[BUG] No findings with test detectors #368
Comments
Seems like you're inserting a string value, but the doc-level query is searching for the numeric value 16.
The field is mapped as a number, so even if we insert it in parentheses, it is ingested as a number. When utilizing uncoder.io to translate the Sigma rule to an OpenSearch query, we are able to find the document, though.
Did you try inserting the doc like this:
Also, can you verify that you have the alias "winlog-event_id" in your winlogbeat-7.10.2-test-1 index mappings?
We tried that already, unfortunately without success.
Gives me the following output:
But we have three unmapped field aliases; is that normal?
@phipiship Can you please verify that the index winlogbeat-7.10.2-test-1 has this alias in its mappings:
Please execute
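An added example, not code from the original thread or from the security-analytics project, of the two checks discussed above: whether an index mapping contains the alias fields a detector expects (such as winlog-event_id), and whether the value a doc-level query searches for agrees with the mapped type of the alias target. The trimmed mapping below is constructed for this example; the index name follows the thread, while the alias target path winlog.event_id and the field list are assumptions.

```python
import json

# Constructed sample response in the shape of GET /<index>/_mapping, trimmed to a
# few winlogbeat-style fields. The index name follows the thread; the field list
# and the winlog.event_id target path are assumptions made for this example.
SAMPLE_MAPPING = {
    "winlogbeat-7.10.2-test-1": {
        "mappings": {
            "properties": {
                "@timestamp": {"type": "date"},
                "timestamp": {"type": "alias", "path": "@timestamp"},
                "host": {"properties": {"hostname": {"type": "keyword"}}},
                "host-hostname": {"type": "alias", "path": "host.hostname"},
                "winlog": {
                    "properties": {
                        "event_id": {"type": "long"},
                        "event_data": {
                            "properties": {"CommandLine": {"type": "text"}}
                        },
                    }
                },
            }
        }
    }
}

NUMERIC_TYPES = {"long", "integer", "short", "byte", "double", "float",
                 "half_float", "scaled_float", "unsigned_long"}
STRING_TYPES = {"keyword", "text", "wildcard"}


def flatten_properties(properties, prefix=""):
    """Map dotted field names to their definitions, descending into object fields."""
    flat = {}
    for name, definition in properties.items():
        full_name = prefix + name
        if "properties" in definition:
            flat.update(flatten_properties(definition["properties"], full_name + "."))
        else:
            flat[full_name] = definition
    return flat


def check_aliases(mapping_response, index_name, required_aliases):
    """Report which required alias fields exist in the index mapping and what
    concrete type each one resolves to; aliases not found are listed as missing."""
    fields = flatten_properties(
        mapping_response[index_name]["mappings"].get("properties", {}))
    report = {"present": {}, "missing": []}
    for alias in required_aliases:
        definition = fields.get(alias)
        if definition is None or definition.get("type") != "alias":
            report["missing"].append(alias)
            continue
        path = definition.get("path")
        target = fields.get(path, {})
        report["present"][alias] = {"path": path, "type": target.get("type", "unknown")}
    return report


def value_matches_field_type(value, field_type):
    """True when a query value's kind agrees with the mapped type: a numeric 16
    against a keyword/text field, or the string "16" against a long field, is False."""
    if field_type in NUMERIC_TYPES:
        return isinstance(value, (int, float)) and not isinstance(value, bool)
    if field_type in STRING_TYPES:
        return isinstance(value, str)
    return True  # other types (date, ip, boolean, ...) are not checked here


def alias_mapping_body(alias, path):
    """Request body for PUT /<index>/_mapping that adds one field alias."""
    return {"properties": {alias: {"type": "alias", "path": path}}}


def apply_mapping_locally(mapping_response, index_name, body):
    """Merge a PUT _mapping body into a copy of the mapping response so the
    effect of the change can be checked without a running cluster."""
    updated = json.loads(json.dumps(mapping_response))  # deep copy
    updated[index_name]["mappings"].setdefault("properties", {}).update(body["properties"])
    return updated


if __name__ == "__main__":
    index = "winlogbeat-7.10.2-test-1"
    wanted = ["winlog-event_id", "host-hostname", "timestamp"]
    before = check_aliases(SAMPLE_MAPPING, index, wanted)
    print("missing aliases before fix:", before["missing"])
    fixed = apply_mapping_locally(
        SAMPLE_MAPPING, index, alias_mapping_body("winlog-event_id", "winlog.event_id"))
    after = check_aliases(fixed, index, wanted)
    print(json.dumps(after, indent=2))
    field_type = after["present"]["winlog-event_id"]["type"]
    for value in (16, "16"):
        print(repr(value), "against", field_type, "->",
              value_matches_field_type(value, field_type))
```

Running the script lists winlog-event_id as missing for the sample mapping, then shows it resolving to a long field once the alias is added, with 16 matching and "16" not.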
I reproduced the issue mentioned above by @jaakoob and he is totally right: alerts are not being generated by Security Analytics. See the steps I did:
}
}
},
"UserPrincipalName": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"UserSid": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"UserWorkstations": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"UtcTime": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Version": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"VirtualAccount": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"VsmLaunchType": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"VsmPolicy": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Workstation": {
"type": "keyword"
},
"WorkstationName": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"param1": {
"type": "keyword"
},
"param2": {
"type": "keyword"
},
"serviceGuid": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"updateGuid": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"updateRevisionNumber": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"updateTitle": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
},
"event_id": {
"type": "long"
},
"keywords": {
"type": "keyword"
},
"opcode": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"process": {
"properties": {
"pid": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"thread": {
"properties": {
"id": {
"type": "long"
}
}
}
}
},
"provider_guid": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"provider_name": {
"type": "keyword"
},
"record_id": {
"type": "long"
},
"task": {
"type": "keyword"
},
"user": {
"properties": {
"domain": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"identifier": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"name": {
"type": "keyword"
},
"type": {
"type": "keyword"
}
}
},
"user_data": {
"properties": {
"Address": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Class": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"ListenerName": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Param1": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Param2": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Param3": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Reason": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"RmSessionId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Session": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"SessionID": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"UTCStartTime": {
"type": "date"
},
"User": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"binaryData": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"binaryDataSize": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"listenerName": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"messageName": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"param1": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"param2": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"xml_name": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
},
"version": {
"type": "long"
}
}
},
"winlog-channel": {
"type": "alias",
"path": "winlog.channel"
},
"winlog-computerObject-name": {
"type": "alias",
"path": "winlog.computerObject.name"
},
"winlog-computer_name": {
"type": "alias",
"path": "winlog.computer_name"
},
"winlog-event_data-AuthenticationPackageName": {
"type": "alias",
"path": "winlog.event_data.AuthenticationPackageName"
},
"winlog-event_data-Company": {
"type": "alias",
"path": "winlog.event_data.Company"
},
"winlog-event_data-Description": {
"type": "alias",
"path": "winlog.event_data.Description"
},
"winlog-event_data-Detail": {
"type": "alias",
"path": "winlog.event_data.Detail"
},
"winlog-event_data-DeviceName": {
"type": "alias",
"path": "winlog.event_data.DeviceName"
},
"winlog-event_data-FileVersion": {
"type": "alias",
"path": "winlog.event_data.FileVersion"
},
"winlog-event_data-IntegrityLevel": {
"type": "alias",
"path": "winlog.event_data.IntegrityLevel"
},
"winlog-event_data-IpAddress": {
"type": "alias",
"path": "winlog.event_data.IpAddress"
},
"winlog-event_data-KeyLength": {
"type": "alias",
"path": "winlog.event_data.KeyLength"
},
"winlog-event_data-LogonId": {
"type": "alias",
"path": "winlog.event_data.LogonId"
},
"winlog-event_data-LogonProcessName": {
"type": "alias",
"path": "winlog.event_data.LogonProcessName"
},
"winlog-event_data-LogonType": {
"type": "alias",
"path": "winlog.event_data.LogonType"
},
"winlog-event_data-OriginalFileName": {
"type": "alias",
"path": "winlog.event_data.OriginalFileName"
},
"winlog-event_data-Path": {
"type": "alias",
"path": "winlog.event_data.Path"
},
"winlog-event_data-PrivilegeList": {
"type": "alias",
"path": "winlog.event_data.PrivilegeList"
},
"winlog-event_data-ProcessId": {
"type": "alias",
"path": "winlog.event_data.ProcessId"
},
"winlog-event_data-ProcessName": {
"type": "alias",
"path": "winlog.event_data.ProcessName"
},
"winlog-event_data-ProcessPath": {
"type": "alias",
"path": "winlog.event_data.ProcessPath"
},
"winlog-event_data-Product": {
"type": "alias",
"path": "winlog.event_data.Product"
},
"winlog-event_data-ScriptBlockText": {
"type": "alias",
"path": "winlog.event_data.ScriptBlockText"
},
"winlog-event_data-ServiceName": {
"type": "alias",
"path": "winlog.event_data.ServiceName"
},
"winlog-event_data-Signed": {
"type": "alias",
"path": "winlog.event_data.Signed"
},
"winlog-event_data-State": {
"type": "alias",
"path": "winlog.event_data.State"
},
"winlog-event_data-Status": {
"type": "alias",
"path": "winlog.event_data.Status"
},
"winlog-event_data-SubjectDomainName": {
"type": "alias",
"path": "winlog.event_data.SubjectDomainName"
},
"winlog-event_data-SubjectLogonId": {
"type": "alias",
"path": "winlog.event_data.SubjectLogonId"
},
"winlog-event_data-SubjectUserName": {
"type": "alias",
"path": "winlog.event_data.SubjectUserName"
},
"winlog-event_data-SubjectUserSid": {
"type": "alias",
"path": "winlog.event_data.SubjectUserSid"
},
"winlog-event_data-TargetLogonId": {
"type": "alias",
"path": "winlog.event_data.TargetLogonId"
},
"winlog-event_data-TargetServerName": {
"type": "alias",
"path": "winlog.event_data.TargetServerName"
},
"winlog-event_data-TargetUserName": {
"type": "alias",
"path": "winlog.event_data.TargetUserName"
},
"winlog-event_data-TargetUserSid": {
"type": "alias",
"path": "winlog.event_data.TargetUserSid"
},
"winlog-event_data-Workstation": {
"type": "alias",
"path": "winlog.event_data.Workstation"
},
"winlog-event_data-param1": {
"type": "alias",
"path": "winlog.event_data.param1"
},
"winlog-event_data-param2": {
"type": "alias",
"path": "winlog.event_data.param2"
},
"winlog-event_id": {
"type": "alias",
"path": "winlog.event_id"
},
"winlog-keywords": {
"type": "alias",
"path": "winlog.keywords"
},
"winlog-provider_name": {
"type": "alias",
"path": "winlog.provider_name"
},
"winlog-task": {
"type": "alias",
"path": "winlog.task"
},
"winlog-user-name": {
"type": "alias",
"path": "winlog.user.name"
},
"winlog-user-type": {
"type": "alias",
"path": "winlog.user.type"
}
}
}
}
}
POST os_windows/_doc
{
"@timestamp": "2023-03-24T02:11:00+0000",
"winlog.event_id": 16
} |
@petardz here is the output if I execute the following:
I get a very long output, but it contains the following:
|
Ah yes, sorry, you're right. This still works for me. Did you insert this document AFTER creating a detector? |
Yes, I added it after creating the detector. In your test it works? Maybe you can provide me with your mapping so that I can try it with it? |
We now get findings and alerts from the "Raw Disk Access Using Illegitimate Tools" rule.
No finding is generated, although it is the same document as the one that triggered a finding before. |
Can't reproduce that. Are you sure that you're inserting the document into the index which is monitored by the detector? |
Yes, the documents are written to the correct index. Do you have a working instance for Windows logs? If yes, how do you test the function of the Sigma rules? Maybe you can give me your field and alias mappings that I can try with it? |
Hello @petardz , I carefully followed all the steps outlined above. While creating the index in the first step, I had to use PUT instead of POST, but despite making this minor adjustment, no alert was triggered. However, I do have all the necessary prints as evidence. What is the version of the security analytics plugin you're using? I'm also putting in the effort to make this work, but unfortunately, I haven't been able to achieve the desired outcome. Could you share the OpenSearch docker image you're using? |
I am using the latest main branch (2.6), run through the gradle command: ./gradlew run |
I have done the steps as described, both on an existing installation that was upgraded from 2.5 to 2.6 in the past, and on a fresh 2.6 installation, both unfortunately did not work. |
Did you get any exceptions in logs? |
I recreated the HTTP requests you posted above in postman (with the modification of the index creation as described by @fquinino). I ran them against a fresh opensearch in a container ("opensearchproject/opensearch:latest"). I did not get any findings nor warnings or errors related to the security analytics module in the logs. I would appreciate it if you could create more documentation for the module, as this won't happen if usable docs exist. |
I am able to reproduce your issue only using official docker images. Some Sigma rules have original field names after parsing instead of mapped ones, which shouldn't happen. In this case EventID isn't converted to winlog-event_id, so this is the reason why it's not working. I'll investigate this. |
Hi @petardz , I'm currently running the OS 2.6 locally within the security analytics plugin, but encountering an error while attempting to create the detector, as detailed below:
{
"error": {
"root_cause": [
{
"type": "security_analytics_exception",
"reason": "Unknown error"
}
],
"type": "security_analytics_exception",
"reason": "Unknown error",
"caused_by": {
"type": "exception",
"reason": "org.opensearch.action.search.SearchPhaseExecutionException: "
}
},
"status": 500
}
Can you provide me with the repository, and specific tag/commit ID you used to successfully build and run the test locally? I'm interested in using this plugin and would like to conduct some testing. |
I investigated the above issue with no findings, and the problem was in mappings. Locally, I fixed the windows mappings, which are buggy in 2.6. We have "EventId" defined and not "EventID". Because of this, the rule won't work until an "EventID" field or alias is defined in the index. |
Thanks for your help! Do you think it's possible to handle this through an alias in the security analytics mapping:
I can't get it to work with that and a current version. Is there a prebuilt preview for 2.7.0 available or do we have to build it ourselves? |
Yea, because it didn't convert EventID to winlog-event_id, the actual field used in the doc level query is EventID. You need to provide either that field or an alias named EventID. You can use core's mapping API to apply the alias:
Also, be advised that an issue was discovered in the Alerting plugin when ingested documents are "nested" (non-flattened). This is addressed by this PR: link. This means that for now, you will have to ingest documents with flattened fields. Example:
|
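The alias check and the flattening that the comment above describes, as an added example (not the security-analytics project's code): it walks an index mapping shaped like the one posted in this thread, reports which rule fields have neither a concrete field nor a valid alias, builds the `_mapping` body that adds the missing alias, and rewrites a nested document with dotted keys. INDEX_MAPPING is a constructed excerpt; EventID as the field the parsed rule queries is taken from the thread.

```python
# Added example, not security-analytics project code: the mapping check the
# thread does by hand. INDEX_MAPPING is a constructed excerpt shaped like the
# os_windows mapping above: winlog.event_id is a concrete long, winlog-event_id
# is an alias to it, and EventID (what the parsed rule queries in 2.6) is absent.
INDEX_MAPPING = {
    "properties": {
        "@timestamp": {"type": "date"},
        "winlog": {
            "properties": {
                "event_id": {"type": "long"},
                "channel": {"type": "keyword"},
                "event_data": {"properties": {"TargetObject": {
                    "type": "text", "fields": {"keyword": {"type": "keyword"}}}}},
            }
        },
        "winlog-event_id": {"type": "alias", "path": "winlog.event_id"},
        "winlog-channel": {"type": "alias", "path": "winlog.channel"},
    }
}


def concrete_fields(props, prefix=""):
    """Return {dotted_name: type} for every non-alias leaf, multi-fields included."""
    out = {}
    for name, spec in props.items():
        full = prefix + name
        if "properties" in spec:
            out.update(concrete_fields(spec["properties"], full + "."))
        elif spec.get("type") != "alias":
            out[full] = spec.get("type", "object")
            for sub, sub_spec in spec.get("fields", {}).items():
                out[full + "." + sub] = sub_spec.get("type")
    return out


def missing_rule_fields(mapping, rule_fields):
    """Rule fields that resolve neither to a concrete field nor to a valid alias."""
    props = mapping["properties"]
    fields = concrete_fields(props)
    aliases = {n: s["path"] for n, s in props.items() if s.get("type") == "alias"}
    # An alias only counts when its path names a real field in the same mapping.
    return [f for f in rule_fields
            if f not in fields and aliases.get(f) not in fields]


def alias_mapping_body(alias_to_path):
    """Body for PUT <index>/_mapping that adds the given alias fields."""
    return {"properties": {a: {"type": "alias", "path": p}
                           for a, p in alias_to_path.items()}}


def flatten(doc, prefix=""):
    """Rewrite a nested document with dotted keys, the form the thread says to ingest."""
    flat = {}
    for key, value in doc.items():
        name = prefix + key
        if isinstance(value, dict):
            flat.update(flatten(value, name + "."))
        else:
            flat[name] = value
    return flat


if __name__ == "__main__":
    print(missing_rule_fields(INDEX_MAPPING, ["EventID", "winlog-event_id"]))  # ['EventID']
```

Feeding the returned list into `alias_mapping_body` gives the request body to send to the mapping API before re-running the detector.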
Ok, thanks for the clarification. I understood it the other way around (between Id and ID). It is now working for us. Is there an issue for the windows mappings we can link here and close this issue? |
Hi @jaakoob, thanks for confirming that the issue is fixed. Can you please let us know if you have more questions on this? I'm closing this issue but feel free to open it again. |
…t#368)

* [FEATURE] Detector must have at least one alert set opensearch-project#288 Signed-off-by: Jovan Cvetkovic <[email protected]>
* [FEATURE] Upgrade Vega-tooltips plugin version opensearch-project#254 Signed-off-by: Jovan Cvetkovic <[email protected]>
* Upgrade vega tooltips to use custom tooltip format opensearch-project#368 Signed-off-by: Jovan Cvetkovic <[email protected]>
* [BUG] Create detector | Interval field can be empty opensearch-project#378 Signed-off-by: Jovan Cvetkovic <[email protected]>
* Adjust styling for Finding details flyout opensearch-project#369 Signed-off-by: Jovan Cvetkovic <[email protected]>
* unit tests Signed-off-by: Jovan Cvetkovic <[email protected]>
* detector unit tests Signed-off-by: Jovan Cvetkovic <[email protected]>
* detector unit tests Signed-off-by: Jovan Cvetkovic <[email protected]>
* detector unit tests Signed-off-by: Jovan Cvetkovic <[email protected]>
* detector unit tests Signed-off-by: Jovan Cvetkovic <[email protected]>
* detector unit tests Signed-off-by: Jovan Cvetkovic <[email protected]>
* detector unit tests Signed-off-by: Jovan Cvetkovic <[email protected]>
* detector unit tests Signed-off-by: Jovan Cvetkovic <[email protected]>
* detector unit tests Signed-off-by: Jovan Cvetkovic <[email protected]>
* detector unit tests Signed-off-by: Jovan Cvetkovic <[email protected]>
* unit tests review Signed-off-by: Jovan Cvetkovic <[email protected]>
* unit tests review Signed-off-by: Jovan Cvetkovic <[email protected]>
* unit tests review Signed-off-by: Jovan Cvetkovic <[email protected]>
* unit tests review Signed-off-by: Jovan Cvetkovic <[email protected]>
* unit tests review Signed-off-by: Jovan Cvetkovic <[email protected]>
* unit tests review Signed-off-by: Jovan Cvetkovic <[email protected]>
* unit tests review Signed-off-by: Jovan Cvetkovic <[email protected]>
* unit tests review Signed-off-by: Jovan Cvetkovic <[email protected]>
* Feature/update vertical domain #372 Signed-off-by: Jovan Cvetkovic <[email protected]>
* Unit tests for public components opensearch-project#383 Signed-off-by: Jovan Cvetkovic <[email protected]>
* Unit tests for public components opensearch-project#383 Signed-off-by: Jovan Cvetkovic <[email protected]>
* Unit tests for public components opensearch-project#383 Signed-off-by: Jovan Cvetkovic <[email protected]>
* Unit tests for public components opensearch-project#383 Signed-off-by: Jovan Cvetkovic <[email protected]>
* Unit tests for public components opensearch-project#383 [BUG] Detector Edit | Custom rule are not selected on update rules opensearch-project#406 Signed-off-by: Jovan Cvetkovic <[email protected]>
* Unit tests for public components opensearch-project#383 [BUG] Detector Edit | Custom rule are not selected on update rules opensearch-project#406 Signed-off-by: Jovan Cvetkovic <[email protected]>
* PR code review Signed-off-by: Jovan Cvetkovic <[email protected]>
* PR code review Signed-off-by: Jovan Cvetkovic <[email protected]>
* PR code review Signed-off-by: Jovan Cvetkovic <[email protected]>
* PR code review Signed-off-by: Jovan Cvetkovic <[email protected]>
* PR code review Signed-off-by: Jovan Cvetkovic <[email protected]>
* PR code review Signed-off-by: Jovan Cvetkovic <[email protected]>
* PR code review Signed-off-by: Jovan Cvetkovic <[email protected]>
* [FEATURE] Create detector | Make data source multi-select field opensearch-project#419 Signed-off-by: Jovan Cvetkovic <[email protected]>
* unit tests fix Signed-off-by: Jovan Cvetkovic <[email protected]>

---------

Signed-off-by: Jovan Cvetkovic <[email protected]>
What is the bug?
We can not get any findings from some test detectors we created.
How can one reproduce the bug?
Steps to reproduce the behavior:
POST winlogbeat-7.10.2-test-1/_doc
{
"@timestamp": "2023-03-02T20:12:59+0000",
"host.name": "server01",
"winlog.event_id": "16",
"winlog.channel": "Microsoft-Windows-Sysmon/Operational"
}
What is the expected behavior?
We would expect to see a finding with that doc attached.
What is your host/environment?
Do you have any additional context?
We used the auto-generated field mapping for the sigma rules, and all except 3 were found in the mapping supplied by winlogbeat.