
update logstash <> ossem #314

@neu5ron

Description


In OSSEM but not HELK

  • Security:4964
  • Security:4626
  • Security:4664
  • Security:4688 naming
  • Security:4696
  • Audit User Account Management
    • Security:4722
    • Security:4723
    • Security:4724
    • Security:4725
    • Security:4726
    • Security:4738
    • Security:4740
    • Security:4765
    • Security:4766
    • Security:4767
    • Security:4780
    • Security:4781
    • Security:4794
    • Security:4798
    • Security:5376
    • Security:5377
  • Audit Security Group Management
    • Security:4727
    • Security:4728
    • Security:4729
    • Security:4730
    • Security:4731
    • Security:4732
    • Security:4733
    • Security:4734
    • Security:4735
    • Security:4737
    • Security:4754
    • Security:4755
    • Security:4756
    • Security:4757
    • Security:4758
    • Security:4764
    • Security:4799
      • ProcessID and CallerProcessId
  • Account Management\Audit Distribution Group Management
    • Security:4749
    • Security:4750
    • Security:4751
    • Security:4752
    • Security:4753
  • Security:4764
  • Security:4772
  • Security:4773
  • Audit Other Logon
    • Security:4649
    • Security:4778
    • Security:4779
    • Security:4802
    • Security:4803
    • Security:4825
    • Security:5378
    • Security:5632
    • Security:5633
  • Audit Security System Extension
    • Security:4610
    • Security:4614
    • Security:4622
  • Audit Other Account Management Events
    • Security:4782
    • Security:4793
  • Security:5142
  • Security:5143
  • Security:5144
  • Security:5145
  • Security:5168
  • Sysmon:5
  • Sysmon:255
  • Security:4932
    low priority, not really a great schema for this
  • Security:4933
    low priority, not really a great schema for this

In HELK but not OSSEM

  • AccessReason
  • all "sddl" should be "sd"
  • object_access_handle_id > object_handle_id
  • object_access_list_requested > object_access_list
  • object_access_mask_requested > object_access_mask
  • Audit Security System Extension
    • Security:4611
    • Security:4697
  • Security:4616
  • Security:4648
  • Security:4657
  • Audit Sensitive Privilege Use
    • Security:4659
  • Security:4670
  • Security:4690
  • Other Object Access Scheduled Tasks
    • Security:4698 - HELK not OSSEM
    • Security:4699 - OSSEM not HELK
    • Security:4701 - HELK not OSSEM
    • Security:4702 - HELK not OSSEM
    • Security:4703 - neither
  • Security:4704
  • Audit Policy Change
    • check other logs in live data (already checked in OSSEM) that have EventSourceId
    • check other logs in live data (already checked in OSSEM) that have AuditSourceName
    • check other logs in live data (already checked in OSSEM) that have SubcategoryId
    • check other logs in live data (already checked in OSSEM) that have SubcategoryGuid
    • check other logs in live data (already checked in OSSEM) that have AuditPolicyChanges
    • check other logs in live data (already checked in OSSEM) that have PuaCount
    • check other logs in live data (already checked in OSSEM) that have PuaPolicyId
    • check other logs in live data (already checked in OSSEM) that have SidList
      are 4908 and 4964 really it?
    • 4902 any other info
    • 4906 any other info
    • 4908 any other info
    • Security:4715 The audit policy (SACL) on an object was changed. - NOT HELK, check OSSEM
    • Security:4719 System audit policy was changed. - HELK not OSSEM
    • Security:4817 Auditing settings on object were changed. - NOT HELK, check OSSEM
    • Security:4902 The Per-user audit policy table was created. - NOT HELK, check OSSEM
    • Security:4904 An attempt was made to register a security event source - NOT HELK, check OSSEM
    • Security:4905 An attempt was made to unregister a security event source - NOT HELK, check OSSEM
    • Security:4906 The CrashOnAuditFail value has changed. - NOT HELK, check OSSEM
    • Security:4907 Auditing settings on object were changed - In HELK, check OSSEM
    • Security:4908 Special Groups Logon table modified - NOT HELK, check OSSEM
    • Security:4912 Per User Audit Policy was changed - OSSEM not HELK
  • Security:4728
  • Security:4729
  • Security:5058
  • Security:5059
  • Security:5061
  • Audit Directory Service Changes
    • Security:5136
    • Security:5137
  • target_host_name
  • Security:6144
  • processId from Microsoft-Windows-Bits-Client/Operational should be process_id and original process id should be parent_process_id
  • ProcessPath: process_path
  • processPath: process_path

Not in HELK or OSSEM

  • Microsoft-Windows-Bits-Client/Operational
    specifically nice to at least normalize:
    • bytesTransferred: dst/server bytes
    • bytesTransferredFrompeer: src/client bytes
    • bytesTotal: net total bytes
    • fileLength: net total bytes
    • processPath: process_path
    • scheme: TBD ( mostly value is BASIC (usually EID 203) or UNIDENTIFIED (usually EID 204) )
    • server: dst server/domain
    • url: url original (some has http and everything, some has just the URI)
    • User: user_name
    • user: user_name
  • processId should be process_id and original process id should be parent_process_id
    can be seen in Microsoft-Windows-Bits-Client/Operational EID 3
  • check the others that pertain to this same audit category
    • Security:4777
    • Security:4774
    • Security:4775
    • Security:4822
      no logs... or log examples from Microsoft
    • Security:4823
      no logs... or log examples from Microsoft
  • Security:4649
  • Account Management\Audit Distribution Group Management
    • Security:4744
    • Security:4745
    • Security:4746
    • Security:4747
    • Security:4748
    • Security:4759
    • Security:4760
    • Security:4761
    • Security:4762
    • Security:4763
  • Security:4754
  • Security:4755
  • Security:4797
  • Security:4865
  • Security:5051
  • Security:5141
  • Security:4694 (OSSEM needs to be completed, and CryptoAlgorithms should match the TLS/SSL schema)
  • Object Access\Audit Application Generated
    can't find a log example anywhere
    • Security:4665
      Think these were just carried over from XP/Server 2003 and no longer exist on Windows 7/Server 2008 R2 and later
      An attempt was made to create an application client context.
      Subject:
      Client Name: %3
      Client Domain: %4
      Client Context ID: %5
      Application Information:
      Application Name: %1
      Application Instance ID: %2
      Status: %
    • Security:4666
      Think these were just carried over from XP/Server 2003 and no longer exist on Windows 7/Server 2008 R2 and later
      An application attempted an operation:
      Subject:
      Client Name:
      Client Domain:
      Client Context ID:
      Object:
      Object Name: GetConnectorsByCriteria
      Scope Names: d5f04262-5efe-43cf-914c-3c1ea37a6529
      Application Information:
      Application Name: Microsoft Operations Manager
      Application Instance ID: 302660
      Access Request Information:
      Role: Role
      Groups: Group
      Operation Name: Connector__Get (14)
    • Security:4667
      Think these were just carried over from XP/Server 2003 and no longer exist on Windows 7/Server 2008 R2 and later
      An application client context was deleted.
      Subject:
      Client Name:
      Client Domain:
      Client Context ID:
      Application Information:
      Application Name:
      Application Instance ID:
    • Security:4668
      Think these were just carried over from XP/Server 2003 and no longer exist on Windows 7/Server 2008 R2 and later
      An application was initialized.
      Subject:
      Client Name: %3
      Client Domain: %4
      Client ID: %5
      Application Information:
      Application Name: %1
      Application Instance ID: %2
      Additional Information:
      Policy Store URL: %6

Verify/Update/Additional

  • processId
    from Bits client operational (specifically event id 3)
  • processPath
    from Bits client operational (specifically event id 3)
  • Windows Firewall & IPSEC & Audit Filtering Platform (Connection|Packet Drop)
    [4944 4945 4946 4947 4948 4950 4951 4952 4953 4954 4956 4957 4958 4960 4961 4962 4963 4964 4965 4976 4977 4978 4979 4980 4981 4982 4983 4984 5024 5025 5027 5028 5029 5030 5031 5032 5033 5034 5035 5037 5040 5041 5042 5043 5044 5045 5046 5047 5048 5049 5148 5149 5150 5151 5152 5153 5154 5155 5156 5157 5158 5159 5440 5441 5442 5443 5444 5445 5446 5447 5448 5449 5450 5451 5452 5453 5456 5457 5458 5459 5460 5461 5462 5462 5463 5464 5465 5466 5467 5468 5471 5472 5473 5474 5477 5478 5479 5480 5483 5484 5485]
  • object_access_mask hex to int, need to find/replace/change any sigma/stuff to int afterwards
  • object_handle_id hex to int, need to find/replace/change any sigma/stuff to int afterwards
  • Security:4724
  • Security:4725
  • Security:4704
  • SamAccountName
    • Security:4720
    • Security:4727
    • Security:4731
    • Security:4735
    • Security:4737
    • Security:4738
    • Security:4741
    • Security:4742
    • Security:4744
    • Security:4745
    • Security:4749
    • Security:4750
    • Security:4754
    • Security:4755
    • Security:4759
    • Security:4760
  • user_reporter_id should be user_reporter_logon_id ?
  • Security:4731
  • Security:4732
  • Security:4733
  • Security:4734
  • Security:4735
  • Security:4738
    "SamAccountName" => "user_attribute_samaccount_name"
  • Security:4741
  • Security:4742
  • Security:4743
  • Security:4672
  • Security:4673
  • Security:4674
  • PowerShell 4104 matching HELK OTRF/OSSEM#45
  • Sysmon:1
    OSSEM
    include how User actually goes to user_account as well (it's mentioned, but not specifically enough) and that this field is parsed for user_name and user_domain.
    also the user_reporter_* fields
    Creator Process ID
  • Sysmon:3 DestinationIsIpv6/SourceIsIpv6 in OSSEM, HELK has a field it uses - just double check what to do with OSSEM/HELK
  • object_transaction_guid > transaction_guid need to find/replace/change any sigma/stuff afterwards
  • OSSEM has target_process_id but all of HELK uses process_target_id
  • find all the fields that begin with "user_target" (that is using old OSSEM).

OSSEM

  • all/most process_name should be process_path
  • all/most process_parent_name should be process_parent_path

SIGMAC/SIGMA

  • all the process id stuff from HELK/OSSEM
  • after OSSEM<>HELK done, will need to update HELK sigmac for SIGMA
  • after OSSEM<>HELK done, will need to update Sigma sigmac for HELK sigmac
  • specific event IDs for AccessList
  • specific event IDs for PrivilegeList
  • OriginalFileName => file_name_original
  • sysmon dst ip
  • all the IP names from HELK/OSSEM logstash file = 1521
  • remove sysmon is ip v6
  • specific event IDs for AccessMask
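Added worked example (not HELK's, OSSEM's or Sigma's own code) covering the renames listed under "In HELK but not OSSEM", the object_access_mask / object_handle_id hex-to-int conversion, and the follow-up "find/replace/change any sigma/stuff to int afterwards": a small normalizer that applies the renames from this issue, converts the hex strings to integers, and shows that a rule still carrying the hex literal stops matching until its value is converted too. The sample event, its field values and the `object_sddl` field name are constructed for illustration; `sigma_matches` is a stand-in for a sigmac backend's equality check, not Sigma's real matching logic.

```python
"""Normalizer demonstrating the HELK -> OSSEM field renames and the
hex-to-int conversion requested in this issue. Added example; the sample
event is constructed and the matching helper is a stand-in for sigmac."""

import re

# Explicit renames from the issue (old HELK name -> OSSEM name). Assumed to
# run after the existing Logstash parsing, i.e. on flattened field names.
RENAMES = {
    "object_access_handle_id": "object_handle_id",
    "object_access_list_requested": "object_access_list",
    "object_access_mask_requested": "object_access_mask",
    "object_transaction_guid": "transaction_guid",
    "ProcessPath": "process_path",
    "processPath": "process_path",
}

# Fields the issue wants stored as integers instead of hex strings.
HEX_TO_INT_FIELDS = ("object_access_mask", "object_handle_id")

_HEX_RE = re.compile(r"^0[xX][0-9a-fA-F]+$")


def rename_sddl(name: str) -> str:
    """The 'all "sddl" should be "sd"' rule, applied to one field name."""
    return name.replace("sddl", "sd")


def hex_to_int(value):
    """'0x1F01FF' -> 2032127. Already-int values pass through; anything else
    raises, so a malformed value cannot silently become a wrong number that
    rules then never match."""
    if isinstance(value, int):
        return value
    if isinstance(value, str) and _HEX_RE.match(value):
        return int(value, 16)
    raise ValueError(f"not a hex string: {value!r}")


def normalize(event: dict) -> dict:
    """Apply the renames, then convert the hex fields to integers."""
    out = {}
    for key, value in event.items():
        out[rename_sddl(RENAMES.get(key, key))] = value
    for field in HEX_TO_INT_FIELDS:
        if field in out:
            out[field] = hex_to_int(out[field])
    return out


def sigma_matches(selection: dict, event: dict) -> bool:
    """Stand-in for a backend's 'every selection field equals' check."""
    return all(event.get(k) == v for k, v in selection.items())


def convert_rule_hex_values(selection: dict) -> dict:
    """The follow-up step: rewrite hex literals in an existing rule's
    selection to ints so it matches the converted events again."""
    return {k: (hex_to_int(v) if k in HEX_TO_INT_FIELDS else v)
            for k, v in selection.items()}


# Constructed sample, shaped like a pre-rename HELK Security:4663 record.
SAMPLE_EVENT = {
    "event_id": 4663,
    "object_access_handle_id": "0x1a4c",
    "object_access_mask_requested": "0x1F01FF",
    "object_access_list_requested": "%%1538 %%1541",
    "object_sddl": "O:BAG:SYD:(A;;FA;;;BA)",   # constructed field name/value
}

# Constructed rule selection written against the old hex string.
OLD_RULE_SELECTION = {"event_id": 4663, "object_access_mask": "0x1F01FF"}

if __name__ == "__main__":
    normalized = normalize(SAMPLE_EVENT)
    print(normalized)
    print("old rule matches:", sigma_matches(OLD_RULE_SELECTION, normalized))
    print("converted rule matches:",
          sigma_matches(convert_rule_hex_values(OLD_RULE_SELECTION), normalized))
```

Running it shows the renamed event with `object_access_mask` as 2032127 and `object_handle_id` as 6732, the old hex-literal rule no longer matching, and the converted rule matching again; that is the order of operations the "afterwards" items above imply, since converting the pipeline without converting the rules silently blanks every rule that keys on those fields.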
