Skip to content

Instantly share code, notes, and snippets.

@andrewkroh

andrewkroh/event1.json

Last active August 2, 2022 15:22
Show Gist options
  • Save andrewkroh/9e4c3bef0adf7b87f3ad6e54c3f4d89f to your computer and use it in GitHub Desktop.
Save andrewkroh/9e4c3bef0adf7b87f3ad6e54c3f4d89f to your computer and use it in GitHub Desktop.
Download ZIP
Winlogbeat - Sysmon Processing for ECS (Elastic Common Schema)
Raw
event1.json
{
"@timestamp": "2019-01-29T19:10:47.538Z",
"beat": {
"hostname": "DESKTOP",
"name": "DESKTOP",
"version": "6.3.2"
},
"event": {
"kind": "event"
},
"event_data": {
"CommandLine": "\"C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win7x64\\steamwebhelper.exe\" --type=renderer --disable-features=AsyncWheelEvents,TouchpadAndWheelScrollLatching --service-pipe-token=277FCE2F7F406947CD65BFCC15BFF95B --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --lang=en-US --log-file=\"C:\\Program Files (x86)\\Steam\\logs\\cef_log.txt\" --product-version=\"Valve Steam Client\" --webview-urls=http://localhost/*,http://steamloopback.host/*,https://steamloopback.host/*,https://localhost/* --disable-spell-checking --buildid=1546909276 --steamid=0 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --service-request-channel-token=277FCE2F7F406947CD65BFCC15BFF95B --renderer-client-id=12 --mojo-platform-channel-handle=3672 /prefetch:1",
"Company": "Valve Corporation",
"CurrentDirectory": "C:\\Program Files (x86)\\Steam\\",
"Description": "Steam Client WebHelper",
"FileVersion": "04.89.17.15",
"Hashes": "SHA1=2A304C53EC566F1BDE54A7332F16270DAF8A29F9",
"Image": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win7x64\\steamwebhelper.exe",
"IntegrityLevel": "Low",
"LogonGuid": "{5EC82B62-7CA4-5C50-0000-0020005E9B99}",
"LogonId": "0x999b5e00",
"ParentCommandLine": "\"C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win7x64\\steamwebhelper.exe\" \"-lang=en_US\" \"-cachedir=C:\\Users\\jimmy\\AppData\\Local\\Steam\\htmlcache\" \"-steampid=796\" \"-buildid=1546909276\" \"-steamid=0\" \"-steamuniverse=Dev\" \"-clientui=C:\\Program Files (x86)\\Steam\\clientui\" --disable-spell-checking --disable-out-of-process-pac --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --disable-features=TouchpadAndWheelScrollLatching,AsyncWheelEvents --enable-media-stream --disable-smooth-scrolling --num-raster-threads=4 --enable-direct-write \"--log-file=C:\\Program Files (x86)\\Steam\\logs\\cef_log.txt\"",
"ParentImage": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win7x64\\steamwebhelper.exe",
"ParentProcessGuid": "{5EC82B62-7CBC-5C50-0000-00101786AA99}",
"ParentProcessId": "12180",
"ProcessGuid": "{5EC82B62-A537-5C50-0000-00102E8A8F9A}",
"ProcessId": "3752",
"Product": "Steam Client WebHelper",
"TerminalSessionId": "30",
"User": "DESKTOP\\jimmy",
"UtcTime": "2019-01-29 19:10:47.523"
},
"event_id": 1,
"hash": {
"sha1": "2a304c53ec566f1bde54a7332f16270daf8a29f9"
},
"host": {
"hostname": "DESKTOP",
"name": "DESKTOP"
},
"log": {
"level": "Information"
},
"log_name": "Microsoft-Windows-Sysmon/Operational",
