-
-
Save Sylvain-69/42b7e71b97c3d918f7721d59df942b06 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
filter { | |
# | |
# | |
# identifier les messages Windows via le tag | |
# | |
if "dc" in [tags] { | |
# | |
# | |
# Gestion création/suppression des groupes de Sécurités | |
# | |
# | |
if [event_id] == 4727 or [event_id] == 4731 or [event_id] == 4754 { | |
mutate { | |
add_field => {"Auteur" => "%{[event_data][SubjectUserName]}"} | |
add_field => {"Groupe" => "%{[event_data][TargetUserName]}"} | |
add_field => {"Action" => "Création d'un groupe de sécurité"} | |
remove_field => [ "[event_data][PrivilegeList]", "[event_data][SidHistory]", "[event_data][SubjectLogonId]" ] | |
} | |
} | |
else if [event_id] == 4730 or [event_id] == 4734 or [event_id] == 4758 { | |
mutate { | |
add_field => {"Auteur" => "%{[event_data][SubjectUserName]}"} | |
add_field => {"Groupe" => "%{[event_data][TargetUserName]}"} | |
add_field => {"Action" => "Suppression d'un groupe global"} | |
remove_field => [ "[event_data][PrivilegeList]", "[event_data][SidHistory]", "[event_data][SubjectLogonId]" ] | |
} | |
} | |
# | |
# | |
# Gestion ajout/suppression des membres de groupes de sécurités | |
# | |
# | |
else if [event_id] == 4728 or [event_id] == 4732 or [event_id] == 4756 { | |
grok { patterns_dir => ["/etc/logstash/conf.d/patterns"] | |
match => {"[event_data][MemberName]" => "%{USERLDAP1:Membre}"} | |
match => {"[event_data][MemberName]" => "%{USERLDAP2:Membre}"} | |
} | |
mutate { | |
add_field => {"Auteur" => "%{[event_data][SubjectUserName]}"} | |
add_field => {"Groupe" => "%{[event_data][TargetUserName]}"} | |
add_field => {"Action" => "Ajout d'un membre à un groupe de sécurité"} | |
} | |
} | |
else if [event_id] == 4729 or [event_id] == 4733 or [event_id] == 4757 { | |
grok { patterns_dir => ["/etc/logstash/conf.d/patterns"] | |
match => {"[event_data][MemberName]" => "%{USERLDAP1:Membre}"} | |
match => {"[event_data][MemberName]" => "%{USERLDAP2:Membre}"} | |
} | |
mutate { | |
add_field => {"Auteur" => "%{[event_data][SubjectUserName]}"} | |
add_field => {"Groupe" => "%{[event_data][TargetUserName]}"} | |
add_field => {"Action" => "Suppression d'un membre d'un groupe de sécurité"} | |
} | |
} | |
else if [event_id] == 4764 { | |
mutate { | |
add_field => {"Auteur" => "%{[event_data][SubjectUserName]}"} | |
add_field => {"Groupe" => "%{[event_data][TargetUserName]}"} | |
add_field => {"Action" => "Modification du type d'un groupe"} | |
} | |
} | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment