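filter {
  #
  # Avoid duplicate log lines: events tagged "dc" that come from host "DAFT"
  # and carry its own address are discarded.
  # (Site-specific values taken from this deployment; adjust per environment.)
  #
  if "dc" in [tags] {
    if [host] == "DAFT" and [event_data][IpAddress] == "10.10.102.106" {
      drop { }
    }
  }
  #
  # Windows security events are recognised by the "securityevent" tag.
  #
  if "securityevent" in [tags] {
    mutate { add_field => { "SecurityEvents" => "1" } }
    #
    # Strip the IPv4-mapped IPv6 prefix so IpAddress is a plain IPv4 string.
    #
    mutate { gsub => [ "[event_data][IpAddress]", "::ffff:", "" ] }
    #
    # Drop machine accounts and one known unresolved SID.
    # Machine account names end in "$": the regex is anchored to the end of the
    # field so a "$" in the middle of a user name does not cause a drop.
    #
    if [event_data][TargetUserName] =~ /\w+[$]$/ {
      drop { }
    }
    if [event_data][TargetUserName] == "S-1-5-21-312104408-55515560-629696583-10897" {
      drop { }
    }
    #
    # Local logons: 4624 (successful) and 4625 (failed).
    #
    if [event_id] == 4624 or [event_id] == 4625 {
      if [event_id] == 4624 {
        mutate { add_field => { "LogonLocal" => "1" } }
        mutate { add_field => { "Resultat" => "successful logon" } }
      }
      else if [event_id] == 4625 {
        mutate { add_field => { "LogonLocal" => "1" } }
        mutate { add_field => { "Resultat" => "failed logon" } }
        # Failure reason derived from the Status / SubStatus code.
        # These are case-sensitive string comparisons against lowercase hex.
        if [event_data][Status] == "0xc0000064" or [event_data][SubStatus] == "0xc0000064" {
          mutate { add_field => { "Raison" => "Nom d'utilisateur incorrect" } }
        }
        else if [event_data][Status] == "0xc000006a" or [event_data][SubStatus] == "0xc000006a" {
          mutate { add_field => { "Raison" => "Mot de passe incorrect" } }
        }
        else if [event_data][Status] == "0xc0000234" or [event_data][SubStatus] == "0xc0000234" {
          mutate { add_field => { "Raison" => "Utilisateur verrouille" } }
        }
        else if [event_data][Status] == "0xc0000072" or [event_data][SubStatus] == "0xc0000072" {
          mutate { add_field => { "Raison" => "Utilisateur desactive" } }
        }
        else if [event_data][Status] == "0xc000006f" or [event_data][SubStatus] == "0xc000006f" {
          mutate { add_field => { "Raison" => "Hors plage horaire" } }
        }
        else if [event_data][Status] == "0xc0000070" or [event_data][SubStatus] == "0xc0000070" {
          mutate { add_field => { "Raison" => "workstation restriction, or Authentication Policy Silo violation" } }
        }
        else if [event_data][Status] == "0xc0000193" or [event_data][SubStatus] == "0xc0000193" {
          mutate { add_field => { "Raison" => "Compte expire" } }
        }
        else if [event_data][Status] == "0xc0000071" or [event_data][SubStatus] == "0xc0000071" {
          mutate { add_field => { "Raison" => "Mot de passe expire" } }
        }
        else if [event_data][Status] == "0xc0000133" or [event_data][SubStatus] == "0xc0000133" {
          mutate { add_field => { "Raison" => "clocks between DC and other computer too far out of sync" } }
        }
        else if [event_data][Status] == "0xc0000224" or [event_data][SubStatus] == "0xc0000224" {
          mutate { add_field => { "Raison" => "L'utitilisateur doit changer de mot de passe" } }
        }
        else if [event_data][Status] == "0xc0000225" or [event_data][SubStatus] == "0xc0000225" {
          mutate { add_field => { "Raison" => "evidently a bug in Windows and not a risk" } }
        }
        else if [event_data][Status] == "0xc000015b" or [event_data][SubStatus] == "0xc000015b" {
          mutate { add_field => { "Raison" => "l'utilisateur n'a pas pu se connecter" } }
        }
      }
      #
      # Logon type for 4624/4625. Types 3, 4, 5 and 7 are dropped entirely.
      # NOTE(review): dropping LogonType 3 also discards *failed* network logons
      # (4625), which removes visibility of remote password-guessing against the
      # host — confirm this is intended rather than only de-duplication.
      #
      # LogonType=2: interactive logon at the local console (keyboard/screen)
      if [event_data][LogonType] == "2" {
        mutate { add_field => { "Connexion" => "Ouverture Session Console" } }
      }
      # LogonType=3: network (e.g. connection to a shared folder on the PC)
      else if [event_data][LogonType] == "3" {
        drop { }
      }
      # LogonType=4: batch (e.g. scheduled tasks)
      else if [event_data][LogonType] == "4" {
        drop { }
      }
      # LogonType=5: service start
      else if [event_data][LogonType] == "5" {
        drop { }
      }
      # LogonType=7: workstation unlock (screen saver)
      else if [event_data][LogonType] == "7" {
        drop { }
      }
      # LogonType=8: NetworkCleartext
      else if [event_data][LogonType] == "8" {
        mutate { add_field => { "Connexion" => "NetworkCleartext" } }
      }
      # LogonType=9: Run As
      else if [event_data][LogonType] == "9" {
        mutate { add_field => { "Connexion" => "Run As" } }
      }
      # LogonType=10: remote desktop
      else if [event_data][LogonType] == "10" {
        mutate { add_field => { "Connexion" => "Connexion RDP" } }
      }
      # LogonType=11: CachedInteractive (meaning not confirmed by the original author)
      else if [event_data][LogonType] == "11" {
        mutate { add_field => { "Connexion" => "CachedInteractive" } }
      }
    }
    #
    # Failed logons seen at the domain controller: Kerberos events 4771/4768.
    # Every 4768 is first marked "failed logon"; a successful one is re-tagged
    # further down.
    #
    if [event_id] == 4771 or [event_id] == 4768 {
      mutate { add_field => { "Resultat" => "failed logon" } }
      mutate { add_field => { "LogonLocal" => "0" } }
      # Failure reason derived from the Kerberos Status code.
      # NOTE(review): "0xC" is the only code written in uppercase hex here while
      # the others are lowercase; the comparison is case-sensitive, so confirm
      # the casing actually emitted by the event source.
      if [event_data][Status] == "0x1" {
        mutate { add_field => { "Raison" => "Client's entry in database has expired" } }
      }
      else if [event_data][Status] == "0x2" {
        mutate { add_field => { "Raison" => "Server's entry in database has expired" } }
      }
      else if [event_data][Status] == "0x3" {
        mutate { add_field => { "Raison" => "Requested protocol version # not supported" } }
      }
      else if [event_data][Status] == "0x4" {
        mutate { add_field => { "Raison" => "Client's key encrypted in old master key" } }
      }
      else if [event_data][Status] == "0x5" {
        mutate { add_field => { "Raison" => "Server's key encrypted in old master key" } }
      }
      else if [event_data][Status] == "0x6" {
        mutate { add_field => { "Raison" => "Utilisateur Inconnu" } }
      }
      else if [event_data][Status] == "0x7" {
        mutate { add_field => { "Raison" => "PC inconnu" } }
      }
      else if [event_data][Status] == "0x8" {
        mutate { add_field => { "Raison" => "Multiple principal entries in database" } }
      }
      else if [event_data][Status] == "0x9" {
        mutate { add_field => { "Raison" => "The client or server has a null key" } }
      }
      # Status 0x10 events are not kept.
      else if [event_data][Status] == "0x10" {
        drop { }
      }
      else if [event_data][Status] == "0xC" {
        mutate { add_field => { "Raison" => "KDC policy rejects request - Reset du mot de passe necessaire" } }
      }
      else if [event_data][Status] == "0x12" {
        mutate { add_field => { "Raison" => "Compte désactivé, bloqué, expiré ou hors horaire" } }
      }
      else if [event_data][Status] == "0x17" {
        mutate { add_field => { "Raison" => "Mot de passe expiré" } }
      }
      else if [event_data][Status] == "0x18" {
        mutate { add_field => { "Raison" => "Mauvais mot de passe" } }
      }
      else if [event_data][Status] == "0x25" {
        mutate { add_field => { "Raison" => "Décallage entre l'heure du PC et du DC" } }
      }
    }
    #
    # Successful DC logon (4768 with PreAuthType 2): overwrite the "failed logon"
    # marker set above. The value is spelled exactly like the 4624 branch
    # ("successful logon") so local and DC successes aggregate under one term;
    # "replace" overwrites in place instead of remove_field + add_field.
    #
    if [event_id] == 4768 and [event_data][PreAuthType] == "2" {
      mutate { replace => { "Resultat" => "successful logon" } }
    }
    #
    # Other successful Kerberos requests (4768, Status 0x0) are dropped.
    #
    else if [event_id] == 4768 and [event_data][Status] == "0x0" {
      drop { }
    }
  }
}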