diff --git a/config/processors/wef_audit_windows.events.conf b/config/processors/wef_audit_windows.events.conf
index 0ee43780..b09f2903 100644
--- a/config/processors/wef_audit_windows.events.conf
+++ b/config/processors/wef_audit_windows.events.conf
@@ -32,6 +32,9 @@ filter {
 rename => {"[winlog][event_data][OriginalFileName]" => "[file][path]"}
 rename => {"[winlog][event_data][Path]" => "[file][path]"}
 rename => {"[winlog][event_data][ShareLocalPath]" => "[file][target_path]"}
+ rename => {"[winlog][event_data][ShareName]" => "[file][sharename]"}
+ rename => {"[winlog][event_data][NewSD]" => "[file][new_acl]"}
+ rename => {"[winlog][event_data][OldSD]" => "[file][old_acl]"}
 rename => {"[winlog][event_data][ObjectName]" => "[file][path]"}
 rename => { "[winlog][event_data][ServiceFileName]" => "[file][path]" }
 # Process fields
diff --git a/doc/elastic_common_schema/ecs_1.9_with_custom_fields.csv b/doc/elastic_common_schema/ecs_1.9_with_custom_fields.csv
index 36ea9d4c..47dd5053 100755
--- a/doc/elastic_common_schema/ecs_1.9_with_custom_fields.csv
+++ b/doc/elastic_common_schema/ecs_1.9_with_custom_fields.csv
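Review bot: The two new security-descriptor renames may never match: in the Security-log events that carry this data (4670 "permissions on an object were changed", 4907 "auditing settings on object were changed") the event XML spells the fields `OldSd` and `NewSd` with a lower-case d, winlogbeat keeps that case under `[winlog][event_data]`, and Logstash field references are case-sensitive, so `[winlog][event_data][NewSD]` / `[OldSD]` would silently be a no-op and the ACL change would be indexed nowhere useful. Please confirm against a captured event and, if it holds, change the two lines to `rename => {"[winlog][event_data][NewSd]" => "[file][new_acl]"}` and `rename => {"[winlog][event_data][OldSd]" => "[file][old_acl]"}`. The values are raw SDDL strings rather than parsed ACLs, so a comment such as `# NewSd/OldSd carry the object's security descriptor as an SDDL string, not a structured ACL` would stop the next reader from expecting ACE-level fields. The mutate block these renames belong to starts and ends outside the hunk.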
@@ -296,6 +296,9 @@ custom,TRUE,event,event.severity_name,[event][severity_name],keyword,extended,,,
 1.9.0-dev,TRUE,file,file.x509.subject.organizational_unit,[file][x509][subject][organizational_unit],keyword,extended,array,,List of organizational units (OU) of subject.
 1.9.0-dev,TRUE,file,file.x509.subject.state_or_province,[file][x509][subject][state_or_province],keyword,extended,array,California,"List of state or province names (ST, S, or P)"
 1.9.0-dev,TRUE,file,file.x509.version_number,[file][x509][version_number],keyword,extended,,3,Version of x509 format.
+custom,TRUE,file,file.sharename,[file][sharename],keyword,extended,,,
+custom,TRUE,file,[file.new_acl,[file][new_acl],keyword,extended,,,
+custom,TRUE,file,file.old_acl,[file][old_acl],keyword,extended,,,
 1.9.0-dev,TRUE,group,group.domain,[group][domain],keyword,extended,,,Name of the directory the group is a member of.
 1.9.0-dev,TRUE,group,group.id,[group][id],keyword,extended,,,Unique identifier for the group on the system/platform.
 1.9.0-dev,TRUE,group,group.name,[group][name],keyword,extended,,,Name of the group.
@@ -917,4 +920,3 @@ custom,TRUE,vulnerability,vulnerability.recurrence,[vulnerability][recurrence],b
 1.9.0-dev,TRUE,vulnerability,vulnerability.score.version,[vulnerability][score][version],keyword,extended,,2,CVSS version.
 1.9.0-dev,TRUE,vulnerability,vulnerability.severity,[vulnerability][severity],keyword,extended,,Critical,Severity of the vulnerability.
 custom,TRUE,vulnerability,vulnerability.status,[vulnerability][status],keyword,Custom Field,,Custom Field,
-
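Review bot: The `file.new_acl` row added in the first hunk has a stray `[` in its dotted-name column (`[file.new_acl`), inconsistent with the `file.sharename` and `file.old_acl` rows added next to it and with every other row in the file; if this CSV feeds any mapping or documentation generation, the field would be emitted under a wrong name. Change it to `custom,TRUE,file,file.new_acl,[file][new_acl],keyword,extended,,,`. The description column is empty on all three new rows, unlike the ECS rows around them; a short description stating that the two ACL fields hold the object's security descriptor as an SDDL string from the Windows event would tell analysts what kind of value to expect.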