"message": "Process Create:\nRuleName: \nUtcTime: 2019-01-29 19:10:47.523\nProcessGuid: {5EC82B62-A537-5C50-0000-00102E8A8F9A}\nProcessId: 3752\nImage: C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win7x64\\steamwebhelper.exe\nFileVersion: 04.89.17.15\nDescription: Steam Client WebHelper\nProduct: Steam Client WebHelper\nCompany: Valve Corporation\nCommandLine: \"C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win7x64\\steamwebhelper.exe\" --type=renderer --disable-features=AsyncWheelEvents,TouchpadAndWheelScrollLatching --service-pipe-token=277FCE2F7F406947CD65BFCC15BFF95B --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --lang=en-US --log-file=\"C:\\Program Files (x86)\\Steam\\logs\\cef_log.txt\" --product-version=\"Valve Steam Client\" --webview-urls=http://localhost/*,http://steamloopback.host/*,https://steamloopback.host/*,https://localhost/* --disable-spell-checking --buildid=1546909276 --steamid=0 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --service-request-channel-token=277FCE2F7F406947CD65BFCC15BFF95B --renderer-client-id=12 --mojo-platform-channel-handle=3672 /prefetch:1\nCurrentDirectory: C:\\Program Files (x86)\\Steam\\\nUser: DESKTOP-UV4J08C\\jimmy\nLogonGuid: {5EC82B62-7CA4-5C50-0000-0020005E9B99}\nLogonId: 0x999B5E00\nTerminalSessionId: 30\nIntegrityLevel: Low\nHashes: SHA1=2A304C53EC566F1BDE54A7332F16270DAF8A29F9\nParentProcessGuid: {5EC82B62-7CBC-5C50-0000-00101786AA99}\nParentProcessId: 12180\nParentImage: C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win7x64\\steamwebhelper.exe\nParentCommandLine: \"C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win7x64\\steamwebhelper.exe\" \"-lang=en_US\" \"-cachedir=C:\\Users\\jimmy\\AppData\\Local\\Steam\\htmlcache\" \"-steampid=796\" \"-buildid=1546909276\" \"-steamid=0\" \"-steamuniverse=Dev\" \"-clientui=C:\\Program Files (x86)\\Steam\\clientui\" --disable-spell-checking --disable-out-of-process-pac --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --disable-features=TouchpadAndWheelScrollLatching,AsyncWheelEvents --enable-media-stream --disable-smooth-scrolling --num-raster-threads=4 --enable-direct-write \"--log-file=C:\\Program Files (x86)\\Steam\\logs\\cef_log.txt\"",
"opcode": "Info",
"process": {
"args": [
"C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win7x64\\steamwebhelper.exe",
"--type=renderer",
"--disable-features=AsyncWheelEvents,TouchpadAndWheelScrollLatching",
"--service-pipe-token=277FCE2F7F406947CD65BFCC15BFF95B",
"--enable-blink-features=ResizeObserver,Worklet,AudioWorklet",
"--lang=en-US",
"C:\\Program Files (x86)\\Steam\\logs\\cef_log.txt",
"Valve Steam Client",
"--webview-urls=http://localhost/*,http://steamloopback.host/*,https://steamloopback.host/*,https://localhost/*",
"--disable-spell-checking",
"--buildid=1546909276",
"--steamid=0",
"--device-scale-factor=1",
"--num-raster-threads=4",
"--enable-main-frame-before-activation",
"--service-request-channel-token=277FCE2F7F406947CD65BFCC15BFF95B",
"--renderer-client-id=12",
"--mojo-platform-channel-handle=3672",
"/prefetch:1"
],
"executable": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win7x64\\steamwebhelper.exe",
"guid": "{5EC82B62-A537-5C50-0000-00102E8A8F9A}",
"name": "steamwebhelper.exe",
"parent": {
"args": [
"C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win7x64\\steamwebhelper.exe",
"-lang=en_US",
"-cachedir=C:\\Users\\jimmy\\AppData\\Local\\Steam\\htmlcache",
"-steampid=796",
"-buildid=1546909276",
"-steamid=0",
"-steamuniverse=Dev",
"-clientui=C:\\Program Files (x86)\\Steam\\clientui",
"--disable-spell-checking",
"--disable-out-of-process-pac",
"--enable-blink-features=ResizeObserver,Worklet,AudioWorklet",
