dlee35/6500_winlogbeat_sysmon.conf

## 6500_winlogbeat_sysmon.conf
# Author: Wes Lambert
#
# Last Update: 09/24/2018
#
# This conf file is based on accepting Sysmon logs from winlogbeat

filter {
  if "beat" in [tags] and [source_name] =~ "Microsoft-Windows-Sysmon" {
      mutate {
        replace => { "type" => "sysmon" }
        rename => { "[event_data][User]" => "username" }
        rename => { "[event_data][DestinationPort]" => "destination_port" }
        rename => { "[event_data][DestinationIp]" => "destination_ip" }
        rename => { "[event_data][SourceIp]" => "source_ip" }
        rename => { "[event_data][Image]" => "image_path" }
        rename => { "[event_data][ParentImage]" => "parent_image_path" }
        rename => { "[data][sysmon][targetfilename]" => "target_filename" }
        rename => { "[event_data][SourceHostname]" => "source_hostname" }
	      rename => { "[event_data][TargetFilename]" => "target_filename" }
        rename => { "[event_data][DestinationHostname]" => "destination_hostname" }
      }
      if [destination_hostname] == '' {
        mutate {
          replace => [ "destination_hostname", "unknown" ]
        }
      }
      if [event_data][RuleName] {
        kv {
          source => "[event_data][RuleName]"
          field_split => ","
          value_split => "="
          prefix => "[event_data]"
          transform_key => "capitalize"
        }
      }
      if [event_data][Hashes] {
        kv {
          source => "[event_data][Hashes]"
          field_split => ","
          value_split => "="
          prefix => "[event_data]"
        }
      }
  }
}
	# Author: Wes Lambert
	#
	# Last Update: 09/24/2018
	#
	# This conf file is based on accepting Sysmon logs from winlogbeat

	filter {
	if "beat" in [tags] and [source_name] =~ "Microsoft-Windows-Sysmon" {
	mutate {
	replace => { "type" => "sysmon" }
	rename => { "[event_data][User]" => "username" }
	rename => { "[event_data][DestinationPort]" => "destination_port" }
	rename => { "[event_data][DestinationIp]" => "destination_ip" }
	rename => { "[event_data][SourceIp]" => "source_ip" }
	rename => { "[event_data][Image]" => "image_path" }
	rename => { "[event_data][ParentImage]" => "parent_image_path" }
	rename => { "[data][sysmon][targetfilename]" => "target_filename" }
	rename => { "[event_data][SourceHostname]" => "source_hostname" }
	rename => { "[event_data][TargetFilename]" => "target_filename" }
	rename => { "[event_data][DestinationHostname]" => "destination_hostname" }
	}
	if [destination_hostname] == '' {
	mutate {
	replace => [ "destination_hostname", "unknown" ]
	}
	}
	if [event_data][RuleName] {
	kv {
	source => "[event_data][RuleName]"
	field_split => ","
	value_split => "="
	prefix => "[event_data]"
	transform_key => "capitalize"
	}
	}
	if [event_data][Hashes] {
	kv {
	source => "[event_data][Hashes]"
	field_split => ","
	value_split => "="
	prefix => "[event_data]"
	}
	}
	}
	}