From b491b1bf760854e5af6a3c02719f6fe4d012814f Mon Sep 17 00:00:00 2001
From: Brian Grabau
Date: Fri, 8 Mar 2024 13:39:14 -0600
Subject: [PATCH 1/2] Added file share acl fields for wef
---
 config/processors/wef_audit_windows.events.conf | 3 +++
 doc/elastic_common_schema/ecs_1.9_with_custom_fields.csv | 4 +++-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/config/processors/wef_audit_windows.events.conf b/config/processors/wef_audit_windows.events.conf
index 0ee43780..75262cfb 100644
--- a/config/processors/wef_audit_windows.events.conf
+++ b/config/processors/wef_audit_windows.events.conf
@@ -32,6 +32,9 @@ filter {
 rename => {"[winlog][event_data][OriginalFileName]" => "[file][path]"}
 rename => {"[winlog][event_data][Path]" => "[file][path]"}
 rename => {"[winlog][event_data][ShareLocalPath]" => "[file][target_path]"}
+ rename => {"[winlog][event_data][ShareName]" => "[file][sharename]"
+ rename => {"[winlog][event_data][NewSD]" => "[file][new_acl]"
+ rename => {"[winlog][event_data][OldSD]" => "[file][old_acl]"
 rename => {"[winlog][event_data][ObjectName]" => "[file][path]"}
 rename => { "[winlog][event_data][ServiceFileName]" => "[file][path]" }
 # Process fields
diff --git a/doc/elastic_common_schema/ecs_1.9_with_custom_fields.csv b/doc/elastic_common_schema/ecs_1.9_with_custom_fields.csv
index 36ea9d4c..47dd5053 100755
--- a/doc/elastic_common_schema/ecs_1.9_with_custom_fields.csv
+++ b/doc/elastic_common_schema/ecs_1.9_with_custom_fields.csv
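Review bot: The values the new `NewSD`/`OldSD` renames carry are not just ACLs but whole Windows security descriptors in SDDL form (owner, group, DACL and, when present, SACL), which is what share-permission audit events such as 5143 place in those fields, so the `[file][new_acl]`/`[file][old_acl]` names understate the content for anyone writing detections against them. If the names are kept, a comment above the three renames would help: `# NewSD/OldSD are full SDDL security descriptors (owner/group/DACL/SACL), not only the ACL`. These strings can also be long for shares with many ACEs; if the index template maps the target fields as `keyword` with the usual `ignore_above` limit, long descriptors would be stored but not searchable — the template is not part of this change, so that is worth confirming there. The same applies to the corrected versions of these three renames in the second patch's hunk of the same file.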
@@ -296,6 +296,9 @@ custom,TRUE,event,event.severity_name,[event][severity_name],keyword,extended,,,
 1.9.0-dev,TRUE,file,file.x509.subject.organizational_unit,[file][x509][subject][organizational_unit],keyword,extended,array,,List of organizational units (OU) of subject.
 1.9.0-dev,TRUE,file,file.x509.subject.state_or_province,[file][x509][subject][state_or_province],keyword,extended,array,California,"List of state or province names (ST, S, or P)"
 1.9.0-dev,TRUE,file,file.x509.version_number,[file][x509][version_number],keyword,extended,,3,Version of x509 format.
+custom,TRUE,file,file.sharename,[file][sharename],keyword,extended,,,
+custom,TRUE,file,[file.new_acl,[file][new_acl],keyword,extended,,,
+custom,TRUE,file,file.old_acl,[file][old_acl],keyword,extended,,,
 1.9.0-dev,TRUE,group,group.domain,[group][domain],keyword,extended,,,Name of the directory the group is a member of.
 1.9.0-dev,TRUE,group,group.id,[group][id],keyword,extended,,,Unique identifier for the group on the system/platform.
 1.9.0-dev,TRUE,group,group.name,[group][name],keyword,extended,,,Name of the group.
@@ -917,4 +920,3 @@ custom,TRUE,vulnerability,vulnerability.recurrence,[vulnerability][recurrence],b
 1.9.0-dev,TRUE,vulnerability,vulnerability.score.version,[vulnerability][score][version],keyword,extended,,2,CVSS version.
 1.9.0-dev,TRUE,vulnerability,vulnerability.severity,[vulnerability][severity],keyword,extended,,Critical,Severity of the vulnerability.
 custom,TRUE,vulnerability,vulnerability.status,[vulnerability][status],keyword,Custom Field,,Custom Field,
-
From 63aa854b4a9711d9a8d4c7908bb15ece09d0b709 Mon Sep 17 00:00:00 2001
From: MehaSal <87989881+MehaSal@users.noreply.github.com>
Date: Fri, 8 Mar 2024 13:56:07 -0600
Subject: [PATCH 2/2] Fix wef_audit_windows.events.conf
---
 config/processors/wef_audit_windows.events.conf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
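Review bot: The flat field name in the second added row is `[file.new_acl`, with a stray leading bracket, whereas its siblings use `file.sharename` and `file.old_acl`, so anything that reads the fourth column of this CSV to generate a mapping or field reference gets a malformed name; the second patch in this series does not touch the CSV, so the typo survives. The row should read `custom,TRUE,file,file.new_acl,[file][new_acl],keyword,extended,,,`. The three rows also leave the description column empty while the surrounding ECS rows fill it; a short description naming the source field and its content (for example `Previous security descriptor (SDDL) of the share, from [winlog][event_data][OldSD]`) would make the custom fields traceable back to the Windows event.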
diff --git a/config/processors/wef_audit_windows.events.conf b/config/processors/wef_audit_windows.events.conf
index 75262cfb..b09f2903 100644
--- a/config/processors/wef_audit_windows.events.conf
+++ b/config/processors/wef_audit_windows.events.conf
@@ -32,9 +32,9 @@ filter {
 rename => {"[winlog][event_data][OriginalFileName]" => "[file][path]"}
 rename => {"[winlog][event_data][Path]" => "[file][path]"}
 rename => {"[winlog][event_data][ShareLocalPath]" => "[file][target_path]"}
- rename => {"[winlog][event_data][ShareName]" => "[file][sharename]"
- rename => {"[winlog][event_data][NewSD]" => "[file][new_acl]"
- rename => {"[winlog][event_data][OldSD]" => "[file][old_acl]"
+ rename => {"[winlog][event_data][ShareName]" => "[file][sharename]"}
+ rename => {"[winlog][event_data][NewSD]" => "[file][new_acl]"}
+ rename => {"[winlog][event_data][OldSD]" => "[file][old_acl]"}
 rename => {"[winlog][event_data][ObjectName]" => "[file][path]"}
 rename => { "[winlog][event_data][ServiceFileName]" => "[file][path]" }
 # Process fields