"--disable-features=TouchpadAndWheelScrollLatching,AsyncWheelEvents",
"--enable-media-stream",
"--disable-smooth-scrolling",
"--num-raster-threads=4",
"--enable-direct-write",
"--log-file=C:\\Program Files (x86)\\Steam\\logs\\cef_log.txt"
],
"executable": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win7x64\\steamwebhelper.exe",
"guid": "{5EC82B62-7CBC-5C50-0000-00101786AA99}",
"name": "steamwebhelper.exe",
"pid": 12180
},
"pid": 3752,
"working_directory": "C:\\Program Files (x86)\\Steam\\"
},
"process_id": 4004,
"provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"record_number": "1433879",
"source_name": "Microsoft-Windows-Sysmon",
"task": "Process Create (rule: ProcessCreate)",
"thread_id": 2704,
"type": "wineventlog",
"user": {
"domain": "jimmy",
"name": "DESKTOP"
},
"version": 5
}
Raw
winlogbeat-sysmon.js
var sysmon = (function () {
var transformEvent1 = new processor.Transform([
{s: "event_data.UtcTime", d: "@timestamp", t: "date"},
{s: "event_data.ProcessGuid", d: "process.guid"},
{s: "event_data.ProcessId", d: "process.pid", t: "long"},
{s: "event_data.Image", d: "process.executable"},
{s: "event_data.CommandLine", d: "process.args"},
{s: "event_data.CurrentDirectory", d: "process.working_directory"},
{s: "event_data.ParentProcessGuid", d: "process.parent.guid"},
{s: "event_data.ParentProcessId", d: "process.parent.pid", t: "long"},
{s: "event_data.ParentImage", d: "process.parent.executable"},
{s: "event_data.ParentCommandLine", d: "process.parent.args"},
]).run;
var transformEvent2 = new processor.Transform([
{s: "event_data.UtcTime", d: "@timestamp", t: "date"},
{s: "event_data.ProcessGuid", d: "process.guid"},
{s: "event_data.ProcessId", d: "process.pid", t: "long"},
{s: "event_data.Image", d: "process.executable"},
{s: "event_data.TargetFilename", d: "file.path"},
]).run;
var transformEvent3 = new processor.Transform([
{s: "event_data.UtcTime", d: "@timestamp", t: "date"},
{s: "event_data.ProcessGuid", d: "process.guid"},
{s: "event_data.ProcessId", d: "process.pid", t: "long"},
{s: "event_data.Image", d: "process.executable"},
{s: "event_data.Protocol", d: "network.transport"},
{s: "event_data.SourceIp", d: "source.ip"},
{s: "event_data.SourceHostname", d: "source.domain"},
{s: "event_data.SourcePort", d: "source.port", t: "long"},
{s: "event_data.DestinationIp", d: "destination.ip"},
{s: "event_data.DestinationHostname", d: "destination.domain"},
{s: "event_data.DestinationPort", d: "destination.port", t: "long"},
{s: "event_data.DestinationPortName", d: "network.protocol"},
]).run;
var transformEvent4 = new processor.Transform([
{s: "event_data.UtcTime", d: "@timestamp", t: "date"},
]).run;
var transformEvent5 = new processor.Transform([
{s: "event_data.UtcTime", d: "@timestamp", t: "date"},
{s: "event_data.ProcessGuid", d: "process.guid"},
{s: "event_data.ProcessId", d: "process.pid", t: "long"},
{s: "event_data.Image", d: "process.executable"},
]).run;
var transformEvent6 = new processor.Transform([
{s: "event_data.UtcTime", d: "@timestamp", t: "date"},
{s: "event_data.ImageLoaded", d: "file.path"},
]).run;
var transformEvent7 = new processor.Transform([
{s: "event_data.UtcTime", d: "@timestamp", t: "date"},
{s: "event_data.ProcessGuid", d: "process.guid"},
{s: "event_data.ProcessId", d: "process.pid", t: "long"},
{s: "event_data.Image", d: "process.executable"},
{s: "event_data.ImageLoaded", d: "file.path"},
]).run;
