From 2a09fbd1e9710b1cb4c37846a111b92ffb58369d Mon Sep 17 00:00:00 2001 From: Alex Dworjan Date: Tue, 17 Oct 2023 08:00:10 -0400 Subject: [PATCH] added extra event ID for malicious content review
---
 .ansible-sign/sha256sum.txt | 2 +- .ansible-sign/sha256sum.txt.sig | 22 ++++++++++---------- roles/winlogbeat/templates/winlogbeat.yml.j2 | 4 ++-- 3 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/.ansible-sign/sha256sum.txt b/.ansible-sign/sha256sum.txt
index b4c1f2d..8bffd26 100644
--- a/.ansible-sign/sha256sum.txt
+++ b/.ansible-sign/sha256sum.txt
@@ -53,7 +53,7 @@ fba914c608f1a6ccdad971355139b98f0670fc8e7d51d13dca7a6e65bdc82429 roles/snort_bu
 eec62140ff6f456fb2fd45adaa8f69866c23ca8ec124ab1abfea08bcca7dccc6 roles/winlogbeat/defaults/main.yml
 a06c3bed9503b47cfa11d61ff3609dde83b4599b522160f5e14f13088df5ebaf roles/winlogbeat/handlers/main.yml
 9780c8e92510aba03fff312c5cc461d8f1b866b269311e16628da76a95bfbafb roles/winlogbeat/tasks/main.yml
-e660b5b443d6d5eb425109179d47772f67c9127925888cb5b7e09ada2112b652 roles/winlogbeat/templates/winlogbeat.yml.j2
+862d892300d6fa0c92d6272448c9ebfbb11087845d2d05b9f43d27041a4d05ba roles/winlogbeat/templates/winlogbeat.yml.j2
 f15fd50d2ee1d7cd5043153a707948b5897de8b1a544b226b33d493f4fe98f95 snortbuildconfig.yml
 117d2f3e9d48d0d59d5dcfca9c9829295c1039c7204784c68978778db75e288a templates/cpu-rules.yml.j2
 ff3bc0d052a72eb88bf093b9a2b9f31946032ab78dc7c4c742017f161f38763f templates/disk-rules.yml.j2
diff --git a/.ansible-sign/sha256sum.txt.sig b/.ansible-sign/sha256sum.txt.sig
index 64225d9..0ee09dc 100644
--- a/.ansible-sign/sha256sum.txt.sig
+++ b/.ansible-sign/sha256sum.txt.sig
@@ -1,14 +1,14 @@
 -----BEGIN PGP SIGNATURE-----
-iQGzBAABCAAdFiEE/bJvyFHKKJdaZDOLTiIiIXrUDNEFAmUtrp8ACgkQTiIiIXrU
-DNGeiwv/WssO6HnFNJ0kq009L6znhC+7RrLfVG9BKj6ZFYWLL9UIULaDfUoWsnsC
-rjjhs6sEHhF0apm7AE+MgiMTsVEtbCLv7gktf2Q8B21yqhp9qUB6AXzRXT8uQ0IX
-d/uevuVEe2BInI/QaWJeuOeXWRismwmsqLlv0H8uVrF645KSuzpu6QBrH2BrHQhR
-S5I5+XBIS/PAWaAl8COxIylNo/SAzOG4jdd1Rg9TXW8b5eRJ+cGoHjkF6M6cse3U
-8Ew/swkm6/IoxYkcNzAaGHmxIBdlHisEBgeVmbCkTgN2sSkCpRT++R8hboBMzNkQ
-xSMeomnYNwugGFJlXVsgxCxP3J4wehtrAPPWjZ2c29iLFmnZ5qOJ/QaI2QI++0sw
-1COPU4P4CJTIw7QRHaRGZYz+I6K5S0SUtdfVtkjZtQXUWEf4NkjUJvHBwgKMj2VS
-tyxOxG5qb4L79qL9UtXde6m7vUV6RnrTJrzGZPCqoRTDFarjllmLniQNWAStHTB/
-UvsTDWJC
-=EYzE
+iQGzBAABCAAdFiEE/bJvyFHKKJdaZDOLTiIiIXrUDNEFAmUudz8ACgkQTiIiIXrU
+DNFx5Qv+NjhzzV8iEp32OVUbPjkeC+dcaaSXFAAiEvsqaFn5Hja/kIUy0DFlM4WU
+/mcoIPWAvHv9n4j4yTZ5mInaI668nxQ/+vH0MiiO9iZmQDcNt9GLVZ59MqgmeXBF
+ZPm+gw6pvmzvb86VQPIM4HtlTbzJ5pEFd5VEXOfB+VSS2SbzG/xyEm3Dk1hN42sO
+fXrJ6LdRQIO8SgvBf3+CX5tds0/7f8A1bCOsxw2kshUTH9PSlD7xxU2GV2DJfQUZ
+Qzkhh9MJvLBgRN2Ug58DGSm/JUp4XvcM3/3So2F4gF79XiU2dTIt3QlgfpCJ8Ho0
+3xViG7JssS/nevtO2aGQPc1aQiKfmOrbY2f+QuxZKGz1/FzlMTDgmiV8x2SwjA54
+H2aE4f4z3ol3cCioJHfIxxEb65jjr/I12gMFIjILpJU0HXXN8i8yJFR8MxWDwOP7
+C1+1LclejsQWpeVRBPFlASuBABjodBo/fv5EnI64fEqFMquBKh8VH/iFJSyorbNz
+n5vOMEz8
+=DZdl
 -----END PGP SIGNATURE-----
diff --git a/roles/winlogbeat/templates/winlogbeat.yml.j2 b/roles/winlogbeat/templates/winlogbeat.yml.j2
index 6ff05dd..e97301d 100644
--- a/roles/winlogbeat/templates/winlogbeat.yml.j2
+++ b/roles/winlogbeat/templates/winlogbeat.yml.j2
@@ -18,10 +18,10 @@ winlogbeat.event_logs:
 - name: Microsoft-Windows-Sysmon/Operational
 - name: Windows PowerShell
- event_id: 400, 403, 600, 800
+ event_id: 200, 400, 403, 500, 501, 600, 800
 - name: Microsoft-Windows-PowerShell/Operational
- event_id: 4103, 4104, 4105, 4106
+ event_id: 4100, 4103, 4104, 4105, 4106
 - name: ForwardedEvents
 tags: [forwarded]
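Review bot: The 500 and 501 IDs added to the `Windows PowerShell` entry are command-lifecycle events that, as far as I know, are only written when `$LogCommandLifecycleEvent = $true` is set on the host (typically via a profile); nothing in this hunk or the other files in the diffstat enables that, so unless it is handled elsewhere in the role these IDs will match nothing and the "malicious content review" coverage the commit aims for will be silently missing. The same source-side dependency applies to the pre-existing 4103/4104 (module and script-block logging policy), and 4100 is the pipeline-error event, so volume may rise on noisy hosts. Since the selection is now non-obvious, a comment above each list would help the next operator, e.g. `# 200 = command health (warnings/errors); 500/501 = command lifecycle, requires $LogCommandLifecycleEvent = $true on the host` and `# 4100 = pipeline errors; 4103/4104 depend on module / script block logging being enabled`. The enclosing `winlogbeat.event_logs` list starts before this hunk.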