LaurenceJJones · November 30, 2022 13:27
diff --git a/Windows fix b/Windows fix
 onsuccess: next_stage
 filter: "evt.Parsed.program == 'windows-firewall' and evt.Parsed.message contains ' DROP TCP ' and evt.Parsed.message contains ' RECEIVE'"
 name: crowdsecurity/windows-firewall-logs
 description: "Parse windows firewall drop logs"
 grok:
  pattern: "%{TIMESTAMP_ISO8601:date} DROP TCP %{IP:src_ip} %{IP:dst_ip} %{INT:src_port} %{INT:dst_port} %{INT:size} %{WORD:flags} %{INT:tcpsyn} %{INT:tcpack} %{INT:window} - - - RECEIVE( %{INT:pid})?" 
  apply_on: message
 statics:
    - meta: service
      value: tcp
    - meta: log_type
      value: iptables_drop
    - meta: source_ip
      expression: "evt.Parsed.src_ip"
    - target: evt.StrTime
      expression: evt.Parsed.date
	onsuccess: next_stage
	filter: "evt.Parsed.program == 'windows-firewall' and evt.Parsed.message contains ' DROP TCP ' and evt.Parsed.message contains ' RECEIVE'"
	name: crowdsecurity/windows-firewall-logs
	description: "Parse windows firewall drop logs"
	grok:
	pattern: "%{TIMESTAMP_ISO8601:date} DROP TCP %{IP:src_ip} %{IP:dst_ip} %{INT:src_port} %{INT:dst_port} %{INT:size} %{WORD:flags} %{INT:tcpsyn} %{INT:tcpack} %{INT:window} - - - RECEIVE( %{INT:pid})?"
	apply_on: message
	statics:
	- meta: service
	value: tcp
	- meta: log_type
	value: iptables_drop
	- meta: source_ip
	expression: "evt.Parsed.src_ip"
	- target: evt.StrTime
	expression: evt.Parsed.date