var transformEvent8 = new processor.Transform([
{s: "event_data.UtcTime", d: "@timestamp", t: "date"},
{s: "event_data.SourceProcessGuid", d: "process.guid"},
{s: "event_data.SourceProcessId", d: "process.pid", t: "long"},
{s: "event_data.SourceImage", d: "process.executable"},
]).run;
var transformEvent9 = new processor.Transform([
{s: "event_data.UtcTime", d: "@timestamp", t: "date"},
{s: "event_data.ProcessGuid", d: "process.guid"},
{s: "event_data.ProcessId", d: "process.pid", t: "long"},
{s: "event_data.Image", d: "process.executable"},
{s: "event_data.Device", d: "file.path"},
]).run;
var transformEvent10 = new processor.Transform([
{s: "event_data.UtcTime", d: "@timestamp", t: "date"},
{s: "event_data.SourceProcessGUID", d: "process.guid"},
{s: "event_data.SourceProcessId", d: "process.pid", t: "long"},
{s: "event_data.SourceThreadId", d: "process.thread.id", t: "long"},
{s: "event_data.SourceImage", d: "process.executable"},
]).run;
var transformEvent11 = new processor.Transform([
{s: "event_data.UtcTime", d: "@timestamp", t: "date"},
{s: "event_data.ProcessGuid", d: "process.guid"},
{s: "event_data.ProcessId", d: "process.pid", t: "long"},
{s: "event_data.Image", d: "process.executable"},
{s: "event_data.TargetFilename", d: "file.path"},
]).run;
var transformEvent12 = new processor.Transform([
{s: "event_data.UtcTime", d: "@timestamp", t: "date"},
{s: "event_data.ProcessGuid", d: "process.guid"},
{s: "event_data.ProcessId", d: "process.pid", t: "long"},
{s: "event_data.Image", d: "process.executable"},
]).run;
var transformEvent13 = new processor.Transform([
{s: "event_data.UtcTime", d: "@timestamp", t: "date"},
{s: "event_data.ProcessGuid", d: "process.guid"},
{s: "event_data.ProcessId", d: "process.pid", t: "long"},
{s: "event_data.Image", d: "process.executable"},
]).run;
var transformEvent14 = new processor.Transform([
{s: "event_data.UtcTime", d: "@timestamp", t: "date"},
{s: "event_data.ProcessGuid", d: "process.guid"},
{s: "event_data.ProcessId", d: "process.pid", t: "long"},
{s: "event_data.Image", d: "process.executable"},
]).run;
var transformEvent15 = new processor.Transform([
{s: "event_data.UtcTime", d: "@timestamp", t: "date"},
{s: "event_data.ProcessGuid", d: "process.guid"},
{s: "event_data.ProcessId", d: "process.pid", t: "long"},
{s: "event_data.Image", d: "process.executable"},
{s: "event_data.TargetFilename", d: "file.path"},
]).run;
var transformEvent16 = new processor.Transform([
{s: "event_data.UtcTime", d: "@timestamp", t: "date"},
]).run;
var transformEvent17 = new processor.Transform([
{s: "event_data.UtcTime", d: "@timestamp", t: "date"},
{s: "event_data.ProcessGuid", d: "process.guid"},
{s: "event_data.ProcessId", d: "process.pid", t: "long"},
{s: "event_data.PipeName", d: "file.name"},
{s: "event_data.Image", d: "process.executable"},
]).run;
var transformEvent18 = new processor.Transform([
{s: "event_data.UtcTime", d: "@timestamp", t: "date"},
{s: "event_data.ProcessGuid", d: "process.guid"},
{s: "event_data.ProcessId", d: "process.pid", t: "long"},
{s: "event_data.PipeName", d: "file.name"},
{s: "event_data.Image", d: "process.executable"},
]).run;
var transformEvent19 = new processor.Transform([
{s: "event_data.UtcTime", d: "@timestamp", t: "date"},
]).run;
var transformEvent20 = new processor.Transform([
{s: "event_data.UtcTime", d: "@timestamp", t: "date"},
{s: "event_data.Destination", d: "process.executable"},
