Comments (3)
zschmerber
commented on June 30, 2024
another option would be to add a keys to the EventData{} values.
from kinesis-agent-windows.
zschmerber
commented on June 30, 2024
"EventData": [{ "BinaryLength": 12, "AccountDomainSid": null, "Value": "S-1-1-1-1" }, "Admin$", "somecompany", 999, 7272, "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "%%1936", 832, "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding", { "BinaryLength": 12, "AccountDomainSid": null, "Value": "S-1-1-1" }, "me$", "somecompany", 996, "C:\\Windows\\System32\\svchost.exe", { "BinaryLength": 12, "AccountDomainSid": null, "Value": "1-1-1-1-11" }],
currently event data looks like this and has Values but no keys to identify the data. Is there an easy way to attach the keys ?
from kinesis-agent-windows.
zschmerber
commented on June 30, 2024
This seems to be the only way i can figure out how to extract the KV pairs from the data. There must be a better way.
`{
"Sources": [
{
"Id": "SecurityLog",
"SourceType": "WindowsEventLogSource",
"IncludeEventData": "true",
"LogName": "Security",
"CustomFilters": "ExcludeOwnSecurityEvents"
},
{
"Id": "SysmonSecurityLog",
"SourceType": "WindowsEventLogSource",
"IncludeEventData": "true",
"LogName": "Microsoft-Windows-Sysmon/Operational"
}
],
"Sinks": [
{
"Id": "KinesisStream",
"SinkType": "KinesisStream",
"StreamName": "prod-logs",
"Region": "us-west-2",
"ObjectDecorationEx": "Creator.Security ID={regexp_extract(_record, '\r\n\r\nCreator Subject:\r\n\tSecurity ID:\t\t(.+)\r',1)};Creator.Account Domain={regexp_extract(_record, '\r\n\r\nCreator Subject:\r\n\tSecurity ID:\t\t.+\r\n\tAccount Name:\t\t.+\r\n\tAccount Domain:\t\t(.+)\r',1)};Creator.Account Name={regexp_extract(_record, '\r\n\r\nCreator Subject:\r\n\tSecurity ID:\t\t.+\r\n\tAccount Name:\t\t(.+)\r',1)};Subject.Security ID={regexp_extract(_record, '\r\n\r\nSubject:\r\n\tSecurity ID:\t\t(.+)\r',1)};Subject.Security ID={regexp_extract(_record, '\r\n\r\nSubject :\r\n\tSecurity ID:\t\t(.+)\r',1)};Subject.Account Name={regexp_extract(_record, '\r\n\r\nSubject:\r\n\tSecurity ID:\t\t.+\r\n\tAccount Name:\t\t(.+)\r',1)};Subject.Account Name={regexp_extract(_record, '\r\n\r\nSubject :\r\n\tSecurity ID:\t\t.+\r\n\tAccount Name:\t\t(.+)\r',1)};Subject.Account Domain={regexp_extract(_record, '\r\n\r\nSubject:\r\n\tSecurity ID:\t\t.+\r\n\tAccount Name:\t\t.+\r\n\tAccount Domain:\t\t(.+)\r',1)};Subject.Account Domain={regexp_extract(_record, '\r\n\r\nSubject :\r\n\tSecurity ID:\t\t.+\r\n\tAccount Name:\t\t.+\r\n\tAccount Domain:\t\t(.+)\r',1)};Target.Security ID={regexp_extract(_record, '\r\n\r\nTarget Subject:\r\n\tSecurity ID:\t\t(.+)\r',1)};Target.Account Name={regexp_extract(_record, '\r\n\r\nTarget Subject:\r\n\tSecurity ID:\t\t.\r\n\tAccount Name:\t\t(.+)\r',1)};Target.Account Name={regexp_extract(_record, '\r\n\r\nAccount Whose Credentials Were Used:\r\n\tAccount Name:\t\t(.+)\r',1)};Target.Account Name={regexp_extract(_record, '\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\t.\r\n\tAccount Name:\t\t(.+)\r',1)};Target.Account Domain={regexp_extract(_record, '\r\n\r\nTarget Subject:\r\n\tSecurity ID:\t\t.+\r\n\tAccount Name:\t\t.+\r\n\tAccount Domain:\t\t(.+)\r',1)}",
"Format": "json",
}
],
"Pipes": [
{
"Id": "SecurityLogToKinesisStream",
"SourceRef": "SecurityLog",
"SinkRef": "KinesisStream"
},
{
"Id": "SysmonLogToKinesisStream",
"SourceRef": "SysmonSecurityLog",
"SinkRef": "KinesisStream"
}
],
"Telemetrics": {
"off": "true"
}
}
from kinesis-agent-windows.
Related Issues (20)
- Can we get a regular EXE to install the agent? HOT 9
- FileSystemWatcher in DirectorySource reliability? HOT 4
- Any plans to switch to .NET Core? HOT 5
- Can't Install the Agent HOT 12
- Update NLog to latest version, instead of BETA HOT 1
- WindowsEventLogSource Suppress Path supported HOT 1
- Amazon.KinesisFirehose.AmazonKinesisFirehoseException: Signature expired HOT 3
- Windows Sysmon Source Declarations HOT 2
- TimeStamp exception in valid timestamp HOT 15
- When build is executed nuget.exe is not found HOT 2
- Kinesis agent file deletion access HOT 2
- Kinesis agent moving files after processing (new feature?) HOT 1
- Is it possible that kinesis agent send to the wrong region? HOT 2
- Feature Request: Add Support for Configurable Log Group Retention HOT 1
- The support encoding of 'Sources' is too narrow. HOT 2
- WindowsETWEventSource does not include TraceEvent.ID
- PartitionKey per Source
- Unable to connect source and sink HOT 2
- Unable to use KTAP Agent Memory Metrics with AWS Compute Optimizer HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from kinesis-agent-windows.