{
"description": "Plaso: add evidence_of tags",
"processors": [
{
"set": {
"field": "evidence_of",
"value": "ProgramExecution",
"if": "ctx.parser=~/(appcompatcache|prefetch|userassist)/",
"ignore_failure": true
}
}, {
"set": {
"field": "evidence_of",
"value": "FileFolderOpening",
"if": "ctx.parser=~/(mrulistex_shell_item_list|mrulistex_string_and_shell_item|mrulistex_string|microsoft_office_mru|bagmru)/",
"ignore_failure": true
}
}, {
"set": {
"field": "evidence_of",
"value": "FileFolderOpening",
"if": "ctx.parser=~/(automatic_destinations)/ && ctx.source_long!='System'",
"ignore_failure": true
}
}, {
"set": {
"field": "evidence_of",
"value": "AccountUsage",
"if": "ctx.parser=='winevtx' && ctx.source_name=='Microsoft-Windows-TerminalServices-LocalSessionManager' && ctx.event_id=~/(20|21|22|23|24|39|40|9009)/",
"ignore_failure": true
}
}, {
"set": {
"field": "evidence_of",
"value": "AccountUsage",
"if": "ctx.parser=='winevtx' && ctx.source_name=='Microsoft-Windows-Security-Auditing' && ctx.event_id=~/(4624|4634|4647|4778|4779)/",
"ignore_failure": true
}
}, {
"set": {
"field": "evidence_of",
"value": "AccountUsage",
"if": "ctx.parser=='winevtx' && ctx.source_name=='Service Control Manager' && ctx.event_id=~/(7034|7035|7036|7040)/",
"ignore_failure": true
}
}
]
}