adding illuminate collector

graylog-labs · Oct 23, 2023 · 26a8710 · 26a8710
1 parent 2adcea0
commit 26a8710
Showing 1 changed file with 71 additions and 0 deletions.
diff --git a/Collectors/winlogbeat_illuminate_sysmon.yml b/Collectors/winlogbeat_illuminate_sysmon.yml
@@ -0,0 +1,71 @@
+# Needed for Graylog
+fields_under_root: true
+fields.collector_node_id: ${sidecar.nodeName}
+fields.gl2_source_collector: ${sidecar.nodeId}
+
+output.logstash:
+   hosts: ["<HOST>:PORT"]
+path:
+  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
+  logs: C:\Program Files\Graylog\sidecar\logs
+tags:
+ - windows
+winlogbeat.event_logs:
+  - name: Application
+    level: critical, error, warning
+    ignore_older: 48h
+
+  # Account login: Successful, Failed, logged off, loggon using explicit credentials
+  - name: Security
+    event_id: 4616, 4624, 4625, 4634, 4647, 4648, 4688
+    level: info
+    ignore_older: 48h
+    provider:
+      - Microsoft-Windows-Security-Auditing
+
+# Active Directory Monitoring: User account created, A user account was enabled, An attempt was made to change the password of an account, A user account was disabled,A user account was changed, A user account was locked out,A user account was unlocked
+  - name: Security
+    event_id:  4720-4727
+    level: info
+    ignore_older: 48h
+    provider:
+      - Microsoft-Windows-Security-Auditing
+
+# Active directory Monitoring Group:A user was added to a privileged global group, 	A user was added to a privileged local group, A user was added to a privileged universal group, A privileged local group was modified, A privileged global group was modified, A privileged universal group was modified
+  - name: Security
+    event_id:   4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4738, 4740-4743, 4754-4758, 4764, 4767, 4769
+    level: info
+    ignore_older: 48h
+    provider:
+      - Microsoft-Windows-Security-Auditing
+
+ # Active directory Kerberos:A Kerberos authentication ticket request failed
+  - name: Security
+    event_id:   4770-4773, 4768, 4769
+    level: info
+    ignore_older: 48h
+    provider:
+      - Microsoft-Windows-Security-Auditing
+
+   # Active directory RDP: 
+  - name: Security
+    event_id:  1024, 1100, 1101, 1102, 1103, 1104, 1149, 98, 131, 21, 22, 25 
+    level: info
+    ignore_older: 48h
+    provider:
+      - Microsoft-Windows-Security-Auditing
+
+  - name: System
+    level: critical, error, warning
+    ignore_older: 48h
+  - name: Microsoft-Windows-Sysmon/Operational
+    ignore_older: 48h
+  - name: Windows PowerShell
+    level: critical, error, warning
+    ignore_older: 48h
+  - name: Microsoft-Windows-PowerShell/Operational
+    level: critical, error, warning
+    ignore_older: 48h
+  - name: Microsoft-Windows-Windows Defender/Operational
+    level: critical, error, warning
+    ignore_older: 48h