Adds parsing of DNS query responses (Sysmon Event ID 22) to the winlogbeat-sysmon.js file
// Add this above extractIP4
/**
 * Chain step for the Sysmon DNS event: hands the QueryResults field to
 * extractIP4, which writes the IPv4 answers it finds to `destination.ips`.
 *
 * extractIP4 is only looked up when this function runs, so it may be
 * declared further down the file.
 *
 * @param {object} evt - Beats event passed through the processor chain.
 */
var splitIps = function(evt) {
  var queryResultField = "winlog.event_data.QueryResults";
  extractIP4(evt, queryResultField);
};
// Add this above event22
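/**
 * Collects the IPv4 addresses found in a ';'-separated Sysmon QueryResults
 * string and stores them as an array in `destination.ips`.
 *
 * Each ';' chunk is scanned for one dotted-quad that is not glued to other
 * digits or dots, and every octet must be <= 255. Only the matched address is
 * kept: "::ffff:192.0.2.10" (IPv4-mapped IPv6 notation) yields "192.0.2.10",
 * and text around the address, which comes straight from the log, never
 * reaches the IP-typed field. Chunks with no valid dotted-quad (for example
 * "type:  5 example.com") are dropped. `destination.ips` is always written,
 * as an empty array when the field is missing or holds no IPv4 address.
 *
 * @param {object} evt - Beats event exposing Get(path) and Put(path, value).
 * @param {string} queryResultField - Dotted path of the field to parse.
 */
var extractIP4 = function(evt, queryResultField) {
  // Hoisted out of the loop; no /g flag, so there is no lastIndex state.
  // Group 1 is the address; the surrounding classes stop "1.2.3.4.5" from
  // being read as "1.2.3.4".
  var dottedQuad = /(?:^|[^0-9.])((?:\d{1,3}\.){3}\d{1,3})(?![0-9.])/;
  var isValidIPv4 = function(candidate) {
    return candidate.split('.').every(function(octet) {
      return Number(octet) <= 255;
    });
  };
  var addresses = [];
  var ips = evt.Get(queryResultField);
  if (ips != null) {
    // A non-string value (unexpected) is stringified rather than throwing
    // inside the processor chain.
    String(ips).split(';').forEach(function(chunk) {
      var match = dottedQuad.exec(chunk);
      if (match && isValidIPv4(match[1])) {
        addresses.push(match[1]);
      }
    });
  }
  evt.Put('destination.ips', addresses);
};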
// Add this after parseUtcTime, splitIps and removeEmptyEventData are defined: .Add() reads those variables when the chain is built, so placing it above them would register undefined
/**
 * Processor chain for Sysmon Event ID 22 (DNS query): parses UtcTime, renames
 * UtcTime -> @timestamp and QueryName -> destination.domain, runs splitIps to
 * fill destination.ips, then runs removeEmptyEventData.
 *
 * The names used here (processor, parseUtcTime, splitIps,
 * removeEmptyEventData) are read when the chain is built, so they must be
 * defined before this statement.
 */
var event22ConvertOpts = {
  mode: "rename",
  ignore_missing: true,
  fail_on_error: false,
  fields: [
    {from: "winlog.event_data.UtcTime", to: "@timestamp"},
    {from: "winlog.event_data.QueryName", to: "destination.domain"},
  ],
};
var event22 = new processor.Chain()
  .Add(parseUtcTime)
  .Convert(event22ConvertOpts)
  .Add(splitIps)
  .Add(removeEmptyEventData)
  .Build();
// Add this after Event ID 21
22: event22.Run, // Sysmon Event ID 22 (DNS query) -> event22 chain defined above