Cyb3rWard0g · inzlain · May 1, 2019 · May 1, 2019 · May 1, 2019 · May 1, 2019
diff --git a/docker/helk-kibana/scripts/kibana-setup.sh b/docker/helk-kibana/scripts/kibana-setup.sh
@@ -35,7 +35,7 @@ done
 # ******** Set Trial License Variables ***************
 if [[ -n "$ELASTICSEARCH_PASSWORD" ]] && [[ -n "$ELASTICSEARCH_USERNAME" ]]; then
   # *********** Creating Kibana index-patterns ***************
-  declare -a index_patterns=("logs-endpoint-*" "logs-*" "logs-endpoint-winevent-sysmon-*" "logs-endpoint-winevent-security-*" "logs-endpoint-winevent-system-*" "logs-endpoint-winevent-application-*" "logs-endpoint-winevent-wmiactivity-*" "logs-endpoint-winevent-powershell-*" "mitre-attack-*" "elastalert_status" "elastalert_status_status" "elastalert_status_error" "elastalert_status_silence" "elastalert_status_past" "sysmon-join-*")
+  declare -a index_patterns=("logs-endpoint-*" "logs-*" "logs-endpoint-winevent-sysmon-*" "logs-endpoint-winevent-security-*" "logs-endpoint-winevent-system-*" "logs-endpoint-winevent-application-*" "logs-endpoint-winevent-wmiactivity-*" "logs-endpoint-winevent-defender-*" "logs-endpoint-winevent-powershell-*" "mitre-attack-*" "elastalert_status" "elastalert_status_status" "elastalert_status_error" "elastalert_status_silence" "elastalert_status_past" "sysmon-join-*")
   echo "[HELK-KIBANA-DOCKER-INSTALLATION-INFO] Creating Kibana Index Patterns..."
   for index in ${!index_patterns[@]}; do
       echo "[++++++] creating kibana index ${index_patterns[${index}]}"
@@ -116,7 +116,7 @@ if [[ -n "$ELASTICSEARCH_PASSWORD" ]] && [[ -n "$ELASTICSEARCH_USERNAME" ]]; the
   '
 else
   # *********** Creating Kibana index-patterns ***************
-  declare -a index_patterns=("logs-endpoint-*" "logs-*" "logs-endpoint-winevent-sysmon-*" "logs-endpoint-winevent-security-*" "logs-endpoint-winevent-system-*" "logs-endpoint-winevent-application-*" "logs-endpoint-winevent-wmiactivity-*" "logs-endpoint-winevent-powershell-*" "mitre-attack-*" "elastalert_status" "elastalert_status_status" "elastalert_status_error" "elastalert_status_silence" "elastalert_status_past" "sysmon-join-*")
+  declare -a index_patterns=("logs-endpoint-*" "logs-*" "logs-endpoint-winevent-sysmon-*" "logs-endpoint-winevent-security-*" "logs-endpoint-winevent-system-*" "logs-endpoint-winevent-application-*" "logs-endpoint-winevent-wmiactivity-*" "logs-endpoint-winevent-defender-*" "logs-endpoint-winevent-powershell-*" "mitre-attack-*" "elastalert_status" "elastalert_status_status" "elastalert_status_error" "elastalert_status_silence" "elastalert_status_past" "sysmon-join-*")
 
   echo "[+++] Creating Kibana Index Patterns..."
   for index in ${!index_patterns[@]}; do
@@ -159,4 +159,4 @@ else
           sleep 1
       done
   done
-fi
+fi
diff --git a/docker/helk-logstash/output_templates/60-winevent-defender-template.json b/docker/helk-logstash/output_templates/60-winevent-defender-template.json
@@ -0,0 +1,51 @@
+{
+  "order": 60,
+  "index_patterns": [ "logs-endpoint-winevent-defender-*" ],
+  "version": 2019050101,
+  "mappings":{
+    "doc":{
+      "properties":{
+        "defender_action_id":{"type":"keyword"},
+        "defender_action_name":{"type":"keyword"},
+        "defender_additional_actions":{"type":"keyword"},
+        "defender_additional_actions_id":{"type":"keyword"},
+        "defender_additional_actions_string": { "type": "text", "norms": false, "analyzer": "standard", "fields": { "keyword": { "type": "keyword" } } },
+        "defender_category_description":{"type":"keyword"},
+        "defender_category_id":{"type":"keyword"},
+        "defender_category_name":{"type":"keyword"},
+        "defender_configuration":{"type":"keyword"},
+        "defender_detection_id":{"type":"keyword"},
+        "defender_detection_time":{"type":"date"},
+        "defender_engine_version":{"type":"keyword"},
+        "defender_error_code":{"type":"keyword"},
+        "defender_error_description": { "type": "text", "norms": false, "analyzer": "standard", "fields": { "keyword": { "type": "keyword" } } },
+        "defender_execution_id":{"type":"keyword"},
+        "defender_execution_name":{"type":"keyword"},
+        "defender_feature_id":{"type":"keyword"},
+        "defender_feature_name":{"type":"keyword"},
+        "defender_fwlink":{"type":"keyword"},
+        "defender_origin_id":{"type":"keyword"},
+        "defender_origin_name":{"type":"keyword"},
+        "defender_platform_version":{"type":"keyword"},
+        "defender_post_clean_status":{"type":"keyword"},
+        "defender_pre_execution_status":{"type":"keyword"},
+        "defender_product_name":{"type":"keyword"},
+        "defender_product_version":{"type":"keyword"},
+        "defender_remediation_user":{"type":"keyword"},
+        "defender_severity_id":{"type":"keyword"},
+        "defender_severity_name":{"type":"keyword"},
+        "defender_signature_version":{"type":"keyword"},
+        "defender_source_id":{"type":"keyword"},
+        "defender_source_name":{"type":"keyword"},
+        "defender_state":{"type":"keyword"},
+        "defender_status_code":{"type":"keyword"},
