Windows event classification mapping - is there a source for this?

I am writing (re-writing) a logstash parser for windows and I want to ensure that all of my events get categorized as closely as possible to the ECS definitions. The mappings I am directly referring to are event.type, event.category, and event.kind. I handle event.outcome already, and for most logs, I think event.kind = 'event' will probably be correct.

What I am looking for though is, for each event.code (i.e. event 4625, 4770, etc.), is there a mapping anywhere that anyone has done to map the type and category fields? It is a ton of work to build this mapping from scratch, and if you want to be in sync with the same fields others are using for future supportability, it all needs to be categorized similarly. Does anyone know of a resource to find a mapping for this?

You could look at how the winlogbeat module categorizes some events with its ingest pipeline.

For example, for event 4770, it will do this:

        "4770":
          category:
            - authentication
          type:
            - start
          action: kerberos-service-ticket-renewed

Those are the event.category, event.type and event.action fields
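Applying such a per-event.code table in a parser, as an added example that is not from this thread or from winlogbeat's own pipeline: only the 4770 entry is taken from the reply above; the 4625 entry, the `ecs_unmapped_event_code` tag and the sample records are assumptions made for illustration.

```python
# Added example (not from the original thread or winlogbeat): enrich a parsed
# Windows event with ECS event.kind/category/type/action from a per-code table,
# in the spirit of the winlogbeat ingest pipeline mapping quoted above.

ECS_BY_CODE = {
    # From the thread: winlogbeat's mapping for event 4770.
    "4770": {"category": ["authentication"], "type": ["start"],
             "action": "kerberos-service-ticket-renewed"},
    # Assumed entry for illustration (failed logon); verify against the
    # winlogbeat pipeline before relying on it.
    "4625": {"category": ["authentication"], "type": ["start"],
             "action": "logon-failed", "outcome": "failure"},
}

# Hypothetical tag (Logstash-style, like _grokparsefailure) so that events whose
# code is not in the table can be found and reviewed later.
UNMAPPED_TAG = "ecs_unmapped_event_code"


def enrich_ecs(event: dict) -> dict:
    """Return a copy of `event` with ECS event.* fields filled in.

    event.kind defaults to "event" (the poster's working assumption).  Unknown
    codes are kept as-is, get no category/type, and are tagged so that the
    absence of event.category is visible rather than silently wrong.
    """
    out = dict(event)
    out.setdefault("event.kind", "event")
    code = str(out.get("event.code", ""))
    mapping = ECS_BY_CODE.get(code)
    if mapping is None:
        # Copy the tag list so the caller's input dict is not mutated.
        out["tags"] = list(event.get("tags", [])) + [UNMAPPED_TAG]
        return out
    out["event.category"] = list(mapping["category"])
    out["event.type"] = list(mapping["type"])
    out["event.action"] = mapping["action"]
    # Do not overwrite an outcome the parser already derived from the record.
    if "outcome" in mapping and "event.outcome" not in out:
        out["event.outcome"] = mapping["outcome"]
    return out


if __name__ == "__main__":
    # Constructed sample records, not real log data.
    for rec in ({"event.code": "4770"}, {"event.code": 4625}, {"event.code": "9999"}):
        print(enrich_ecs(rec))
```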

Thanks for the quick reply. Kicking myself for not looking at that sooner!
