Sure.
Jinja:
# Jinja variables referenced below as "{{ ... }}". Beats itself expands only
# "${VAR}" at load time, so the template engine must render these before the
# file reaches winlogbeat (NOTE(review): confirm these four keys are not also
# passed through to the beat as unknown top-level settings).
elasticsearch_host: "x.x.1.7:9200"
protocol: "https"
# NOTE(review): "elastic" is the built-in superuser. A log shipper only needs
# write/ingest privileges on its own indices; prefer a dedicated role and user.
elasticsearch_user: "elastic"
kibana_host: "x.x.1.7:5601"
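# Install layout. The flattened paste had every key at column 0, which YAML
# reads as four unrelated top-level keys with `path` set to null; the children
# must be nested under `path`.
path:
  # Binary and configuration live under Program Files (admin-writable only).
  home: c:\Program Files\winlogbeat
  config: c:\Program Files\winlogbeat
  # Registry/checkpoint data and the beat's own logs go to ProgramData.
  data: c:\ProgramData\winlogbeat
  logs: c:\ProgramData\winlogbeat\logs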
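# Event-log subscriptions. Each entry names a channel and optionally narrows it
# by event_id (comma-separated IDs and ranges), level, provider, include_xml,
# or per-entry drop_event processors. ignore_older: 72h skips events older
# than 72 hours when a channel is first read.
#
# The pasted version had every line at column 0, which does not parse as a
# sequence of mappings; the structure below is the intended nesting.
#
# NOTE(review): several channels (Security, System, Windows PowerShell,
# Sysmon, Windows Defender, ...) appear in more than one entry. Winlogbeat
# tracks read position per entry; if duplicated channel names collide in the
# version in use, give each entry a distinct `id` or merge the filters —
# confirm against the winlogbeat docs for the deployed version.
winlogbeat.event_logs:
  - name: Application
    event_id: 1000, 1002
    ignore_older: 72h
    level: error
    provider:
      - Application Error
      - Application Hang
  - name: Application
    event_id: 1001
    ignore_older: 72h
    level: info
    provider:
      - Windows Error Reporting
  - name: Security
    event_id: 4740
    level: info
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Auditing
  - name: System
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Eventlog
  - name: Security
    ignore_older: 72h
    event_id: 1100, 1104, 1105, 1108
  # NOTE(review): this entry has no event_id filter, so it forwards every
  # informational Security-Auditing event; the narrower Security entries in
  # this file then deliver a subset of the same events a second time.
  # Confirm that is intended, or drop either this entry or the specific ones.
  - name: Security
    level: info
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Auditing
  - name: Security
    event_id: 4627, 4703, 4704, 4705, 4720, 4737-4739, 4780-4782, 4793, 4794, 4798, 4799, 5376, 5377
    ignore_older: 72h
  - name: Security
    event_id: 4722-4735
    ignore_older: 72h
  - name: Security
    event_id: 4741-4753
    ignore_older: 72h
  - name: Security
    event_id: 4754-4767
    ignore_older: 72h
  - name: Security
    event_id: 4624-4626, 4647, 4649, 4675, 4774-4779, 4800-4803, 4964, 5378
    ignore_older: 72h
  - name: Autoruns
    ignore_older: 72h
  - name: Security
    event_id: 4886, 4887, 4888
    ignore_older: 72h
  - name: Microsoft-Windows-CodeIntegrity/Operational
    event_id: 3001, 3002, 3003, 3004, 3010, 3023
    ignore_older: 72h
    level: error, warning
    provider:
      - Microsoft-Windows-CodeIntegrity
  - name: Security
    event_id: 5038, 6281, 6410
    ignore_older: 72h
    level: info
    provider:
      - Microsoft-Windows-Security-Auditing
  - name: System
    event_id: 219
    ignore_older: 72h
    level: warning
    provider:
      - Microsoft-Windows-Kernel-PnP
  - name: Microsoft-Windows-DriverFrameworks-UserMode/Operational
    event_id: 2004
    ignore_older: 72h
  - name: System
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-Windows Defender/Operational
    event_id: 1121, 1122, 5007
    ignore_older: 72h
  - name: Microsoft-Windows-Windows Defender/WHC
    event_id: 1121, 1122, 5007
    ignore_older: 72h
  # Exploit-mitigation and Win32k channels: each channel is split into two
  # entries (low and high event_id ranges) sharing the same provider list.
  - name: Microsoft-Windows-Security-Mitigations/KernelMode
    event_id: 1-9, 11-12, 5, 260
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k
  - name: Microsoft-Windows-Security-Mitigations/KernelMode
    event_id: 12-24
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k
  - name: Microsoft-Windows-Win32k/Concurrency
    event_id: 1-12, 5, 260
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k
  - name: Microsoft-Windows-Win32k/Concurrency
    event_id: 12-24
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k
  - name: Microsoft-Windows-Win32k/Contention
    event_id: 1-12, 5, 260
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k
  - name: Microsoft-Windows-Win32k/Contention
    event_id: 12-24
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k
  - name: Microsoft-Windows-Win32k/Messages
    event_id: 1-12, 5, 260
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k
  - name: Microsoft-Windows-Win32k/Messages
    event_id: 12-24
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k
  - name: Microsoft-Windows-Win32k/Operational
    event_id: 1-12, 5, 260
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k
  - name: Microsoft-Windows-Win32k/Operational
    event_id: 12-24
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k
  - name: Microsoft-Windows-Win32k/Power
    event_id: 1-12, 5, 260
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k
  - name: Microsoft-Windows-Win32k/Power
    event_id: 12-24
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k
  - name: Microsoft-Windows-Win32k/Render
    event_id: 1-12, 5, 260
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k
  - name: Microsoft-Windows-Win32k/Render
    event_id: 12-24
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k
  - name: Microsoft-Windows-Win32k/Tracing
    event_id: 1-12, 5, 260
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k
  - name: Microsoft-Windows-Win32k/Tracing
    event_id: 12-24
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k
  - name: Microsoft-Windows-Win32k/UIPI
    event_id: 1-12, 5, 260
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k
  - name: Microsoft-Windows-Win32k/UIPI
    event_id: 12-24
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k
  - name: System
    event_id: 1-12, 5, 260
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k
  - name: System
    event_id: 12-24
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k
  - name: Microsoft-Windows-Security-Mitigations/UserMode
    event_id: 1-12, 5, 260
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k
  - name: Microsoft-Windows-Security-Mitigations/UserMode
    event_id: 12-24
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k
  - name: Microsoft-Windows-Windows Defender/Operational
    event_id: 1125, 1126, 5007
    ignore_older: 72h
  - name: Microsoft-Windows-Windows Defender/WHC
    event_id: 1125, 1126, 5007
    ignore_older: 72h
  # windows defender: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Windows-Defender.xml
  - name: Microsoft-Windows-Windows Defender/Operational
    event_id: 1006-1009
    ignore_older: 72h
  - name: Microsoft-Windows-Windows Defender/Operational
    event_id: 1116-1119
    ignore_older: 72h
  - name: Microsoft-Windows-BitLocker/BitLocker Operational
    level: 'critical, error, warning'
    ignore_older: 72h
  - name: Microsoft-Windows-BitLocker/BitLocker Management
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-BitLocker-DrivePreparationTool/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-BitLocker-DrivePreparationTool/Admin
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-DeviceGuard/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-DSC/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4105, 4106
    ignore_older: 72h
  - name: Microsoft-Windows-PowerShell/Admin
    ignore_older: 72h
  - name: Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational
    ignore_older: 72h
  - name: Microsoft-Windows-Shell-Core/Operational
    ignore_older: 72h
  - name: Microsoft-Windows-Shell-Core/LogonTasksChannel
    ignore_older: 72h
  - name: Microsoft-Windows-Shell-Core/AppDefaults
    ignore_older: 72h
  - name: Microsoft-Windows-Shell-Core/ActionCenter
    level: 'critical, error'
    ignore_older: 72h
  - name: PowerShellCore/Operational
    level: 'critical, error, warning'
    ignore_older: 72h
  - name: OpenSSH/Operational
    level: 'critical, error, warning'
    ignore_older: 72h
  - name: OpenSSH/Admin
    level: 'critical, error, warning'
    ignore_older: 72h
  - name: HardwareEvents
    level: 'critical, error'
    ignore_older: 72h
  - name: Windows PowerShell
    event_id: 400, 403, 600, 800
    level: 'critical, error, warning'
    ignore_older: 72h
  - name: Microsoft-Windows-WMI-Activity/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-TPM-WMI
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-Security-Mitigations/KernelMode
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-Security-Mitigations/UserMode
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-Kernel-WHEA/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-Kernel-WHEA/Errors
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-Kernel-WDI/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-Kernel-StoreMgr/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-Kernel-ShimEngine/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-Kernel-Power/Thermal-Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-Kernel-PnP/Driver Watchdog
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-Kernel-PnP/Configuration
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-Kernel-LiveDump/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-Kernel-IO/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
    level: 'critical, error'
    ignore_older: 72h
    include_xml: true
  - name: Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity
    level: 'critical, error'
    ignore_older: 72h
    include_xml: true
  - name: Windows Networking Vpn Plugin Platform/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-VPN/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-VPN-Client/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-RasAgileVpn/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-TCPIP/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-LiveId/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-ReFS/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-GroupPolicy/Operational
    level: 'critical, error, warning'
    ignore_older: 72h
  - name: Microsoft-Windows-TaskScheduler/Operational
    event_id: 106, 129, 141, 142, 200, 201
    ignore_older: 72h
    provider:
      - Microsoft-Windows-TaskScheduler
  - name: Security
    event_id: 4698-4702
    ignore_older: 72h
  - name: Microsoft-Windows-TaskScheduler/Maintenance
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-Storsvc/Diagnostic
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-Store/Operational
    level: 'critical'
    ignore_older: 72h
    processors:
      - drop_event.when.or:
          - equals.winlog.event_id: 8002
  - name: Microsoft-Windows-StorageSpaces-SpaceManager/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-StorageSpaces-ManagementAgent/WHC
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-StorageSpaces-Driver/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-StorageSpaces-Driver/Diagnostic
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-StorageManagement/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-Storage-Tiering/Admin
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-Storage-Storport/Operational
    level: 'critical'
    ignore_older: 72h
    processors:
      - drop_event.when.or:
          - equals.winlog.event_id: 549
          - equals.winlog.event_id: 534
          - equals.winlog.event_id: 523
          - equals.winlog.event_id: 500
  - name: Microsoft-Windows-Storage-Storport/Health
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-Storage-Storport/Admin
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-Storage-Disk/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-Storage-Disk/Admin
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-SMBServer/Security
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-SMBServer/Operational
    level: 'critical, error'
    ignore_older: 72h
    processors:
      - drop_event.when.or:
          - equals.winlog.event_id: 1024
  - name: Microsoft-Windows-SMBServer/Connectivity
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-SMBServer/Audit
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-SmbClient/Security
    level: 'critical, error'
    ignore_older: 72h
    processors:
      - drop_event.when.or:
          - equals.winlog.event_id: 8464
          - equals.winlog.event_id: 31001
  - name: Microsoft-Windows-SMBClient/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-SmbClient/Connectivity
    level: 'critical, error'
    ignore_older: 72h
    processors:
      - drop_event.when.or:
          - equals.winlog.event_id: 30800
          - equals.winlog.event_id: 30803
  - name: Microsoft-Windows-SmbClient/Audit
    level: 'critical, error'
    ignore_older: 72h
  - name: Win Device Agent
    level: 'critical, error'
    ignore_older: 72h
  - name: ScriptLaunch
    level: 'critical, error'
    ignore_older: 72h
  - name: Operations Manager
    level: 'critical, error'
    ignore_older: 72h
    processors:
      - drop_event.when.or:
          - equals.winlog.event_id: 4502
          - equals.winlog.event_id: 26002
  - name: OneApp_IGCC
    level: 'critical, error'
    ignore_older: 72h
  - name: Key Management Service
    level: 'critical, error'
    ignore_older: 72h
  - name: Internet Explorer
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-DNS-Client/Operational
    event_id: 3008
    ignore_older: 72h
  - name: DNS Server
    event_id: 150, 770
    ignore_older: 72h
  - name: Microsoft-Windows-DNSServer/Audit
    event_id: 541
    ignore_older: 72h
  - name: Microsoft-Windows-Dhcpv6-Client/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-Dhcpv6-Client/Admin
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-Dhcp-Client/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-Dhcp-Client/Admin
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-AppLocker/Packaged app-Execution
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-AppLocker/Packaged app-Deployment
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-AppLocker/MSI and Script
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-AppLocker/EXE and DLL
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-CodeIntegrity/Operational
    level: 'critical'
    ignore_older: 72h
    processors:
      - drop_event.when.or:
          - equals.winlog.event_id: 3033
  # Server only
  - name: Microsoft-Windows-Dhcp-Server/Operational
    level: 'critical, error'
    ignore_older: 72h
  # Microsoft Skype for Business Rooms System and Microsoft Teams Rooms System only
  - name: Skype Room System
    level: 'critical, error, warning'
    ignore_older: 72h
  # Hp Tooling
  - name: HPNotifications Application
    level: 'critical, error'
    ignore_older: 72h
  - name: HP Sure Start
    level: 'critical, error'
    ignore_older: 72h
  - name: HP Diagnostics
    level: 'critical, error'
    ignore_older: 72h
  - name: HP Analytics
    level: 'critical, error'
    ignore_older: 72h
  # Hyper-V only
  - name: Microsoft-Windows-Hyper-V-Hypervisor-Operational
    level: 'critical, error'
    ignore_older: 72h
    processors:
      - drop_event.when.or:
          - equals.winlog.event_id: 41
  - name: Microsoft-Windows-Hyper-V-Hypervisor-Admin
    level: 'critical, error'
    ignore_older: 72h
    processors:
      - drop_event.when.or:
          - equals.winlog.event_id: 41
  - name: Microsoft-Windows-Hyper-V-Worker-Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-Hyper-V-Worker-Admin
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-Hyper-V-VmSwitch-Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-Hyper-V-VID-Admin
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-Hyper-V-StorageVSP-Admin
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-Hyper-V-Guest-Drivers/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-Hyper-V-Guest-Drivers/Admin
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-Hyper-V-Compute-Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-Hyper-V-Compute-Admin
    level: 'critical, error'
    ignore_older: 72h
  # Monitor USB Devices, this eventlog is not enabled by default
  - name: Microsoft-Windows-DriverFrameworks-UserMode/Operational
    level: 'critical, error'
    event_id: 2003,2102
    ignore_older: 72h
  # Sysmon related, needs some care soon. It IS VERY NOISY, we need a solid filter
  - name: Microsoft-Windows-Sysmon/Operational
    level: 'critical, error, warning, information'
    # Minimum, for now!
    event_id: 255, 16, 14, 6
    ignore_older: 72h
  # NTFS
  - name: Microsoft-Windows-Ntfs/WHC
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-Ntfs/Operational
    level: 'critical, error'
    ignore_older: 72h
  # NTLM
  - name: Microsoft-Windows-NTLM/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: RemoteDesktopServices-RemoteFX-SessionLicensing-Admin
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsp/Admin
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-RemoteDesktopServices-RemoteFX-Manager/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-RemoteDesktopServices-RemoteFX-Manager/Admin
    level: 'critical, error'
    ignore_older: 72h
  # General Remote Desktop and App related
  - name: Microsoft-Windows-Remotefs-Rdbss/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational
    level: 'critical, error, warning'
    ignore_older: 72h
  - name: Microsoft-Windows-RemoteApp and Desktop Connections/Operational
    level: 'critical, error, warning'
    ignore_older: 72h
  - name: Microsoft-Windows-RemoteApp and Desktop Connections/Admin
    level: 'critical, error'
    ignore_older: 72h
  # RemoteAssistance
  - name: Microsoft-Windows-RemoteAssistance/Operational
    level: 'critical, error, warning'
    ignore_older: 72h
  - name: Microsoft-Windows-RemoteAssistance/Admin
    level: 'critical, error'
    ignore_older: 72h
  # RemoteAccess Management Client
  - name: Microsoft-Windows-RemoteAccess-MgmtClientPerf/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-RemoteAccess-MgmtClient/Operational
    level: 'critical, error'
    ignore_older: 72h
  # SettingSync OneDrive
  - name: Microsoft-Windows-SettingSync-OneDrive/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-SettingSync-OneDrive/Debug
    level: 'critical, error'
    ignore_older: 72h
  # TerminalServices
  - name: Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-TerminalServices-RDPClient/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-TerminalServices-Printers/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-TerminalServices-Printers/Admin
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-TerminalServices-PnPDevices/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-TerminalServices-PnPDevices/Admin
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-TerminalServices-LocalSessionManager/Admin
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-TerminalServices-Gateway/Admin
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-TerminalServices-Gateway/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-CloudStore/Operational
    level: 'critical, error'
    ignore_older: 72h
    processors:
      - drop_event.when.or:
          # 1 is a very generic error, mostly onecoreuap\shell\cloudstore\store\cache\src\cloudcacheinitializer.cpp and it IS too noisy
          - equals.winlog.event_id: 1
  - name: Microsoft-Windows-CloudStore/Debug
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Client-Licensing-Platform/Admin
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-WebAuthN/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-Winlogon/Operational
    level: 'critical, error'
    ignore_older: 72h
  # windows update: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Windows-Updates.xml
  - name: Microsoft-Windows-WindowsUpdateClient/Operational
    event_id: 19, 20, 24, 25, 31, 34, 35
    ignore_older: 72h
    level: error
    provider:
      - Microsoft-Windows-WindowsUpdateClient
  - name: Setup
    event_id: 1009
    ignore_older: 72h
    level: info
    provider:
      - Microsoft-Windows-Servicing
  - name: Microsoft-Windows-User Profile Service/Operational
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-User Device Registration/Admin
    level: 'critical, error'
    ignore_older: 72h
  - name: Microsoft-Windows-Time-Service/Operational
    level: 'critical, error'
    ignore_older: 72h
  # external devices: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/External-Devices.xml
  - name: Microsoft-Windows-Kernel-PnP/Configuration
    event_id: 400, 410
    ignore_older: 72h
    level: info
    provider:
      - Microsoft-Windows-Kernel-PnP
  - name: Security
    event_id: 6416
    ignore_older: 72h
  - name: Security
    event_id: 6419-6424
    ignore_older: 72h
  # firewall: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Firewall.xml
  - name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
    event_id: 2004, 2005, 2006, 2033
    ignore_older: 72h
    level: info, error
    provider:
      - Microsoft-Windows-Windows Firewall With Advanced Security
  - name: Security
    event_id: 4944-4954
    ignore_older: 72h
  - name: Security
    event_id: 4956-4958
    ignore_older: 72h
  - name: Security
    event_id: 5024, 5025, 5037
    ignore_older: 72h
  - name: Security
    event_id: 5027-5030
    ignore_older: 72h
  - name: Security
    event_id: 5032-5035
    ignore_older: 72h
  # gpo errors: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Group-Policy-Errors.xml
  - name: System
    event_id: 1085, 1125, 1127, 1129
    ignore_older: 72h
    level: error
    provider:
      - Microsoft-Windows-GroupPolicy
  - name: Security
    event_id: 6144, 6145
    ignore_older: 72h
  # kerberos: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Kerberos.xml
  - name: Security
    event_id: 4768, 4769, 4770, 4771, 4772, 4773
    ignore_older: 72h
  # log deletion security: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Log-Deletion-Security.xml
  - name: Security
    event_id: 1102
    ignore_older: 72h
    level: info
    provider:
      - Microsoft-Windows-Eventlog
  # log deletion system: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Log-Deletion-System.xml
  - name: System
    event_id: 104
    ignore_older: 72h
    level: info
    provider:
      - Microsoft-Windows-Eventlog
  # msi: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/MSI-Packages.xml
  - name: Application
    event_id: 1022, 1033
    ignore_older: 72h
    provider:
      - MsiInstaller
  - name: Setup
    event_id: 2, 0
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Servicing
  - name: Microsoft-Windows-Application-Experience/Program-Inventory
    event_id: 903, 904
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Application-Experience
  - name: Microsoft-Windows-Application-Experience/Program-Inventory
    event_id: 905, 906
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Application-Experience
  - name: Microsoft-Windows-Application-Experience/Program-Inventory
    event_id: 907, 908
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Application-Experience
  - name: Microsoft-Windows-Application-Experience/Program-Inventory
    event_id: 800
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Application-Experience
  # office: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Microsoft-Office.xml
  - name: OAlerts
    ignore_older: 72h
  # ntlm: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/NTLM.xml
  - name: Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController
    ignore_older: 72h
    provider:
      - Microsoft-Windows-NTLM
  - name: Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController
    ignore_older: 72h
    provider:
      - Microsoft-Windows-NTLM
  - name: Microsoft-Windows-NTLM/Operational
    ignore_older: 72h
    provider:
      - Microsoft-Windows-NTLM
  # object manipulation: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Object-Manipulation.xml
  - name: Security
    event_id: 4715, 4817, 4656, 4658, 4660, 4663, 4670
    ignore_older: 72h
  # operating system: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Operating-System.xml
  - name: System
    event_id: 12, 13
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Kernel-General
  - name: Security
    event_id: 4608
    ignore_older: 72h
  - name: System
    event_id: 1074
    ignore_older: 72h
    provider:
      - USER32
  - name: Security
    event_id: 4817, 4826
    ignore_older: 72h
  - name: System
    event_id: 16962, 16965, 16968, 16969
    ignore_older: 72h
  - name: Microsoft-Windows-SMBServer/Audit
    event_id: 3000
    ignore_older: 72h
    provider:
      - Microsoft-Windows-SMBServer
  - name: System
    event_id: 41, 1001, 6008, 4621
    ignore_older: 72h
  - name: Security
    event_id: 4610, 4611, 4614, 4622, 4697
    ignore_older: 72h
  - name: Security
    event_id: 4719, 4817, 4902, 4906, 4908, 4912, 4904, 4905
    ignore_older: 72h
  # print: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Print.xml
  - name: Microsoft-Windows-PrintService/Operational
    event_id: 307
    ignore_older: 72h
    level: info
    provider:
      - Microsoft-Windows-PrintService
  # privilege use: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Privilege-Use.xml
  - name: Security
    event_id: 4673, 4674, 4985
    ignore_older: 72h
  # process exec: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Process-Execution.xml
  # NOTE(review): 4688 (process creation) is left disabled while 4689
  # (process termination) is collected; 4688 is the one detections usually
  # key on, so re-enable it once the volume is acceptable.
  #- name: Security
  #  event_id: 4688
  #  ignore_older: 72h
  - name: Security
    event_id: 4689
    ignore_older: 72h
  # registry: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Registry.xml
  # TODO: how to filter on eventdata operationtype?
  - name: Security
    event_id: 4657
    ignore_older: 72h
  # services: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Services.xml
  - name: System
    event_id: 7022, 7023, 7024, 7026, 7031, 7032, 7034
    ignore_older: 72h
    level: info, critical, error, warning
    provider:
      - Service Control Manager
  - name: System
    event_id: 7045, 7040
    ignore_older: 72h
    level: info, critical, error, warning
    provider:
      - Service Control Manager
  # shares: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Shares.xml
  - name: Security
    event_id: 5140, 5142, 5144, 5145, 5168
    ignore_older: 72h
  - name: Microsoft-Windows-SMBClient/Operational
    event_id: 30622, 30624
    ignore_older: 72h
  # software restrictions: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Software-Restriction-Policies.xml
  - name: Application
    event_id: 865, 866, 867, 868, 882
    ignore_older: 72h
    provider:
      - Microsoft-Windows-SoftwareRestrictionPolicies
  - name: Security
    event_id: 4886, 4887, 4888
    ignore_older: 72h
  # NOTE(review): no level/event_id/ignore_older filter here, so the entire
  # Sysmon channel is forwarded in addition to the "minimum, for now" entry
  # above; confirm this is intended before rollout, as it defeats that filter.
  - name: Microsoft-Windows-Sysmon/Operational
  # NOTE(review): duplicates the "Windows PowerShell" entry above (same event
  # IDs) without ignore_older; one of the two should probably go.
  - name: Windows PowerShell
    event_id: 400, 403, 600, 800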
# ====================== Elasticsearch template settings =======================
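# Index template settings. In the flattened paste index.number_of_shards sat at
# column 0, which makes it a top-level key and leaves setup.template.settings
# null; it must be nested.
setup.template.settings:
  index.number_of_shards: 1
# Added to every event shipped by this instance.
tags: ["windows_workstation"]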
# Do not load the bundled Kibana dashboards on startup.
setup.dashboards.enabled: false
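# Kibana connection used for setup tasks. Re-nested from the flattened paste,
# and verification_mode changed from `none`, which skips server-certificate
# verification entirely and so leaves the CA fingerprint pin unenforced.
setup.kibana:
  host: "{{kibana_host}}"
  # NOTE(review): the Elasticsearch output uses "{{ elasticsearch_user }}";
  # the literal here is kept as written — align them if the same account is
  # meant (and prefer a non-superuser account for both).
  username: elastic
  # Read from the environment at load time; never hard-code the password here.
  password: "${ES_PWD}"
  protocol: "{{protocol}}"
  ssl:
    enabled: true
    # NOTE(review): single braces are expanded by neither Jinja ("{{ }}") nor
    # Beats ("${ }"); confirm this renders to the real CA SHA-256 fingerprint.
    ca_trusted_fingerprint: "{CA_FINGERPRINT}"
    # `full` verifies the chain and the hostname; use `certificate` instead if
    # the server certificate has no SAN for the IP in kibana_host.
    verification_mode: full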
# ---------------------------- Elasticsearch Output ----------------------------
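# Elasticsearch output. Re-nested from the flattened paste, and
# verification_mode changed from `none`: that value skips server-certificate
# verification entirely, so the TLS session could be terminated by anyone on
# path and the CA fingerprint pin below was not being enforced.
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["{{elasticsearch_host}}"]
  protocol: "{{protocol}}"
  username: "{{ elasticsearch_user }}"
  # Read from the environment at load time; never hard-code the password here.
  password: "${ES_PWD}"
  # Ingest pipeline is selected per agent version.
  pipeline: "winlogbeat-%{[agent.version]}-routing"
  ssl:
    enabled: true
    # NOTE(review): single braces are expanded by neither Jinja ("{{ }}") nor
    # Beats ("${ }"); confirm this renders to the real CA SHA-256 fingerprint.
    ca_trusted_fingerprint: "{CA_FINGERPRINT}"
    # `full` verifies the chain and the hostname; use `certificate` instead if
    # the server certificate has no SAN for the IP in elasticsearch_host.
    verification_mode: full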
# ================================= Processors =================================
# General processors
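# Global processors applied to every event. In the flattened paste
# match_pids/target sat at column 0 and were not attached to the processor.
processors:
  # - add_host_metadata: ~
  # - add_cloud_metadata: ~
  # - add_docker_metadata: ~
  # Enrich events with metadata of the process whose PID is in
  # system.process.ppid, written under system.process.parent.
  # NOTE(review): this field name matches the processor documentation example;
  # confirm winlogbeat events actually carry system.process.ppid, otherwise
  # the processor never matches.
  - add_process_metadata:
      match_pids: ["system.process.ppid"]
      target: system.process.parent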
# ================================== Logging ===================================
# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
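logging.level: info
logging.to_files: true
# Log-file rotation settings. In the flattened paste these children sat at
# column 0 and were read as unrelated top-level keys.
logging.files:
  path: c:\ProgramData\winlogbeat\logs
  name: winlogbeat
  keepfiles: 7
  # Kept as a quoted string so YAML does not reparse the octal mode as an int.
  permissions: "0640"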