]).run;
var transformEvent21 = new processor.Transform([
{s: "event_data.UtcTime", d: "@timestamp", t: "date"},
]).run;
var transformEvent255 = new processor.Transform([
{s: "event_data.UtcTime", d: "@timestamp", t: "date"},
{s: "event_data.ID", d: "error.code"},
]).run;
var addHashes = function(evt, key) {
var hashes = evt.get(key);
hashes.split(",").forEach(function(hash){
var parts = hash.split("=");
if (parts.length !== 2) {
return;
}
var key = parts[0].toLowerCase();
var value = parts[1].toLowerCase();
evt.put("hash."+key, value);
});
};
var addNetworkDirection = function(evt) {
switch (evt.get("event_data.Initiated")) {
case "true":
evt.put("network.direction", "outbound");
break;
case "false":
evt.put("network.direction", "inbound");
break;
}
};
var addNetworkType = function(evt) {
switch (evt.get("event_data.SourceIsIpv6")) {
case "true":
evt.put("network.type", "ipv6");
break;
case "false":
evt.put("network.type", "ipv4");
break;
}
};
var addProcessNameFromPath = function(evt, nameField, exeField) {
var name = evt.get(nameField);
if (name) {
return;
}
var exe = evt.get(exeField);
evt.put(nameField, filepath.base(exe, "windows"));
};
var addUser = function(evt) {
var userParts = evt.get("event_data.User").split("\\");
if (userParts.length === 2) {
evt.delete("user");
evt.put("user.name", userParts[0]);
evt.put("user.domain", userParts[1]);
}
};
var splitProcessArgs = function(evt, argsField) {
var commandLine = evt.get(argsField);
if (!commandLine) {
return;
}
evt.put(argsField, textutil.splitCommandLine(commandLine));
};
return {
// Event ID 1 - Process Create.
1: function(evt) {
transformEvent1();
addProcessNameFromPath(evt, "process.name", "process.executable");
splitProcessArgs(evt, "process.args");
addUser(evt);
addHashes(evt, "event_data.Hashes");
addProcessNameFromPath(evt, "process.parent.name", "process.parent.executable");
splitProcessArgs(evt, "process.parent.args");
},
// Event ID 2 - File creation time changed.
2: function(evt) {
transformEvent2();
addProcessNameFromPath(evt, "process.name", "process.executable");
},
// Event ID 3 - Network connection detected.
3: function(evt) {
transformEvent3();
addProcessNameFromPath(evt, "process.name", "process.executable");
addUser(evt);
addNetworkDirection(evt);
addNetworkType(evt);
},
// Event ID 4 - Sysmon service state changed.
4: function(evt) {
transformEvent4();
},
// Event ID 5 - Process terminated.
5: function(evt) {
transformEvent5();
addProcessNameFromPath(evt, "process.name", "process.executable");
},
// Event ID 6 - Driver loaded.
6: function(evt) {
transformEvent6();
addHashes(evt, "event_data.Hashes");
},
// Event ID 7 - Image loaded.
7: function(evt) {
transformEvent7();
addProcessNameFromPath(evt, "process.name", "process.executable");
addHashes(evt, "event_data.Hashes");
},
// Event ID 8 - CreateRemoteThread detected.
8: function(evt) {
transformEvent8();
addProcessNameFromPath(evt, "process.name", "process.executable");
},
// Event ID 9 - RawAccessRead detected.
9: function(evt) {
transformEvent9();
addProcessNameFromPath(evt, "process.name", "process.executable");
},
// Event ID 10 - Process accessed.
10: function(evt) {
transformEvent10();
addProcessNameFromPath(evt, "process.name", "process.executable");
},
// Event ID 11 - File created.
11: function(evt) {
transformEvent11();
addProcessNameFromPath(evt, "process.name", "process.executable");
