|
| 1 | +platform: ElasticSearch ES|QL |
| 2 | +source: azure_mcas |
| 3 | +log_source: |
| 4 | + index: [logs-*] |
| 5 | +default_log_source: |
| 6 | + index: logs-* |
| 7 | +field_mapping: |
| 8 | + Name: o365.audit.Name |
| 9 | + ProviderName: |
| 10 | + - winlog.event_data.ProviderName |
| 11 | + - winlog.provider_name |
| 12 | + dns_query_name: dns.question.name |
| 13 | + EventID: winlog.event_id |
| 14 | + AccessMask: winlog.event_data.AccessMask |
| 15 | + AccountName: winlog.event_data.AccountName |
| 16 | + AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo |
| 17 | + AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName |
| 18 | + AttributeValue: winlog.event_data.AttributeValue |
| 19 | + AuditPolicyChanges: winlog.event_data.AuditPolicyChanges |
| 20 | + AuthenticationPackageName: winlog.event_data.AuthenticationPackageName |
| 21 | + CallingProcessName: winlog.event_data.CallingProcessName |
| 22 | + CallTrace: winlog.event_data.CallTrace |
| 23 | + Channel: winlog.channel |
| 24 | + CommandLine: process.command_line.text |
| 25 | + Command_Line: process.command_line.text |
| 26 | + Commandline: process.command_line.text |
| 27 | + commandline: process.command_line.text |
| 28 | + ScriptBlockText: powershell.file.script_block_text |
| 29 | + Payload: |
| 30 | + - powershell.command.invocation_details |
| 31 | + - winlog.event_data.Payload |
| 32 | + ComputerName: winlog.ComputerName |
| 33 | + CurrentDirectory: process.working_directory.text |
| 34 | + Description: winlog.event_data.Description |
| 35 | + DestinationHostname: |
| 36 | + - destination.domain |
| 37 | + - dns.question.name |
| 38 | + - dns.question.subdomain |
| 39 | + DestinationIp: destination.address |
| 40 | + dst_ip: destination.address |
| 41 | + DestinationPort: destination.port |
| 42 | + dst_port: destination.port |
| 43 | + DestinationPortName: network.protocol |
| 44 | + Details: winlog.event_data.Details |
| 45 | + EngineVersion: winlog.event_data.EngineVersion |
| 46 | + EventType: winlog.event_data.EventType |
| 47 | + FailureCode: winlog.event_data.FailureCode |
| 48 | + FileName: file.path.text |
| 49 | + GrantedAccess: winlog.event_data.GrantedAccess |
| 50 | + GroupName: |
| 51 | + - winlog.event_data.GroupName |
| 52 | + - group.name |
| 53 | + GroupSid: |
| 54 | + - group.id |
| 55 | + - winlog.event_data.GroupSid |
| 56 | + Hashes: winlog.event_data.Hashes |
| 57 | + file_hash: winlog.event_data.Hashes |
| 58 | + HiveName: winlog.event_data.HiveName |
| 59 | + HostVersion: winlog.event_data.HostVersion |
| 60 | + Image: process.executable.text |
| 61 | + ImageLoaded: dll.path |
| 62 | + ImagePath: winlog.event_data.ImagePath |
| 63 | + Imphash: winlog.event_data.Imphash |
| 64 | + IpAddress: source.address |
| 65 | + ClientAddress: |
| 66 | + - winlog.event_data.ClientAddress |
| 67 | + - source.ip |
| 68 | + IpPort: source.port |
| 69 | + KeyLength: winlog.event_data.KeyLength |
| 70 | + LogonProcessName: winlog.event_data.LogonProcessName |
| 71 | + LogonType: winlog.event_data.LogonType |
| 72 | + MemberName: winlog.event_data.MemberName |
| 73 | + MemberSid: winlog.event_data.MemberSid |
| 74 | + NewProcessName: winlog.event_data.NewProcessName |
| 75 | + ObjectClass: winlog.event_data.ObjectClass |
| 76 | + ObjectName: winlog.event_data.ObjectName |
| 77 | + ObjectType: winlog.event_data.ObjectType |
| 78 | + ObjectValueName: winlog.event_data.ObjectValueName |
| 79 | + ParentCommandLine: process.parent.command_line.text |
| 80 | + ParentProcessName: process.parent.name.text |
| 81 | + ParentImage: process.parent.executable.text |
| 82 | + Path: winlog.event_data.Path |
| 83 | + PipeName: file.name |
| 84 | + ProcessCommandLine: winlog.event_data.ProcessCommandLine |
| 85 | + ProcessName: process.executable.text |
| 86 | + Properties: winlog.event_data.Properties |
| 87 | + RuleName: winlog.event_data.RuleName |
| 88 | + RegistryValue: winlog.event_data.RegistryValue |
| 89 | + SecurityID: winlog.event_data.SecurityID |
| 90 | + ServiceFileName: winlog.event_data.ServiceFileName |
| 91 | + ServiceName: winlog.event_data.ServiceName |
| 92 | + ShareName: winlog.event_data.ShareName |
| 93 | + Signature: winlog.event_data.Signature |
| 94 | + Signed: winlog.event_data.Signed |
| 95 | + Source: winlog.event_data.Source |
| 96 | + SourceHostname: source.domain |
| 97 | + SourceImage: process.executable.text |
| 98 | + SourceIp: source.address |
| 99 | + src_ip: source.address |
| 100 | + SourcePort: source.port |
| 101 | + src_port: source.port |
| 102 | + StartModule: winlog.event_data.StartModule |
| 103 | + Status: winlog.event_data.Status |
| 104 | + SubStatus: winlog.event_data.SubStatus |
| 105 | + SubjectDomainName: winlog.event_data.SubjectDomainName |
| 106 | + SubjectUserName: winlog.event_data.SubjectUserName |
| 107 | + SubjectUserSid: winlog.event_data.SubjectUserSid |
| 108 | + TargetDomainName: winlog.event_data.TargetDomainName |
| 109 | + TargetFilename: file.path.text |
| 110 | + TargetImage: winlog.event_data.TargetImage |
| 111 | + TargetObject: winlog.event_data.TargetObject |
| 112 | + TargetSid: winlog.event_data.TargetSid |
| 113 | + TargetUserName: winlog.event_data.TargetUserName |
| 114 | + TargetUserSid: winlog.event_data.TargetUserSid |
| 115 | + QueryName: dns.question.name |
| 116 | + TicketEncryptionType: winlog.event_data.TicketEncryptionType |
| 117 | + TicketOptions: winlog.event_data.TicketOptions |
| 118 | + User: user.name |
| 119 | + WorkstationName: source.domain |
| 120 | + TransmittedServices: winlog.event_data.TransmittedServices |
| 121 | + AuthenticationAlgorithm: winlog.event_data.AuthenticationAlgorithm |
| 122 | + BSSID: winlog.event_data.BSSID |
| 123 | + BSSType: winlog.event_data.BSSType |
| 124 | + CipherAlgorithm: winlog.event_data.CipherAlgorithm |
| 125 | + ConnectionId: winlog.event_data.ConnectionId |
| 126 | + ConnectionMode: winlog.event_data.ConnectionMode |
| 127 | + InterfaceDescription: winlog.event_data.InterfaceDescription |
| 128 | + InterfaceGuid: winlog.event_data.InterfaceGuid |
| 129 | + OnexEnabled: winlog.event_data.OnexEnabled |
| 130 | + PHYType: winlog.event_data.PHYType |
| 131 | + ProfileName: winlog.event_data.ProfileName |
| 132 | + SSID: winlog.event_data.SSID |
| 133 | + QueryResults: dns.answers |
| 134 | + OriginalFileName: winlog.event_data.OriginalFileName |
| 135 | + Domain: winlog.event_data.Domain |
| 136 | + ServiceType: winlog.event_data.ServiceType |
| 137 | + SourceName: winlog.event_data.SourceName |
| 138 | + StartType: winlog.event_data.StartType |
| 139 | + UserID: winlog.event_data.UserID |
| 140 | + Initiated: winlog.event_data.Initiated |
| 141 | + NewUACList: winlog.event_data.NewUACList |
| 142 | + UserAccountControl: winlog.event_data.UserAccountControl |
| 143 | + NewUacValue: winlog.event_data.NewUacValue |
| 144 | + OldUacValue: winlog.event_data.OldUacValue |
| 145 | + AccountExpires: winlog.event_data.AccountExpires |
| 146 | + DisplayName: winlog.event_data.DisplayName |
| 147 | + DnsHostName: winlog.event_data.DnsHostName |
| 148 | + HomeDirectory: winlog.event_data.HomeDirectory |
| 149 | + HomePath: winlog.event_data.HomePath |
| 150 | + LogonHours: winlog.event_data.LogonHours |
| 151 | + PasswordLastSet: winlog.event_data.PasswordLastSet |
| 152 | + PrimaryGroupId: winlog.event_data.PrimaryGroupId |
| 153 | + PrivilegeList: winlog.event_data.PrivilegeList |
| 154 | + ProfilePath: winlog.event_data.ProfilePath |
| 155 | + SamAccountName: winlog.event_data.SamAccountName |
| 156 | + ScriptPath: winlog.event_data.ScriptPath |
| 157 | + ServicePrincipalNames: winlog.event_data.ServicePrincipalNames |
| 158 | + SidHistory: winlog.event_data.SidHistory |
| 159 | + UserParameters: winlog.event_data.UserParameters |
| 160 | + UserPrincipalName: winlog.event_data.UserPrincipalName |
| 161 | + UserWorkstations: winlog.event_data.UserWorkstations |
| 162 | + RelativeTargetName: winlog.event_data.RelativeTargetName |
| 163 | + NotificationPackageName: winlog.event_data.NotificationPackageName |
| 164 | + SecurityPackageName: winlog.event_data.SecurityPackageName |
| 165 | + HostApplication: process.command_line.text |
| 166 | + TaskName: winlog.event_data.TaskName |
| 167 | + TaskContent: winlog.event_data.TaskContent |
| 168 | + ObjectServer: winlog.event_data.ObjectServer |
| 169 | + NewSd: winlog.event_data.NewSd |
| 170 | + OldSd: winlog.event_data.OldSd |
| 171 | + TestSigning: winlog.event_data.TestSigning |
| 172 | + AdvancedOptions: winlog.event_data.AdvancedOptions |
| 173 | + ConfigAccessPolicy: winlog.event_data.ConfigAccessPolicy |
| 174 | + DisableIntegrityChecks: winlog.event_data.DisableIntegrityChecks |
| 175 | + FlightSigning: winlog.event_data.FlightSigning |
| 176 | + HypervisorDebug: winlog.event_data.HypervisorDebug |
| 177 | + HypervisorLaunchType: winlog.event_data.HypervisorLaunchType |
| 178 | + HypervisorLoadOptions: winlog.event_data.HypervisorLoadOptions |
| 179 | + KernelDebug: winlog.event_data.KernelDebug |
| 180 | + LoadOptions: winlog.event_data.LoadOptions |
| 181 | + RemoteEventLogging: winlog.event_data.RemoteEventLogging |
| 182 | + ExceptionCode: winlog.event_data.ExceptionCode |
| 183 | + CertSerialNumber: winlog.event_data.CertSerialNumber |
| 184 | + CertThumbprint: winlog.event_data.CertThumbprint |
| 185 | + CertIssuerName: winlog.event_data.CertIssuerName |
| 186 | + TicketOptionsDescription: winlog.event_data.TicketOptionsDescription |
| 187 | + keywords: winlog.keywords |
| 188 | + StartAddress: winlog.event_data.StartAddress |
| 189 | + ServiceSid: winlog.event_data.ServiceSid |
| 190 | + TargetInfo: winlog.event_data.TargetInfo |
| 191 | + ClientProcessId: winlog.event_data.ClientProcessId |
| 192 | + ParentProcessId: winlog.event_data.ParentProcessId |
| 193 | + AccessList: winlog.event_data.AccessList |
| 194 | + GroupMembership: winlog.event_data.GroupMembership |
| 195 | + FilterName: winlog.event_data.FilterName |
| 196 | + ChangeType: winlog.event_data.ChangeType |
| 197 | + LayerName: winlog.event_data.LayerName |
| 198 | + ProcessId: winlog.event_data.ProcessId |
| 199 | + ProcessID: winlog.event_data.ProcessID |
| 200 | + SubjectLogonId: winlog.event_data.SubjectLogonId |
| 201 | + ElevatedToken: winlog.event_data.ElevatedToken |
| 202 | + PublishURLs: winlog.event_data.PublishURLs |
| 203 | + VMUserAuthenticationEvent: horizon.user_authentication_event |
| 204 | + VMUserAuthenticationUser: horizon.user_authentication_user |
| 205 | + VMUserAuthenticationSourceIp: horizon.user_authentication_source_ip |
| 206 | + VMUserAuthenticationTimeStamp: horizon.user_authentication_time_stamp |
| 207 | + VMDesktopSessionStartEvent: horizon.desktop_session_start_event |
| 208 | + VMDesktopSessionStartUser: horizon.desktop_session_start_user |
| 209 | + VMDesktopSessionStartDesktopID: horizon.desktop_session_start_desktop_id |
| 210 | + VMDesktopSessionStartTimeStamp: horizon.desktop_session_time_stamp |
| 211 | + VMApplicationLaunchEvent: horizon.application_launch_event |
| 212 | + VMApplicationLaunchUser: horizon.application_launch_user |
| 213 | + VMApplicationLaunchAppId: horizon.application_launch_app_id |
| 214 | + VMApplicationLaunchAppName: horizon.application_launch_app_name |
| 215 | + VMApplicationLaunchTimeStamp: horizon.application_launch_time_stamp |
| 216 | + VMConnectionServerStatusEvent: horizon.connection_server_status_event |
| 217 | + VMConnectionServerStatusServer: horizon.connection_server_status_server |
| 218 | + VMConnectionServerStatus: horizon.connection_Server_status |
| 219 | + VMConnectionServerStatusTimeStamp: horizon.connection_server_status_time_stamp |
| 220 | + VMVirtualDesktopPoolManagmentEvent: horizon.virtual_desktop_pool_managment_event |
| 221 | + VMVirtualDesktopPoolManagmentPoolId: horizon.virtual_desktop_pool_managment_pool_id |
| 222 | + VMVirtualDesktopPoolManagmentPoolName: horizon.virtual_desktop_pool_managment_pool_name |
| 223 | + VMVirtualDesktopPoolManagmentTimeStamp: horizon.virtual_desktop_pool_managment_time_stamp |
| 224 | + VMLoadBalancingEvent: horizon.load_balancing_event |
| 225 | + VMLoadBalancingStatus: horizon.load_balancing_status |
| 226 | + VMLoadBalancingAlgorithm: horizon.load_balancing_algorithm |
| 227 | + VMLoadBalancingTimeStamp: horizon.load_balancing_time_stamp |
| 228 | + VMBlastProtocolEvent: horizon.blast_protocol_event |
| 229 | + VMBlastProtocolUser: horizon.blast_protocol_user |
| 230 | + VMBlastProtocolProtocolVersion: horizon.blast_protocol_protocol_version |
| 231 | + VMBlastProtocolTimeStamp: horizon.blast_protocol_time_stamp |
| 232 | + VMSecurityEventName: horizon.security_event_name |
| 233 | + VMSecurityEventUser: horizon.security_event_user |
| 234 | + VMSecurityEventAlertType: horizon.security_event_alert_type |
| 235 | + VMSecurityEventSourceIp: horizon.security_event_source_ip |
| 236 | + VMSecurityEventTimeStamp: horizon.security_event_time_stamp |
| 237 | + VMLicensingInformationEvent: horizon.licensing_information_event |
| 238 | + VMLicensingInformationLicenseType: horizon.licensing_information_license_type |
| 239 | + VMLicensingInformationExpiryDate: horizon.licensing_information_expiry_date |
| 240 | + VMLicensingInformationTimeStamp: horizon.licensing_information_time_stamp |
| 241 | + VMConnectionBrokeringEvent: horizon.connection_brokering_event |
| 242 | + VMConnectionBrokeringUser: horizon.connection_brokering_user |
| 243 | + VMConnectionBrokeringDesktopId: horizon.connection_brokering_desktop_id |
| 244 | + VMConnectionBrokeringStatus: horizon.connection_brokering_status |
| 245 | + VMConnectionBrokeringTimeStamp: horizon.connection_brokering_time_stamp |
| 246 | + DatastoreName: vsphere.datastore_name |
| 247 | + FilesystemType: vsphere.datastore_fstype |
| 248 | + DatastoreBytes: vsphere.datastore_capacity_free_bytes |
| 249 | + DatastoreBytesUsed: vsphere.datastore_capacity_used_pct |
| 250 | + HostName: vsphere.host_name |
| 251 | + UsedCPUmhz: vsphere.host_cpu_free_mhz |
| 252 | + UsedMemoryBites: vsphere.host_memory_total_bytes |
| 253 | + FreeMemoryBites: vsphere.host_memory_free_bytes |
| 254 | + VMHostID: vsphere.virtualmachine_host_id |
| 255 | + VMHostName: |
| 256 | + - vsphere.virtualmachine_host_hostname |
| 257 | + - esxi.vmhost_name |
| 258 | + VMName: |
| 259 | + - vsphere.virtualmachine_name |
| 260 | + - esxi.vmname |
| 261 | + VMOperatingSystem: vsphere.virtualmachine_os |
| 262 | + VMUsedCPU: vsphere.virtualmachine_cpu_used_mhz |
| 263 | + VMTotalCPU: vsphere.virtualmachine_cpu_free_mhz |
| 264 | + VMMemoryGuestUsed: vsphere.virtualmachine_memory_used_guest_bytes |
| 265 | + VMUMemoryHostUsed: vsphere.virtualmachine_memory_used_host_bytes |
| 266 | + VMTotalMemoryGuestBytes: vsphere.virtualmachine_memory_total_guest_bytes |
| 267 | + VMMemoryGuestFree: vsphere.virtualmachine_memory_free_guest_bytes |
| 268 | + VMCustomFields: vsphere.virtualmachine_custom_fields |
| 269 | + VMNetworkNames: vsphere.virtualmachine_network_names |
| 270 | + VMLogicalSwitchingEvent: nsxv.vmlogical_switching_event |
| 271 | + VMLogicalSwitchingEventID: nsxv.vmlogical_switching_event_id |
| 272 | + VMLogicalSwitchingName: nsxv.vmlogical_switching_name |
| 273 | + VMDistributedFirewallEvent: nsxv.distributed_firewall_event_type |
| 274 | + VMDistributedFirewallRuleID: nsxv.distributed_firewall_rule_id |
| 275 | + VMDistributedFirewallAction: nsxv.distributed_firewall_action |
| 276 | + VMDistributedFirewallSourceIp: nsxv.distributed_firewall_source_ip |
| 277 | + VMDistributedFirewallDestinationIp: nsxv.distributed_firewall_destination_ip |
| 278 | + VMSecurityGroupEventType: nsxv.security_group_event_type |
| 279 | + VMSecurityGroupId: nsxv.security_group_id |
| 280 | + VMSecurityGroupName: nsxv.security_group_name |
| 281 | + VMEdgeServicesGatewayEventType: nsxv.security_edge_services_gateway_event_type |
| 282 | + VMEdgeServicesGatewayESGID: nsxv.security_edge_services_gateway_esgid |
| 283 | + VMEdgeServicesGatewayStatus: nsxv.security_edge_services_gateway_status |
| 284 | + VMLoadBalancingEventType: nsxv.load_balancing_event_type |
| 285 | + VMLoadBalancingId: nsxv.load_balancing_id |
| 286 | + VMLoadBalancingVirtualServer: nsxv.load_balancing_virtual_server |
| 287 | + VMNSXManagerEventType: nsxv.nsx_manager_event_type |
| 288 | + VMNSXManagerEventDescription: nsxv.nsx_manager_event_description |
| 289 | + VMEdgeFirewallEventType: nsxv.edge_firewall_event_type |
| 290 | + VMEdgeFirewallSourceIP: nsxv.edge_firewall_source_ip |
| 291 | + VMEdgeFirewallDestinationIP: nsxv.edge_firewall_destination_ip |
| 292 | + VMEdgeFirewallRuleID: nsxv.edge_firewall_rule_id |
| 293 | + VMSSLVPNEventType: nsxv.ssl_vpn_event_type |
| 294 | + VMSSLVPNUserName: nsxv.ssl_vpn_user_name |
| 295 | + VMSSLVPNSourceIp: nsxv.ssl_vpn_source_ip |
| 296 | + VMNSXControllerEventType: nsxv.nsx_controller_event_type |
| 297 | + VMNSXControllerID: nsxv.nsx_controller_id |
| 298 | + VMNSXControllerStatus: nsxv.nsx_controller_status |
| 299 | + VMLogicalRoutingEventType: nsxv.logical_routing_event_type |
| 300 | + VMLogicalRoutingRouterID: nsxv.logical_routing_router_id |
| 301 | + VMLogicalRoutingRouterName: nsxv.logical_routing_router_name |
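Review bot: The `source: azure_mcas` header does not match the mapping body, which apart from `Name: o365.audit.Name` consists entirely of `winlog.*`, `horizon.*`, `vsphere.*` and `nsxv.*` targets, so a rule translated for this source would presumably be rewritten against fields MCAS/O365 documents never carry and the resulting ES|QL query would silently match nothing, while `default_log_source: index: logs-*` gives no narrower scope that would make the gap visible. Several vSphere entries also appear to change the metric they name, e.g. `UsedCPUmhz: vsphere.host_cpu_free_mhz`, `DatastoreBytesUsed: vsphere.datastore_capacity_used_pct` and `VMTotalCPU: vsphere.virtualmachine_cpu_free_mhz`, and `UsedMemoryBites: vsphere.host_memory_total_bytes` maps "used" to "total". The target names `horizon.connection_Server_status` (capital S in an otherwise snake_case namespace) and `horizon.virtual_desktop_pool_managment_*` look like typos that would only surface as empty query results, not as errors. `ProcessId` and `ProcessID` map to two distinct targets (`winlog.event_data.ProcessId` and `winlog.event_data.ProcessID`), so rules differing only in key case are translated against different fields. If the body was copied from a generic Windows mapping, trimming it to the fields the azure_mcas integration actually emits, or at least adding `# NOTE: body copied from a generic winlog mapping; verify each target against the azure_mcas field list` under `field_mapping:`, would make the mismatch explicit for the next maintainer.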