using explicit credentials"} + } + } + else if [logx][wineventlog][event_id] == 4649 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A replay attack was detected"} + } + } + else if [logx][wineventlog][event_id] == 4650 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An IPsec Main Mode security association was established"} + } + } + else if [logx][wineventlog][event_id] == 4651 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An IPsec Main Mode security association was established"} + } + } + else if [logx][wineventlog][event_id] == 4652 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An IPsec Main Mode negotiation failed"} + } + } + else if [logx][wineventlog][event_id] == 4653 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An IPsec Main Mode negotiation failed"} + } + } + else if 
[logx][wineventlog][event_id] == 4654 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An IPsec Quick Mode negotiation failed"} + } + } + else if [logx][wineventlog][event_id] == 4655 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An IPsec Main Mode security association ended"} + } + } + else if [logx][wineventlog][event_id] == 4656 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A handle to an object was requested"} + } + } + else if [logx][wineventlog][event_id] == 4657 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A registry value was modified"} + } + } + else if [logx][wineventlog][event_id] == 4658 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The handle to an object was closed"} + } + } + else if [logx][wineventlog][event_id] == 4659 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A handle to an object was requested with intent to delete"} + } + } + else if [logx][wineventlog][event_id] == 4660 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An object was deleted"} + } + } + else if [logx][wineventlog][event_id] == 4661 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A handle to an object was requested"} + } + } + else if [logx][wineventlog][event_id] == 4662 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An operation was performed on an object"} + } + } + else if [logx][wineventlog][event_id] == 4663 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An attempt was made to access an object"} + } + } + else if [logx][wineventlog][event_id] == 4664 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An attempt was made to create a hard link"} + } + } + else if [logx][wineventlog][event_id] == 4665 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An attempt was made to create an application client context."} + } + } + else if 
[logx][wineventlog][event_id] == 4666 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An application attempted an operation"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4667 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An application client context was deleted"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4668 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An application was initialized"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4670 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Permissions on an object were changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4671 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An application attempted to access a blocked ordinal through the TBS"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4672 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Special privileges assigned to new logon"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4673 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A privileged service was called"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4674 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An operation was attempted on a privileged object"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4675 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "SIDs were filtered"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4688 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A new process has been created"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4689 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A process has exited"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4690 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An attempt was made to duplicate a handle to an object"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4691 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Indirect access to an object was requested"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4692 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Backup of data protection master key was attempted"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4693 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Recovery of data protection master key was attempted"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4694 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Protection of auditable protected data was attempted"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4695 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Unprotection of auditable protected data was attempted"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4696 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A primary token was assigned to process"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4697 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A service was installed in the system"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4698 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A scheduled task was created"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4699 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A scheduled task was deleted"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4700 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A scheduled task was enabled"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4701 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A scheduled task was disabled"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4702 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A scheduled task was updated"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4703 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A token right was adjusted"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4704 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A user right was assigned"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4705 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A user right was removed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4706 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A new trust was created to a domain"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4707 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A trust to a domain was removed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4709 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "IPsec Services was started"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4710 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "IPsec Services was disabled"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4711 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine (1%)"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4712 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "IPsec Services encountered a potentially serious failure"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4713 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Kerberos policy was changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4714 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Encrypted data recovery policy was changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4715 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The audit policy (SACL) on an object was changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4716 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Trusted domain information was modified"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4717 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "System security access was granted to an account"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4718 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "System security access was removed from an account"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4719 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "System audit policy was changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4720 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A user account was created"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4722 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A user account was enabled"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4723 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An attempt was made to change an account''s password"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4724 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An attempt was made to reset an accounts password"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4725 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A user account was disabled"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4726 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A user account was deleted"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4727 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A security-enabled global group was created"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4728 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A member was added to a security-enabled global group"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4729 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A member was removed from a security-enabled global group"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4730 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A security-enabled global group was deleted"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4731 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A security-enabled local group was created"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4732 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A member was added to a security-enabled local group"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4733 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A member was removed from a security-enabled local group"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4734 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A security-enabled local group was deleted"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4735 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A security-enabled local group was changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4737 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A security-enabled global group was changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4738 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A user account was changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4739 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Domain Policy was changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4740 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A user account was locked out"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4741 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A computer account was created"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4742 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A computer account was changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4743 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A computer account was deleted"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4744 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A security-disabled local group was created"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4745 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A security-disabled local group was changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4746 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A member was added to a security-disabled local group"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4747 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A member was removed from a security-disabled local group"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4748 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A security-disabled local group was deleted"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4749 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A security-disabled global group was created"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4750 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A security-disabled global group was changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4751 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A member was added to a security-disabled global group"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4752 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A member was removed from a security-disabled global group"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4753 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A security-disabled global group was deleted"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4754 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A security-enabled universal group was created"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4755 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A security-enabled universal group was changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4756 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A member was added to a security-enabled universal group"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4757 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A member was removed from a security-enabled universal group"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4758 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A security-enabled universal group was deleted"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4759 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A security-disabled universal group was created"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4760 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A security-disabled universal group was changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4761 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A member was added to a security-disabled universal group"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4762 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A member was removed from a security-disabled universal group"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4763 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A security-disabled universal group was deleted"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4764 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A groups type was changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4765 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "SID History was added to an account"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4766 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An attempt to add SID History to an account failed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4767 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A user account was unlocked"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4768 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A Kerberos authentication ticket (TGT) was requested"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4769 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A Kerberos service ticket was requested"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4770 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A Kerberos service ticket was renewed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4771 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Kerberos pre-authentication failed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4772 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A Kerberos authentication ticket request failed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4773 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A Kerberos service ticket request failed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4774 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An account was mapped for logon"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4775 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An account could not be mapped for logon"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4776 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The domain controller attempted to validate the credentials for an account"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4777 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The domain controller failed to validate the credentials for an account"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4778 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A session was reconnected to a Window Station"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4779 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A session was disconnected from a Window Station"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4780 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The ACL was set on accounts which are members of administrators groups"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4781 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The name of an account was changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4782 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The password hash an account was accessed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4783 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A basic application group was created"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4784 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A basic application group was changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4785 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A member was added to a basic application group"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4786 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A member was removed from a basic application group"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4787 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A non-member was added to a basic application group"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4788 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A non-member was removed from a basic application group."}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4789 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A basic application group was deleted"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4790 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An LDAP query group was created"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4791 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A basic application group was changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4792 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An LDAP query group was deleted"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4793 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The Password Policy Checking API was called"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4794 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An attempt was made to set the Directory Services Restore Mode administrator password"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4797 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An attempt was made to query the existence of a blank password for an account"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4798 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A user''s local group membership was enumerated."}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4799 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A security-enabled local group membership was enumerated"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4800 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The workstation was locked"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4801 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The workstation was unlocked"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4802 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The screen saver was invoked"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4803 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The screen saver was dismissed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4816 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "RPC detected an integrity violation while decrypting an incoming message"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4817 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Auditing settings on object were changed."}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4818 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4819 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Central Access Policies on the machine have been changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4820 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4821 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A Kerberos service ticket was denied because the user: device: or both does not meet the access control restrictions"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4822 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "NTLM authentication failed because the account was a member of the Protected User group"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4823 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "NTLM authentication failed because access control restrictions are required"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4824 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4825 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A user was denied the access to Remote Desktop. By default: users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4826 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Boot Configuration Data loaded"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4830 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "SID History was removed from an account"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4864 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A namespace collision was detected"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4865 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A trusted forest information entry was added"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4866 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A trusted forest information entry was removed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4867 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A trusted forest information entry was modified"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4868 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The certificate manager denied a pending certificate request"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4869 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services received a resubmitted certificate request"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4870 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services revoked a certificate"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4871 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services received a request to publish the certificate revocation list (CRL)"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4872 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services published the certificate revocation list (CRL)"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4873 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A certificate request extension changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4874 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "One or more certificate request attributes changed."}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4875 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services received a request to shut down"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4876 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services backup started"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4877 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services backup completed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4878 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services restore started"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4879 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services restore completed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4880 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services started"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4881 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services stopped"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4882 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The security permissions for Certificate Services changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4883 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services retrieved an archived key"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4884 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services imported a certificate into its database"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4885 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The audit filter for Certificate Services changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4886 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services received a certificate request"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4887 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services approved a certificate request and issued a certificate"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4888 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services denied a certificate request"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4889 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services set the status of a certificate request to pending"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4890 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The certificate manager settings for Certificate Services changed."}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4891 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A configuration entry changed in Certificate Services"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4892 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A property of Certificate Services changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4893 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services archived a key"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4894 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services imported and archived a key"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4895 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services published the CA certificate to Active Directory Domain Services"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4896 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "One or more rows have been deleted from the certificate database"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4897 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Role separation enabled"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4898 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services loaded a template"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4899 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A Certificate Services template was updated"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4900 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services template security was updated"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4902 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The Per-user audit policy table was created"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4904 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An attempt was made to register a security event source"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4905 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An attempt was made to unregister a security event source"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4906 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The CrashOnAuditFail value has changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4907 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Auditing settings on object were changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4908 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Special Groups Logon table modified"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4909 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The local policy settings for the TBS were changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4910 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The group policy settings for the TBS were changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4911 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Resource attributes of the object were changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4912 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Per User Audit Policy was changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4913 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Central Access Policy on the object was changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4928 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An Active Directory replica source naming context was established"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4929 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An Active Directory replica source naming context was removed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4930 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An Active Directory replica source naming context was modified"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4931 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An Active Directory replica destination naming context was modified"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4932 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Synchronization of a replica of an Active Directory naming context has begun"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4933 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Synchronization of a replica of an Active Directory naming context has ended"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4934 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Attributes of an Active Directory object were replicated"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4935 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Replication failure begins"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4936 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Replication failure ends"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4937 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A lingering object was removed from a replica"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4944 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The following policy was active when the Windows Firewall started"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4945 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A rule was listed when the Windows Firewall started"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4946 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A change has been made to Windows Firewall exception list. A rule was added"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4947 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A change has been made to Windows Firewall exception list. A rule was modified"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4948 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A change has been made to Windows Firewall exception list. A rule was deleted"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4949 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Windows Firewall settings were restored to the default values"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4950 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A Windows Firewall setting has changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4951 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A rule has been ignored because its major version number was not recognized by Windows Firewall"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4952 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4953 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A rule has been ignored by Windows Firewall because it could not parse the rule"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4954 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Windows Firewall Group Policy settings has changed. The new settings have been applied"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4956 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Windows Firewall has changed the active profile"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4957 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Windows Firewall did not apply the following rule"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4958 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4960 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "IPsec dropped an inbound packet that failed an integrity check"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4961 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "IPsec dropped an inbound packet that failed a replay check"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4962 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "IPsec dropped an inbound packet that failed a replay check"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4963 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "IPsec dropped an inbound clear text packet that should have been secured"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4964 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Special groups have been assigned to a new logon"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4965 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI)."}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4976 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "During Main Mode negotiation: IPsec received an invalid negotiation packet."}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4977 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "During Quick Mode negotiation: IPsec received an invalid negotiation packet."}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4978 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "During Extended Mode negotiation: IPsec received an invalid negotiation packet."}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4979 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "IPsec Main Mode and Extended Mode security associations were established."}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4980 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "IPsec Main Mode and Extended Mode security associations were established"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4981 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "IPsec Main Mode and Extended Mode security associations were established"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4982 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "IPsec Main Mode and Extended Mode security associations were established"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4983 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An IPsec Extended Mode negotiation failed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4984 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An IPsec Extended Mode negotiation failed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4985 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The state of a transaction has changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5024 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The Windows Firewall Service has started successfully"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5025 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The Windows 
Firewall Service has been stopped"} + } + } + else if [logx][wineventlog][event_id] == 5027 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The Windows Firewall Service was unable to retrieve the security policy from the local storage"} + } + } + else if [logx][wineventlog][event_id] == 5028 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The Windows Firewall Service was unable to parse the new security policy."} + } + } + else if [logx][wineventlog][event_id] == 5029 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The Windows Firewall Service failed to initialize the driver"} + } + } + else if [logx][wineventlog][event_id] == 5030 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The Windows Firewall Service failed to start"} + } + } + else if [logx][wineventlog][event_id] == 5031 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The Windows Firewall Service blocked an application from accepting incoming connections on the network."} + } + } + else if [logx][wineventlog][event_id] == 5032 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network"} + } + } + else if [logx][wineventlog][event_id] == 5033 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The Windows Firewall Driver has started successfully"} + } + } + else if [logx][wineventlog][event_id] == 5034 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The Windows Firewall Driver has been stopped"} + } + } + else if [logx][wineventlog][event_id] == 5035 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The Windows Firewall Driver failed to start"} + } + } + else if [logx][wineventlog][event_id] == 5037 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The Windows Firewall Driver detected critical runtime error. 
Terminating"} + } + } + else if [logx][wineventlog][event_id] == 5038 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Code integrity determined that the image hash of a file is not valid"} + } + } + else if [logx][wineventlog][event_id] == 5039 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A registry key was virtualized."} + } + } + else if [logx][wineventlog][event_id] == 5040 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A change has been made to IPsec settings. An Authentication Set was added."} + } + } + else if [logx][wineventlog][event_id] == 5041 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A change has been made to IPsec settings. An Authentication Set was modified"} + } + } + else if [logx][wineventlog][event_id] == 5042 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A change has been made to IPsec settings. An Authentication Set was deleted"} + } + } + else if [logx][wineventlog][event_id] == 5043 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A change has been made to IPsec settings. A Connection Security Rule was added"} + } + } + else if [logx][wineventlog][event_id] == 5044 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A change has been made to IPsec settings. A Connection Security Rule was modified"} + } + } + else if [logx][wineventlog][event_id] == 5045 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A change has been made to IPsec settings. A Connection Security Rule was deleted"} + } + } + else if [logx][wineventlog][event_id] == 5046 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A change has been made to IPsec settings. A Crypto Set was added"} + } + } + else if [logx][wineventlog][event_id] == 5047 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A change has been made to IPsec settings. 
A Crypto Set was modified"} + } + } + else if [logx][wineventlog][event_id] == 5048 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A change has been made to IPsec settings. A Crypto Set was deleted"} + } + } + else if [logx][wineventlog][event_id] == 5049 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An IPsec Security Association was deleted"} + } + } + else if [logx][wineventlog][event_id] == 5050 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An attempt to programmatically disable the Windows Firewall using a call to INetFwProfile.FirewallEnabled(FALSE)"} + } + } + else if [logx][wineventlog][event_id] == 5051 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A file was virtualized"} + } + } + else if [logx][wineventlog][event_id] == 5056 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A cryptographic self test was performed"} + } + } + else if [logx][wineventlog][event_id] == 5057 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A cryptographic primitive operation failed"} + } + } + else if [logx][wineventlog][event_id] == 5058 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Key file operation"} + } + } + else if [logx][wineventlog][event_id] == 5059 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Key migration operation"} + } + } + else if [logx][wineventlog][event_id] == 5060 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Verification operation failed"} + } + } + else if [logx][wineventlog][event_id] == 5061 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Cryptographic operation"} + } + } + else if [logx][wineventlog][event_id] == 5062 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A kernel-mode cryptographic self test was performed"} + } + } + else if [logx][wineventlog][event_id] == 5063 { + mutate { + add_field => {"[logx][wineventlog][event_name]" 
=> "A cryptographic provider operation was attempted"} + } + } + else if [logx][wineventlog][event_id] == 5064 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A cryptographic context operation was attempted"} + } + } + else if [logx][wineventlog][event_id] == 5065 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A cryptographic context modification was attempted"} + } + } + else if [logx][wineventlog][event_id] == 5066 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A cryptographic function operation was attempted"} + } + } + else if [logx][wineventlog][event_id] == 5067 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A cryptographic function modification was attempted"} + } + } + else if [logx][wineventlog][event_id] == 5068 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A cryptographic function provider operation was attempted"} + } + } + else if [logx][wineventlog][event_id] == 5069 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A cryptographic function property operation was attempted"} + } + } + else if [logx][wineventlog][event_id] == 5070 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A cryptographic function property operation was attempted"} + } + } + else if [logx][wineventlog][event_id] == 5071 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Key access denied by Microsoft key distribution service"} + } + } + else if [logx][wineventlog][event_id] == 5120 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "OCSP Responder Service Started"} + } + } + else if [logx][wineventlog][event_id] == 5121 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "OCSP Responder Service Stopped"} + } + } + else if [logx][wineventlog][event_id] == 5122 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A Configuration entry changed in the OCSP Responder Service"} + } + } + else if 
[logx][wineventlog][event_id] == 5123 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A configuration entry changed in the OCSP Responder Service"} + } + } + else if [logx][wineventlog][event_id] == 5124 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A security setting was updated on OCSP Responder Service"} + } + } + else if [logx][wineventlog][event_id] == 5125 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A request was submitted to OCSP Responder Service"} + } + } + else if [logx][wineventlog][event_id] == 5126 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Signing Certificate was automatically updated by the OCSP Responder Service"} + } + } + else if [logx][wineventlog][event_id] == 5127 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The OCSP Revocation Provider successfully updated the revocation information"} + } + } + else if [logx][wineventlog][event_id] == 5136 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A directory service object was modified"} + } + } + else if [logx][wineventlog][event_id] == 5137 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A directory service object was created"} + } + } + else if [logx][wineventlog][event_id] == 5138 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A directory service object was undeleted"} + } + } + else if [logx][wineventlog][event_id] == 5139 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A directory service object was moved"} + } + } + else if [logx][wineventlog][event_id] == 5140 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A network share object was accessed"} + } + } + else if [logx][wineventlog][event_id] == 5141 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A directory service object was deleted"} + } + } + else if [logx][wineventlog][event_id] == 5142 { + mutate { + add_field => 
{"[logx][wineventlog][event_name]" => "A network share object was added."} + } + } + else if [logx][wineventlog][event_id] == 5143 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A network share object was modified"} + } + } + else if [logx][wineventlog][event_id] == 5144 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A network share object was deleted."} + } + } + else if [logx][wineventlog][event_id] == 5145 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A network share object was checked to see whether client can be granted desired access"} + } + } + else if [logx][wineventlog][event_id] == 5146 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The Windows Filtering Platform has blocked a packet"} + } + } + else if [logx][wineventlog][event_id] == 5147 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A more restrictive Windows Filtering Platform filter has blocked a packet"} + } + } + else if [logx][wineventlog][event_id] == 5148 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded."} + } + } + else if [logx][wineventlog][event_id] == 5149 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The DoS attack has subsided and normal processing is being resumed."} + } + } + else if [logx][wineventlog][event_id] == 5150 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The Windows Filtering Platform has blocked a packet."} + } + } + else if [logx][wineventlog][event_id] == 5151 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A more restrictive Windows Filtering Platform filter has blocked a packet."} + } + } + else if [logx][wineventlog][event_id] == 5152 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The Windows Filtering Platform blocked a packet"} + } 
+ } + else if [logx][wineventlog][event_id] == 5153 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A more restrictive Windows Filtering Platform filter has blocked a packet"} + } + } + else if [logx][wineventlog][event_id] == 5154 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections"} + } + } + else if [logx][wineventlog][event_id] == 5155 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections"} + } + } + else if [logx][wineventlog][event_id] == 5156 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The Windows Filtering Platform has allowed a connection"} + } + } + else if [logx][wineventlog][event_id] == 5157 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The Windows Filtering Platform has blocked a connection"} + } + } + else if [logx][wineventlog][event_id] == 5158 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The Windows Filtering Platform has permitted a bind to a local port"} + } + } + else if [logx][wineventlog][event_id] == 5159 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The Windows Filtering Platform has blocked a bind to a local port"} + } + } + else if [logx][wineventlog][event_id] == 5168 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Spn check for SMB/SMB2 fails."} + } + } + else if [logx][wineventlog][event_id] == 5169 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A directory service object was modified"} + } + } + else if [logx][wineventlog][event_id] == 5170 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A directory service object was modified during a background cleanup task"} + } + } + else if [logx][wineventlog][event_id] == 5376 
{ + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Credential Manager credentials were backed up"} + } + } + else if [logx][wineventlog][event_id] == 5377 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Credential Manager credentials were restored from a backup"} + } + } + else if [logx][wineventlog][event_id] == 5378 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The requested credentials delegation was disallowed by policy"} + } + } + else if [logx][wineventlog][event_id] == 5379 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Credential Manager credentials were read"} + } + } + else if [logx][wineventlog][event_id] == 5380 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Vault Find Credential"} + } + } + else if [logx][wineventlog][event_id] == 5381 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Vault credentials were read"} + } + } + else if [logx][wineventlog][event_id] == 5382 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Vault credentials were read"} + } + } + else if [logx][wineventlog][event_id] == 5440 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The following callout was present when the Windows Filtering Platform Base Filtering Engine started"} + } + } + else if [logx][wineventlog][event_id] == 5441 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The following filter was present when the Windows Filtering Platform Base Filtering Engine started"} + } + } + else if [logx][wineventlog][event_id] == 5442 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The following provider was present when the Windows Filtering Platform Base Filtering Engine started"} + } + } + else if [logx][wineventlog][event_id] == 5443 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The following provider context was present when the Windows Filtering Platform Base Filtering 
Engine started"} + } + } + else if [logx][wineventlog][event_id] == 5444 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started"} + } + } + else if [logx][wineventlog][event_id] == 5446 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A Windows Filtering Platform callout has been changed"} + } + } + else if [logx][wineventlog][event_id] == 5447 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A Windows Filtering Platform filter has been changed"} + } + } + else if [logx][wineventlog][event_id] == 5448 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A Windows Filtering Platform provider has been changed"} + } + } + else if [logx][wineventlog][event_id] == 5449 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A Windows Filtering Platform provider context has been changed"} + } + } + else if [logx][wineventlog][event_id] == 5450 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A Windows Filtering Platform sub-layer has been changed"} + } + } + else if [logx][wineventlog][event_id] == 5451 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An IPsec Quick Mode security association was established"} + } + } + else if [logx][wineventlog][event_id] == 5452 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An IPsec Quick Mode security association ended"} + } + } + else if [logx][wineventlog][event_id] == 5453 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started"} + } + } + else if [logx][wineventlog][event_id] == 5456 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine applied Active Directory storage IPsec policy on the computer"} + } + } + else if 
[logx][wineventlog][event_id] == 5457 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine failed to apply Active Directory storage IPsec policy on the computer"} + } + } + else if [logx][wineventlog][event_id] == 5458 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer"} + } + } + else if [logx][wineventlog][event_id] == 5459 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer"} + } + } + else if [logx][wineventlog][event_id] == 5460 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine applied local registry storage IPsec policy on the computer"} + } + } + else if [logx][wineventlog][event_id] == 5461 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine failed to apply local registry storage IPsec policy on the computer"} + } + } + else if [logx][wineventlog][event_id] == 5462 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine failed to apply some rules of the active IPsec policy on the computer"} + } + } + else if [logx][wineventlog][event_id] == 5463 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine polled for changes to the active IPsec policy and detected no changes"} + } + } + else if [logx][wineventlog][event_id] == 5464 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine polled for changes to the active IPsec policy: detected changes: and applied them to IPsec Services"} + } + } + else if [logx][wineventlog][event_id] == 5465 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully"} + } + } + else if 
[logx][wineventlog][event_id] == 5466 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine polled for changes to the Active Directory IPsec policy: determined that Active Directory cannot be reached: and will use the cached copy of the Active Directory IPsec policy instead"} + } + } + else if [logx][wineventlog][event_id] == 5467 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine polled for changes to the Active Directory IPsec policy: determined that Active Directory can be reached: and found no changes to the policy"} + } + } + else if [logx][wineventlog][event_id] == 5468 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine polled for changes to the Active Directory IPsec policy: determined that Active Directory can be reached: found changes to the policy: and applied those changes"} + } + } + else if [logx][wineventlog][event_id] == 5471 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine loaded local storage IPsec policy on the computer"} + } + } + else if [logx][wineventlog][event_id] == 5472 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine failed to load local storage IPsec policy on the computer"} + } + } + else if [logx][wineventlog][event_id] == 5473 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine loaded directory storage IPsec policy on the computer"} + } + } + else if [logx][wineventlog][event_id] == 5474 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine failed to load directory storage IPsec policy on the computer"} + } + } + else if [logx][wineventlog][event_id] == 5477 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine failed to add quick mode filter"} + } + } + else if [logx][wineventlog][event_id] == 5478 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "IPsec Services has started 
successfully"} + } + } + else if [logx][wineventlog][event_id] == 5479 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "IPsec Services has been shut down successfully"} + } + } + else if [logx][wineventlog][event_id] == 5480 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "IPsec Services failed to get the complete list of network interfaces on the computer"} + } + } + else if [logx][wineventlog][event_id] == 5483 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "IPsec Services failed to initialize RPC server. IPsec Services could not be started"} + } + } + else if [logx][wineventlog][event_id] == 5484 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "IPsec Services has experienced a critical failure and has been shut down"} + } + } + else if [logx][wineventlog][event_id] == 5485 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces"} + } + } + else if [logx][wineventlog][event_id] == 5632 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A request was made to authenticate to a wireless network"} + } + } + else if [logx][wineventlog][event_id] == 5633 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A request was made to authenticate to a wired network"} + } + } + else if [logx][wineventlog][event_id] == 5712 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A Remote Procedure Call (RPC) was attempted"} + } + } + else if [logx][wineventlog][event_id] == 5888 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An object in the COM+ Catalog was modified"} + } + } + else if [logx][wineventlog][event_id] == 5889 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An object was deleted from the COM+ Catalog"} + } + } + else if [logx][wineventlog][event_id] == 5890 { + mutate { + add_field => 
{"[logx][wineventlog][event_name]" => "An object was added to the COM+ Catalog"} + } + } + else if [logx][wineventlog][event_id] == 6144 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Security policy in the group policy objects has been applied successfully"} + } + } + else if [logx][wineventlog][event_id] == 6145 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "One or more errors occured while processing security policy in the group policy objects"} + } + } + else if [logx][wineventlog][event_id] == 6272 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Network Policy Server granted access to a user"} + } + } + else if [logx][wineventlog][event_id] == 6273 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Network Policy Server denied access to a user"} + } + } + else if [logx][wineventlog][event_id] == 6274 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Network Policy Server discarded the request for a user"} + } + } + else if [logx][wineventlog][event_id] == 6275 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Network Policy Server discarded the accounting request for a user"} + } + } + else if [logx][wineventlog][event_id] == 6276 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Network Policy Server quarantined a user"} + } + } + else if [logx][wineventlog][event_id] == 6277 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy"} + } + } + else if [logx][wineventlog][event_id] == 6278 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Network Policy Server granted full access to a user because the host met the defined health policy"} + } + } + else if [logx][wineventlog][event_id] == 6279 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Network Policy Server 
locked the user account due to repeated failed authentication attempts"} + } + } + else if [logx][wineventlog][event_id] == 6280 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Network Policy Server unlocked the user account"} + } + } + else if [logx][wineventlog][event_id] == 6281 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Code Integrity determined that the page hashes of an image file are not valid..."} + } + } + else if [logx][wineventlog][event_id] == 6400 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "BranchCache: Received an incorrectly formatted response while discovering availability of content."} + } + } + else if [logx][wineventlog][event_id] == 6401 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "BranchCache: Received invalid data from a peer. Data discarded."} + } + } + else if [logx][wineventlog][event_id] == 6402 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "BranchCache: The message to the hosted cache offering it data is incorrectly formatted."} + } + } + else if [logx][wineventlog][event_id] == 6403 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "BranchCache: The hosted cache sent an incorrectly formatted response to the client''s message to offer it data."} + } + } + else if [logx][wineventlog][event_id] == 6404 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate."} + } + } + else if [logx][wineventlog][event_id] == 6405 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "BranchCache: %2 instance(s) of event id %1 occurred."} + } + } + else if [logx][wineventlog][event_id] == 6406 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "%1 registered to Windows Firewall to control filtering for the following:"} + } + } + else if [logx][wineventlog][event_id] == 6408 { + mutate { + add_field => 
{"[logx][wineventlog][event_name]" => "Registered product %1 failed and Windows Firewall is now controlling the filtering for %2."}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 6409 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "BranchCache: A service connection point object could not be parsed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 6410 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Code integrity determined that a file does not meet the security requirements to load into a process. This could be due to the use of shared sections or other issues"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 6416 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A new external device was recognized by the system."}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 6417 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The FIPS mode crypto selftests succeeded"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 6418 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The FIPS mode crypto selftests failed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 6419 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A request was made to disable a device"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 6420 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A device was disabled"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 6421 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A request was made to enable a device"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 6422 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A device was enabled"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 6423 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The installation of this device is forbidden by system policy"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 6424 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The installation of this device was allowed: after having previously been forbidden by policy"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 8191 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Highest System-Defined Audit Message Value"}
+ }
+ }
+ else {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "None"}
+ }
+ }
+
+ if [logx][wineventlog][event_id] == 4663 {
+ if [logx][wineventlog][event_data][AccessMask]{
+ if [logx][wineventlog][event_data][AccessMask] == "0x1" {
+ mutate {
+ add_field => {"[logx][wineventlog][access_type]" => "read"}
+ add_field => {"[logx][wineventlog][access_description]" => "For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.\n For a directory, the right to list the contents of the directory.\n For registry objects, this is, Query key value."}
+ }
+ }
+ else if [logx][wineventlog][event_data][AccessMask] == "0x2" {
+ mutate {
+ add_field => {"[logx][wineventlog][access_type]" => "write"}
+ add_field => {"[logx][wineventlog][access_description]" => "For a file object, the right to write data to the file.\n For a directory object, the right to create a file in the directory.\n For registry objects, this is, Set key value."}
+ }
+ }
+ else if [logx][wineventlog][event_data][AccessMask] == "0x4" {
+ mutate {
+ add_field => {"[logx][wineventlog][access_type]" => "append"}
+ add_field => {"[logx][wineventlog][access_description]" => "For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without FILE_WRITE_DATA.)\n For a directory object, the right to create a subdirectory.\n For a named pipe, the right to create a pipe."}
+ }
+ }
+ else if [logx][wineventlog][event_data][AccessMask] == "0x8" {
+ mutate {
+ add_field => {"[logx][wineventlog][access_type]" => "read_extended_attributes"}
+ add_field => {"[logx][wineventlog][access_description]" => "The right to read extended file attributes.\n For registry objects, this is, Enumerate sub-keys."}
+ }
+ }
+ else if [logx][wineventlog][event_data][AccessMask] == "0x10" {
+ mutate {
+ add_field => {"[logx][wineventlog][access_type]" => "write_extended_attributes"}
+ add_field => {"[logx][wineventlog][access_description]" => "The right to write extended file attributes."}
+ }
+ }
+ else if [logx][wineventlog][event_data][AccessMask] == "0x20" {
+ mutate {
+ add_field => {"[logx][wineventlog][access_type]" => "execute"}
+ add_field => {"[logx][wineventlog][access_description]" => "For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.\n For a directory, the right to traverse the directory. By default, users are assigned the BYPASS_TRAVERSE_CHECKING privilege, which ignores the FILE_TRAVERSE access right."}
+ }
+ }
+ else if [logx][wineventlog][event_data][AccessMask] == "0x40" {
+ mutate {
+ add_field => {"[logx][wineventlog][access_type]" => "delete_child"}
+ add_field => {"[logx][wineventlog][access_description]" => "For a directory, the right to delete a directory and all the files it contains, including read-only files."}
+ }
+ }
+ else if [logx][wineventlog][event_data][AccessMask] == "0x80" {
+ mutate {
+ add_field => {"[logx][wineventlog][access_type]" => "read_attributes"}
+ add_field => {"[logx][wineventlog][access_description]" => "The right to read file attributes."}
+ }
+ }
+ else if [logx][wineventlog][event_data][AccessMask] == "0x100" {
+ mutate {
+ add_field => {"[logx][wineventlog][access_type]" => "write_attributes"}
+ add_field => {"[logx][wineventlog][access_description]" => "The right to write file attributes."}
+ }
+ }
+ else if [logx][wineventlog][event_data][AccessMask] == "0x10000" {
+ mutate {
+ add_field => {"[logx][wineventlog][access_type]" => "delete"}
+ add_field => {"[logx][wineventlog][access_description]" => "The right to delete the object."}
+ }
+ }
+ else if [logx][wineventlog][event_data][AccessMask] == "0x20000" {
+ mutate {
+ add_field => {"[logx][wineventlog][access_type]" => "read_control"}
+ add_field => {"[logx][wineventlog][access_description]" => "The right to read the information in the object''s security descriptor, not including the information in the system access control list (SACL)."}
+ }
+ }
+ else if [logx][wineventlog][event_data][AccessMask] == "0x40000" {
+ mutate {
+ add_field => {"[logx][wineventlog][access_type]" => "write_dac"}
+ add_field => {"[logx][wineventlog][access_description]" => "The right to modify the discretionary access control list (DACL) in the object''s security descriptor."}
+ }
+ }
+ else if [logx][wineventlog][event_data][AccessMask] == "0x80000" {
+ mutate {
+ add_field => {"[logx][wineventlog][access_type]" => "write_owner"}
+ add_field => {"[logx][wineventlog][access_description]" => "The right to change the owner in the object''s security descriptor"}
+ }
+ }
+ else if [logx][wineventlog][event_data][AccessMask] == "0x100000" {
+ mutate {
+ add_field => {"[logx][wineventlog][access_type]" => "synchronize"}
+ add_field => {"[logx][wineventlog][access_description]" => "The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right."}
+ }
+ }
+ else if [logx][wineventlog][event_data][AccessMask] == "0x1000000" {
+ mutate {
+ add_field => {"[logx][wineventlog][access_type]" => "access_sys_sec"}
+ add_field => {"[logx][wineventlog][access_description]" => "The ACCESS_SYS_SEC access right controls the ability to get or set the SACL in an object''s security descriptor."}
+ }
+ }
+ }
+ }
+ if [logx][wineventlog][event_id] == 4625 {
+ if [logx][wineventlog][event_data][FailureReason] {
+ if [logx][wineventlog][event_data][FailureReason] == "%%2305" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][FailureReasonDescription]" => "The specified user account has expired."}
+ }
+ }
+ else if [logx][wineventlog][event_data][FailureReason] == "%%2309" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][FailureReasonDescription]" => "The specified account''s password has expired"}
+ }
+ }
+ else if [logx][wineventlog][event_data][FailureReason] == "%%2310" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][FailureReasonDescription]" => "Account currently disabled"}
+ }
+ }
+ else if [logx][wineventlog][event_data][FailureReason] == "%%2311" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][FailureReasonDescription]" => "Account logon time restriction violation"}
+ }
+ }
+ else if [logx][wineventlog][event_data][FailureReason] == "%%2312" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][FailureReasonDescription]" => "User not allowed to logon at this computer"}
+ }
+ }
+ else if [logx][wineventlog][event_data][FailureReason] == "%%2313" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][FailureReasonDescription]" => "Unknown user name or bad password"}
+ }
+ }
+ else if [logx][wineventlog][event_data][FailureReason] == "%%2304" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][FailureReasonDescription]" => "An Error occurred during Logon"}
+ }
+ }
+ else {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][FailureReasonDescription]" => "None"}
+ }
+ }
+ }
+ if [logx][wineventlog][event_data][Status] {
+ if [logx][wineventlog][event_data][Status] == "0xC0000234" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Account locked out"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0xC0000193" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Account expired"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0xC0000133" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Clocks out of sync"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0xC0000224" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Password change required"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0xc000015b" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "User does not have logon right"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0xc000006d" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Logon failure"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0xc000006e" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Account restriction"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0xc00002ee" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "An error occurred during logon"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0xC0000071" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Password expired"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0xC0000072" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Account disabled"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0xC0000413" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Authentication firewall prohibits logon"}
+ }
+ }
+ else {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "None"}
+ }
+ }
+ }
+ if [logx][wineventlog][event_data][SubStatus] {
+ if [logx][wineventlog][event_data][SubStatus] == "0xC0000234" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Account locked out"}
+ }
+ }
+ else if [logx][wineventlog][event_data][SubStatus] == "0xC0000193" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "Account expired"}
+ }
+ }
+ else if [logx][wineventlog][event_data][SubStatus] == "0xC0000133" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "Clocks out of sync"}
+ }
+ }
+ else if [logx][wineventlog][event_data][SubStatus] == "0xC0000224" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "Password change required"}
+ }
+ }
+ else if [logx][wineventlog][event_data][SubStatus] == "0xc000015b" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "User does not have logon right"}
+ }
+ }
+ else if [logx][wineventlog][event_data][SubStatus] == "0xc000006d" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "Logon failure"}
+ }
+ }
+ else if [logx][wineventlog][event_data][SubStatus] == "0xc000006e" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "Account restriction"}
+ }
+ }
+ else if [logx][wineventlog][event_data][SubStatus] == "0xc00002ee" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "An error occurred during logon"}
+ }
+ }
+ else if [logx][wineventlog][event_data][SubStatus] == "0xC0000071" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "Password expired"}
+ }
+ }
+ else if [logx][wineventlog][event_data][SubStatus] == "0xC0000072" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "Account disabled"}
+ }
+ }
+ else if [logx][wineventlog][event_data][SubStatus] == "0xC0000413" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "Authentication firewall prohibits logon"}
+ }
+ }
+ else if [logx][wineventlog][event_data][SubStatus] == "0xc000006a" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "Incorrect password"}
+ }
+ }
+ else if [logx][wineventlog][event_data][SubStatus] == "0xc0000064" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "Account does not exist"}
+ }
+ }
+ else {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "None"}
+ }
+ }
+ }
+ }
+ if [logx][wineventlog][event_id] == 4771 {
+ if [logx][wineventlog][event_data][Status] {
+ if [logx][wineventlog][event_data][Status] == "0x1" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Client''s entry in database has expired"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x2" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Server''s entry in database has expired"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x3" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Requested protocol version not supported"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x4" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Client''s key encrypted in old master key"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x5" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Server''s key encrypted in old master key"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x6" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Client not found in Kerberos database"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x7" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Server not found in Kerberos database"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x8" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Multiple principal entries in database"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x9" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "The client or server has a null key"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0xA" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Ticket not eligible for postdating"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0xB" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Requested start time is later than end time"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0xC" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "KDC policy rejects request"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0xD" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "KDC cannot accommodate requested option"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0xE" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "KDC has no support for encryption type"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0xF" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "KDC has no support for checksum type"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x10" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "KDC has no support for padata type"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x11" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "KDC has no support for transited type"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x12" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Clients credentials have been revoked"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x13" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Credentials for server have been revoked"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x14" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "TGT has been revoked"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x15" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Client not yet valid - try again later"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x16" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Server not yet valid - try again later"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x17" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Password has expired"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x18" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Pre-authentication information was invalid"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x19" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Additional pre-authentication required"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x1F" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Integrity check on decrypted field failed"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x20" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Ticket expired"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x21" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Ticket not yet valid"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x22" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Request is a replay"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x23" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "The ticket isn''t for us"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x24" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Ticket and authenticator don''t match"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x25" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Clock skew too great"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x26" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Incorrect net address"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x27" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Protocol version mismatch"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x28" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Invalid msg type"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x29" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Message stream modified"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x2A" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Message out of order"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x2C" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Specified version of key is not available"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x2D" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Service key not available"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x2E" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Mutual authentication failed"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x2F" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Incorrect message direction"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x30" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Alternative authentication method required"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x31" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Incorrect sequence number in message"}
+ }
+ }
+ else if [logx][wineventlog][event_data][Status] == "0x32" {
+ mutate {
+ add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Inappropriate type of checksum in message"}
+ }
+ }
+ else if 
[logx][wineventlog][event_data][Status] == "0x3C" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Generic error (description in e-text)"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x3D" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Field is too long for this implementation"} + } + } + else { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "None"} + } + } + } + } + } + } + # Also, remove unwanted fields if the message not match with conditions + mutate { + remove_field => ["headers"] + } +}' + WHERE id=701; + ]]> + + + \ No newline at end of file diff --git a/backend/src/main/resources/config/liquibase/master.xml b/backend/src/main/resources/config/liquibase/master.xml index 084fca2b4..c8468c2a7 100644 --- a/backend/src/main/resources/config/liquibase/master.xml +++ b/backend/src/main/resources/config/liquibase/master.xml @@ -103,5 +103,7 @@ + From e0d915e296f6892f0e457572a772ae10e541f356 Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Fri, 30 May 2025 17:09:38 -0500 Subject: [PATCH 54/56] fix: update wineventlog filter --- .../20250530001_update_filter_wineventlog.xml | 2960 +++++++++++++++++ .../resources/config/liquibase/master.xml | 3 +- 2 files changed, 2961 insertions(+), 2 deletions(-) create mode 100644 backend/src/main/resources/config/liquibase/changelog/20250530001_update_filter_wineventlog.xml diff --git a/backend/src/main/resources/config/liquibase/changelog/20250530001_update_filter_wineventlog.xml b/backend/src/main/resources/config/liquibase/changelog/20250530001_update_filter_wineventlog.xml new file mode 100644 index 000000000..fb264ae09 --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20250530001_update_filter_wineventlog.xml 
@@ -0,0 +1,2960 @@ + + + + + + + "message" + terminator => "" + } + json { + source => "message" + } + + if ([winlog][api] and [winlog][api] == "wineventlog") or ([type] and [type] == "wineventlog") or ([channel]){ + + mutate { + add_field => { "dataType" => "wineventlog" } + + add_field => {"[global][type]" => "logx"} + remove_field => ["fileset"] + remove_field => ["fields"] + } + + # If the architecture is ARM64 + if [channel] and [channel]{ + mutate { + rename => { "channel" => "[logx][wineventlog][log_name]" } + rename => { "computer" => "dataSource" } + rename => { "correlation" => "[logx][wineventlog][correlation]" } + rename => { "data" => "[logx][wineventlog][event_data]" } + rename => { "eventCode" => "[logx][wineventlog][event_id]" } + rename => { "execution" => "[logx][wineventlog][execution]" } + rename => { "keywords" => "[logx][wineventlog][keywords]" } + rename => { "level" => "[logx][wineventlog][level]" } + rename => { "opcode" => "[logx][wineventlog][opcode]" } + rename => { "providerGuid" => "[logx][wineventlog][provider_guid]" } + rename => { "providerName" => "[logx][wineventlog][provider_name]" } + rename => { "recordId" => "[logx][wineventlog][record_number]" } + rename => { "task" => "[logx][wineventlog][task]" } + rename => { "timeCreated" => "[logx][wineventlog][time_created]" } + rename => { "timestamp" => "[logx][wineventlog][timestamp]" } + rename => { "version" => "[logx][wineventlog][version_trash]" } + + rename => {"host" => "[logx][wineventlog][single_host]"} + + rename => {"[logx][wineventlog][execution][ProcessID]" => "[logx][wineventlog][thread_id]"} + rename => {"[logx][wineventlog][execution][ThreadID]" => "[logx][wineventlog][process_id]"} + + rename => {"[logx][wineventlog][provider_name]" => "[logx][wineventlog][source_name]"} + } + + mutate { rename => {"[logx][wineventlog][correlation][ActivityID]" => "[logx][wineventlog][activity_id]"}} + mutate { remove_field => ["[logx][wineventlog][correlation]"]} + + # Convert fields 
to appropriate types
+ mutate { convert => { "[logx][wineventlog][event_id]" => "integer" }}
+ mutate { convert => { "[logx][wineventlog][task]" => "string" }}
+ mutate { convert => { "[logx][wineventlog][level]" => "string" }}
+ mutate { convert => { "[logx][wineventlog][opcode]" => "string" }}
+ mutate { convert => { "[logx][wineventlog][event_data][TargetLogonId]" => "string" }}
+ mutate { convert => { "[logx][wineventlog][event_data][ProcessId]" => "string" }}
+ mutate { convert => { "[logx][wineventlog][event_data][SubjectLogonId]" => "string" }}
+ mutate { convert => { "[logx][wineventlog][event_data][TargetLinkedLogonId]" => "string" }}
+ mutate { convert => { "[logx][wineventlog][event_data][CallerProcessId]" => "string" }}
+
+ if [logx][wineventlog][keywords]{
+ mutate {
+ remove_field => ["[logx][wineventlog][keywords]"]
+ }
+ }
+
+ if [logx][wineventlog][version_trash]{
+ mutate {
+ remove_field => ["[logx][wineventlog][version_trash]"]
+ }
+ }
+ }
+
+ if [logx][wineventlog][level]{
+ if [logx][wineventlog][level] == "0" {
+ mutate {
+ replace => {"[logx][wineventlog][level]" => "trace"}
+ }
+ }
+ else if [logx][wineventlog][level] == "1" {
+ mutate {
+ replace => {"[logx][wineventlog][level]" => "debug"}
+ }
+ }
+ else if [logx][wineventlog][level] == "2" {
+ mutate {
+ replace => {"[logx][wineventlog][level]" => "information"}
+ }
+ }
+ else if [logx][wineventlog][level] == "3" {
+ mutate {
+ replace => {"[logx][wineventlog][level]" => "warning"}
+ }
+ }
+ else if [logx][wineventlog][level] == "4" {
+ mutate {
+ replace => {"[logx][wineventlog][level]" => "error"}
+ }
+ }
+ else if [logx][wineventlog][level] == "5" {
+ mutate {
+ replace => {"[logx][wineventlog][level]" => "critical"}
+ }
+ }
+ else {
+ mutate {
+ replace => {"[logx][wineventlog][level]" => "none"}
+ }
+ }
+ }
+
+ if [logx][wineventlog][opcode]{
+ if [logx][wineventlog][opcode] == "0" {
+ mutate {
+ replace => {"[logx][wineventlog][opcode]" => "Info"}
+ }
+ }
+ else if [logx][wineventlog][opcode] == "1" {
+ mutate {
+ replace => {"[logx][wineventlog][opcode]" => "Start"}
+ }
+ }
+ else if [logx][wineventlog][opcode] == "2" {
+ mutate {
+ replace => {"[logx][wineventlog][opcode]" => "Stop"}
+ }
+ }
+ else if [logx][wineventlog][opcode] == "6" {
+ mutate {
+ replace => {"[logx][wineventlog][opcode]" => "Reply"}
+ }
+ }
+ else if [logx][wineventlog][opcode] == "7" {
+ mutate {
+ replace => {"[logx][wineventlog][opcode]" => "Resume"}
+ }
+ }
+ else if [logx][wineventlog][opcode] == "8" {
+ mutate {
+ replace => {"[logx][wineventlog][opcode]" => "Suspend"}
+ }
+ }
+ else if [logx][wineventlog][opcode] == "9" {
+ mutate {
+ replace => {"[logx][wineventlog][opcode]" => "Send"}
+ }
+ }
+ else {
+ mutate {
+ replace => {"[logx][wineventlog][opcode]" => "None"}
+ }
+ }
+ }
+
+ #If winlogbeat is of old version
+ if [type] and [type] == "wineventlog"{
+ mutate {
+ rename => { "[beat][name]" => "[dataSource]" }
+ rename => {"[type]" => "[logx][type]"}
+
+ rename => {"[activity_id]" => "[logx][wineventlog][activity_id]"}
+ rename => {"[beat]" => "[logx][wineventlog][beat]"}
+ rename => {"[event_data]" => "[logx][wineventlog][event_data]"}
+ rename => {"[event_id]" => "[logx][wineventlog][event_id]"}
+ rename => {"[keywords]" => "[logx][wineventlog][keywords]"}
+ rename => {"[level]" => "[logx][wineventlog][level]"}
+ rename => {"[log]" => "[logx][wineventlog][log]"}
+ rename => {"[log_name]" => "[logx][wineventlog][log_name]"}
+ rename => {"[opcode]" => "[logx][wineventlog][opcode]"}
+ rename => {"[process_id]" => "[logx][wineventlog][process_id]"}
+ rename => {"[provider_guid]" => "[logx][wineventlog][provider_guid]"}
+ rename => {"[record_number]" => "[logx][wineventlog][record_number]"}
+ rename => {"[source_name]" => "[logx][wineventlog][source_name]"}
+ rename => {"[task]" => "[logx][wineventlog][task]"}
+ rename => {"[thread_id]" => "[logx][wineventlog][thread_id]"}
+ rename => {"[user]" => "[logx][wineventlog][user]"}
+ rename => {"[user_data]" => "[logx][wineventlog][user_data]"}
+ rename => {"[version]" => "[logx][wineventlog][version]"}
+
+ rename => {"[meta]" => "[logx][wineventlog][meta]"}
+ rename => {"[docker]" => "[logx][wineventlog][docker]"}
+ rename => {"[related_activity_id]" => "[logx][wineventlog][related_activity_id]"}
+ }
+
+ if [logx][wineventlog][keywords]{
+ mutate {
+ remove_field => ["[logx][wineventlog][keywords]"]
+ }
+ }
+ }
+
+ #If winlogbeat is of version 8.5.1
+ if [winlog][api] and [winlog][api] == "wineventlog"{
+ mutate {
+ rename => { "[host][hostname]" => "[dataSource]" }
+ rename => {"[winlog][api]" => "[logx][type]"}
+
+ rename => {"[winlog][activity_id]" => "[logx][wineventlog][activity_id]"}
+ rename => {"[event][timezone]" => "[logx][wineventlog][beat][timezone]"}
+ rename => {"[agent][name]" => "[logx][wineventlog][beat][hostname]"}
+ rename => {"[agent][version]" => "[logx][wineventlog][beat][version]"}
+ rename => {"[event][original]" => "[xml]"}
+ rename => {"[winlog][event_data]" => "[logx][wineventlog][event_data]"}
+ rename => {"[winlog][event_id]" => "[logx][wineventlog][event_id]"}
+ rename => {"[winlog][keywords]" => "[logx][wineventlog][keywords]"}
+ rename => {"[log][level]" => "[logx][wineventlog][level]"}
+ rename => {"[winlog][channel]" => "[logx][wineventlog][log_name]"}
+ rename => {"[winlog][opcode]" => "[logx][wineventlog][opcode]"}
+ rename => {"[winlog][process][pid]" => "[logx][wineventlog][process_id]"}
+ rename => {"[winlog][provider_guid]" => "[logx][wineventlog][provider_guid]"}
+ rename => {"[winlog][record_id]" => "[logx][wineventlog][record_number]"}
+ rename => {"[winlog][provider_name]" => "[logx][wineventlog][source_name]"}
+ rename => {"[winlog][task]" => "[logx][wineventlog][task]"}
+ rename => {"[winlog][process][thread][id]" => "[logx][wineventlog][thread_id]"}
+ rename => {"[winlog][user]" => "[logx][wineventlog][user]"}
+ rename => {"[winlog][user_data]" => "[logx][wineventlog][user_data]"}
+ rename => {"[winlog][version]" => "[logx][wineventlog][version]"}
+
+ rename => {"[cloud]" => "[logx][wineventlog][meta][cloud]"}
+ rename => {"[container]" => "[logx][wineventlog][docker][container]"}
+ rename => {"[winlog][computer_name]" => "[computer_name]"}
+ rename => {"[winlog][related_activity_id]" => "[logx][wineventlog][related_activity_id]"}
+ rename => {"[ecs]" => "[logx][wineventlog][ecs]"}
+ rename => {"[winlog][computerObject]" => "[logx][wineventlog][computerObject]"}
+ rename => {"[winlog][time_created]" => "[logx][wineventlog][time_created]"}
+ rename => {"[winlog][trustAttribute]" => "[logx][wineventlog][trustAttribute]"}
+ rename => {"[winlog][trustDirection]" => "[logx][wineventlog][trustDirection]"}
+ rename => {"[winlog][trustType]" => "[logx][wineventlog][trustType]"}
+ }
+
+ mutate { convert => { "[logx][wineventlog][event_id]" => "integer" }}
+
+ if [logx][wineventlog][keywords]{
+ mutate {
+ remove_field => ["[logx][wineventlog][keywords]"]
+ }
+ }
+ }
+
+ mutate {
+ rename => {"[clienthost]" => "[logx][wineventlog][clienthost]"}
+ rename => {"[geoip]" => "[logx][wineventlog][geoip]"}
+ rename => {"[host]" => "[logx][wineventlog][host]"}
+ rename => {"[input]" => "[logx][wineventlog][input]"}
+ rename => {"[log_timestamp]" => "[logx][wineventlog][log_timestamp]"}
+ rename => {"[message]" => "[logx][wineventlog][message]"}
+ rename => {"[method]" => "[logx][wineventlog][method]"}
+ rename => {"[offset]" => "[logx][wineventlog][offset]"}
+ rename => {"[page]" => "[logx][wineventlog][page]"}
+ rename => {"[port]" => "[logx][wineventlog][port]"}
+ rename => {"[prospector]" => "[logx][wineventlog][prospector]"}
+ rename => {"[querystring]" => "[logx][wineventlog][querystring]"}
+ rename => {"[referer]" => "[logx][wineventlog][referer]"}
+ rename => {"[response]" => "[logx][wineventlog][response]"}
+ rename => {"[scstatus]" => "[logx][wineventlog][scstatus]"}
+ rename => {"[site]" => "[logx][wineventlog][site]"}
+ rename => {"[source]" => "[logx][wineventlog][source]"}
+ rename => {"[subresponse]" => "[logx][wineventlog][subresponse]"}
+ rename => {"[tags]" => "[logx][wineventlog][tags]"}
+ rename => {"[timetaken]" => "[logx][wineventlog][timetaken]"}
+ rename => {"[user_agent]" => "[logx][wineventlog][useragent]"}
+ rename => {"[username]" => "[logx][wineventlog][username]"}
+ rename => {"[error]" => "[logx][wineventlog][error]"}
+ rename => {"[timeseries]" => "[logx][wineventlog][timeseries]"}
+ rename => {"[event]" => "[logx][wineventlog][event]"}
+ rename => {"[agent]" => "[logx][wineventlog][agent]"}
+ rename => {"[as]" => "[logx][wineventlog][as]"}
+ rename => {"[client]" => "[logx][wineventlog][client]"}
+ rename => {"[code_signature]" => "[logx][wineventlog][code_signature]"}
+ rename => {"[data_stream]" => "[logx][wineventlog][data_stream]"}
+ rename => {"[destination]" => "[logx][wineventlog][destination]"}
+ rename => {"[dll]" => "[logx][wineventlog][dll]"}
+ rename => {"[dns]" => "[logx][wineventlog][dns]"}
+ rename => {"[els]" => "[logx][wineventlog][els]"}
+ rename => {"[faas]" => "[logx][wineventlog][faas]"}
+ rename => {"[file]" => "[logx][wineventlog][file]"}
+ rename => {"[geo]" => "[logx][wineventlog][geo]"}
+ rename => {"[group]" => "[logx][wineventlog][group]"}
+ rename => {"[http]" => "[logx][wineventlog][http]"}
+ rename => {"[interface]" => "[logx][wineventlog][interface]"}
+ rename => {"[network]" => "[logx][wineventlog][network]"}
+ rename => {"[observer]" => "[logx][wineventlog][observer]"}
+ rename => {"[orchestrator]" => "[logx][wineventlog][orchestrator]"}
+ rename => {"[os]" => "[logx][wineventlog][os]"}
+ rename => {"[package]" => "[logx][wineventlog][package]"}
+ rename => {"[pe]" => "[logx][wineventlog][pe]"}
+ rename => {"[registry]" => "[logx][wineventlog][registry]"}
+ rename => {"[related]" => "[logx][wineventlog][related]"}
+ rename => {"[rule]" => "[logx][wineventlog][rule]"}
+ rename => {"[server]" => "[logx][wineventlog][server]"}
+ rename => {"[service]" => 
"[logx][wineventlog][service]"} + rename => {"[threat]" => "[logx][wineventlog][threat]"} + rename => {"[tls]" => "[logx][wineventlog][tls]"} + rename => {"[url]" => "[logx][wineventlog][url]"} + rename => {"[vlan]" => "[logx][wineventlog][vlan]"} + rename => {"[vulnerability]" => "[logx][wineventlog][vulnerability]"} + rename => {"[x509]" => "[logx][wineventlog][x509]"} + rename => {"[process]" => "[logx][wineventlog][process]"} + rename => {"[powershell]" => "[logx][wineventlog][powershell]"} + } + + mutate { + remove_field => ["winlog"] + remove_field => ["log"] + } + + if [logx][wineventlog][event_id] { + if [logx][wineventlog][event_id] == 1100 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The event logging service has shut down"} + } + } + else if [logx][wineventlog][event_id] == 1101 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Audit events have been dropped by the transport."} + } + } + else if [logx][wineventlog][event_id] == 1102 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The audit log was cleared"} + } + } + else if [logx][wineventlog][event_id] == 1104 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The security Log is now full"} + } + } + else if [logx][wineventlog][event_id] == 1105 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Event log automatic backup"} + } + } + else if [logx][wineventlog][event_id] == 1108 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The event logging service encountered an error"} + } + } + else if [logx][wineventlog][event_id] == 4608 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Windows is starting up"} + } + } + else if [logx][wineventlog][event_id] == 4609 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Windows is shutting down"} + } + } + else if [logx][wineventlog][event_id] == 4610 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An 
authentication package has been loaded by the Local Security Authority"} + } + } + else if [logx][wineventlog][event_id] == 4611 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A trusted logon process has been registered with the Local Security Authority"} + } + } + else if [logx][wineventlog][event_id] == 4612 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Internal resources allocated for the queuing of audit messages have been exhausted: leading to the loss of some audits."} + } + } + else if [logx][wineventlog][event_id] == 4614 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A notification package has been loaded by the Security Account Manager."} + } + } + else if [logx][wineventlog][event_id] == 4615 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Invalid use of LPC port"} + } + } + else if [logx][wineventlog][event_id] == 4616 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The system time was changed."} + } + } + else if [logx][wineventlog][event_id] == 4618 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A monitored security event pattern has occurred"} + } + } + else if [logx][wineventlog][event_id] == 4621 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Administrator recovered system from CrashOnAuditFail"} + } + } + else if [logx][wineventlog][event_id] == 4622 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A security package has been loaded by the Local Security Authority."} + } + } + else if [logx][wineventlog][event_id] == 4624 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An account was successfully logged on"} + } + } + else if [logx][wineventlog][event_id] == 4625 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An account failed to log on"} + } + } + else if [logx][wineventlog][event_id] == 4626 { + mutate { + add_field => {"[logx][wineventlog][event_name]" 
=> "User/Device claims information"} + } + } + else if [logx][wineventlog][event_id] == 4627 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Group membership information."} + } + } + else if [logx][wineventlog][event_id] == 4634 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An account was logged off"} + } + } + else if [logx][wineventlog][event_id] == 4646 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "IKE DoS-prevention mode started"} + } + } + else if [logx][wineventlog][event_id] == 4647 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "User initiated logoff"} + } + } + else if [logx][wineventlog][event_id] == 4648 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A logon was attempted using explicit credentials"} + } + } + else if [logx][wineventlog][event_id] == 4649 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A replay attack was detected"} + } + } + else if [logx][wineventlog][event_id] == 4650 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An IPsec Main Mode security association was established"} + } + } + else if [logx][wineventlog][event_id] == 4651 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An IPsec Main Mode security association was established"} + } + } + else if [logx][wineventlog][event_id] == 4652 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An IPsec Main Mode negotiation failed"} + } + } + else if [logx][wineventlog][event_id] == 4653 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An IPsec Main Mode negotiation failed"} + } + } + else if [logx][wineventlog][event_id] == 4654 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An IPsec Quick Mode negotiation failed"} + } + } + else if [logx][wineventlog][event_id] == 4655 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An IPsec Main Mode security association ended"} + 
} + } + else if [logx][wineventlog][event_id] == 4656 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A handle to an object was requested"} + } + } + else if [logx][wineventlog][event_id] == 4657 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A registry value was modified"} + } + } + else if [logx][wineventlog][event_id] == 4658 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The handle to an object was closed"} + } + } + else if [logx][wineventlog][event_id] == 4659 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A handle to an object was requested with intent to delete"} + } + } + else if [logx][wineventlog][event_id] == 4660 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An object was deleted"} + } + } + else if [logx][wineventlog][event_id] == 4661 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A handle to an object was requested"} + } + } + else if [logx][wineventlog][event_id] == 4662 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An operation was performed on an object"} + } + } + else if [logx][wineventlog][event_id] == 4663 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An attempt was made to access an object"} + } + } + else if [logx][wineventlog][event_id] == 4664 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An attempt was made to create a hard link"} + } + } + else if [logx][wineventlog][event_id] == 4665 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An attempt was made to create an application client context."} + } + } + else if [logx][wineventlog][event_id] == 4666 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An application attempted an operation"} + } + } + else if [logx][wineventlog][event_id] == 4667 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An application client context was deleted"} + } + } + else if 
[logx][wineventlog][event_id] == 4668 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An application was initialized"} + } + } + else if [logx][wineventlog][event_id] == 4670 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Permissions on an object were changed"} + } + } + else if [logx][wineventlog][event_id] == 4671 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An application attempted to access a blocked ordinal through the TBS"} + } + } + else if [logx][wineventlog][event_id] == 4672 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Special privileges assigned to new logon"} + } + } + else if [logx][wineventlog][event_id] == 4673 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A privileged service was called"} + } + } + else if [logx][wineventlog][event_id] == 4674 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An operation was attempted on a privileged object"} + } + } + else if [logx][wineventlog][event_id] == 4675 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "SIDs were filtered"} + } + } + else if [logx][wineventlog][event_id] == 4688 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A new process has been created"} + } + } + else if [logx][wineventlog][event_id] == 4689 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A process has exited"} + } + } + else if [logx][wineventlog][event_id] == 4690 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An attempt was made to duplicate a handle to an object"} + } + } + else if [logx][wineventlog][event_id] == 4691 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Indirect access to an object was requested"} + } + } + else if [logx][wineventlog][event_id] == 4692 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Backup of data protection master key was attempted"} + } + } + else if 
[logx][wineventlog][event_id] == 4693 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Recovery of data protection master key was attempted"} + } + } + else if [logx][wineventlog][event_id] == 4694 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Protection of auditable protected data was attempted"} + } + } + else if [logx][wineventlog][event_id] == 4695 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Unprotection of auditable protected data was attempted"} + } + } + else if [logx][wineventlog][event_id] == 4696 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A primary token was assigned to process"} + } + } + else if [logx][wineventlog][event_id] == 4697 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A service was installed in the system"} + } + } + else if [logx][wineventlog][event_id] == 4698 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A scheduled task was created"} + } + } + else if [logx][wineventlog][event_id] == 4699 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A scheduled task was deleted"} + } + } + else if [logx][wineventlog][event_id] == 4700 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A scheduled task was enabled"} + } + } + else if [logx][wineventlog][event_id] == 4701 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A scheduled task was disabled"} + } + } + else if [logx][wineventlog][event_id] == 4702 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A scheduled task was updated"} + } + } + else if [logx][wineventlog][event_id] == 4703 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A token right was adjusted"} + } + } + else if [logx][wineventlog][event_id] == 4704 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A user right was assigned"} + } + } + else if [logx][wineventlog][event_id] == 4705 { + mutate { + 
add_field => {"[logx][wineventlog][event_name]" => "A user right was removed"} + } + } + else if [logx][wineventlog][event_id] == 4706 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A new trust was created to a domain"} + } + } + else if [logx][wineventlog][event_id] == 4707 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A trust to a domain was removed"} + } + } + else if [logx][wineventlog][event_id] == 4709 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "IPsec Services was started"} + } + } + else if [logx][wineventlog][event_id] == 4710 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "IPsec Services was disabled"} + } + } + else if [logx][wineventlog][event_id] == 4711 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine (1%)"} + } + } + else if [logx][wineventlog][event_id] == 4712 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "IPsec Services encountered a potentially serious failure"} + } + } + else if [logx][wineventlog][event_id] == 4713 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Kerberos policy was changed"} + } + } + else if [logx][wineventlog][event_id] == 4714 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Encrypted data recovery policy was changed"} + } + } + else if [logx][wineventlog][event_id] == 4715 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The audit policy (SACL) on an object was changed"} + } + } + else if [logx][wineventlog][event_id] == 4716 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Trusted domain information was modified"} + } + } + else if [logx][wineventlog][event_id] == 4717 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "System security access was granted to an account"} + } + } + else if [logx][wineventlog][event_id] == 4718 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "System 
security access was removed from an account"} + } + } + else if [logx][wineventlog][event_id] == 4719 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "System audit policy was changed"} + } + } + else if [logx][wineventlog][event_id] == 4720 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A user account was created"} + } + } + else if [logx][wineventlog][event_id] == 4722 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A user account was enabled"} + } + } + else if [logx][wineventlog][event_id] == 4723 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An attempt was made to change an account''s password"} + } + } + else if [logx][wineventlog][event_id] == 4724 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An attempt was made to reset an accounts password"} + } + } + else if [logx][wineventlog][event_id] == 4725 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A user account was disabled"} + } + } + else if [logx][wineventlog][event_id] == 4726 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A user account was deleted"} + } + } + else if [logx][wineventlog][event_id] == 4727 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A security-enabled global group was created"} + } + } + else if [logx][wineventlog][event_id] == 4728 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A member was added to a security-enabled global group"} + } + } + else if [logx][wineventlog][event_id] == 4729 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A member was removed from a security-enabled global group"} + } + } + else if [logx][wineventlog][event_id] == 4730 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A security-enabled global group was deleted"} + } + } + else if [logx][wineventlog][event_id] == 4731 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A 
security-enabled local group was created"} + } + } + else if [logx][wineventlog][event_id] == 4732 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A member was added to a security-enabled local group"} + } + } + else if [logx][wineventlog][event_id] == 4733 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A member was removed from a security-enabled local group"} + } + } + else if [logx][wineventlog][event_id] == 4734 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A security-enabled local group was deleted"} + } + } + else if [logx][wineventlog][event_id] == 4735 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A security-enabled local group was changed"} + } + } + else if [logx][wineventlog][event_id] == 4737 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A security-enabled global group was changed"} + } + } + else if [logx][wineventlog][event_id] == 4738 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A user account was changed"} + } + } + else if [logx][wineventlog][event_id] == 4739 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Domain Policy was changed"} + } + } + else if [logx][wineventlog][event_id] == 4740 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A user account was locked out"} + } + } + else if [logx][wineventlog][event_id] == 4741 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A computer account was created"} + } + } + else if [logx][wineventlog][event_id] == 4742 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A computer account was changed"} + } + } + else if [logx][wineventlog][event_id] == 4743 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A computer account was deleted"} + } + } + else if [logx][wineventlog][event_id] == 4744 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A security-disabled local group was 
created"} + } + } + else if [logx][wineventlog][event_id] == 4745 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A security-disabled local group was changed"} + } + } + else if [logx][wineventlog][event_id] == 4746 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A member was added to a security-disabled local group"} + } + } + else if [logx][wineventlog][event_id] == 4747 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A member was removed from a security-disabled local group"} + } + } + else if [logx][wineventlog][event_id] == 4748 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A security-disabled local group was deleted"} + } + } + else if [logx][wineventlog][event_id] == 4749 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A security-disabled global group was created"} + } + } + else if [logx][wineventlog][event_id] == 4750 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A security-disabled global group was changed"} + } + } + else if [logx][wineventlog][event_id] == 4751 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A member was added to a security-disabled global group"} + } + } + else if [logx][wineventlog][event_id] == 4752 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A member was removed from a security-disabled global group"} + } + } + else if [logx][wineventlog][event_id] == 4753 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A security-disabled global group was deleted"} + } + } + else if [logx][wineventlog][event_id] == 4754 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A security-enabled universal group was created"} + } + } + else if [logx][wineventlog][event_id] == 4755 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A security-enabled universal group was changed"} + } + } + else if [logx][wineventlog][event_id] == 4756 { + mutate { + 
add_field => {"[logx][wineventlog][event_name]" => "A member was added to a security-enabled universal group"} + } + } + else if [logx][wineventlog][event_id] == 4757 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A member was removed from a security-enabled universal group"} + } + } + else if [logx][wineventlog][event_id] == 4758 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A security-enabled universal group was deleted"} + } + } + else if [logx][wineventlog][event_id] == 4759 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A security-disabled universal group was created"} + } + } + else if [logx][wineventlog][event_id] == 4760 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A security-disabled universal group was changed"} + } + } + else if [logx][wineventlog][event_id] == 4761 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A member was added to a security-disabled universal group"} + } + } + else if [logx][wineventlog][event_id] == 4762 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A member was removed from a security-disabled universal group"} + } + } + else if [logx][wineventlog][event_id] == 4763 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A security-disabled universal group was deleted"} + } + } + else if [logx][wineventlog][event_id] == 4764 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A groups type was changed"} + } + } + else if [logx][wineventlog][event_id] == 4765 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "SID History was added to an account"} + } + } + else if [logx][wineventlog][event_id] == 4766 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An attempt to add SID History to an account failed"} + } + } + else if [logx][wineventlog][event_id] == 4767 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A user account was unlocked"} 
+ } + } + else if [logx][wineventlog][event_id] == 4768 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A Kerberos authentication ticket (TGT) was requested"} + } + } + else if [logx][wineventlog][event_id] == 4769 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A Kerberos service ticket was requested"} + } + } + else if [logx][wineventlog][event_id] == 4770 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A Kerberos service ticket was renewed"} + } + } + else if [logx][wineventlog][event_id] == 4771 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Kerberos pre-authentication failed"} + } + } + else if [logx][wineventlog][event_id] == 4772 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A Kerberos authentication ticket request failed"} + } + } + else if [logx][wineventlog][event_id] == 4773 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A Kerberos service ticket request failed"} + } + } + else if [logx][wineventlog][event_id] == 4774 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An account was mapped for logon"} + } + } + else if [logx][wineventlog][event_id] == 4775 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An account could not be mapped for logon"} + } + } + else if [logx][wineventlog][event_id] == 4776 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The domain controller attempted to validate the credentials for an account"} + } + } + else if [logx][wineventlog][event_id] == 4777 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The domain controller failed to validate the credentials for an account"} + } + } + else if [logx][wineventlog][event_id] == 4778 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A session was reconnected to a Window Station"} + } + } + else if [logx][wineventlog][event_id] == 4779 { + mutate { + add_field => 
{"[logx][wineventlog][event_name]" => "A session was disconnected from a Window Station"} + } + } + else if [logx][wineventlog][event_id] == 4780 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The ACL was set on accounts which are members of administrators groups"} + } + } + else if [logx][wineventlog][event_id] == 4781 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The name of an account was changed"} + } + } + else if [logx][wineventlog][event_id] == 4782 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The password hash an account was accessed"} + } + } + else if [logx][wineventlog][event_id] == 4783 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A basic application group was created"} + } + } + else if [logx][wineventlog][event_id] == 4784 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A basic application group was changed"} + } + } + else if [logx][wineventlog][event_id] == 4785 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A member was added to a basic application group"} + } + } + else if [logx][wineventlog][event_id] == 4786 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A member was removed from a basic application group"} + } + } + else if [logx][wineventlog][event_id] == 4787 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A non-member was added to a basic application group"} + } + } + else if [logx][wineventlog][event_id] == 4788 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A non-member was removed from a basic application group."} + } + } + else if [logx][wineventlog][event_id] == 4789 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A basic application group was deleted"} + } + } + else if [logx][wineventlog][event_id] == 4790 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An LDAP query group was created"} + } + } + else if 
[logx][wineventlog][event_id] == 4791 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A basic application group was changed"} + } + } + else if [logx][wineventlog][event_id] == 4792 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An LDAP query group was deleted"} + } + } + else if [logx][wineventlog][event_id] == 4793 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The Password Policy Checking API was called"} + } + } + else if [logx][wineventlog][event_id] == 4794 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An attempt was made to set the Directory Services Restore Mode administrator password"} + } + } + else if [logx][wineventlog][event_id] == 4797 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An attempt was made to query the existence of a blank password for an account"} + } + } + else if [logx][wineventlog][event_id] == 4798 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A user''s local group membership was enumerated."} + } + } + else if [logx][wineventlog][event_id] == 4799 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A security-enabled local group membership was enumerated"} + } + } + else if [logx][wineventlog][event_id] == 4800 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The workstation was locked"} + } + } + else if [logx][wineventlog][event_id] == 4801 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The workstation was unlocked"} + } + } + else if [logx][wineventlog][event_id] == 4802 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The screen saver was invoked"} + } + } + else if [logx][wineventlog][event_id] == 4803 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The screen saver was dismissed"} + } + } + else if [logx][wineventlog][event_id] == 4816 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "RPC detected an 
integrity violation while decrypting an incoming message"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4817 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Auditing settings on object were changed."}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4818 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4819 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Central Access Policies on the machine have been changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4820 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4821 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A Kerberos service ticket was denied because the user: device: or both does not meet the access control restrictions"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4822 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "NTLM authentication failed because the account was a member of the Protected User group"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4823 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "NTLM authentication failed because access control restrictions are required"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4824 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4825 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A user was denied the access to Remote Desktop. By default: users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4826 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Boot Configuration Data loaded"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4830 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "SID History was removed from an account"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4864 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A namespace collision was detected"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4865 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A trusted forest information entry was added"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4866 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A trusted forest information entry was removed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4867 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A trusted forest information entry was modified"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4868 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The certificate manager denied a pending certificate request"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4869 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services received a resubmitted certificate request"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4870 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services revoked a certificate"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4871 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services received a request to publish the certificate revocation list (CRL)"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4872 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services published the certificate revocation list (CRL)"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4873 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A certificate request extension changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4874 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "One or more certificate request attributes changed."}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4875 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services received a request to shut down"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4876 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services backup started"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4877 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services backup completed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4878 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services restore started"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4879 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services restore completed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4880 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services started"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4881 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services stopped"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4882 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The security permissions for Certificate Services changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4883 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services retrieved an archived key"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4884 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services imported a certificate into its database"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4885 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The audit filter for Certificate Services changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4886 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services received a certificate request"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4887 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services approved a certificate request and issued a certificate"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4888 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services denied a certificate request"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4889 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services set the status of a certificate request to pending"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4890 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The certificate manager settings for Certificate Services changed."}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4891 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A configuration entry changed in Certificate Services"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4892 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A property of Certificate Services changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4893 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services archived a key"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4894 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services imported and archived a key"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4895 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services published the CA certificate to Active Directory Domain Services"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4896 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "One or more rows have been deleted from the certificate database"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4897 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Role separation enabled"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4898 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services loaded a template"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4899 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A Certificate Services template was updated"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4900 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Certificate Services template security was updated"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4902 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The Per-user audit policy table was created"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4904 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An attempt was made to register a security event source"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4905 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An attempt was made to unregister a security event source"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4906 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The CrashOnAuditFail value has changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4907 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Auditing settings on object were changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4908 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Special Groups Logon table modified"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4909 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The local policy settings for the TBS were changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4910 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The group policy settings for the TBS were changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4911 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Resource attributes of the object were changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4912 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Per User Audit Policy was changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4913 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Central Access Policy on the object was changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4928 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An Active Directory replica source naming context was established"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4929 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An Active Directory replica source naming context was removed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4930 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An Active Directory replica source naming context was modified"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4931 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An Active Directory replica destination naming context was modified"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4932 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Synchronization of a replica of an Active Directory naming context has begun"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4933 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Synchronization of a replica of an Active Directory naming context has ended"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4934 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Attributes of an Active Directory object were replicated"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4935 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Replication failure begins"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4936 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Replication failure ends"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4937 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A lingering object was removed from a replica"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4944 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The following policy was active when the Windows Firewall started"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4945 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A rule was listed when the Windows Firewall started"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4946 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A change has been made to Windows Firewall exception list. A rule was added"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4947 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A change has been made to Windows Firewall exception list. A rule was modified"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4948 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A change has been made to Windows Firewall exception list. A rule was deleted"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4949 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Windows Firewall settings were restored to the default values"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4950 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A Windows Firewall setting has changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4951 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A rule has been ignored because its major version number was not recognized by Windows Firewall"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4952 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4953 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A rule has been ignored by Windows Firewall because it could not parse the rule"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4954 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Windows Firewall Group Policy settings has changed. The new settings have been applied"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4956 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Windows Firewall has changed the active profile"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4957 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Windows Firewall did not apply the following rule"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4958 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4960 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "IPsec dropped an inbound packet that failed an integrity check"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4961 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "IPsec dropped an inbound packet that failed a replay check"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4962 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "IPsec dropped an inbound packet that failed a replay check"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4963 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "IPsec dropped an inbound clear text packet that should have been secured"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4964 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Special groups have been assigned to a new logon"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4965 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI)."}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4976 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "During Main Mode negotiation: IPsec received an invalid negotiation packet."}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4977 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "During Quick Mode negotiation: IPsec received an invalid negotiation packet."}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4978 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "During Extended Mode negotiation: IPsec received an invalid negotiation packet."}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4979 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "IPsec Main Mode and Extended Mode security associations were established."}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4980 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "IPsec Main Mode and Extended Mode security associations were established"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4981 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "IPsec Main Mode and Extended Mode security associations were established"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4982 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "IPsec Main Mode and Extended Mode security associations were established"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4983 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An IPsec Extended Mode negotiation failed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4984 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An IPsec Extended Mode negotiation failed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 4985 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The state of a transaction has changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5024 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The Windows Firewall Service has started successfully"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5025 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The Windows Firewall Service has been stopped"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5027 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The Windows Firewall Service was unable to retrieve the security policy from the local storage"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5028 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The Windows Firewall Service was unable to parse the new security policy."}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5029 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The Windows Firewall Service failed to initialize the driver"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5030 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The Windows Firewall Service failed to start"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5031 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The Windows Firewall Service blocked an application from accepting incoming connections on the network."}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5032 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5033 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The Windows Firewall Driver has started successfully"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5034 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The Windows Firewall Driver has been stopped"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5035 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The Windows Firewall Driver failed to start"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5037 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The Windows Firewall Driver detected critical runtime error. Terminating"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5038 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Code integrity determined that the image hash of a file is not valid"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5039 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A registry key was virtualized."}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5040 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A change has been made to IPsec settings. An Authentication Set was added."}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5041 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A change has been made to IPsec settings. An Authentication Set was modified"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5042 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A change has been made to IPsec settings. An Authentication Set was deleted"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5043 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A change has been made to IPsec settings. A Connection Security Rule was added"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5044 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A change has been made to IPsec settings. A Connection Security Rule was modified"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5045 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A change has been made to IPsec settings. A Connection Security Rule was deleted"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5046 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A change has been made to IPsec settings. A Crypto Set was added"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5047 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A change has been made to IPsec settings. A Crypto Set was modified"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5048 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A change has been made to IPsec settings. A Crypto Set was deleted"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5049 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An IPsec Security Association was deleted"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5050 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An attempt to programmatically disable the Windows Firewall using a call to INetFwProfile.FirewallEnabled(FALSE)"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5051 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A file was virtualized"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5056 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A cryptographic self test was performed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5057 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A cryptographic primitive operation failed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5058 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Key file operation"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5059 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Key migration operation"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5060 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Verification operation failed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5061 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Cryptographic operation"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5062 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A kernel-mode cryptographic self test was performed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5063 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A cryptographic provider operation was attempted"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5064 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A cryptographic context operation was attempted"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5065 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A cryptographic context modification was attempted"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5066 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A cryptographic function operation was attempted"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5067 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A cryptographic function modification was attempted"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5068 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A cryptographic function provider operation was attempted"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5069 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A cryptographic function property operation was attempted"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5070 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A cryptographic function property operation was attempted"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5071 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Key access denied by Microsoft key distribution service"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5120 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "OCSP Responder Service Started"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5121 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "OCSP Responder Service Stopped"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5122 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A Configuration entry changed in the OCSP Responder Service"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5123 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A configuration entry changed in the OCSP Responder Service"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5124 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A security setting was updated on OCSP Responder Service"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5125 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A request was submitted to OCSP Responder Service"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5126 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Signing Certificate was automatically updated by the OCSP Responder Service"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5127 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The OCSP Revocation Provider successfully updated the revocation information"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5136 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A directory service object was modified"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5137 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A directory service object was created"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5138 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A directory service object was undeleted"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5139 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A directory service object was moved"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5140 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A network share object was accessed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5141 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A directory service object was deleted"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5142 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A network share object was added."}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5143 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A network share object was modified"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5144 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A network share object was deleted."}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5145 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A network share object was checked to see whether client can be granted desired access"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5146 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The Windows Filtering Platform has blocked a packet"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5147 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A more restrictive Windows Filtering Platform filter has blocked a packet"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5148 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded."}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5149 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The DoS attack has subsided and normal processing is being resumed."}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5150 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The Windows Filtering Platform has blocked a packet."}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5151 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A more restrictive Windows Filtering Platform filter has blocked a packet."}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5152 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The Windows Filtering Platform blocked a packet"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5153 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A more restrictive Windows Filtering Platform filter has blocked a packet"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5154 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5155 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5156 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The Windows Filtering Platform has allowed a connection"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5157 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The Windows Filtering Platform has blocked a connection"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5158 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The Windows Filtering Platform has permitted a bind to a local port"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5159 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The Windows Filtering Platform has blocked a bind to a local port"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5168 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Spn check for SMB/SMB2 fails."}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5169 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A directory service object was modified"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5170 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A directory service object was modified during a background cleanup task"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5376 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Credential Manager credentials were backed up"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5377 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Credential Manager credentials were restored from a backup"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5378 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The requested credentials delegation was disallowed by policy"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5379 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Credential Manager credentials were read"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5380 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Vault Find Credential"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5381 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Vault credentials were read"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5382 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "Vault credentials were read"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5440 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The following callout was present when the Windows Filtering Platform Base Filtering Engine started"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5441 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The following filter was present when the Windows Filtering Platform Base Filtering Engine started"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5442 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The following provider was present when the Windows Filtering Platform Base Filtering Engine started"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5443 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The following provider context was present when the Windows Filtering Platform Base Filtering Engine started"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5444 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5446 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A Windows Filtering Platform callout has been changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5447 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A Windows Filtering Platform filter has been changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5448 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A Windows Filtering Platform provider has been changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5449 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A Windows Filtering Platform provider context has been changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5450 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "A Windows Filtering Platform sub-layer has been changed"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5451 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An IPsec Quick Mode security association was established"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5452 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An IPsec Quick Mode security association ended"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5453 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5456 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine applied Active Directory storage IPsec policy on the computer"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5457 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine failed to apply Active Directory storage IPsec policy on the computer"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5458 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5459 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5460 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine applied local registry storage IPsec policy on the computer"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5461 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine failed to apply local registry storage IPsec policy on the computer"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5462 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine failed to apply some rules of the active IPsec policy on the computer"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5463 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine polled for changes to the active IPsec policy and detected no changes"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5464 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine polled for changes to the active IPsec policy: detected changes: and applied them to IPsec Services"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5465 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5466 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine polled for changes to the Active Directory IPsec policy: determined that Active Directory cannot be reached: and will use the cached copy of the Active Directory IPsec policy instead"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5467 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine polled for changes to the Active Directory IPsec policy: determined that Active Directory can be reached: and found no changes to the policy"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5468 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine polled for changes to the Active Directory IPsec policy: determined that Active Directory can be reached: found changes to the policy: and applied those changes"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5471 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine loaded local storage IPsec policy on the computer"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5472 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine failed to load local storage IPsec policy on the computer"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5473 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine loaded directory storage IPsec policy on the computer"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5474 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine failed to load directory storage IPsec policy on the computer"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5477 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine failed to add quick mode filter"}
+ }
+ }
+ else if [logx][wineventlog][event_id] == 5478 {
+ mutate {
+ add_field => {"[logx][wineventlog][event_name]" => "IPsec Services has started 
successfully"} + } + } + else if [logx][wineventlog][event_id] == 5479 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "IPsec Services has been shut down successfully"} + } + } + else if [logx][wineventlog][event_id] == 5480 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "IPsec Services failed to get the complete list of network interfaces on the computer"} + } + } + else if [logx][wineventlog][event_id] == 5483 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "IPsec Services failed to initialize RPC server. IPsec Services could not be started"} + } + } + else if [logx][wineventlog][event_id] == 5484 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "IPsec Services has experienced a critical failure and has been shut down"} + } + } + else if [logx][wineventlog][event_id] == 5485 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces"} + } + } + else if [logx][wineventlog][event_id] == 5632 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A request was made to authenticate to a wireless network"} + } + } + else if [logx][wineventlog][event_id] == 5633 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A request was made to authenticate to a wired network"} + } + } + else if [logx][wineventlog][event_id] == 5712 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A Remote Procedure Call (RPC) was attempted"} + } + } + else if [logx][wineventlog][event_id] == 5888 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An object in the COM+ Catalog was modified"} + } + } + else if [logx][wineventlog][event_id] == 5889 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "An object was deleted from the COM+ Catalog"} + } + } + else if [logx][wineventlog][event_id] == 5890 { + mutate { + add_field => 
{"[logx][wineventlog][event_name]" => "An object was added to the COM+ Catalog"} + } + } + else if [logx][wineventlog][event_id] == 6144 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Security policy in the group policy objects has been applied successfully"} + } + } + else if [logx][wineventlog][event_id] == 6145 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "One or more errors occured while processing security policy in the group policy objects"} + } + } + else if [logx][wineventlog][event_id] == 6272 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Network Policy Server granted access to a user"} + } + } + else if [logx][wineventlog][event_id] == 6273 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Network Policy Server denied access to a user"} + } + } + else if [logx][wineventlog][event_id] == 6274 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Network Policy Server discarded the request for a user"} + } + } + else if [logx][wineventlog][event_id] == 6275 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Network Policy Server discarded the accounting request for a user"} + } + } + else if [logx][wineventlog][event_id] == 6276 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Network Policy Server quarantined a user"} + } + } + else if [logx][wineventlog][event_id] == 6277 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy"} + } + } + else if [logx][wineventlog][event_id] == 6278 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Network Policy Server granted full access to a user because the host met the defined health policy"} + } + } + else if [logx][wineventlog][event_id] == 6279 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Network Policy Server 
locked the user account due to repeated failed authentication attempts"} + } + } + else if [logx][wineventlog][event_id] == 6280 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Network Policy Server unlocked the user account"} + } + } + else if [logx][wineventlog][event_id] == 6281 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Code Integrity determined that the page hashes of an image file are not valid..."} + } + } + else if [logx][wineventlog][event_id] == 6400 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "BranchCache: Received an incorrectly formatted response while discovering availability of content."} + } + } + else if [logx][wineventlog][event_id] == 6401 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "BranchCache: Received invalid data from a peer. Data discarded."} + } + } + else if [logx][wineventlog][event_id] == 6402 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "BranchCache: The message to the hosted cache offering it data is incorrectly formatted."} + } + } + else if [logx][wineventlog][event_id] == 6403 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "BranchCache: The hosted cache sent an incorrectly formatted response to the client''s message to offer it data."} + } + } + else if [logx][wineventlog][event_id] == 6404 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate."} + } + } + else if [logx][wineventlog][event_id] == 6405 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "BranchCache: %2 instance(s) of event id %1 occurred."} + } + } + else if [logx][wineventlog][event_id] == 6406 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "%1 registered to Windows Firewall to control filtering for the following:"} + } + } + else if [logx][wineventlog][event_id] == 6408 { + mutate { + add_field => 
{"[logx][wineventlog][event_name]" => "Registered product %1 failed and Windows Firewall is now controlling the filtering for %2."} + } + } + else if [logx][wineventlog][event_id] == 6409 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "BranchCache: A service connection point object could not be parsed"} + } + } + else if [logx][wineventlog][event_id] == 6410 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Code integrity determined that a file does not meet the security requirements to load into a process. This could be due to the use of shared sections or other issues"} + } + } + else if [logx][wineventlog][event_id] == 6416 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A new external device was recognized by the system."} + } + } + else if [logx][wineventlog][event_id] == 6417 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The FIPS mode crypto selftests succeeded"} + } + } + else if [logx][wineventlog][event_id] == 6418 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The FIPS mode crypto selftests failed"} + } + } + else if [logx][wineventlog][event_id] == 6419 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A request was made to disable a device"} + } + } + else if [logx][wineventlog][event_id] == 6420 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A device was disabled"} + } + } + else if [logx][wineventlog][event_id] == 6421 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A request was made to enable a device"} + } + } + else if [logx][wineventlog][event_id] == 6422 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "A device was enabled"} + } + } + else if [logx][wineventlog][event_id] == 6423 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "The installation of this device is forbidden by system policy"} + } + } + else if [logx][wineventlog][event_id] == 6424 { + mutate { + 
add_field => {"[logx][wineventlog][event_name]" => "The installation of this device was allowed: after having previously been forbidden by policy"} + } + } + else if [logx][wineventlog][event_id] == 8191 { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "Highest System-Defined Audit Message Value"} + } + } + else { + mutate { + add_field => {"[logx][wineventlog][event_name]" => "None"} + } + } + + if [logx][wineventlog][event_id] == 4663 { + if [logx][wineventlog][event_data][AccessMask]{ + if [logx][wineventlog][event_data][AccessMask] == "0x1" { + mutate { + add_field => {"[logx][wineventlog][access_type]" => "read"} + add_field => {"[logx][wineventlog][access_description]" => "For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.\n For a directory, the right to list the contents of the directory.\n For registry objects, this is, Query key value."} + } + } + else if [logx][wineventlog][event_data][AccessMask] == "0x2" { + mutate { + add_field => {"[logx][wineventlog][access_type]" => "write"} + add_field => {"[logx][wineventlog][access_description]" => "For a file object, the right to write data to the file.\n For a directory object, the right to create a file in the directory.\n For registry objects, this is, Set key value."} + } + } + else if [logx][wineventlog][event_data][AccessMask] == "0x4" { + mutate { + add_field => {"[logx][wineventlog][access_type]" => "append"} + add_field => {"[logx][wineventlog][access_description]" => "For a file object, the right to append data to the file. 
(For local files, write operations will not overwrite existing data if this flag is specified without FILE_WRITE_DATA.)\n For a directory object, the right to create a subdirectory.\n For a named pipe, the right to create a pipe."} + } + } + else if [logx][wineventlog][event_data][AccessMask] == "0x8" { + mutate { + add_field => {"[logx][wineventlog][access_type]" => "read_extended_attributes"} + add_field => {"[logx][wineventlog][access_description]" => "The right to read extended file attributes.\n For registry objects, this is, Enumerate sub-keys."} + } + } + else if [logx][wineventlog][event_data][AccessMask] == "0x10" { + mutate { + add_field => {"[logx][wineventlog][access_type]" => "write_extended_attributes"} + add_field => {"[logx][wineventlog][access_description]" => "The right to write extended file attributes."} + } + } + else if [logx][wineventlog][event_data][AccessMask] == "0x20" { + mutate { + add_field => {"[logx][wineventlog][access_type]" => "execute"} + add_field => {"[logx][wineventlog][access_description]" => "For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.\n For a directory, the right to traverse the directory. 
By default, users are assigned the BYPASS_TRAVERSE_CHECKING privilege, which ignores the FILE_TRAVERSE access right."} + } + } + else if [logx][wineventlog][event_data][AccessMask] == "0x40" { + mutate { + add_field => {"[logx][wineventlog][access_type]" => "delete_child"} + add_field => {"[logx][wineventlog][access_description]" => "For a directory, the right to delete a directory and all the files it contains, including read-only files."} + } + } + else if [logx][wineventlog][event_data][AccessMask] == "0x80" { + mutate { + add_field => {"[logx][wineventlog][access_type]" => "read_attributes"} + add_field => {"[logx][wineventlog][access_description]" => "The right to read file attributes."} + } + } + else if [logx][wineventlog][event_data][AccessMask] == "0x100" { + mutate { + add_field => {"[logx][wineventlog][access_type]" => "write_attributes"} + add_field => {"[logx][wineventlog][access_description]" => "The right to write file attributes."} + } + } + else if [logx][wineventlog][event_data][AccessMask] == "0x10000" { + mutate { + add_field => {"[logx][wineventlog][access_type]" => "delete"} + add_field => {"[logx][wineventlog][access_description]" => "The right to delete the object."} + } + } + else if [logx][wineventlog][event_data][AccessMask] == "0x20000" { + mutate { + add_field => {"[logx][wineventlog][access_type]" => "read_control"} + add_field => {"[logx][wineventlog][access_description]" => "The right to read the information in the object''s security descriptor, not including the information in the system access control list (SACL)."} + } + } + else if [logx][wineventlog][event_data][AccessMask] == "0x40000" { + mutate { + add_field => {"[logx][wineventlog][access_type]" => "write_dac"} + add_field => {"[logx][wineventlog][access_description]" => "The right to modify the discretionary access control list (DACL) in the object''s security descriptor."} + } + } + else if [logx][wineventlog][event_data][AccessMask] == "0x80000" { + mutate { + add_field 
=> {"[logx][wineventlog][access_type]" => "write_owner"} + add_field => {"[logx][wineventlog][access_description]" => "The right to change the owner in the object''s security descriptor"} + } + } + else if [logx][wineventlog][event_data][AccessMask] == "0x100000" { + mutate { + add_field => {"[logx][wineventlog][access_type]" => "synchronize"} + add_field => {"[logx][wineventlog][access_description]" => "The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right."} + } + } + else if [logx][wineventlog][event_data][AccessMask] == "0x1000000" { + mutate { + add_field => {"[logx][wineventlog][access_type]" => "access_sys_sec"} + add_field => {"[logx][wineventlog][access_description]" => "The ACCESS_SYS_SEC access right controls the ability to get or set the SACL in an object''s security descriptor."} + } + } + } + } + if [logx][wineventlog][event_id] == 4625 { + if [logx][wineventlog][event_data][FailureReason] { + if [logx][wineventlog][event_data][FailureReason] == "%%2305" { + mutate { + add_field => {"[logx][wineventlog][event_data][FailureReasonDescription]" => "The specified user account has expired."} + } + } + else if [logx][wineventlog][event_data][FailureReason] == "%%2309" { + mutate { + add_field => {"[logx][wineventlog][event_data][FailureReasonDescription]" => "The specified account''s password has expired"} + } + } + else if [logx][wineventlog][event_data][FailureReason] == "%%2310" { + mutate { + add_field => {"[logx][wineventlog][event_data][FailureReasonDescription]" => "Account currently disabled"} + } + } + else if [logx][wineventlog][event_data][FailureReason] == "%%2311" { + mutate { + add_field => {"[logx][wineventlog][event_data][FailureReasonDescription]" => "Account logon time restriction violation"} + } + } + else if [logx][wineventlog][event_data][FailureReason] == "%%2312" { + mutate { + add_field => 
{"[logx][wineventlog][event_data][FailureReasonDescription]" => "User not allowed to logon at this computer"} + } + } + else if [logx][wineventlog][event_data][FailureReason] == "%%2313" { + mutate { + add_field => {"[logx][wineventlog][event_data][FailureReasonDescription]" => "Unknown user name or bad password"} + } + } + else if [logx][wineventlog][event_data][FailureReason] == "%%2304" { + mutate { + add_field => {"[logx][wineventlog][event_data][FailureReasonDescription]" => "An Error occurred during Logon"} + } + } + else { + mutate { + add_field => {"[logx][wineventlog][event_data][FailureReasonDescription]" => "None"} + } + } + } + if [logx][wineventlog][event_data][Status] { + if [logx][wineventlog][event_data][Status] == "0xC0000234" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Account locked out"} + } + } + else if [logx][wineventlog][event_data][Status] == "0xC0000193" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Account expired"} + } + } + else if [logx][wineventlog][event_data][Status] == "0xC0000133" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Clocks out of sync"} + } + } + else if [logx][wineventlog][event_data][Status] == "0xC0000224" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Password change required"} + } + } + else if [logx][wineventlog][event_data][Status] == "0xc000015b" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "User does not have logon right"} + } + } + else if [logx][wineventlog][event_data][Status] == "0xc000006d" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Logon failure"} + } + } + else if [logx][wineventlog][event_data][Status] == "0xc000006e" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Account restriction"} + } + } + else if 
[logx][wineventlog][event_data][Status] == "0xc00002ee" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "An error occurred during logon"} + } + } + else if [logx][wineventlog][event_data][Status] == "0xC0000071" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Password expired"} + } + } + else if [logx][wineventlog][event_data][Status] == "0xC0000072" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Account disabled"} + } + } + else if [logx][wineventlog][event_data][Status] == "0xC0000413" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Authentication firewall prohibits logon"} + } + } + else { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "None"} + } + } + } + if [logx][wineventlog][event_data][SubStatus] { + if [logx][wineventlog][event_data][SubStatus] == "0xC0000234" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Account locked out"} + } + } + else if [logx][wineventlog][event_data][SubStatus] == "0xC0000193" { + mutate { + add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "Account expired"} + } + } + else if [logx][wineventlog][event_data][SubStatus] == "0xC0000133" { + mutate { + add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "Clocks out of sync"} + } + } + else if [logx][wineventlog][event_data][SubStatus] == "0xC0000224" { + mutate { + add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "Password change required"} + } + } + else if [logx][wineventlog][event_data][SubStatus] == "0xc000015b" { + mutate { + add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "User does not have logon right"} + } + } + else if [logx][wineventlog][event_data][SubStatus] == "0xc000006d" { + mutate { + add_field => 
{"[logx][wineventlog][event_data][SubStatusDescription]" => "Logon failure"} + } + } + else if [logx][wineventlog][event_data][SubStatus] == "0xc000006e" { + mutate { + add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "Account restriction"} + } + } + else if [logx][wineventlog][event_data][SubStatus] == "0xc00002ee" { + mutate { + add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "An error occurred during logon"} + } + } + else if [logx][wineventlog][event_data][SubStatus] == "0xC0000071" { + mutate { + add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "Password expired"} + } + } + else if [logx][wineventlog][event_data][SubStatus] == "0xC0000072" { + mutate { + add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "Account disabled"} + } + } + else if [logx][wineventlog][event_data][SubStatus] == "0xC0000413" { + mutate { + add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "Authentication firewall prohibits logon"} + } + } + else if [logx][wineventlog][event_data][SubStatus] == "0xc000006a" { + mutate { + add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "Incorrect password"} + } + } + else if [logx][wineventlog][event_data][SubStatus] == "0xc0000064" { + mutate { + add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "Account does not exist"} + } + } + else { + mutate { + add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "None"} + } + } + } + } + if [logx][wineventlog][event_id] == 4771 { + if [logx][wineventlog][event_data][Status] { + if [logx][wineventlog][event_data][Status] == "0x1" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Client''s entry in database has expired"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x2" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Server''s entry in 
database has expired"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x3" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Requested protocol version not supported"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x4" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Client''s key encrypted in old master key"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x5" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Server''s key encrypted in old master key"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x6" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Client not found in Kerberos database"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x7" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Server not found in Kerberos database"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x8" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Multiple principal entries in database"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x9" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "The client or server has a null key"} + } + } + else if [logx][wineventlog][event_data][Status] == "0xA" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Ticket not eligible for postdating"} + } + } + else if [logx][wineventlog][event_data][Status] == "0xB" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Requested start time is later than end time"} + } + } + else if [logx][wineventlog][event_data][Status] == "0xC" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "KDC policy rejects request"} + } + } + else if 
[logx][wineventlog][event_data][Status] == "0xD" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "KDC cannot accommodate requested option"} + } + } + else if [logx][wineventlog][event_data][Status] == "0xE" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "KDC has no support for encryption type"} + } + } + else if [logx][wineventlog][event_data][Status] == "0xF" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "KDC has no support for checksum type"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x10" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "KDC has no support for padata type"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x11" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "KDC has no support for transited type"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x12" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Clients credentials have been revoked"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x13" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Credentials for server have been revoked"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x14" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "TGT has been revoked"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x15" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Client not yet valid - try again later"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x16" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Server not yet valid - try again later"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x17" { + mutate { + add_field 
=> {"[logx][wineventlog][event_data][StatusDescription]" => "Password has expired"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x18" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Pre-authentication information was invalid"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x19" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Additional pre-authentication required"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x1F" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Integrity check on decrypted field failed"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x20" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Ticket expired"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x21" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Ticket not yet valid"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x22" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Request is a replay"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x23" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "The ticket isn''t for us"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x24" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Ticket and authenticator don''t match"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x25" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Clock skew too great"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x26" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Incorrect net address"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x27" { 
+ mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Protocol version mismatch"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x28" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Invalid msg type"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x29" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Message stream modified"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x2A" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Message out of order"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x2C" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Specified version of key is not available"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x2D" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Service key not available"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x2E" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Mutual authentication failed"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x2F" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Incorrect message direction"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x30" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Alternative authentication method required"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x31" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Incorrect sequence number in message"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x32" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Inappropriate type of checksum in message"} + } + } + else if 
[logx][wineventlog][event_data][Status] == "0x3C" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Generic error (description in e-text)"} + } + } + else if [logx][wineventlog][event_data][Status] == "0x3D" { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Field is too long for this implementation"} + } + } + else { + mutate { + add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "None"} + } + } + } + } + } + } + #Also, remove unwanted fields if the message not match with conditions + mutate { + remove_field => ["headers","[logx][wineventlog][execution]"] + } +}' + WHERE id=701; + ]]> + + + \ No newline at end of file diff --git a/backend/src/main/resources/config/liquibase/master.xml b/backend/src/main/resources/config/liquibase/master.xml index c8468c2a7..37ee950fb 100644 --- a/backend/src/main/resources/config/liquibase/master.xml +++ b/backend/src/main/resources/config/liquibase/master.xml @@ -103,7 +103,6 @@ - + From 55066308d358d35a9a9f8a1d7dd72a0b33d95e9c Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Fri, 30 May 2025 17:15:45 -0500 Subject: [PATCH 55/56] fix: update wineventlog filter --- .../20250527001_update_filter_wineventlog.xml | 2839 ----------------- 1 file changed, 2839 deletions(-) delete mode 100644 backend/src/main/resources/config/liquibase/changelog/20250527001_update_filter_wineventlog.xml diff --git a/backend/src/main/resources/config/liquibase/changelog/20250527001_update_filter_wineventlog.xml b/backend/src/main/resources/config/liquibase/changelog/20250527001_update_filter_wineventlog.xml deleted file mode 100644 index 5f53f66c8..000000000 --- a/backend/src/main/resources/config/liquibase/changelog/20250527001_update_filter_wineventlog.xml +++ /dev/null 
@@ -1,2839 +0,0 @@ - - - - - - - "message" - terminator => "" - } - json { - source => "message" - } - - if [channel] { - mutate { - add_field => { "dataType" => "wineventlog" } - - rename => { - "channel" => "[logx][wineventlog][channel]" - "computer" => "dataSource" - "correlation" => "[logx][wineventlog][correlation]" - "data" => "[logx][wineventlog][event_data]" - "eventCode" => "[logx][wineventlog][event_id]" - "execution" => "[logx][wineventlog][execution]" - "keywords" => "[logx][wineventlog][keywords]" - "level" => "[logx][wineventlog][level]" - "opcode" => "[logx][wineventlog][opcode]" - "providerGuid" => "[logx][wineventlog][provider_guid]" - "providerName" => "[logx][wineventlog][provider_name]" - "recordId" => "[logx][wineventlog][record_id]" - "task" => "[logx][wineventlog][task]" - "timeCreated" => "[logx][wineventlog][time_created]" - "timestamp" => "[logx][wineventlog][timestamp]" - "version" => "[logx][wineventlog][version]" - } - } - - mutate { convert => { "[logx][wineventlog][event_id]" => "integer" }} - } - - if ([winlog][api] and [winlog][api] == "wineventlog") or ([type] and [type] == "wineventlog") { - - mutate { - add_field => { "dataType" => "wineventlog" } - - add_field => {"[global][type]" => "logx"} - remove_field => ["fileset"] - remove_field => ["fields"] - } - - #If winlogbeat is of old version - if [type] and [type] == "wineventlog"{ - mutate { - rename => { "[beat][name]" => "[dataSource]" } - rename => {"[type]" => "[logx][type]"} - - rename => {"[activity_id]" => "[logx][wineventlog][activity_id]"} - rename => {"[beat]" => "[logx][wineventlog][beat]"} - rename => {"[event_data]" => "[logx][wineventlog][event_data]"} - rename => {"[event_id]" => "[logx][wineventlog][event_id]"} - rename => {"[keywords]" => "[logx][wineventlog][keywords]"} - rename => {"[level]" => "[logx][wineventlog][level]"} - rename => {"[log]" => "[logx][wineventlog][log]"} - rename => {"[log_name]" => "[logx][wineventlog][log_name]"} - rename => {"[opcode]" 
=> "[logx][wineventlog][opcode]"} - rename => {"[process_id]" => "[logx][wineventlog][process_id]"} - rename => {"[provider_guid]" => "[logx][wineventlog][provider_guid]"} - rename => {"[record_number]" => "[logx][wineventlog][record_number]"} - rename => {"[source_name]" => "[logx][wineventlog][source_name]"} - rename => {"[task]" => "[logx][wineventlog][task]"} - rename => {"[thread_id]" => "[logx][wineventlog][thread_id]"} - rename => {"[user]" => "[logx][wineventlog][user]"} - rename => {"[user_data]" => "[logx][wineventlog][user_data]"} - rename => {"[version]" => "[logx][wineventlog][version]"} - - rename => {"[meta]" => "[logx][wineventlog][meta]"} - rename => {"[docker]" => "[logx][wineventlog][docker]"} - rename => {"[related_activity_id]" => "[logx][wineventlog][related_activity_id]"} - } - } - - #If winlogbeat is of version 8.5.1 - if [winlog][api] and [winlog][api] == "wineventlog"{ - mutate { - rename => { "[host][hostname]" => "[dataSource]" } - rename => {"[winlog][api]" => "[logx][type]"} - - rename => {"[winlog][activity_id]" => "[logx][wineventlog][activity_id]"} - rename => {"[event][timezone]" => "[logx][wineventlog][beat][timezone]"} - rename => {"[agent][name]" => "[logx][wineventlog][beat][hostname]"} - rename => {"[agent][version]" => "[logx][wineventlog][beat][version]"} - rename => {"[event][original]" => "[xml]"} - rename => {"[winlog][event_data]" => "[logx][wineventlog][event_data]"} - rename => {"[winlog][event_id]" => "[logx][wineventlog][event_id]"} - rename => {"[winlog][keywords]" => "[logx][wineventlog][keywords]"} - rename => {"[log][level]" => "[logx][wineventlog][level]"} - rename => {"[winlog][channel]" => "[logx][wineventlog][log_name]"} - rename => {"[winlog][opcode]" => "[logx][wineventlog][opcode]"} - rename => {"[winlog][process][pid]" => "[logx][wineventlog][process_id]"} - rename => {"[winlog][provider_guid]" => "[logx][wineventlog][provider_guid]"} - rename => {"[winlog][record_id]" => 
"[logx][wineventlog][record_number]"} - rename => {"[winlog][provider_name]" => "[logx][wineventlog][source_name]"} - rename => {"[winlog][task]" => "[logx][wineventlog][task]"} - rename => {"[winlog][process][thread][id]" => "[logx][wineventlog][thread_id]"} - rename => {"[winlog][user]" => "[logx][wineventlog][user]"} - rename => {"[winlog][user_data]" => "[logx][wineventlog][user_data]"} - rename => {"[winlog][version]" => "[logx][wineventlog][version]"} - - rename => {"[cloud]" => "[logx][wineventlog][meta][cloud]"} - rename => {"[container]" => "[logx][wineventlog][docker][container]"} - rename => {"[winlog][computer_name]" => "[computer_name]"} - rename => {"[winlog][related_activity_id]" => "[logx][wineventlog][related_activity_id]"} - rename => {"[ecs]" => "[logx][wineventlog][ecs]"} - rename => {"[winlog][computerObject]" => "[logx][wineventlog][computerObject]"} - rename => {"[winlog][time_created]" => "[logx][wineventlog][time_created]"} - rename => {"[winlog][trustAttribute]" => "[logx][wineventlog][trustAttribute]"} - rename => {"[winlog][trustDirection]" => "[logx][wineventlog][trustDirection]"} - rename => {"[winlog][trustType]" => "[logx][wineventlog][trustType]"} - } - - mutate { convert => { "[logx][wineventlog][event_id]" => "integer" }} - } - - mutate { - rename => {"[clienthost]" => "[logx][wineventlog][clienthost]"} - rename => {"[geoip]" => "[logx][wineventlog][geoip]"} - rename => {"[host]" => "[logx][wineventlog][host]"} - rename => {"[input]" => "[logx][wineventlog][input]"} - rename => {"[log_timestamp]" => "[logx][wineventlog][log_timestamp]"} - rename => {"[message]" => "[logx][wineventlog][message]"} - rename => {"[method]" => "[logx][wineventlog][method]"} - rename => {"[offset]" => "[logx][wineventlog][offset]"} - rename => {"[page]" => "[logx][wineventlog][page]"} - rename => {"[port]" => "[logx][wineventlog][port]"} - rename => {"[prospector]" => "[logx][wineventlog][prospector]"} - rename => {"[querystring]" => 
"[logx][wineventlog][querystring]"} - rename => {"[referer]" => "[logx][wineventlog][referer]"} - rename => {"[response]" => "[logx][wineventlog][response]"} - rename => {"[scstatus]" => "[logx][wineventlog][scstatus]"} - rename => {"[site]" => "[logx][wineventlog][site]"} - rename => {"[source]" => "[logx][wineventlog][source]"} - rename => {"[subresponse]" => "[logx][wineventlog][subresponse]"} - rename => {"[tags]" => "[logx][wineventlog][tags]"} - rename => {"[timetaken]" => "[logx][wineventlog][timetaken]"} - rename => {"[user_agent]" => "[logx][wineventlog][useragent]"} - rename => {"[username]" => "[logx][wineventlog][username]"} - rename => {"[error]" => "[logx][wineventlog][error]"} - rename => {"[timeseries]" => "[logx][wineventlog][timeseries]"} - rename => {"[event]" => "[logx][wineventlog][event]"} - rename => {"[agent]" => "[logx][wineventlog][agent]"} - rename => {"[as]" => "[logx][wineventlog][as]"} - rename => {"[client]" => "[logx][wineventlog][client]"} - rename => {"[code_signature]" => "[logx][wineventlog][code_signature]"} - rename => {"[data_stream]" => "[logx][wineventlog][data_stream]"} - rename => {"[destination]" => "[logx][wineventlog][destination]"} - rename => {"[dll]" => "[logx][wineventlog][dll]"} - rename => {"[dns]" => "[logx][wineventlog][dns]"} - rename => {"[els]" => "[logx][wineventlog][els]"} - rename => {"[faas]" => "[logx][wineventlog][faas]"} - rename => {"[file]" => "[logx][wineventlog][file]"} - rename => {"[geo]" => "[logx][wineventlog][geo]"} - rename => {"[group]" => "[logx][wineventlog][group]"} - rename => {"[http]" => "[logx][wineventlog][http]"} - rename => {"[interface]" => "[logx][wineventlog][interface]"} - rename => {"[network]" => "[logx][wineventlog][network]"} - rename => {"[observer]" => "[logx][wineventlog][observer]"} - rename => {"[orchestrator]" => "[logx][wineventlog][orchestrator]"} - rename => {"[os]" => "[logx][wineventlog][os]"} - rename => {"[package]" => "[logx][wineventlog][package]"} - rename 
=> {"[pe]" => "[logx][wineventlog][pe]"} - rename => {"[registry]" => "[logx][wineventlog][registry]"} - rename => {"[related]" => "[logx][wineventlog][related]"} - rename => {"[rule]" => "[logx][wineventlog][rule]"} - rename => {"[server]" => "[logx][wineventlog][server]"} - rename => {"[service]" => "[logx][wineventlog][service]"} - rename => {"[threat]" => "[logx][wineventlog][threat]"} - rename => {"[tls]" => "[logx][wineventlog][tls]"} - rename => {"[url]" => "[logx][wineventlog][url]"} - rename => {"[vlan]" => "[logx][wineventlog][vlan]"} - rename => {"[vulnerability]" => "[logx][wineventlog][vulnerability]"} - rename => {"[x509]" => "[logx][wineventlog][x509]"} - rename => {"[process]" => "[logx][wineventlog][process]"} - rename => {"[powershell]" => "[logx][wineventlog][powershell]"} - } - - mutate { - remove_field => ["winlog"] - remove_field => ["log"] - } - - if [logx][wineventlog][event_id] { - if [logx][wineventlog][event_id] == 1100 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The event logging service has shut down"} - } - } - else if [logx][wineventlog][event_id] == 1101 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Audit events have been dropped by the transport."} - } - } - else if [logx][wineventlog][event_id] == 1102 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The audit log was cleared"} - } - } - else if [logx][wineventlog][event_id] == 1104 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The security Log is now full"} - } - } - else if [logx][wineventlog][event_id] == 1105 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Event log automatic backup"} - } - } - else if [logx][wineventlog][event_id] == 1108 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The event logging service encountered an error"} - } - } - else if [logx][wineventlog][event_id] == 4608 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => 
"Windows is starting up"} - } - } - else if [logx][wineventlog][event_id] == 4609 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Windows is shutting down"} - } - } - else if [logx][wineventlog][event_id] == 4610 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "An authentication package has been loaded by the Local Security Authority"} - } - } - else if [logx][wineventlog][event_id] == 4611 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A trusted logon process has been registered with the Local Security Authority"} - } - } - else if [logx][wineventlog][event_id] == 4612 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Internal resources allocated for the queuing of audit messages have been exhausted: leading to the loss of some audits."} - } - } - else if [logx][wineventlog][event_id] == 4614 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A notification package has been loaded by the Security Account Manager."} - } - } - else if [logx][wineventlog][event_id] == 4615 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Invalid use of LPC port"} - } - } - else if [logx][wineventlog][event_id] == 4616 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The system time was changed."} - } - } - else if [logx][wineventlog][event_id] == 4618 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A monitored security event pattern has occurred"} - } - } - else if [logx][wineventlog][event_id] == 4621 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Administrator recovered system from CrashOnAuditFail"} - } - } - else if [logx][wineventlog][event_id] == 4622 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A security package has been loaded by the Local Security Authority."} - } - } - else if [logx][wineventlog][event_id] == 4624 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "An 
account was successfully logged on"} - } - } - else if [logx][wineventlog][event_id] == 4625 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "An account failed to log on"} - } - } - else if [logx][wineventlog][event_id] == 4626 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "User/Device claims information"} - } - } - else if [logx][wineventlog][event_id] == 4627 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Group membership information."} - } - } - else if [logx][wineventlog][event_id] == 4634 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "An account was logged off"} - } - } - else if [logx][wineventlog][event_id] == 4646 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "IKE DoS-prevention mode started"} - } - } - else if [logx][wineventlog][event_id] == 4647 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "User initiated logoff"} - } - } - else if [logx][wineventlog][event_id] == 4648 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A logon was attempted using explicit credentials"} - } - } - else if [logx][wineventlog][event_id] == 4649 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A replay attack was detected"} - } - } - else if [logx][wineventlog][event_id] == 4650 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "An IPsec Main Mode security association was established"} - } - } - else if [logx][wineventlog][event_id] == 4651 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "An IPsec Main Mode security association was established"} - } - } - else if [logx][wineventlog][event_id] == 4652 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "An IPsec Main Mode negotiation failed"} - } - } - else if [logx][wineventlog][event_id] == 4653 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "An IPsec Main Mode negotiation failed"} - } - } - else if 
[logx][wineventlog][event_id] == 4654 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "An IPsec Quick Mode negotiation failed"}
- }
- }
- else if [logx][wineventlog][event_id] == 4655 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "An IPsec Main Mode security association ended"}
- }
- }
- else if [logx][wineventlog][event_id] == 4656 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "A handle to an object was requested"}
- }
- }
- else if [logx][wineventlog][event_id] == 4657 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "A registry value was modified"}
- }
- }
- else if [logx][wineventlog][event_id] == 4658 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "The handle to an object was closed"}
- }
- }
- else if [logx][wineventlog][event_id] == 4659 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "A handle to an object was requested with intent to delete"}
- }
- }
- else if [logx][wineventlog][event_id] == 4660 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "An object was deleted"}
- }
- }
- else if [logx][wineventlog][event_id] == 4661 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "A handle to an object was requested"}
- }
- }
- else if [logx][wineventlog][event_id] == 4662 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "An operation was performed on an object"}
- }
- }
- else if [logx][wineventlog][event_id] == 4663 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "An attempt was made to access an object"}
- }
- }
- else if [logx][wineventlog][event_id] == 4664 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "An attempt was made to create a hard link"}
- }
- }
- else if [logx][wineventlog][event_id] == 4665 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "An attempt was made to create an application client context."}
- }
- }
- else if 
[logx][wineventlog][event_id] == 4666 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "An application attempted an operation"} - } - } - else if [logx][wineventlog][event_id] == 4667 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "An application client context was deleted"} - } - } - else if [logx][wineventlog][event_id] == 4668 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "An application was initialized"} - } - } - else if [logx][wineventlog][event_id] == 4670 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Permissions on an object were changed"} - } - } - else if [logx][wineventlog][event_id] == 4671 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "An application attempted to access a blocked ordinal through the TBS"} - } - } - else if [logx][wineventlog][event_id] == 4672 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Special privileges assigned to new logon"} - } - } - else if [logx][wineventlog][event_id] == 4673 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A privileged service was called"} - } - } - else if [logx][wineventlog][event_id] == 4674 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "An operation was attempted on a privileged object"} - } - } - else if [logx][wineventlog][event_id] == 4675 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "SIDs were filtered"} - } - } - else if [logx][wineventlog][event_id] == 4688 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A new process has been created"} - } - } - else if [logx][wineventlog][event_id] == 4689 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A process has exited"} - } - } - else if [logx][wineventlog][event_id] == 4690 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "An attempt was made to duplicate a handle to an object"} - } - } - else if [logx][wineventlog][event_id] == 
4691 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Indirect access to an object was requested"} - } - } - else if [logx][wineventlog][event_id] == 4692 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Backup of data protection master key was attempted"} - } - } - else if [logx][wineventlog][event_id] == 4693 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Recovery of data protection master key was attempted"} - } - } - else if [logx][wineventlog][event_id] == 4694 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Protection of auditable protected data was attempted"} - } - } - else if [logx][wineventlog][event_id] == 4695 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Unprotection of auditable protected data was attempted"} - } - } - else if [logx][wineventlog][event_id] == 4696 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A primary token was assigned to process"} - } - } - else if [logx][wineventlog][event_id] == 4697 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A service was installed in the system"} - } - } - else if [logx][wineventlog][event_id] == 4698 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A scheduled task was created"} - } - } - else if [logx][wineventlog][event_id] == 4699 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A scheduled task was deleted"} - } - } - else if [logx][wineventlog][event_id] == 4700 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A scheduled task was enabled"} - } - } - else if [logx][wineventlog][event_id] == 4701 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A scheduled task was disabled"} - } - } - else if [logx][wineventlog][event_id] == 4702 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A scheduled task was updated"} - } - } - else if [logx][wineventlog][event_id] == 4703 { - mutate { - 
add_field => {"[logx][wineventlog][event_name]" => "A token right was adjusted"} - } - } - else if [logx][wineventlog][event_id] == 4704 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A user right was assigned"} - } - } - else if [logx][wineventlog][event_id] == 4705 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A user right was removed"} - } - } - else if [logx][wineventlog][event_id] == 4706 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A new trust was created to a domain"} - } - } - else if [logx][wineventlog][event_id] == 4707 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A trust to a domain was removed"} - } - } - else if [logx][wineventlog][event_id] == 4709 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "IPsec Services was started"} - } - } - else if [logx][wineventlog][event_id] == 4710 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "IPsec Services was disabled"} - } - } - else if [logx][wineventlog][event_id] == 4711 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine (1%)"} - } - } - else if [logx][wineventlog][event_id] == 4712 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "IPsec Services encountered a potentially serious failure"} - } - } - else if [logx][wineventlog][event_id] == 4713 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Kerberos policy was changed"} - } - } - else if [logx][wineventlog][event_id] == 4714 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Encrypted data recovery policy was changed"} - } - } - else if [logx][wineventlog][event_id] == 4715 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The audit policy (SACL) on an object was changed"} - } - } - else if [logx][wineventlog][event_id] == 4716 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Trusted domain information was modified"} - } - } 
- else if [logx][wineventlog][event_id] == 4717 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "System security access was granted to an account"} - } - } - else if [logx][wineventlog][event_id] == 4718 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "System security access was removed from an account"} - } - } - else if [logx][wineventlog][event_id] == 4719 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "System audit policy was changed"} - } - } - else if [logx][wineventlog][event_id] == 4720 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A user account was created"} - } - } - else if [logx][wineventlog][event_id] == 4722 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A user account was enabled"} - } - } - else if [logx][wineventlog][event_id] == 4723 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "An attempt was made to change an account''s password"} - } - } - else if [logx][wineventlog][event_id] == 4724 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "An attempt was made to reset an accounts password"} - } - } - else if [logx][wineventlog][event_id] == 4725 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A user account was disabled"} - } - } - else if [logx][wineventlog][event_id] == 4726 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A user account was deleted"} - } - } - else if [logx][wineventlog][event_id] == 4727 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A security-enabled global group was created"} - } - } - else if [logx][wineventlog][event_id] == 4728 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A member was added to a security-enabled global group"} - } - } - else if [logx][wineventlog][event_id] == 4729 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A member was removed from a security-enabled global group"} - } - } 
- else if [logx][wineventlog][event_id] == 4730 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A security-enabled global group was deleted"} - } - } - else if [logx][wineventlog][event_id] == 4731 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A security-enabled local group was created"} - } - } - else if [logx][wineventlog][event_id] == 4732 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A member was added to a security-enabled local group"} - } - } - else if [logx][wineventlog][event_id] == 4733 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A member was removed from a security-enabled local group"} - } - } - else if [logx][wineventlog][event_id] == 4734 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A security-enabled local group was deleted"} - } - } - else if [logx][wineventlog][event_id] == 4735 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A security-enabled local group was changed"} - } - } - else if [logx][wineventlog][event_id] == 4737 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A security-enabled global group was changed"} - } - } - else if [logx][wineventlog][event_id] == 4738 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A user account was changed"} - } - } - else if [logx][wineventlog][event_id] == 4739 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Domain Policy was changed"} - } - } - else if [logx][wineventlog][event_id] == 4740 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A user account was locked out"} - } - } - else if [logx][wineventlog][event_id] == 4741 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A computer account was created"} - } - } - else if [logx][wineventlog][event_id] == 4742 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A computer account was changed"} - } - } - else if 
[logx][wineventlog][event_id] == 4743 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A computer account was deleted"} - } - } - else if [logx][wineventlog][event_id] == 4744 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A security-disabled local group was created"} - } - } - else if [logx][wineventlog][event_id] == 4745 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A security-disabled local group was changed"} - } - } - else if [logx][wineventlog][event_id] == 4746 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A member was added to a security-disabled local group"} - } - } - else if [logx][wineventlog][event_id] == 4747 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A member was removed from a security-disabled local group"} - } - } - else if [logx][wineventlog][event_id] == 4748 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A security-disabled local group was deleted"} - } - } - else if [logx][wineventlog][event_id] == 4749 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A security-disabled global group was created"} - } - } - else if [logx][wineventlog][event_id] == 4750 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A security-disabled global group was changed"} - } - } - else if [logx][wineventlog][event_id] == 4751 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A member was added to a security-disabled global group"} - } - } - else if [logx][wineventlog][event_id] == 4752 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A member was removed from a security-disabled global group"} - } - } - else if [logx][wineventlog][event_id] == 4753 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A security-disabled global group was deleted"} - } - } - else if [logx][wineventlog][event_id] == 4754 { - mutate { - add_field => {"[logx][wineventlog][event_name]" 
=> "A security-enabled universal group was created"} - } - } - else if [logx][wineventlog][event_id] == 4755 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A security-enabled universal group was changed"} - } - } - else if [logx][wineventlog][event_id] == 4756 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A member was added to a security-enabled universal group"} - } - } - else if [logx][wineventlog][event_id] == 4757 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A member was removed from a security-enabled universal group"} - } - } - else if [logx][wineventlog][event_id] == 4758 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A security-enabled universal group was deleted"} - } - } - else if [logx][wineventlog][event_id] == 4759 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A security-disabled universal group was created"} - } - } - else if [logx][wineventlog][event_id] == 4760 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A security-disabled universal group was changed"} - } - } - else if [logx][wineventlog][event_id] == 4761 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A member was added to a security-disabled universal group"} - } - } - else if [logx][wineventlog][event_id] == 4762 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A member was removed from a security-disabled universal group"} - } - } - else if [logx][wineventlog][event_id] == 4763 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A security-disabled universal group was deleted"} - } - } - else if [logx][wineventlog][event_id] == 4764 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A groups type was changed"} - } - } - else if [logx][wineventlog][event_id] == 4765 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "SID History was added to an account"} - } - } - else if 
[logx][wineventlog][event_id] == 4766 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "An attempt to add SID History to an account failed"} - } - } - else if [logx][wineventlog][event_id] == 4767 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A user account was unlocked"} - } - } - else if [logx][wineventlog][event_id] == 4768 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A Kerberos authentication ticket (TGT) was requested"} - } - } - else if [logx][wineventlog][event_id] == 4769 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A Kerberos service ticket was requested"} - } - } - else if [logx][wineventlog][event_id] == 4770 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A Kerberos service ticket was renewed"} - } - } - else if [logx][wineventlog][event_id] == 4771 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Kerberos pre-authentication failed"} - } - } - else if [logx][wineventlog][event_id] == 4772 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A Kerberos authentication ticket request failed"} - } - } - else if [logx][wineventlog][event_id] == 4773 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A Kerberos service ticket request failed"} - } - } - else if [logx][wineventlog][event_id] == 4774 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "An account was mapped for logon"} - } - } - else if [logx][wineventlog][event_id] == 4775 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "An account could not be mapped for logon"} - } - } - else if [logx][wineventlog][event_id] == 4776 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The domain controller attempted to validate the credentials for an account"} - } - } - else if [logx][wineventlog][event_id] == 4777 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The domain controller failed to 
validate the credentials for an account"} - } - } - else if [logx][wineventlog][event_id] == 4778 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A session was reconnected to a Window Station"} - } - } - else if [logx][wineventlog][event_id] == 4779 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A session was disconnected from a Window Station"} - } - } - else if [logx][wineventlog][event_id] == 4780 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The ACL was set on accounts which are members of administrators groups"} - } - } - else if [logx][wineventlog][event_id] == 4781 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The name of an account was changed"} - } - } - else if [logx][wineventlog][event_id] == 4782 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The password hash an account was accessed"} - } - } - else if [logx][wineventlog][event_id] == 4783 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A basic application group was created"} - } - } - else if [logx][wineventlog][event_id] == 4784 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A basic application group was changed"} - } - } - else if [logx][wineventlog][event_id] == 4785 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A member was added to a basic application group"} - } - } - else if [logx][wineventlog][event_id] == 4786 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A member was removed from a basic application group"} - } - } - else if [logx][wineventlog][event_id] == 4787 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A non-member was added to a basic application group"} - } - } - else if [logx][wineventlog][event_id] == 4788 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A non-member was removed from a basic application group."} - } - } - else if [logx][wineventlog][event_id] == 
4789 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A basic application group was deleted"} - } - } - else if [logx][wineventlog][event_id] == 4790 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "An LDAP query group was created"} - } - } - else if [logx][wineventlog][event_id] == 4791 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A basic application group was changed"} - } - } - else if [logx][wineventlog][event_id] == 4792 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "An LDAP query group was deleted"} - } - } - else if [logx][wineventlog][event_id] == 4793 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The Password Policy Checking API was called"} - } - } - else if [logx][wineventlog][event_id] == 4794 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "An attempt was made to set the Directory Services Restore Mode administrator password"} - } - } - else if [logx][wineventlog][event_id] == 4797 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "An attempt was made to query the existence of a blank password for an account"} - } - } - else if [logx][wineventlog][event_id] == 4798 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A user''s local group membership was enumerated."} - } - } - else if [logx][wineventlog][event_id] == 4799 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A security-enabled local group membership was enumerated"} - } - } - else if [logx][wineventlog][event_id] == 4800 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The workstation was locked"} - } - } - else if [logx][wineventlog][event_id] == 4801 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The workstation was unlocked"} - } - } - else if [logx][wineventlog][event_id] == 4802 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The screen saver was invoked"} - } - } - 
else if [logx][wineventlog][event_id] == 4803 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The screen saver was dismissed"} - } - } - else if [logx][wineventlog][event_id] == 4816 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "RPC detected an integrity violation while decrypting an incoming message"} - } - } - else if [logx][wineventlog][event_id] == 4817 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Auditing settings on object were changed."} - } - } - else if [logx][wineventlog][event_id] == 4818 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy"} - } - } - else if [logx][wineventlog][event_id] == 4819 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Central Access Policies on the machine have been changed"} - } - } - else if [logx][wineventlog][event_id] == 4820 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions"} - } - } - else if [logx][wineventlog][event_id] == 4821 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A Kerberos service ticket was denied because the user: device: or both does not meet the access control restrictions"} - } - } - else if [logx][wineventlog][event_id] == 4822 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "NTLM authentication failed because the account was a member of the Protected User group"} - } - } - else if [logx][wineventlog][event_id] == 4823 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "NTLM authentication failed because access control restrictions are required"} - } - } - else if [logx][wineventlog][event_id] == 4824 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Kerberos preauthentication by using DES or RC4 
failed because the account was a member of the Protected User group"} - } - } - else if [logx][wineventlog][event_id] == 4825 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A user was denied the access to Remote Desktop. By default: users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group"} - } - } - else if [logx][wineventlog][event_id] == 4826 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Boot Configuration Data loaded"} - } - } - else if [logx][wineventlog][event_id] == 4830 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "SID History was removed from an account"} - } - } - else if [logx][wineventlog][event_id] == 4864 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A namespace collision was detected"} - } - } - else if [logx][wineventlog][event_id] == 4865 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A trusted forest information entry was added"} - } - } - else if [logx][wineventlog][event_id] == 4866 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A trusted forest information entry was removed"} - } - } - else if [logx][wineventlog][event_id] == 4867 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A trusted forest information entry was modified"} - } - } - else if [logx][wineventlog][event_id] == 4868 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The certificate manager denied a pending certificate request"} - } - } - else if [logx][wineventlog][event_id] == 4869 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Certificate Services received a resubmitted certificate request"} - } - } - else if [logx][wineventlog][event_id] == 4870 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Certificate Services revoked a certificate"} - } - } - else if [logx][wineventlog][event_id] == 4871 { - mutate { - add_field => 
{"[logx][wineventlog][event_name]" => "Certificate Services received a request to publish the certificate revocation list (CRL)"} - } - } - else if [logx][wineventlog][event_id] == 4872 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Certificate Services published the certificate revocation list (CRL)"} - } - } - else if [logx][wineventlog][event_id] == 4873 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A certificate request extension changed"} - } - } - else if [logx][wineventlog][event_id] == 4874 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "One or more certificate request attributes changed."} - } - } - else if [logx][wineventlog][event_id] == 4875 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Certificate Services received a request to shut down"} - } - } - else if [logx][wineventlog][event_id] == 4876 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Certificate Services backup started"} - } - } - else if [logx][wineventlog][event_id] == 4877 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Certificate Services backup completed"} - } - } - else if [logx][wineventlog][event_id] == 4878 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Certificate Services restore started"} - } - } - else if [logx][wineventlog][event_id] == 4879 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Certificate Services restore completed"} - } - } - else if [logx][wineventlog][event_id] == 4880 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Certificate Services started"} - } - } - else if [logx][wineventlog][event_id] == 4881 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Certificate Services stopped"} - } - } - else if [logx][wineventlog][event_id] == 4882 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The security permissions for Certificate Services changed"} - } - } - else 
if [logx][wineventlog][event_id] == 4883 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Certificate Services retrieved an archived key"} - } - } - else if [logx][wineventlog][event_id] == 4884 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Certificate Services imported a certificate into its database"} - } - } - else if [logx][wineventlog][event_id] == 4885 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The audit filter for Certificate Services changed"} - } - } - else if [logx][wineventlog][event_id] == 4886 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Certificate Services received a certificate request"} - } - } - else if [logx][wineventlog][event_id] == 4887 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Certificate Services approved a certificate request and issued a certificate"} - } - } - else if [logx][wineventlog][event_id] == 4888 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Certificate Services denied a certificate request"} - } - } - else if [logx][wineventlog][event_id] == 4889 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Certificate Services set the status of a certificate request to pending"} - } - } - else if [logx][wineventlog][event_id] == 4890 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The certificate manager settings for Certificate Services changed."} - } - } - else if [logx][wineventlog][event_id] == 4891 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A configuration entry changed in Certificate Services"} - } - } - else if [logx][wineventlog][event_id] == 4892 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A property of Certificate Services changed"} - } - } - else if [logx][wineventlog][event_id] == 4893 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Certificate Services archived a key"} - } - } - else if 
[logx][wineventlog][event_id] == 4894 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Certificate Services imported and archived a key"} - } - } - else if [logx][wineventlog][event_id] == 4895 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Certificate Services published the CA certificate to Active Directory Domain Services"} - } - } - else if [logx][wineventlog][event_id] == 4896 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "One or more rows have been deleted from the certificate database"} - } - } - else if [logx][wineventlog][event_id] == 4897 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Role separation enabled"} - } - } - else if [logx][wineventlog][event_id] == 4898 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Certificate Services loaded a template"} - } - } - else if [logx][wineventlog][event_id] == 4899 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A Certificate Services template was updated"} - } - } - else if [logx][wineventlog][event_id] == 4900 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Certificate Services template security was updated"} - } - } - else if [logx][wineventlog][event_id] == 4902 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The Per-user audit policy table was created"} - } - } - else if [logx][wineventlog][event_id] == 4904 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "An attempt was made to register a security event source"} - } - } - else if [logx][wineventlog][event_id] == 4905 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "An attempt was made to unregister a security event source"} - } - } - else if [logx][wineventlog][event_id] == 4906 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The CrashOnAuditFail value has changed"} - } - } - else if [logx][wineventlog][event_id] == 4907 { - mutate { - add_field => 
{"[logx][wineventlog][event_name]" => "Auditing settings on object were changed"} - } - } - else if [logx][wineventlog][event_id] == 4908 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Special Groups Logon table modified"} - } - } - else if [logx][wineventlog][event_id] == 4909 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The local policy settings for the TBS were changed"} - } - } - else if [logx][wineventlog][event_id] == 4910 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The group policy settings for the TBS were changed"} - } - } - else if [logx][wineventlog][event_id] == 4911 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Resource attributes of the object were changed"} - } - } - else if [logx][wineventlog][event_id] == 4912 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Per User Audit Policy was changed"} - } - } - else if [logx][wineventlog][event_id] == 4913 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Central Access Policy on the object was changed"} - } - } - else if [logx][wineventlog][event_id] == 4928 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "An Active Directory replica source naming context was established"} - } - } - else if [logx][wineventlog][event_id] == 4929 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "An Active Directory replica source naming context was removed"} - } - } - else if [logx][wineventlog][event_id] == 4930 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "An Active Directory replica source naming context was modified"} - } - } - else if [logx][wineventlog][event_id] == 4931 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "An Active Directory replica destination naming context was modified"} - } - } - else if [logx][wineventlog][event_id] == 4932 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Synchronization of 
a replica of an Active Directory naming context has begun"} - } - } - else if [logx][wineventlog][event_id] == 4933 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Synchronization of a replica of an Active Directory naming context has ended"} - } - } - else if [logx][wineventlog][event_id] == 4934 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Attributes of an Active Directory object were replicated"} - } - } - else if [logx][wineventlog][event_id] == 4935 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Replication failure begins"} - } - } - else if [logx][wineventlog][event_id] == 4936 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Replication failure ends"} - } - } - else if [logx][wineventlog][event_id] == 4937 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A lingering object was removed from a replica"} - } - } - else if [logx][wineventlog][event_id] == 4944 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The following policy was active when the Windows Firewall started"} - } - } - else if [logx][wineventlog][event_id] == 4945 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A rule was listed when the Windows Firewall started"} - } - } - else if [logx][wineventlog][event_id] == 4946 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A change has been made to Windows Firewall exception list. A rule was added"} - } - } - else if [logx][wineventlog][event_id] == 4947 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A change has been made to Windows Firewall exception list. A rule was modified"} - } - } - else if [logx][wineventlog][event_id] == 4948 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A change has been made to Windows Firewall exception list. 
A rule was deleted"} - } - } - else if [logx][wineventlog][event_id] == 4949 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Windows Firewall settings were restored to the default values"} - } - } - else if [logx][wineventlog][event_id] == 4950 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A Windows Firewall setting has changed"} - } - } - else if [logx][wineventlog][event_id] == 4951 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A rule has been ignored because its major version number was not recognized by Windows Firewall"} - } - } - else if [logx][wineventlog][event_id] == 4952 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall"} - } - } - else if [logx][wineventlog][event_id] == 4953 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A rule has been ignored by Windows Firewall because it could not parse the rule"} - } - } - else if [logx][wineventlog][event_id] == 4954 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Windows Firewall Group Policy settings has changed. 
The new settings have been applied"} - } - } - else if [logx][wineventlog][event_id] == 4956 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Windows Firewall has changed the active profile"} - } - } - else if [logx][wineventlog][event_id] == 4957 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Windows Firewall did not apply the following rule"} - } - } - else if [logx][wineventlog][event_id] == 4958 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer"} - } - } - else if [logx][wineventlog][event_id] == 4960 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "IPsec dropped an inbound packet that failed an integrity check"} - } - } - else if [logx][wineventlog][event_id] == 4961 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "IPsec dropped an inbound packet that failed a replay check"} - } - } - else if [logx][wineventlog][event_id] == 4962 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "IPsec dropped an inbound packet that failed a replay check"} - } - } - else if [logx][wineventlog][event_id] == 4963 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "IPsec dropped an inbound clear text packet that should have been secured"} - } - } - else if [logx][wineventlog][event_id] == 4964 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Special groups have been assigned to a new logon"} - } - } - else if [logx][wineventlog][event_id] == 4965 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI)."} - } - } - else if [logx][wineventlog][event_id] == 4976 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "During Main Mode negotiation: IPsec received an invalid negotiation packet."} - } - } - else if 
[logx][wineventlog][event_id] == 4977 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "During Quick Mode negotiation: IPsec received an invalid negotiation packet."} - } - } - else if [logx][wineventlog][event_id] == 4978 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "During Extended Mode negotiation: IPsec received an invalid negotiation packet."} - } - } - else if [logx][wineventlog][event_id] == 4979 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "IPsec Main Mode and Extended Mode security associations were established."} - } - } - else if [logx][wineventlog][event_id] == 4980 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "IPsec Main Mode and Extended Mode security associations were established"} - } - } - else if [logx][wineventlog][event_id] == 4981 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "IPsec Main Mode and Extended Mode security associations were established"} - } - } - else if [logx][wineventlog][event_id] == 4982 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "IPsec Main Mode and Extended Mode security associations were established"} - } - } - else if [logx][wineventlog][event_id] == 4983 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "An IPsec Extended Mode negotiation failed"} - } - } - else if [logx][wineventlog][event_id] == 4984 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "An IPsec Extended Mode negotiation failed"} - } - } - else if [logx][wineventlog][event_id] == 4985 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The state of a transaction has changed"} - } - } - else if [logx][wineventlog][event_id] == 5024 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The Windows Firewall Service has started successfully"} - } - } - else if [logx][wineventlog][event_id] == 5025 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The Windows 
Firewall Service has been stopped"} - } - } - else if [logx][wineventlog][event_id] == 5027 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The Windows Firewall Service was unable to retrieve the security policy from the local storage"} - } - } - else if [logx][wineventlog][event_id] == 5028 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The Windows Firewall Service was unable to parse the new security policy."} - } - } - else if [logx][wineventlog][event_id] == 5029 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The Windows Firewall Service failed to initialize the driver"} - } - } - else if [logx][wineventlog][event_id] == 5030 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The Windows Firewall Service failed to start"} - } - } - else if [logx][wineventlog][event_id] == 5031 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The Windows Firewall Service blocked an application from accepting incoming connections on the network."} - } - } - else if [logx][wineventlog][event_id] == 5032 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network"} - } - } - else if [logx][wineventlog][event_id] == 5033 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The Windows Firewall Driver has started successfully"} - } - } - else if [logx][wineventlog][event_id] == 5034 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The Windows Firewall Driver has been stopped"} - } - } - else if [logx][wineventlog][event_id] == 5035 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The Windows Firewall Driver failed to start"} - } - } - else if [logx][wineventlog][event_id] == 5037 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The Windows Firewall Driver detected critical runtime error. 
Terminating"} - } - } - else if [logx][wineventlog][event_id] == 5038 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Code integrity determined that the image hash of a file is not valid"} - } - } - else if [logx][wineventlog][event_id] == 5039 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A registry key was virtualized."} - } - } - else if [logx][wineventlog][event_id] == 5040 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A change has been made to IPsec settings. An Authentication Set was added."} - } - } - else if [logx][wineventlog][event_id] == 5041 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A change has been made to IPsec settings. An Authentication Set was modified"} - } - } - else if [logx][wineventlog][event_id] == 5042 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A change has been made to IPsec settings. An Authentication Set was deleted"} - } - } - else if [logx][wineventlog][event_id] == 5043 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A change has been made to IPsec settings. A Connection Security Rule was added"} - } - } - else if [logx][wineventlog][event_id] == 5044 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A change has been made to IPsec settings. A Connection Security Rule was modified"} - } - } - else if [logx][wineventlog][event_id] == 5045 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A change has been made to IPsec settings. A Connection Security Rule was deleted"} - } - } - else if [logx][wineventlog][event_id] == 5046 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A change has been made to IPsec settings. A Crypto Set was added"} - } - } - else if [logx][wineventlog][event_id] == 5047 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A change has been made to IPsec settings. 
A Crypto Set was modified"} - } - } - else if [logx][wineventlog][event_id] == 5048 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A change has been made to IPsec settings. A Crypto Set was deleted"} - } - } - else if [logx][wineventlog][event_id] == 5049 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "An IPsec Security Association was deleted"} - } - } - else if [logx][wineventlog][event_id] == 5050 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "An attempt to programmatically disable the Windows Firewall using a call to INetFwProfile.FirewallEnabled(FALSE)"} - } - } - else if [logx][wineventlog][event_id] == 5051 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A file was virtualized"} - } - } - else if [logx][wineventlog][event_id] == 5056 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A cryptographic self test was performed"} - } - } - else if [logx][wineventlog][event_id] == 5057 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A cryptographic primitive operation failed"} - } - } - else if [logx][wineventlog][event_id] == 5058 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Key file operation"} - } - } - else if [logx][wineventlog][event_id] == 5059 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Key migration operation"} - } - } - else if [logx][wineventlog][event_id] == 5060 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Verification operation failed"} - } - } - else if [logx][wineventlog][event_id] == 5061 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Cryptographic operation"} - } - } - else if [logx][wineventlog][event_id] == 5062 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A kernel-mode cryptographic self test was performed"} - } - } - else if [logx][wineventlog][event_id] == 5063 { - mutate { - add_field => {"[logx][wineventlog][event_name]" 
=> "A cryptographic provider operation was attempted"} - } - } - else if [logx][wineventlog][event_id] == 5064 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A cryptographic context operation was attempted"} - } - } - else if [logx][wineventlog][event_id] == 5065 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A cryptographic context modification was attempted"} - } - } - else if [logx][wineventlog][event_id] == 5066 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A cryptographic function operation was attempted"} - } - } - else if [logx][wineventlog][event_id] == 5067 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A cryptographic function modification was attempted"} - } - } - else if [logx][wineventlog][event_id] == 5068 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A cryptographic function provider operation was attempted"} - } - } - else if [logx][wineventlog][event_id] == 5069 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A cryptographic function property operation was attempted"} - } - } - else if [logx][wineventlog][event_id] == 5070 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A cryptographic function property operation was attempted"} - } - } - else if [logx][wineventlog][event_id] == 5071 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Key access denied by Microsoft key distribution service"} - } - } - else if [logx][wineventlog][event_id] == 5120 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "OCSP Responder Service Started"} - } - } - else if [logx][wineventlog][event_id] == 5121 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "OCSP Responder Service Stopped"} - } - } - else if [logx][wineventlog][event_id] == 5122 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A Configuration entry changed in the OCSP Responder Service"} - } - } - else if 
[logx][wineventlog][event_id] == 5123 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A configuration entry changed in the OCSP Responder Service"} - } - } - else if [logx][wineventlog][event_id] == 5124 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A security setting was updated on OCSP Responder Service"} - } - } - else if [logx][wineventlog][event_id] == 5125 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A request was submitted to OCSP Responder Service"} - } - } - else if [logx][wineventlog][event_id] == 5126 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "Signing Certificate was automatically updated by the OCSP Responder Service"} - } - } - else if [logx][wineventlog][event_id] == 5127 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The OCSP Revocation Provider successfully updated the revocation information"} - } - } - else if [logx][wineventlog][event_id] == 5136 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A directory service object was modified"} - } - } - else if [logx][wineventlog][event_id] == 5137 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A directory service object was created"} - } - } - else if [logx][wineventlog][event_id] == 5138 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A directory service object was undeleted"} - } - } - else if [logx][wineventlog][event_id] == 5139 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A directory service object was moved"} - } - } - else if [logx][wineventlog][event_id] == 5140 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A network share object was accessed"} - } - } - else if [logx][wineventlog][event_id] == 5141 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A directory service object was deleted"} - } - } - else if [logx][wineventlog][event_id] == 5142 { - mutate { - add_field => 
{"[logx][wineventlog][event_name]" => "A network share object was added."} - } - } - else if [logx][wineventlog][event_id] == 5143 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A network share object was modified"} - } - } - else if [logx][wineventlog][event_id] == 5144 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A network share object was deleted."} - } - } - else if [logx][wineventlog][event_id] == 5145 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A network share object was checked to see whether client can be granted desired access"} - } - } - else if [logx][wineventlog][event_id] == 5146 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The Windows Filtering Platform has blocked a packet"} - } - } - else if [logx][wineventlog][event_id] == 5147 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A more restrictive Windows Filtering Platform filter has blocked a packet"} - } - } - else if [logx][wineventlog][event_id] == 5148 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded."} - } - } - else if [logx][wineventlog][event_id] == 5149 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The DoS attack has subsided and normal processing is being resumed."} - } - } - else if [logx][wineventlog][event_id] == 5150 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The Windows Filtering Platform has blocked a packet."} - } - } - else if [logx][wineventlog][event_id] == 5151 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "A more restrictive Windows Filtering Platform filter has blocked a packet."} - } - } - else if [logx][wineventlog][event_id] == 5152 { - mutate { - add_field => {"[logx][wineventlog][event_name]" => "The Windows Filtering Platform blocked a packet"} - } 
- }
- else if [logx][wineventlog][event_id] == 5153 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "A more restrictive Windows Filtering Platform filter has blocked a packet"}
- }
- }
- else if [logx][wineventlog][event_id] == 5154 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections"}
- }
- }
- else if [logx][wineventlog][event_id] == 5155 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections"}
- }
- }
- else if [logx][wineventlog][event_id] == 5156 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "The Windows Filtering Platform has allowed a connection"}
- }
- }
- else if [logx][wineventlog][event_id] == 5157 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "The Windows Filtering Platform has blocked a connection"}
- }
- }
- else if [logx][wineventlog][event_id] == 5158 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "The Windows Filtering Platform has permitted a bind to a local port"}
- }
- }
- else if [logx][wineventlog][event_id] == 5159 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "The Windows Filtering Platform has blocked a bind to a local port"}
- }
- }
- else if [logx][wineventlog][event_id] == 5168 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "Spn check for SMB/SMB2 fails."}
- }
- }
- else if [logx][wineventlog][event_id] == 5169 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "A directory service object was modified"}
- }
- }
- else if [logx][wineventlog][event_id] == 5170 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "A directory service object was modified during a background cleanup task"}
- }
- }
- else if [logx][wineventlog][event_id] == 5376 
{
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "Credential Manager credentials were backed up"}
- }
- }
- else if [logx][wineventlog][event_id] == 5377 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "Credential Manager credentials were restored from a backup"}
- }
- }
- else if [logx][wineventlog][event_id] == 5378 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "The requested credentials delegation was disallowed by policy"}
- }
- }
- else if [logx][wineventlog][event_id] == 5379 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "Credential Manager credentials were read"}
- }
- }
- else if [logx][wineventlog][event_id] == 5380 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "Vault Find Credential"}
- }
- }
- else if [logx][wineventlog][event_id] == 5381 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "Vault credentials were read"}
- }
- }
- else if [logx][wineventlog][event_id] == 5382 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "Vault credentials were read"}
- }
- }
- else if [logx][wineventlog][event_id] == 5440 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "The following callout was present when the Windows Filtering Platform Base Filtering Engine started"}
- }
- }
- else if [logx][wineventlog][event_id] == 5441 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "The following filter was present when the Windows Filtering Platform Base Filtering Engine started"}
- }
- }
- else if [logx][wineventlog][event_id] == 5442 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "The following provider was present when the Windows Filtering Platform Base Filtering Engine started"}
- }
- }
- else if [logx][wineventlog][event_id] == 5443 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "The following provider context was present when the Windows Filtering Platform Base Filtering 
Engine started"}
- }
- }
- else if [logx][wineventlog][event_id] == 5444 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started"}
- }
- }
- else if [logx][wineventlog][event_id] == 5446 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "A Windows Filtering Platform callout has been changed"}
- }
- }
- else if [logx][wineventlog][event_id] == 5447 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "A Windows Filtering Platform filter has been changed"}
- }
- }
- else if [logx][wineventlog][event_id] == 5448 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "A Windows Filtering Platform provider has been changed"}
- }
- }
- else if [logx][wineventlog][event_id] == 5449 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "A Windows Filtering Platform provider context has been changed"}
- }
- }
- else if [logx][wineventlog][event_id] == 5450 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "A Windows Filtering Platform sub-layer has been changed"}
- }
- }
- else if [logx][wineventlog][event_id] == 5451 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "An IPsec Quick Mode security association was established"}
- }
- }
- else if [logx][wineventlog][event_id] == 5452 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "An IPsec Quick Mode security association ended"}
- }
- }
- else if [logx][wineventlog][event_id] == 5453 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started"}
- }
- }
- else if [logx][wineventlog][event_id] == 5456 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine applied Active Directory storage IPsec policy on the computer"}
- }
- }
- else if 
[logx][wineventlog][event_id] == 5457 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine failed to apply Active Directory storage IPsec policy on the computer"}
- }
- }
- else if [logx][wineventlog][event_id] == 5458 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer"}
- }
- }
- else if [logx][wineventlog][event_id] == 5459 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer"}
- }
- }
- else if [logx][wineventlog][event_id] == 5460 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine applied local registry storage IPsec policy on the computer"}
- }
- }
- else if [logx][wineventlog][event_id] == 5461 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine failed to apply local registry storage IPsec policy on the computer"}
- }
- }
- else if [logx][wineventlog][event_id] == 5462 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine failed to apply some rules of the active IPsec policy on the computer"}
- }
- }
- else if [logx][wineventlog][event_id] == 5463 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine polled for changes to the active IPsec policy and detected no changes"}
- }
- }
- else if [logx][wineventlog][event_id] == 5464 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine polled for changes to the active IPsec policy: detected changes: and applied them to IPsec Services"}
- }
- }
- else if [logx][wineventlog][event_id] == 5465 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully"}
- }
- }
- else if 
[logx][wineventlog][event_id] == 5466 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine polled for changes to the Active Directory IPsec policy: determined that Active Directory cannot be reached: and will use the cached copy of the Active Directory IPsec policy instead"}
- }
- }
- else if [logx][wineventlog][event_id] == 5467 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine polled for changes to the Active Directory IPsec policy: determined that Active Directory can be reached: and found no changes to the policy"}
- }
- }
- else if [logx][wineventlog][event_id] == 5468 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine polled for changes to the Active Directory IPsec policy: determined that Active Directory can be reached: found changes to the policy: and applied those changes"}
- }
- }
- else if [logx][wineventlog][event_id] == 5471 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine loaded local storage IPsec policy on the computer"}
- }
- }
- else if [logx][wineventlog][event_id] == 5472 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine failed to load local storage IPsec policy on the computer"}
- }
- }
- else if [logx][wineventlog][event_id] == 5473 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine loaded directory storage IPsec policy on the computer"}
- }
- }
- else if [logx][wineventlog][event_id] == 5474 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine failed to load directory storage IPsec policy on the computer"}
- }
- }
- else if [logx][wineventlog][event_id] == 5477 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "PAStore Engine failed to add quick mode filter"}
- }
- }
- else if [logx][wineventlog][event_id] == 5478 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "IPsec Services has started 
successfully"}
- }
- }
- else if [logx][wineventlog][event_id] == 5479 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "IPsec Services has been shut down successfully"}
- }
- }
- else if [logx][wineventlog][event_id] == 5480 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "IPsec Services failed to get the complete list of network interfaces on the computer"}
- }
- }
- else if [logx][wineventlog][event_id] == 5483 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "IPsec Services failed to initialize RPC server. IPsec Services could not be started"}
- }
- }
- else if [logx][wineventlog][event_id] == 5484 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "IPsec Services has experienced a critical failure and has been shut down"}
- }
- }
- else if [logx][wineventlog][event_id] == 5485 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces"}
- }
- }
- else if [logx][wineventlog][event_id] == 5632 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "A request was made to authenticate to a wireless network"}
- }
- }
- else if [logx][wineventlog][event_id] == 5633 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "A request was made to authenticate to a wired network"}
- }
- }
- else if [logx][wineventlog][event_id] == 5712 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "A Remote Procedure Call (RPC) was attempted"}
- }
- }
- else if [logx][wineventlog][event_id] == 5888 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "An object in the COM+ Catalog was modified"}
- }
- }
- else if [logx][wineventlog][event_id] == 5889 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "An object was deleted from the COM+ Catalog"}
- }
- }
- else if [logx][wineventlog][event_id] == 5890 {
- mutate {
- add_field => 
{"[logx][wineventlog][event_name]" => "An object was added to the COM+ Catalog"}
- }
- }
- else if [logx][wineventlog][event_id] == 6144 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "Security policy in the group policy objects has been applied successfully"}
- }
- }
- else if [logx][wineventlog][event_id] == 6145 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "One or more errors occured while processing security policy in the group policy objects"}
- }
- }
- else if [logx][wineventlog][event_id] == 6272 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "Network Policy Server granted access to a user"}
- }
- }
- else if [logx][wineventlog][event_id] == 6273 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "Network Policy Server denied access to a user"}
- }
- }
- else if [logx][wineventlog][event_id] == 6274 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "Network Policy Server discarded the request for a user"}
- }
- }
- else if [logx][wineventlog][event_id] == 6275 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "Network Policy Server discarded the accounting request for a user"}
- }
- }
- else if [logx][wineventlog][event_id] == 6276 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "Network Policy Server quarantined a user"}
- }
- }
- else if [logx][wineventlog][event_id] == 6277 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy"}
- }
- }
- else if [logx][wineventlog][event_id] == 6278 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "Network Policy Server granted full access to a user because the host met the defined health policy"}
- }
- }
- else if [logx][wineventlog][event_id] == 6279 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "Network Policy Server 
locked the user account due to repeated failed authentication attempts"}
- }
- }
- else if [logx][wineventlog][event_id] == 6280 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "Network Policy Server unlocked the user account"}
- }
- }
- else if [logx][wineventlog][event_id] == 6281 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "Code Integrity determined that the page hashes of an image file are not valid..."}
- }
- }
- else if [logx][wineventlog][event_id] == 6400 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "BranchCache: Received an incorrectly formatted response while discovering availability of content."}
- }
- }
- else if [logx][wineventlog][event_id] == 6401 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "BranchCache: Received invalid data from a peer. Data discarded."}
- }
- }
- else if [logx][wineventlog][event_id] == 6402 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "BranchCache: The message to the hosted cache offering it data is incorrectly formatted."}
- }
- }
- else if [logx][wineventlog][event_id] == 6403 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "BranchCache: The hosted cache sent an incorrectly formatted response to the client''s message to offer it data."}
- }
- }
- else if [logx][wineventlog][event_id] == 6404 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate."}
- }
- }
- else if [logx][wineventlog][event_id] == 6405 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "BranchCache: %2 instance(s) of event id %1 occurred."}
- }
- }
- else if [logx][wineventlog][event_id] == 6406 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "%1 registered to Windows Firewall to control filtering for the following:"}
- }
- }
- else if [logx][wineventlog][event_id] == 6408 {
- mutate {
- add_field => 
{"[logx][wineventlog][event_name]" => "Registered product %1 failed and Windows Firewall is now controlling the filtering for %2."}
- }
- }
- else if [logx][wineventlog][event_id] == 6409 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "BranchCache: A service connection point object could not be parsed"}
- }
- }
- else if [logx][wineventlog][event_id] == 6410 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "Code integrity determined that a file does not meet the security requirements to load into a process. This could be due to the use of shared sections or other issues"}
- }
- }
- else if [logx][wineventlog][event_id] == 6416 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "A new external device was recognized by the system."}
- }
- }
- else if [logx][wineventlog][event_id] == 6417 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "The FIPS mode crypto selftests succeeded"}
- }
- }
- else if [logx][wineventlog][event_id] == 6418 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "The FIPS mode crypto selftests failed"}
- }
- }
- else if [logx][wineventlog][event_id] == 6419 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "A request was made to disable a device"}
- }
- }
- else if [logx][wineventlog][event_id] == 6420 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "A device was disabled"}
- }
- }
- else if [logx][wineventlog][event_id] == 6421 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "A request was made to enable a device"}
- }
- }
- else if [logx][wineventlog][event_id] == 6422 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "A device was enabled"}
- }
- }
- else if [logx][wineventlog][event_id] == 6423 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "The installation of this device is forbidden by system policy"}
- }
- }
- else if [logx][wineventlog][event_id] == 6424 {
- mutate {
- 
add_field => {"[logx][wineventlog][event_name]" => "The installation of this device was allowed: after having previously been forbidden by policy"}
- }
- }
- else if [logx][wineventlog][event_id] == 8191 {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "Highest System-Defined Audit Message Value"}
- }
- }
- else {
- mutate {
- add_field => {"[logx][wineventlog][event_name]" => "None"}
- }
- }
-
- if [logx][wineventlog][event_id] == 4663 {
- if [logx][wineventlog][event_data][AccessMask]{
- if [logx][wineventlog][event_data][AccessMask] == "0x1" {
- mutate {
- add_field => {"[logx][wineventlog][access_type]" => "read"}
- add_field => {"[logx][wineventlog][access_description]" => "For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.\n For a directory, the right to list the contents of the directory.\n For registry objects, this is, Query key value."}
- }
- }
- else if [logx][wineventlog][event_data][AccessMask] == "0x2" {
- mutate {
- add_field => {"[logx][wineventlog][access_type]" => "write"}
- add_field => {"[logx][wineventlog][access_description]" => "For a file object, the right to write data to the file.\n For a directory object, the right to create a file in the directory.\n For registry objects, this is, Set key value."}
- }
- }
- else if [logx][wineventlog][event_data][AccessMask] == "0x4" {
- mutate {
- add_field => {"[logx][wineventlog][access_type]" => "append"}
- add_field => {"[logx][wineventlog][access_description]" => "For a file object, the right to append data to the file. 
(For local files, write operations will not overwrite existing data if this flag is specified without FILE_WRITE_DATA.)\n For a directory object, the right to create a subdirectory.\n For a named pipe, the right to create a pipe."}
- }
- }
- else if [logx][wineventlog][event_data][AccessMask] == "0x8" {
- mutate {
- add_field => {"[logx][wineventlog][access_type]" => "read_extended_attributes"}
- add_field => {"[logx][wineventlog][access_description]" => "The right to read extended file attributes.\n For registry objects, this is, Enumerate sub-keys."}
- }
- }
- else if [logx][wineventlog][event_data][AccessMask] == "0x10" {
- mutate {
- add_field => {"[logx][wineventlog][access_type]" => "write_extended_attributes"}
- add_field => {"[logx][wineventlog][access_description]" => "The right to write extended file attributes."}
- }
- }
- else if [logx][wineventlog][event_data][AccessMask] == "0x20" {
- mutate {
- add_field => {"[logx][wineventlog][access_type]" => "execute"}
- add_field => {"[logx][wineventlog][access_description]" => "For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.\n For a directory, the right to traverse the directory. 
By default, users are assigned the BYPASS_TRAVERSE_CHECKING privilege, which ignores the FILE_TRAVERSE access right."}
- }
- }
- else if [logx][wineventlog][event_data][AccessMask] == "0x40" {
- mutate {
- add_field => {"[logx][wineventlog][access_type]" => "delete_child"}
- add_field => {"[logx][wineventlog][access_description]" => "For a directory, the right to delete a directory and all the files it contains, including read-only files."}
- }
- }
- else if [logx][wineventlog][event_data][AccessMask] == "0x80" {
- mutate {
- add_field => {"[logx][wineventlog][access_type]" => "read_attributes"}
- add_field => {"[logx][wineventlog][access_description]" => "The right to read file attributes."}
- }
- }
- else if [logx][wineventlog][event_data][AccessMask] == "0x100" {
- mutate {
- add_field => {"[logx][wineventlog][access_type]" => "write_attributes"}
- add_field => {"[logx][wineventlog][access_description]" => "The right to write file attributes."}
- }
- }
- else if [logx][wineventlog][event_data][AccessMask] == "0x10000" {
- mutate {
- add_field => {"[logx][wineventlog][access_type]" => "delete"}
- add_field => {"[logx][wineventlog][access_description]" => "The right to delete the object."}
- }
- }
- else if [logx][wineventlog][event_data][AccessMask] == "0x20000" {
- mutate {
- add_field => {"[logx][wineventlog][access_type]" => "read_control"}
- add_field => {"[logx][wineventlog][access_description]" => "The right to read the information in the object''s security descriptor, not including the information in the system access control list (SACL)."}
- }
- }
- else if [logx][wineventlog][event_data][AccessMask] == "0x40000" {
- mutate {
- add_field => {"[logx][wineventlog][access_type]" => "write_dac"}
- add_field => {"[logx][wineventlog][access_description]" => "The right to modify the discretionary access control list (DACL) in the object''s security descriptor."}
- }
- }
- else if [logx][wineventlog][event_data][AccessMask] == "0x80000" {
- mutate {
- add_field 
=> {"[logx][wineventlog][access_type]" => "write_owner"}
- add_field => {"[logx][wineventlog][access_description]" => "The right to change the owner in the object''s security descriptor"}
- }
- }
- else if [logx][wineventlog][event_data][AccessMask] == "0x100000" {
- mutate {
- add_field => {"[logx][wineventlog][access_type]" => "synchronize"}
- add_field => {"[logx][wineventlog][access_description]" => "The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right."}
- }
- }
- else if [logx][wineventlog][event_data][AccessMask] == "0x1000000" {
- mutate {
- add_field => {"[logx][wineventlog][access_type]" => "access_sys_sec"}
- add_field => {"[logx][wineventlog][access_description]" => "The ACCESS_SYS_SEC access right controls the ability to get or set the SACL in an object''s security descriptor."}
- }
- }
- }
- }
- if [logx][wineventlog][event_id] == 4625 {
- if [logx][wineventlog][event_data][FailureReason] {
- if [logx][wineventlog][event_data][FailureReason] == "%%2305" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][FailureReasonDescription]" => "The specified user account has expired."}
- }
- }
- else if [logx][wineventlog][event_data][FailureReason] == "%%2309" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][FailureReasonDescription]" => "The specified account''s password has expired"}
- }
- }
- else if [logx][wineventlog][event_data][FailureReason] == "%%2310" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][FailureReasonDescription]" => "Account currently disabled"}
- }
- }
- else if [logx][wineventlog][event_data][FailureReason] == "%%2311" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][FailureReasonDescription]" => "Account logon time restriction violation"}
- }
- }
- else if [logx][wineventlog][event_data][FailureReason] == "%%2312" {
- mutate {
- add_field => 
{"[logx][wineventlog][event_data][FailureReasonDescription]" => "User not allowed to logon at this computer"}
- }
- }
- else if [logx][wineventlog][event_data][FailureReason] == "%%2313" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][FailureReasonDescription]" => "Unknown user name or bad password"}
- }
- }
- else if [logx][wineventlog][event_data][FailureReason] == "%%2304" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][FailureReasonDescription]" => "An Error occurred during Logon"}
- }
- }
- else {
- mutate {
- add_field => {"[logx][wineventlog][event_data][FailureReasonDescription]" => "None"}
- }
- }
- }
- if [logx][wineventlog][event_data][Status] {
- if [logx][wineventlog][event_data][Status] == "0xC0000234" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Account locked out"}
- }
- }
- else if [logx][wineventlog][event_data][Status] == "0xC0000193" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Account expired"}
- }
- }
- else if [logx][wineventlog][event_data][Status] == "0xC0000133" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Clocks out of sync"}
- }
- }
- else if [logx][wineventlog][event_data][Status] == "0xC0000224" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Password change required"}
- }
- }
- else if [logx][wineventlog][event_data][Status] == "0xc000015b" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "User does not have logon right"}
- }
- }
- else if [logx][wineventlog][event_data][Status] == "0xc000006d" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Logon failure"}
- }
- }
- else if [logx][wineventlog][event_data][Status] == "0xc000006e" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Account restriction"}
- }
- }
- else if 
[logx][wineventlog][event_data][Status] == "0xc00002ee" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "An error occurred during logon"}
- }
- }
- else if [logx][wineventlog][event_data][Status] == "0xC0000071" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Password expired"}
- }
- }
- else if [logx][wineventlog][event_data][Status] == "0xC0000072" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Account disabled"}
- }
- }
- else if [logx][wineventlog][event_data][Status] == "0xC0000413" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Authentication firewall prohibits logon"}
- }
- }
- else {
- mutate {
- add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "None"}
- }
- }
- }
- if [logx][wineventlog][event_data][SubStatus] {
- if [logx][wineventlog][event_data][SubStatus] == "0xC0000234" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Account locked out"}
- }
- }
- else if [logx][wineventlog][event_data][SubStatus] == "0xC0000193" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "Account expired"}
- }
- }
- else if [logx][wineventlog][event_data][SubStatus] == "0xC0000133" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "Clocks out of sync"}
- }
- }
- else if [logx][wineventlog][event_data][SubStatus] == "0xC0000224" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "Password change required"}
- }
- }
- else if [logx][wineventlog][event_data][SubStatus] == "0xc000015b" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "User does not have logon right"}
- }
- }
- else if [logx][wineventlog][event_data][SubStatus] == "0xc000006d" {
- mutate {
- add_field => 
{"[logx][wineventlog][event_data][SubStatusDescription]" => "Logon failure"}
- }
- }
- else if [logx][wineventlog][event_data][SubStatus] == "0xc000006e" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "Account restriction"}
- }
- }
- else if [logx][wineventlog][event_data][SubStatus] == "0xc00002ee" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "An error occurred during logon"}
- }
- }
- else if [logx][wineventlog][event_data][SubStatus] == "0xC0000071" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "Password expired"}
- }
- }
- else if [logx][wineventlog][event_data][SubStatus] == "0xC0000072" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "Account disabled"}
- }
- }
- else if [logx][wineventlog][event_data][SubStatus] == "0xC0000413" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "Authentication firewall prohibits logon"}
- }
- }
- else if [logx][wineventlog][event_data][SubStatus] == "0xc000006a" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "Incorrect password"}
- }
- }
- else if [logx][wineventlog][event_data][SubStatus] == "0xc0000064" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "Account does not exist"}
- }
- }
- else {
- mutate {
- add_field => {"[logx][wineventlog][event_data][SubStatusDescription]" => "None"}
- }
- }
- }
- }
- if [logx][wineventlog][event_id] == 4771 {
- if [logx][wineventlog][event_data][Status] {
- if [logx][wineventlog][event_data][Status] == "0x1" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Client''s entry in database has expired"}
- }
- }
- else if [logx][wineventlog][event_data][Status] == "0x2" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Server''s entry in 
database has expired"}
- }
- }
- else if [logx][wineventlog][event_data][Status] == "0x3" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Requested protocol version not supported"}
- }
- }
- else if [logx][wineventlog][event_data][Status] == "0x4" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Client''s key encrypted in old master key"}
- }
- }
- else if [logx][wineventlog][event_data][Status] == "0x5" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Server''s key encrypted in old master key"}
- }
- }
- else if [logx][wineventlog][event_data][Status] == "0x6" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Client not found in Kerberos database"}
- }
- }
- else if [logx][wineventlog][event_data][Status] == "0x7" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Server not found in Kerberos database"}
- }
- }
- else if [logx][wineventlog][event_data][Status] == "0x8" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Multiple principal entries in database"}
- }
- }
- else if [logx][wineventlog][event_data][Status] == "0x9" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "The client or server has a null key"}
- }
- }
- else if [logx][wineventlog][event_data][Status] == "0xA" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Ticket not eligible for postdating"}
- }
- }
- else if [logx][wineventlog][event_data][Status] == "0xB" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Requested start time is later than end time"}
- }
- }
- else if [logx][wineventlog][event_data][Status] == "0xC" {
- mutate {
- add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "KDC policy rejects request"}
- }
- }
- else if 
[logx][wineventlog][event_data][Status] == "0xD" { - mutate { - add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "KDC cannot accommodate requested option"} - } - } - else if [logx][wineventlog][event_data][Status] == "0xE" { - mutate { - add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "KDC has no support for encryption type"} - } - } - else if [logx][wineventlog][event_data][Status] == "0xF" { - mutate { - add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "KDC has no support for checksum type"} - } - } - else if [logx][wineventlog][event_data][Status] == "0x10" { - mutate { - add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "KDC has no support for padata type"} - } - } - else if [logx][wineventlog][event_data][Status] == "0x11" { - mutate { - add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "KDC has no support for transited type"} - } - } - else if [logx][wineventlog][event_data][Status] == "0x12" { - mutate { - add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Clients credentials have been revoked"} - } - } - else if [logx][wineventlog][event_data][Status] == "0x13" { - mutate { - add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Credentials for server have been revoked"} - } - } - else if [logx][wineventlog][event_data][Status] == "0x14" { - mutate { - add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "TGT has been revoked"} - } - } - else if [logx][wineventlog][event_data][Status] == "0x15" { - mutate { - add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Client not yet valid - try again later"} - } - } - else if [logx][wineventlog][event_data][Status] == "0x16" { - mutate { - add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Server not yet valid - try again later"} - } - } - else if [logx][wineventlog][event_data][Status] == "0x17" { - mutate { - add_field 
=> {"[logx][wineventlog][event_data][StatusDescription]" => "Password has expired"} - } - } - else if [logx][wineventlog][event_data][Status] == "0x18" { - mutate { - add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Pre-authentication information was invalid"} - } - } - else if [logx][wineventlog][event_data][Status] == "0x19" { - mutate { - add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Additional pre-authentication required"} - } - } - else if [logx][wineventlog][event_data][Status] == "0x1F" { - mutate { - add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Integrity check on decrypted field failed"} - } - } - else if [logx][wineventlog][event_data][Status] == "0x20" { - mutate { - add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Ticket expired"} - } - } - else if [logx][wineventlog][event_data][Status] == "0x21" { - mutate { - add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Ticket not yet valid"} - } - } - else if [logx][wineventlog][event_data][Status] == "0x22" { - mutate { - add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Request is a replay"} - } - } - else if [logx][wineventlog][event_data][Status] == "0x23" { - mutate { - add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "The ticket isn''t for us"} - } - } - else if [logx][wineventlog][event_data][Status] == "0x24" { - mutate { - add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Ticket and authenticator don''t match"} - } - } - else if [logx][wineventlog][event_data][Status] == "0x25" { - mutate { - add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Clock skew too great"} - } - } - else if [logx][wineventlog][event_data][Status] == "0x26" { - mutate { - add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Incorrect net address"} - } - } - else if [logx][wineventlog][event_data][Status] == "0x27" { 
- mutate { - add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Protocol version mismatch"} - } - } - else if [logx][wineventlog][event_data][Status] == "0x28" { - mutate { - add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Invalid msg type"} - } - } - else if [logx][wineventlog][event_data][Status] == "0x29" { - mutate { - add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Message stream modified"} - } - } - else if [logx][wineventlog][event_data][Status] == "0x2A" { - mutate { - add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Message out of order"} - } - } - else if [logx][wineventlog][event_data][Status] == "0x2C" { - mutate { - add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Specified version of key is not available"} - } - } - else if [logx][wineventlog][event_data][Status] == "0x2D" { - mutate { - add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Service key not available"} - } - } - else if [logx][wineventlog][event_data][Status] == "0x2E" { - mutate { - add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Mutual authentication failed"} - } - } - else if [logx][wineventlog][event_data][Status] == "0x2F" { - mutate { - add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Incorrect message direction"} - } - } - else if [logx][wineventlog][event_data][Status] == "0x30" { - mutate { - add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Alternative authentication method required"} - } - } - else if [logx][wineventlog][event_data][Status] == "0x31" { - mutate { - add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Incorrect sequence number in message"} - } - } - else if [logx][wineventlog][event_data][Status] == "0x32" { - mutate { - add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Inappropriate type of checksum in message"} - } - } - else if 
[logx][wineventlog][event_data][Status] == "0x3C" { - mutate { - add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Generic error (description in e-text)"} - } - } - else if [logx][wineventlog][event_data][Status] == "0x3D" { - mutate { - add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "Field is too long for this implementation"} - } - } - else { - mutate { - add_field => {"[logx][wineventlog][event_data][StatusDescription]" => "None"} - } - } - } - } - } - } - # Also, remove unwanted fields if the message not match with conditions - mutate { - remove_field => ["headers"] - } -}' - WHERE id=701; - ]]> - - - \ No newline at end of file From 46c7d6362bd53bebf98c971e388907a4b16ae8cb Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Mon, 2 Jun 2025 11:43:44 -0500 Subject: [PATCH 56/56] fix: add pipeline for aws, sophos-central and o365 integrations --- .../liquibase/changelog/20250507003_add_o365_pipeline.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/backend/src/main/resources/config/liquibase/changelog/20250507003_add_o365_pipeline.xml b/backend/src/main/resources/config/liquibase/changelog/20250507003_add_o365_pipeline.xml index 96f301704..a84403331 100644 --- a/backend/src/main/resources/config/liquibase/changelog/20250507003_add_o365_pipeline.xml +++ b/backend/src/main/resources/config/liquibase/changelog/20250507003_add_o365_pipeline.xml 
@@ -8,7 +8,7 @@ INSERT INTO utm_logstash_pipeline (id, pipeline_id, pipeline_name, parent_pipeline, pipeline_status, module_name, system_owner, pipeline_description, pipeline_internal, events_in, events_filtered, events_out, reloads_successes, reloads_failures, reloads_last_failure_timestamp, reloads_last_error, reloads_last_success_timestamp)
- VALUES (57, 'o365', 'Office 365', null, 'up', 'AWS', true, null, false, 0, 0, 0, 0, 0, null, null, null);
+ VALUES (57, 'o365', 'Office 365', null, 'up', 'O365', true, null, false, 0, 0, 0, 0, 0, null, null, null);
 INSERT INTO utm_group_logstash_pipeline_filters (filter_id, pipeline_id, relation)
 VALUES (601, 57, 'PIPELINE_FILTER');
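Review bot: Editing the SQL of an existing Liquibase changeSet in place, as the `'AWS'` to `'O365'` edit on the VALUES line does, changes the changeSet's checksum, so on any database where 20250507003 has already executed Liquibase validation will fail with a checksum mismatch and the row for id 57 will keep module_name 'AWS' because the changeSet is not re-run; whether the changeSet has already shipped cannot be seen from this hunk. If it has, the correction belongs in a new changeSet, e.g. `UPDATE utm_logstash_pipeline SET module_name = 'O365' WHERE id = 57;`, with this file left as applied or given a `<validCheckSum>` for the previous checksum. The enclosing `<changeSet>`/`<sql>` element starts outside the hunk, so it is not visible whether `runOnChange` or `validCheckSum` is already set.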