},
// Event ID 12 - Registry object added or deleted.
12: function(evt) {
transformEvent12();
addProcessNameFromPath(evt, "process.name", "process.executable");
},
// Event ID 13 - Registry value set.
13: function(evt) {
transformEvent13();
addProcessNameFromPath(evt, "process.name", "process.executable");
},
// Event ID 14 - Registry object renamed.
14: function(evt) {
transformEvent14();
addProcessNameFromPath(evt, "process.name", "process.executable");
},
// Event ID 15 - File stream created.
15: function(evt) {
transformEvent15();
addProcessNameFromPath(evt, "process.name", "process.executable");
addHashes(evt, "event_data.Hash");
},
// Event ID 16 - Sysmon config state changed.
16: function(evt) {
transformEvent16();
},
// Event ID 17 - Pipe Created.
17: function(evt) {
transformEvent17();
addProcessNameFromPath(evt, "process.name", "process.executable");
},
// Event ID 18 - Pipe Connected.
18: function(evt) {
transformEvent18();
addProcessNameFromPath(evt, "process.name", "process.executable");
},
// Event ID 19 - WmiEventFilter activity detected.
19: function(evt) {
transformEvent19();
addUser(evt);
},
// Event ID 20 - WmiEventConsumer activity detected.
20: function(evt) {
transformEvent20();
addUser(evt);
addProcessNameFromPath(evt, "process.name", "process.executable");
},
// Event ID 21 - WmiEventConsumerToFilter activity detected.
21: function(evt) {
transformEvent21();
addUser(evt);
},
// Event ID 255 - Error report.
255: function(evt) {
transformEvent255();
},
process: function(evt) {
var event_id = evt.get("event_id");
var processor= this[event_id];
if (processor === undefined) {
throw "unexpected sysmon event_id";
}
processor(evt);
},
};
})();
function processCommon(evt) {
evt.rename("computer_name", "host.hostname");
evt.put("event.kind", "event");
evt.rename("level", "log.level");
}
function process(evt) {
processCommon(evt);
switch (evt.fields.log_name) {
case "Microsoft-Windows-Sysmon/Operational":
sysmon.process(evt);
break;
}
}
Raw
winlogbeat.yml
winlogbeat.event_logs:
- name: - name: Microsoft-Windows-Sysmon/Operational
processors:
- script:
when.equals.type: wineventlog
type: javascript
file: pipelines/winlogbeat*.js
output.elasticsearch.hosts:
- "http://localhost:9200"
@james-mchugh
Copy link

I know this is a bit late, but can you please provide some context behind this gist? I am interested in doing sysmon to ECS mapping through filebeat. I would use winlogbeat, but I do not have access to the machine generating the logs. Is this doing the mapping on an ES ingest node? If so, could this same mapping be done within a filebeat config? I have tried to do so, but I was unable to import the processor via require('processor'). I am assuming this is because the processor package is only available to ES ingest nodes.

@andrewkroh
Copy link
Author

This was an early demo example.

This pipeline is now the Sysmon module in Winlogbeat. https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-modules.html

This is executed by the script processor present in Beats.

@james-mchugh
Copy link

Thanks for the quick response. I managed to get it working (well, it loads the module) by converting the processor.Transform instances to processor.Convert. I will take a look at the winlogbeat sysmon module and see if I can use that instead. Thank you again!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment