Addes parsing for WEF event id 33205

Cargill · Nov 7, 2024 · 050339a · 050339a
1 parent aed519f
commit 050339a
Showing 1 changed file with 57 additions and 1 deletion.
diff --git a/config/processors/wef_audit_windows.events.conf b/config/processors/wef_audit_windows.events.conf
@@ -109,8 +109,64 @@ filter {
       remove_field => [ "[event][code]" ]
     }
   }
+  if [event][id] == "33205" {
+    # https://docs.logrhythm.com/devices/docs/evid-33205-sql-audit-event
+    mutate {
+      rename => {
+       "[winlog][event_data][param1][action_id]" => "[rule][id]"
+       "[winlog][event_data][param1][class_type]" => "[event][type]"
+       "[winlog][event_data][param1][server_instance_name]" => "[database][instance]"
+       "[winlog][event_data][param1][database_name]" => "[database][name]"
+       "[winlog][event_data][param1][schema_name]" => "[process][title]"
+       "[winlog][event_data][param1][object_name]" => "[process][args]"
+       "[winlog][event_data][param1][statement]" => "[process][command_line]"
+       "[winlog][event_data][param1][application_name]" => "[process][name]"
+       "[winlog][event_data][param1][data_sensitivity_information]" => "[cmdb][application][sensitivity]"
+       "[winlog][event_data][param1][database_principal_name]" => "[database][principal_name]"
+       "[winlog][event_data][param1][host_name]" => "[host][hostname]"   
+      }
+      replace => { "[event][created]" => "%{[event_data][param1][event_time]}" }
+    }
+    mutate {
+       lowercase => [ "[host][hostname]" ]
+    }
+    if [event_data][param1][succeeded] {
+      mutate {
+        add_field => { "[event][outcome]" => "success" }
+      }
+    } else {
+      mutate {
+        add_field => { "[event][outcome]" => "failed" }
+      }      
+    }
+    if [event_data][param1][client_ip] {
+      if [winlog][event_data][param1][client_ip] =~ "\d+\.\d+\.\d+\.\d+" {
+        mutate {
+          rename => {
+            "[winlog][event_data][param1][client_ip]" => "[source][ip]"
+          }
+        }
+      } else {
+        mutate {
+          rename => {
+            "[winlog][event_data][param1][client_ip]" => "[source][address]"
+          }
+        }
+      }
+    }
+    grok {
+      tag_on_failure => "_grokparsefailure_src_usr_name"
+      match => { "[winlog][event_data][param1][session_server_principal_name]" => "^((?<[source][user][domain]>.*?)\\)?(?<[source][user][name]>.*?)$" }
+      timeout_millis => 500
+    }
+    grok {
+      tag_on_failure => "_grokparsefailure_db_usr_name"
+      match => { "[winlog][event_data][param1][server_principal_name]" => "^((?<[database][user][domain]>.*?)\\)?(?<[database][user][name]>.*?)$" }
+      timeout_millis => 500
+    }
+  }
   date {
-    match => ["[event][created]", "yyyy-MM-dd'T'HH:mm:ssZ","ISO8601","yyyy-MM-dd't'HH:mm:ss.SSSz"]
+    match => ["[event][created]", "yyyy-MM-dd'T'HH:mm:ssZ","ISO8601","yyyy-MM-dd't'HH:mm:ss.SSSz", "yyyy-MM-dd HH:mm:ss.SSS" ]
     timezone => "GMT"
     locale => "en"
     target => "[event][created]"