forked from HASecuritySolutions/Logstash
-
Notifications
You must be signed in to change notification settings - Fork 0
/
event_collector_events
82 lines (82 loc) · 4.76 KB
/
event_collector_events
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*</Select>
<Suppress Path="Security">*[System[EventID=4688]] and *[EventData[Data[@Name='SubjectLogonId'] = '0x3e7' and (
Data[@Name='NewProcessName'] = 'C:\Windows\System32\SearchFilterHost.exe'
or Data[@Name='NewProcessName'] = 'C:\Windows\SysWOW64\SearchProtocolHost.exe'
or Data[@Name='NewProcessName'] = 'C:\Windows\System32\SearchProtocolHost.exe'
or Data[@Name='NewProcessName'] = 'C:\Windows\System32\backgroundTaskHost.exe'
or Data[@Name='NewProcessName'] = 'C:\Windows\System32\conhost.exe'
or Data[@Name='NewProcessName'] = 'C:\Windows\System32\wbem\WmiPrvSE.exe'
or Data[@Name='NewProcessName'] = 'C:\Windows\System32\taskhost.exe'
or Data[@Name='NewProcessName'] = 'C:\Windows\System32\taskeng.exe'
or Data[@Name='NewProcessName'] = 'C:\Windows\System32\svchost.exe'
or Data[@Name='NewProcessName'] = 'C:\Windows\System32\sc.exe'
or Data[@Name='NewProcessName'] = 'C:\Windows\System32\rundll32.exe'
or Data[@Name='NewProcessName'] = 'C:\Windows\System32\taskhostex.exe'
)]]</Suppress>
<Suppress Path="Security">(*[System[EventID=4769]] and *[EventData[Data[@Name='ServiceName'] = 'krbtgt']])
or (*[System[EventID=4770]])
or (*[System[EventID=4624]] and *[EventData[Data[@Name='LogonType'] = '3']])
or (*[System[EventID=4634]] and *[EventData[Data[@Name='LogonType'] = '3']])
</Suppress>
</Query>
<Query Id="1" Path="Application">
<Select Path="Application">*</Select>
</Query>
<Query Id="2" Path="System">
<Select Path="System">*</Select>
</Query>
<Query Id="3" Path="Microsoft-Windows-Sysmon/Operational">
<Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
</Query>
<Query Id="4" Path="Microsoft-Windows-PowerShell/Operational">
<Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>
</Query>
<Query Id="5" Path="Windows PowerShell">
<Select Path="Windows PowerShell">*[System[EventID=400]] or *[System[EventID=600]] or *[System[EventID=800]]</Select>
</Query>
<Query Id="6" Path="Microsoft-Windows-WMI-Activity/Operational">
<Select Path="Microsoft-Windows-WMI-Activity/Operational">*[System[EventID=5857]] or *[System[EventID=5858]] or *[System[EventID=5859]] or *[System[EventID=5860]] or *[System[EventID=5861]]</Select>
</Query>
<Query Id="7" Path="Microsoft-Windows-TaskScheduler/Operational">
<Select Path="Microsoft-Windows-TaskScheduler/Operational">*</Select>
</Query>
<Query Id="8" Path="Microsoft-Windows-TerminalServices-RDPClient/Operational">
<Select Path="Microsoft-Windows-TerminalServices-RDPClient/Operational">*</Select>
</Query>
<Query Id="9" Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Admin">
<Select Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Admin">*</Select>
</Query>
<Query Id="10" Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational">
<Select Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational">*</Select>
</Query>
<Query Id="11" Path="Microsoft-Windows-GroupPolicy/Operational">
<Select Path="Microsoft-Windows-GroupPolicy/Operational">*</Select>
</Query>
<Query Id="12" Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational">
<Select Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational">*[System[EventID=2003]] or *[System[EventID=2004]] or *[System[EventID=2102]]</Select>
</Query>
<Query Id="13" Path="Microsoft-Windows-AppLocker/EXE and DLL">
<Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*</Select>
<Select Path="Microsoft-Windows-AppLocker/MSI and Script">*</Select>
</Query>
<Query Id="14" Path="Microsoft-Windows-AppLocker/Packaged app-Execution">
<Select Path="Microsoft-Windows-AppLocker/Packaged app-Execution">*</Select>
</Query>
<Query Id="15" Path="Microsoft-Windows-AppLocker/Packaged app-Deployment">
<Select Path="Microsoft-Windows-AppLocker/Packaged app-Deployment">*</Select>
</Query>
<Query Id="16" Path="Microsoft-Windows-SmartCard-Audit/Authentication">
<Select Path="Microsoft-Windows-SmartCard-Audit/Authentication">*</Select>
</Query>
<Query Id="17" Path="Microsoft-Windows-SMBClient/Operational">
<!-- get all UNC/mapped drive successful connection -->
<Select Path="Microsoft-Windows-SMBClient/Operational">*[System[(EventID=30622 or EventID=30624)]]</Select>
</Query>
<Query Id="41" Path="Microsoft-Windows-Windows Defender/Operational">
<!-- Modern Windows Defender event provider Detection events (1006-1009) and (1116-1119) -->
<Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[( (EventID >= 1006 and EventID <= 1009) )]]</Select>
<Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[( (EventID >= 1116 and EventID <= 1119) )]]</Select>
</Query>
</QueryList>