Mirrors/marcredhat-siem-toolkit-patched
1
0
Fork 0
mirror of https://github.com/marcredhat/SIEM-toolkit-patched synced 2026-06-08 12:33:51 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
4df8e844e5f59a40ba7ff6e7b6a697bf56c65687
marcredhat-siem-toolkit-pat…/parsers/microsoft_windows_eventlog-latest
T
marc 7c1687efce Sync upstream features; preserve fork KV scanner, parsers, verifier 
Brought in 35 upstream commits (MITRE heatmap, health score, dependency map,
PowerQuery playground, onboarding tracker, product grouping, modern UI redesign).

Preserved fork additions:
  backend/routers/quality.py  KV scanner, pattern refs, JS keys, JSON mode,
                              /parsers + /sync-from-sdl endpoints
  parsers/                    96 OCSF + tenant parsers
  tools/stormshield-verify/   end-to-end ingest regression test
  .gitignore                  un-ignored parsers/*
  CHANGES.md, PATCHES.md
2026-05-22 18:19:52 +02:00

40 lines
12 KiB
Plaintext
Raw Blame History

{
// Default Attributes
attributes: {
"dataSource.category": "security",
"dataSource.name": "Windows Event Logs",
"dataSource.vendor": "Microsoft",
"event.type": "Windows Event Log Creation"
},
patterns: {
SystemTimePattern: "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{7}Z"
},
formats: [
{
// Match Event ID : 4743
format: "^\\{\"Event\":\\{\"System\":\\{\"Version\":\"$winEventLog.version$\",\"TimeCreated\":\\{\"SystemTime\":\"$winEventLog.time=SystemTimePattern$\"},\"Task\":\"$winEventLog.task_id$\",\"Security\":null,\"Provider\":\\{\"Name\":\"$winEventLog.providerName$\",\"Guid\":\"$winEventLog.provider_guid$\"},\"Opcode\":\"$winEventLog.opcode$\",\"Level\":\"$winEventLog.level$\",\"Keywords\":\"$winEventLog.keywords$\",\"Execution\":\\{\"ThreadID\":\"$winEventLog.execution.thread_id$\",\"ProcessID\":\"$winEventLog.execution.process_id$\"},\"EventRecordID\":\"$winEventLog.event_record_id$\",\"EventID\":\"$winEventLog.event_id$\",\"Correlation\":$winEventLog.correlation$,\"Computer\":\"$endpoint.name$\",\"Channel\":\"$winEventLog.channel$\"},\"RenderingInfo\":\\{\"Task\":\"$winEventLog.rendering_info.task$\",\"Provider\":\"$winEventLog.rendering_info.provider$\",\"Opcode\":\"$winEventLog.rendering_info.opcode$\",\"Message\":\"$winEventLog.message$\",\"Level\":\"$winEventLog.rendering_info.level$\",\"Keywords\":\\{\"Keyword\":\"$winEventLog.rendering_info.keywords.keyword$\"},\"Channel\":\"$winEventLog.rendering_info.channel$\",\"Culture\":\"$winEventLog.rendering_info.culture$\"},\"EventData\":\\{\"Data\":\\{\"SubjectUserSid\":\\{\"Text\":\"$winEventLog.EventData.userSID$\"},\"SubjectUserName\":\\{\"Text\":\"$winEventLog.EventData.userName$\"},\"SubjectLogonId\":\\{\"Text\":\"$winEventLog.EventData.logonId$\"},\"SubjectDomainName\":\\{\"Text\":\"$winEventLog.EventData.domainName$\"},\"PrivilegeList\":\\{\"Text\":\"$winEventLog.EventData.PrivilegeList$\"}}},\"xmlns\":\"$winEventLog.xmlns$\"},\"timestamp\":\"$winEventLog.timestamp=SystemTimePattern$\",\"name\":\"$winEventLog.name$\",\"monitor\":\"$winEventLog.monitor$\"}"
halt: true
},
{
// Match Event ID : 4742
