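---
# Sigma backend configuration: maps the field names used in Sigma rules
# (left-hand side) to the field names present in the target Elasticsearch
# index (right-hand side). Consumed by sigmac via -c.
#
# NOTE(review): the title below still says "evtx2elk" although this file is
# pcapmonkey.yml — confirm which ingest pipeline produced the index this
# config targets and rename the title to match, so the wrong config is not
# picked by mistake.
#
# Practitioner caveats:
# - A rule field with no entry here is, as far as the converter's usual
#   behaviour goes (verify for the sigmac version in use), emitted unchanged.
#   Against an index whose EventData lives under Event.EventData.Data.*, such
#   a term matches nothing, so the converted rule silently never fires. Add a
#   mapping rather than relying on pass-through.
# - Elasticsearch field names are case-sensitive. The winlog.* targets below
#   use mixed casing (winlog.channel vs winlog.ComputerName); confirm both
#   against the index mapping/template before trusting queries on them.
title: Elastic evtx2elk index pattern and field mapping
# Processing order when several configs are passed to sigmac; presumably
# lower values are applied first so a backend-specific config can override a
# generic one — confirm against the sigmac documentation.
order: 20
# Backends this config applies to: Elasticsearch query-string and DSL output.
backends:
  - es-qs
  - es-dsl
# Generic Sigma names (dst_ip, src_ip, dst_port, src_port) are mapped to the
# same targets as their Windows EventData counterparts so rules written with
# either spelling convert identically.
fieldmappings:
  EventID: winlog.event_id
  AccessMask: Event.EventData.Data.AccessMask
  AccountName: Event.EventData.Data.AccountName
  AllowedToDelegateTo: Event.EventData.Data.AllowedToDelegateTo
  AttributeLDAPDisplayName: Event.EventData.Data.AttributeLDAPDisplayName
  AuditPolicyChanges: Event.EventData.Data.AuditPolicyChanges
  AuthenticationPackageName: Event.EventData.Data.AuthenticationPackageName
  CallingProcessName: Event.EventData.Data.CallingProcessName
  CallTrace: Event.EventData.Data.CallTrace
  Channel: winlog.channel
  CommandLine: Event.EventData.Data.CommandLine
  ComputerName: winlog.ComputerName
  CurrentDirectory: Event.EventData.Data.CurrentDirectory
  Description: Event.EventData.Data.Description
  DestinationHostname: Event.EventData.Data.DestinationHostname
  DestinationIp: Event.EventData.Data.DestinationIp
  dst_ip: Event.EventData.Data.DestinationIp
  DestinationIsIpv6: Event.EventData.Data.DestinationIsIpv6
  DestinationPort: Event.EventData.Data.DestinationPort
  dst_port: Event.EventData.Data.DestinationPort
  Details: Event.EventData.Data.Details
  EngineVersion: Event.EventData.Data.EngineVersion
  EventType: Event.EventData.Data.EventType
  FailureCode: Event.EventData.Data.FailureCode
  FileName: Event.EventData.Data.FileName
  OriginalFileName: Event.EventData.Data.OriginalFileName
  GrantedAccess: Event.EventData.Data.GrantedAccess
  GroupName: Event.EventData.Data.GroupName
  GroupSid: Event.EventData.Data.GroupSid
  Hashes: Event.EventData.Data.Hashes
  HiveName: Event.EventData.Data.HiveName
  HostVersion: Event.EventData.Data.HostVersion
  Image: Event.EventData.Data.Image
  ImageLoaded: Event.EventData.Data.ImageLoaded
  ImagePath: Event.EventData.Data.ImagePath
  Imphash: Event.EventData.Data.Imphash
  IpAddress: Event.EventData.Data.IpAddress
  KeyLength: Event.EventData.Data.KeyLength
  LogonProcessName: Event.EventData.Data.LogonProcessName
  LogonType: Event.EventData.Data.LogonType
  NewProcessName: Event.EventData.Data.NewProcessName
  ObjectClass: Event.EventData.Data.ObjectClass
  ObjectName: Event.EventData.Data.ObjectName
  ObjectType: Event.EventData.Data.ObjectType
  ObjectValueName: Event.EventData.Data.ObjectValueName
  ParentCommandLine: Event.EventData.Data.ParentCommandLine
  ParentProcessName: Event.EventData.Data.ParentProcessName
  ParentImage: Event.EventData.Data.ParentImage
  Path: Event.EventData.Data.Path
  PipeName: Event.EventData.Data.PipeName
  ProcessCommandLine: Event.EventData.Data.ProcessCommandLine
  ProcessName: Event.EventData.Data.ProcessName
  Properties: Event.EventData.Data.Properties
  RuleName: Event.EventData.Data.RuleName
  SecurityID: Event.EventData.Data.SecurityID
  ServiceFileName: Event.EventData.Data.ServiceFileName
  ServiceName: Event.EventData.Data.ServiceName
  ShareName: Event.EventData.Data.ShareName
  Signature: Event.EventData.Data.Signature
  Source: Event.EventData.Data.Source
  SourceImage: Event.EventData.Data.SourceImage
  SourceIp: Event.EventData.Data.SourceIp
  src_ip: Event.EventData.Data.SourceIp
  SourcePort: Event.EventData.Data.SourcePort
  src_port: Event.EventData.Data.SourcePort
  StartModule: Event.EventData.Data.StartModule
  Status: Event.EventData.Data.Status
  SubjectUserName: Event.EventData.Data.SubjectUserName
  SubjectUserSid: Event.EventData.Data.SubjectUserSid
  TargetFilename: Event.EventData.Data.TargetFilename
  TargetImage: Event.EventData.Data.TargetImage
  TargetObject: Event.EventData.Data.TargetObject
  TicketEncryptionType: Event.EventData.Data.TicketEncryptionType
  TicketOptions: Event.EventData.Data.TicketOptions
  User: Event.EventData.Data.User
  WorkstationName: Event.EventData.Data.WorkstationName
  # Fields used by rules on Channel: WLAN-Autoconfig AND EventID: 8001
  # (wireless connection events); they share the same EventData.Data prefix.
  AuthenticationAlgorithm: Event.EventData.Data.AuthenticationAlgorithm
  BSSID: Event.EventData.Data.BSSID
  BSSType: Event.EventData.Data.BSSType
  CipherAlgorithm: Event.EventData.Data.CipherAlgorithm
  ConnectionId: Event.EventData.Data.ConnectionId
  ConnectionMode: Event.EventData.Data.ConnectionMode
  InterfaceDescription: Event.EventData.Data.InterfaceDescription
  InterfaceGuid: Event.EventData.Data.InterfaceGuid
  OnexEnabled: Event.EventData.Data.OnexEnabled
  PHYType: Event.EventData.Data.PHYType
  ProfileName: Event.EventData.Data.ProfileName
  SSID: Event.EventData.Data.SSID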