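--- a/.tests/windows-bf/scenario.assert
+++ b/.tests/windows-bf/scenario.assert
@@ -1,63 +1,125 @@
-len(results) == 1
-"192.168.9.212" in results[0].Overflow.GetSources()
-results[0].Overflow.Sources["192.168.9.212"].IP == "192.168.9.212"
-results[0].Overflow.Sources["192.168.9.212"].Range == ""
-results[0].Overflow.Sources["192.168.9.212"].GetScope() == "Ip"
-results[0].Overflow.Sources["192.168.9.212"].GetValue() == "192.168.9.212"
+len(results) == 2
+"192.168.9.212" in results[1].Overflow.GetSources()
+"192.168.9.213" in results[0].Overflow.GetSources()
+results[1].Overflow.Sources["192.168.9.212"].IP == "192.168.9.212"
+results[1].Overflow.Sources["192.168.9.212"].Range == ""
+results[1].Overflow.Sources["192.168.9.212"].GetScope() == "Ip"
+results[1].Overflow.Sources["192.168.9.212"].GetValue() == "192.168.9.212"
+results[0].Overflow.Sources["192.168.9.213"].IP == "192.168.9.213"
+results[0].Overflow.Sources["192.168.9.213"].Range == ""
+results[0].Overflow.Sources["192.168.9.213"].GetScope() == "Ip"
+results[0].Overflow.Sources["192.168.9.213"].GetValue() == "192.168.9.213"
 basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "windows-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "wineventlog"
 results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "windows_failed_auth"
 results[0].Overflow.Alert.Events[0].GetMeta("logon_type") == "3"
-results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.9.212"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.9.213"
 results[0].Overflow.Alert.Events[0].GetMeta("status") == "0xc000006d"
 results[0].Overflow.Alert.Events[0].GetMeta("sub_status") == "0xc0000064"
-results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-04-29T12:36:01.9027913Z"
-results[0].Overflow.Alert.Events[0].GetMeta("username") == "asdfasdf"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-11-03T19:58:18.2731995Z"
+results[0].Overflow.Alert.Events[0].GetMeta("username") == "qwertyqwerty"
 basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "windows-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "wineventlog"
 results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "windows_failed_auth"
 results[0].Overflow.Alert.Events[1].GetMeta("logon_type") == "3"
-results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.9.212"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.9.213"
 results[0].Overflow.Alert.Events[1].GetMeta("status") == "0xc000006d"
 results[0].Overflow.Alert.Events[1].GetMeta("sub_status") == "0xc0000064"
-results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-04-29T12:36:02.2268806Z"
-results[0].Overflow.Alert.Events[1].GetMeta("username") == "asdfasdf"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-11-03T19:58:19.2731995Z"
+results[0].Overflow.Alert.Events[1].GetMeta("username") == "qwertyqwerty"
 basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "windows-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "wineventlog"
 results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "windows_failed_auth"
 results[0].Overflow.Alert.Events[2].GetMeta("logon_type") == "3"
-results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.9.212"
+results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.9.213"
 results[0].Overflow.Alert.Events[2].GetMeta("status") == "0xc000006d"
 results[0].Overflow.Alert.Events[2].GetMeta("sub_status") == "0xc0000064"
-results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-04-29T12:36:03.2268806Z"
-results[0].Overflow.Alert.Events[2].GetMeta("username") == "asdfasdf"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-11-03T19:58:20.2731995Z"
+results[0].Overflow.Alert.Events[2].GetMeta("username") == "qwertyqwerty"
 basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "windows-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "wineventlog"
 results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "windows_failed_auth"
 results[0].Overflow.Alert.Events[3].GetMeta("logon_type") == "3"
-results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.9.212"
+results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.9.213"
 results[0].Overflow.Alert.Events[3].GetMeta("status") == "0xc000006d"
 results[0].Overflow.Alert.Events[3].GetMeta("sub_status") == "0xc0000064"
-results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-04-29T12:36:04.2268806Z"
-results[0].Overflow.Alert.Events[3].GetMeta("username") == "asdfasdf"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-11-03T19:58:21.2731995Z"
+results[0].Overflow.Alert.Events[3].GetMeta("username") == "qwertyqwerty"
 basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "windows-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "wineventlog"
 results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "windows_failed_auth"
 results[0].Overflow.Alert.Events[4].GetMeta("logon_type") == "3"
-results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.9.212"
+results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.9.213"
 results[0].Overflow.Alert.Events[4].GetMeta("status") == "0xc000006d"
 results[0].Overflow.Alert.Events[4].GetMeta("sub_status") == "0xc0000064"
-results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-04-29T12:36:06.2268806Z"
-results[0].Overflow.Alert.Events[4].GetMeta("username") == "asdfasdf"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-11-03T19:58:22.2731995Z"
+results[0].Overflow.Alert.Events[4].GetMeta("username") == "qwertyqwerty"
 basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "windows-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "wineventlog"
 results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "windows_failed_auth"
 results[0].Overflow.Alert.Events[5].GetMeta("logon_type") == "3"
-results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.9.212"
+results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.9.213"
 results[0].Overflow.Alert.Events[5].GetMeta("status") == "0xc000006d"
 results[0].Overflow.Alert.Events[5].GetMeta("sub_status") == "0xc0000064"
-results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-04-29T12:36:07.2268806Z"
-results[0].Overflow.Alert.Events[5].GetMeta("username") == "asdfasdf"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-11-03T19:58:23.2731995Z"
+results[0].Overflow.Alert.Events[5].GetMeta("username") == "qwertyqwerty"
 results[0].Overflow.Alert.GetScenario() == "crowdsecurity/windows-bf"
 results[0].Overflow.Alert.Remediation == true
-results[0].Overflow.Alert.GetEventsCount() == 6
+results[0].Overflow.Alert.GetEventsCount() == 6
+basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "windows-bf.log"
+results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "wineventlog"
+results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "windows_failed_auth"
+results[1].Overflow.Alert.Events[0].GetMeta("logon_type") == "3"
+results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.9.212"
+results[1].Overflow.Alert.Events[0].GetMeta("status") == "0xc000006d"
+results[1].Overflow.Alert.Events[0].GetMeta("sub_status") == "0xc0000064"
+results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-04-29T12:36:01.9027913Z"
+results[1].Overflow.Alert.Events[0].GetMeta("username") == "asdfasdf"
+basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "windows-bf.log"
+results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "wineventlog"
+results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "windows_failed_auth"
+results[1].Overflow.Alert.Events[1].GetMeta("logon_type") == "3"
+results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.9.212"
+results[1].Overflow.Alert.Events[1].GetMeta("status") == "0xc000006d"
+results[1].Overflow.Alert.Events[1].GetMeta("sub_status") == "0xc0000064"
+results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2022-04-29T12:36:02.2268806Z"
+results[1].Overflow.Alert.Events[1].GetMeta("username") == "asdfasdf"
+basename(results[1].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "windows-bf.log"
+results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "wineventlog"
+results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "windows_failed_auth"
+results[1].Overflow.Alert.Events[2].GetMeta("logon_type") == "3"
+results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.9.212"
+results[1].Overflow.Alert.Events[2].GetMeta("status") == "0xc000006d"
+results[1].Overflow.Alert.Events[2].GetMeta("sub_status") == "0xc0000064"
+results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2022-04-29T12:36:03.2268806Z"
+results[1].Overflow.Alert.Events[2].GetMeta("username") == "asdfasdf"
+basename(results[1].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "windows-bf.log"
+results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "wineventlog"
+results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "windows_failed_auth"
+results[1].Overflow.Alert.Events[3].GetMeta("logon_type") == "3"
+results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.9.212"
+results[1].Overflow.Alert.Events[3].GetMeta("status") == "0xc000006d"
+results[1].Overflow.Alert.Events[3].GetMeta("sub_status") == "0xc0000064"
+results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2022-04-29T12:36:04.2268806Z"
+results[1].Overflow.Alert.Events[3].GetMeta("username") == "asdfasdf"
+basename(results[1].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "windows-bf.log"
+results[1].Overflow.Alert.Events[4].GetMeta("datasource_type") == "wineventlog"
+results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "windows_failed_auth"
+results[1].Overflow.Alert.Events[4].GetMeta("logon_type") == "3"
+results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.9.212"
+results[1].Overflow.Alert.Events[4].GetMeta("status") == "0xc000006d"
+results[1].Overflow.Alert.Events[4].GetMeta("sub_status") == "0xc0000064"
+results[1].Overflow.Alert.Events[4].GetMeta("timestamp") == "2022-04-29T12:36:06.2268806Z"
+results[1].Overflow.Alert.Events[4].GetMeta("username") == "asdfasdf"
+basename(results[1].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "windows-bf.log"
+results[1].Overflow.Alert.Events[5].GetMeta("datasource_type") == "wineventlog"
+results[1].Overflow.Alert.Events[5].GetMeta("log_type") == "windows_failed_auth"
+results[1].Overflow.Alert.Events[5].GetMeta("logon_type") == "3"
+results[1].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.9.212"
+results[1].Overflow.Alert.Events[5].GetMeta("status") == "0xc000006d"
+results[1].Overflow.Alert.Events[5].GetMeta("sub_status") == "0xc0000064"
+results[1].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-04-29T12:36:07.2268806Z"
+results[1].Overflow.Alert.Events[5].GetMeta("username") == "asdfasdf"
+results[1].Overflow.Alert.GetScenario() == "crowdsecurity/windows-bf"
+results[1].Overflow.Alert.Remediation == true
+results[1].Overflow.Alert.GetEventsCount() == 6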
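Review bot: Every event asserted for both buckets carries the same failure code, `sub_status == "0xc0000064"` (unknown user name) with `logon_type == "3"`, so the added second-source case still only proves the scenario fires on logons for nonexistent accounts. Repeated wrong-password failures against a valid account (`0xc000006a`) are the brute-force case that matters most for detection, and nothing here would catch a regression that stops counting them. Consider adding log lines with that sub-status and a matching assertion such as `results[N].Overflow.Alert.Events[0].GetMeta("sub_status") == "0xc000006a"` (N is a placeholder index). The assertions also pin 192.168.9.213 to `results[0]` and 192.168.9.212 to `results[1]`; if the test harness does not guarantee the order of results this will be flaky, which is worth confirming.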