format: "^\\{\"Event\":\\{\"System\":\\{\"Version\":\"$winEventLog.version$\",\"TimeCreated\":\\{\"SystemTime\":\"$winEventLog.time=SystemTimePattern$\"},\"Task\":\"$winEventLog.task_id$\",\"Security\":null,\"Provider\":\\{\"Name\":\"$winEventLog.providerName$\",\"Guid\":\"$winEventLog.provider_guid$\"},\"Opcode\":\"$winEventLog.opcode$\",\"Level\":\"$winEventLog.level$\",\"Keywords\":\"$winEventLog.keywords$\",\"Execution\":\\{\"ThreadID\":\"$winEventLog.execution.thread_id$\",\"ProcessID\":\"$winEventLog.execution.process_id$\"},\"EventRecordID\":\"$winEventLog.event_record_id$\",\"EventID\":\"$winEventLog.event_id$\",\"Correlation\":$winEventLog.correlation$,\"Computer\":\"$endpoint.name$\",\"Channel\":\"$winEventLog.channel$\"},\"RenderingInfo\":\\{\"Task\":\"$winEventLog.rendering_info.Task$\",\"Provider\":\"$winEventLog.rendering_info.Provider$\",\"Opcode\":\"$winEventLog.rendering_info.Opcode$\",\"Message\":\"$winEventLog.rendering_info.Message$\",\"Level\":\"$winEventLog.rendering_info.Level$\",\"Keywords\":\\{\"Keyword\":\"$winEventLog.rendering_info.Keywords.Keyword$\"},\"Channel\":\"$winEventLog.rendering_info.channel$\",\"Culture\":\"$winEventLog.rendering_info.Culture$\"},\"EventData\":\\{\"Data\":\\{\"UserWorkstations\":\\{\"Text\":\"$winEventLog.EventData.UserWorkstations$\"},\"UserPrincipalName\":\\{\"Text\":\"$winEventLog.EventData.UserPrincipalName$\"},\"UserParameters\":\\{\"Text\":\"$winEventLog.EventData.UserParameters$\"},\"UserAccountControl\":\\{\"Text\":\"$winEventLog.EventData.UserAccountControl$\"},\"TargetUserName\":\\{\"Text\":\"$winEventLog.EventData.TargetUserName$\"},\"TargetSid\":\\{\"Text\":\"$winEventLog.EventData.TargetSid$\"},\"TargetDomainName\":\\{\"Text\":\"$winEventLog.EventData.TargetDomainName$\"},\"SubjectUserSid\":\\{\"Text\":\"$winEventLog.EventData.SubjectUserSid$\"},\"SubjectUserName\":\\{\"Text\":\"$winEventLog.EventData.SubjectUserName$\"},\"SubjectLogonId\":\\{\"Text\":\"$winEventLog.EventData.UserPrincipalName$\"},\"SubjectDomainName\":\\{\"Text\":\"$winEventLog.EventData.SubjectDomainName$\"},\"SidHistory\":\\{\"Text\":\"$winEventLog.EventData.SidHistory$\"},\"ServicePrincipalNames\":\\{\"Text\":\"$winEventLog.EventData.ServicePrincipalNames$\"},\"ScriptPath\":\\{\"Text\":\"$winEventLog.EventData.ScriptPath$\"},\"SamAccountName\":\\{\"Text\":\"$winEventLog.EventData.SamAccountName$\"},\"ProfilePath\":\\{\"Text\":\"$winEventLog.EventData.ProfilePath$\"},\"PrivilegeList\":\\{\"Text\":\"$winEventLog.EventData.PrivilegeList$\"},\"PrimaryGroupId\":\\{\"Text\":\"$winEventLog.EventData.PrimaryGroupId$\"},\"PasswordLastSet\":\\{\"Text\":\"$winEventLog.EventData.PasswordLastSet$\"},\"OldUacValue\":\\{\"Text\":\"$winEventLog.EventData.OldUacValue$\"},\"NewUacValue\":\\{\"Text\":\"$winEventLog.EventData.NewUacValue$\"},\"LogonHours\":\\{\"Text\":\"$winEventLog.EventData.LogonHours$\"},\"HomePath\":\\{\"Text\":\"$winEventLog.EventData.UserPrincipalName$\"},\"HomeDirectory\":\\{\"Text\":\"$winEventLog.EventData.HomeDirectory$\"},\"DnsHostName\":\\{\"Text\":\"$winEventLog.EventData.DnsHostName$\"},\"DisplayName\":\\{\"Text\":\"$winEventLog.EventData.DisplayName$\"},\"ComputerAccountChange\":\\{\"Text\":\"$winEventLog.EventData.ComputerAccountChange$\"},\"AllowedToDelegateTo\":\\{\"Text\":\"$winEventLog.EventData.AllowedToDelegateTo$\"},\"AccountExpires\":\\{\"Text\":\"$winEventLog.EventData.AccountExpires$\"}}},\"xmlns\":\"$winEventLog.xmlns$\"},\"timestamp\":\"$winEventLog.timestamp=SystemTimePattern$\",\"name\":\"$winEventLog.name$\",\"monitor\":\"$winEventLog.monitor$\"}"
halt: true
},
{
// Match Event ID : 4741
format: "^\\{\"Event\":\\{\"System\":\\{\"Version\":\"$winEventLog.version$\",\"TimeCreated\":\\{\"SystemTime\":\"$winEventLog.time=SystemTimePattern$\"},\"Task\":\"$winEventLog.task_id$\",\"Security\":null,\"Provider\":\\{\"Name\":\"$winEventLog.providerName$\",\"Guid\":\"$winEventLog.provider_guid$\"},\"Opcode\":\"$winEventLog.opcode$\",\"Level\":\"$winEventLog.level$\",\"Keywords\":\"$winEventLog.keywords$\",\"Execution\":\\{\"ThreadID\":\"$winEventLog.execution.thread_id$\",\"ProcessID\":\"$winEventLog.execution.process_id$\"},\"EventRecordID\":\"$winEventLog.event_record_id$\",\"EventID\":\"$winEventLog.event_id$\",\"Correlation\":$winEventLog.correlation$,\"Computer\":\"$endpoint.name$\",\"Channel\":\"$winEventLog.channel$\"},\"RenderingInfo\":\\{\"Task\":\"$winEventLog.rendering_info.task$\",\"Provider\":\"$winEventLog.rendering_info.provider$\",\"Opcode\":\"$winEventLog.rendering_info.opcode$\",\"Message\":\"$winEventLog.message$\",\"Level\":\"$winEventLog.rendering_info.level$\",\"Keywords\":\\{\"Keyword\":\"$winEventLog.rendering_info.keywords.keyword$\"},\"Channel\":\"$winEventLog.rendering_info.channel$\",\"Culture\":\"$winEventLog.rendering_info.culture$\"},\"EventData\":\\{\"Data\":\\{\"UserWorkstations\":\\{\"Text\":\"$winEventLog.EventData.UserWorkstations$\"},\"UserPrincipalName\":\\{\"Text\":\"$winEventLog.EventData.UserPrincipalName$\"},\"UserParameters\":\\{\"Text\":\"$winEventLog.EventData.UserParameters$\"},\"UserAccountControl\":\\{\"Text\":\"$winEventLog.EventData.UserAccountControl$\"},\"TargetUserName\":\\{\"Text\":\"$winEventLog.EventData.TargetUserName$\"},\"TargetSid\":\\{\"Text\":\"$winEventLog.EventData.TargetSid$\"},\"TargetDomainName\":\\{\"Text\":\"$winEventLog.EventData.TargetDomainName$\"},\"SubjectUserSid\":\\{\"Text\":\"$winEventLog.EventData.userSID$\"},\"SubjectUserName\":\\{\"Text\":\"$winEventLog.EventData.SubjectUserName$\"},\"SubjectLogonId\":\\{\"Text\":\"$winEventLog.EventData.logonId$\"},\"SubjectDomainName\":\\{\"Text\":\"$winEventLog.EventData.SubjectDomainName$\"},\"SidHistory\":\\{\"Text\":\"$winEventLog.EventData.SidHistory$\"},\"ServicePrincipalNames\":\\{\"Text\":\"$winEventLog.EventData.ServicePrincipalNames$\"},\"ScriptPath\":\\{\"Text\":\"$winEventLog.EventData.ScriptPath$\"},\"SamAccountName\":\\{\"Text\":\"$winEventLog.EventData.SamAccountName$\"},\"ProfilePath\":\\{\"Text\":\"$winEventLog.EventData.ProfilePath$\"},\"PrivilegeList\":\\{\"Text\":\"$winEventLog.EventData.PrivilegeList$\"},\"PrimaryGroupId\":\\{\"Text\":\"$winEventLog.EventData.PrimaryGroupId$\"},\"PasswordLastSet\":\\{\"Text\":\"$winEventLog.EventData.PasswordLastSet$\"},\"OldUacValue\":\\{\"Text\":\"$winEventLog.EventData.OldUacValue$\"},\"NewUacValue\":\\{\"Text\":\"$winEventLog.EventData.NewUacValue$\"},\"LogonHours\":\\{\"Text\":\"$winEventLog.EventData.LogonHours$\"},\"HomePath\":\\{\"Text\":\"$winEventLog.EventData.UserPrincipalName$\"},\"HomeDirectory\":\\{\"Text\":\"$winEventLog.EventData.HomeDirectory$\"},\"DnsHostName\":\\{\"Text\":\"$winEventLog.EventData.DnsHostName$\"},\"DisplayName\":\\{\"Text\":\"$winEventLog.EventData.DisplayName$\"},\"AllowedToDelegateTo\":\\{\"Text\":\"$winEventLog.EventData.AllowedToDelegateTo$\"},\"AccountExpires\":\\{\"Text\":\"$winEventLog.EventData.AccountExpires$\"}}},\"xmlns\":\"$winEventLog.xmlns$\"},\"timestamp\":\"$winEventLog.timestamp=SystemTimePattern$\",\"name\":\"$winEventLog.name$\",\"monitor\":\"$winEventLog.monitor$\"}"
halt: true
},
{
// Match Event ID : 8002
format: "^\\{\"Event\":\\{\"System\":\\{\"Version\":\"$winEventLog.version$\",\"TimeCreated\":\\{\"SystemTime\":\"$winEventLog.time=SystemTimePattern$\"},\"Task\":\"$winEventLog.task_id$\",\"Security\":\\{\"UserID\":\"$winEventLog.user_id$\"},\"Provider\":\\{\"Name\":\"$winEventLog.providerName$\",\"Guid\":\"$winEventLog.provider_guid$\"},\"Opcode\":\"$winEventLog.opcode$\",\"Level\":\"$winEventLog.level$\",\"Keywords\":\"$winEventLog.keywords$\",\"Execution\":\\{\"ThreadID\":\"$winEventLog.execution.thread_id$\",\"ProcessID\":\"$winEventLog.execution.process_id$\"},\"EventRecordID\":\"$winEventLog.event_record_id$\",\"EventID\":\"$winEventLog.event_id$\",\"Correlation\":$winEventLog.correlation$,\"Computer\":\"$endpoint.name$\",\"Channel\":\"$winEventLog.channel$\"},\"RenderingInfo\":\\{\"Task\":\"$winEventLog.rendering_info.task$\",\"Provider\":\"$winEventLog.rendering_info.provider$\",\"Opcode\":\"$winEventLog.rendering_info.opcode$\",\"Message\":\"$winEventLog.message$\",\"Level\":\"$winEventLog.rendering_info.level$\",\"Keywords\":$winEventLog.rendering_info.keywords$,\"Channel\":\"$winEventLog.rendering_info.channel$\",\"Culture\":\"$winEventLog.rendering_info.culture$\"},\"EventData\":\\{\"Data\":\\{\"ProcessName\":\\{\"Text\":\"$src.process.name$\"},\"MechanismOID\":\\{\"Text\":\"$src.process.mechanism_oid$\"},\"ClientUserName\":\\{\"Text\":\"$src.process.user$\"},\"ClientLUID\":\\{\"Text\":\"$src.process.uid$\"},\"ClientDomainName\":\\{\"Text\":\"$src.process.domain$\"},\"CallerPID\":\\{\"Text\":\"$src.process.callerid$\"}}},\"xmlns\":\"$winEventLog.xmlns$\"},\"timestamp\":\"$winEventLog.timestamp=SystemTimePattern$\",\"name\":\"$winEventLog.name$\",\"monitor\":\"$winEventLog.monitor$\"}"
halt: true
},
{
// Match all rest
format: "^\\{\"Event\":\\{\"System\":\\{\"Version\":\"$winEventLog.version$\",\"TimeCreated\":\\{\"SystemTime\":\"$winEventLog.time=SystemTimePattern$\"},\"Task\":\"$winEventLog.task_id$\",\"Security\":null,\"Provider\":\\{\"Name\":\"$winEventLog.providerName$\",\"Guid\":\"$winEventLog.provider_guid$\"},\"Opcode\":\"$winEventLog.opcode$\",\"Level\":\"$winEventLog.level$\",\"Keywords\":\"$winEventLog.keywords$\",\"Execution\":\\{\"ThreadID\":\"$winEventLog.execution.thread_id$\",\"ProcessID\":\"$winEventLog.execution.process_id$\"},\"EventRecordID\":\"$winEventLog.event_record_id$\",\"EventID\":\"$winEventLog.event_id$\",$winEventLog.rest$"
}
]
}
Reference in New Issue View Git Blame Copy Permalink