+        "defender_status_description":{"type":"keyword"},
+        "defender_threat_id":{"type":"keyword"},
+        "defender_threat_name": { "type": "text", "norms": false, "analyzer": "standard", "fields": { "keyword": { "type": "keyword" } } },
+        "defender_threat_name_trojan": { "type": "text", "norms": false, "analyzer": "standard", "fields": { "keyword": { "type": "keyword" } } },
+        "defender_type_id":{"type":"keyword"},
+        "defender_type_name":{"type":"keyword"}
+      }
+    }
+  }
+}
diff --git a/docker/helk-logstash/pipeline/1536-winevent-defender-filter.conf b/docker/helk-logstash/pipeline/1536-winevent-defender-filter.conf
@@ -0,0 +1,178 @@
+# HELK Windows Defender filter file
+# HELK build Stage: Alpha
+# Author: Alain Homewood (@inzlain)
+# License: GPL-3.0
+
+filter {
+  if [log_name] == "Microsoft-Windows-Windows Defender/Operational" {
+    mutate { add_field => { "z_logstash_pipeline" => "1536" } }
+    # Generic fields common accross many Defender event IDs
+    mutate {
+      rename => {
+        "computer_name" => "host_name"
+        "Engine Version" => "defender_engine_version"
+        "Error Code" => "defender_error_code"
+        "Error Description" => "defender_error_description"
+        "Platform Version" => "defender_platform_version"
+        "Product Name" => "defender_product_name"
+        "Product Version" => "defender_product_version"
+        "Signature Version" => "defender_signature_version"
+      }
+    }
+
+    # Event ID 1000: MALWAREPROTECTION_SCAN_STARTED
+    # Event ID 1001: MALWAREPROTECTION_SCAN_COMPLETED
+    # Event ID 1002: MALWAREPROTECTION_SCAN_CANCELLED
+    # Event ID 1003: MALWAREPROTECTION_SCAN_PAUSED
+    # Event ID 1004: MALWAREPROTECTION_SCAN_RESUMED
+    # Event ID 1005: MALWAREPROTECTION_SCAN_FAILED
+    # Event ID 1006: MALWAREPROTECTION_MALWARE_DETECTED
+    # Event ID 1007: MALWAREPROTECTION_MALWARE_ACTION_TAKEN
+    # Event ID 1008: MALWAREPROTECTION_MALWARE_ACTION_FAILED
+    # Event ID 1009: MALWAREPROTECTION_QUARANTINE_RESTORE
+    # Event ID 1010: MALWAREPROTECTION_QUARANTINE_RESTORE_FAILED
+    # Event ID 1011: MALWAREPROTECTION_QUARANTINE_DELETE
+    # Event ID 1012: MALWAREPROTECTION_QUARANTINE_DELETE_FAILED
+    # Event ID 1013: MALWAREPROTECTION_MALWARE_HISTORY_DELETE
+    # Event ID 1014: MALWAREPROTECTION_MALWARE_HISTORY_DELETE_FAILED
+    # Event ID 1015: MALWAREPROTECTION_BEHAVIOR_DETECTED
+    # Not implemented
+
+    # Event ID 1116: MALWAREPROTECTION_STATE_MALWARE_DETECTED
+    # Event ID 1117: MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN
+    if [event_id] == 1116 or [event_id] == 1117 {
+      mutate { add_field => { "z_logstash_pipeline" => "1536_1" } }
+      mutate {
+        # Future Improvements:
+        # 1. Path can contain multiple items seperated by semicolons - these could be split out into invidiual items
+        # 2. Path can contain command lines or AMSI references instead of file path - this should be parsed properly for things that aren't file paths
+        rename => {
+          "Action ID" => "defender_action_id"
+          "Action Name" => "defender_action_name"
+          "Additional Actions ID" => "defender_additional_actions_id"
+          "Additional Actions String" => "defender_additional_actions_string"
+          "Additional Actions" => "defender_additional_actions"
+          "Category Description" => "defender_category_description"
+          "Category ID" => "defender_category_id"
+          "Category Name" => "defender_category_name"
+          "Detection ID" => "defender_detection_id"
+          "Detection Time" => "defender_detection_time"
+          "Execution ID" => "defender_execution_id"
+          "Execution Name" => "defender_execution_name"
+          "FWLink" => "defender_fwlink"
+          "Origin ID" => "defender_origin_id"
+          "Origin Name" => "defender_origin_name"
+          "Path" => "file_path"
+          "Post Clean Status" => "defender_post_clean_status"
+          "Pre Execution Status" => "defender_pre_execution_status"
+          "Process Name" => "process_name"
+          "Remediation User" => "defender_remediation_user"
+          "Severity ID" => "defender_severity_id"
+          "Severity Name" => "defender_severity_name"
+          "Source ID" => "defender_source_id"
+          "Source Name" => "defender_source_name"
+          "State" => "defender_state"
+          "Status Code" => "defender_status_code"
+          "Status Description" => "defender_status_description"
+          "Threat ID" => "defender_threat_id"    
+          "Threat Name Trojan" => "defender_threat_name_trojan"
+          "Threat Name" => "defender_threat_name"
+          "Type ID" => "defender_type_id"
+          "Type Name" => "defender_type_name"
+        }
+      }
+      if [Detection User] {  
+        grok {
+          match => { "Detection User" => "%{GREEDYDATA:user_domain}\\%{GREEDYDATA:user_name}" }
+          remove_field => [ "Detection User" ]
+          tag_on_failure => [ "_User_grokparsefailure", "_grokparsefailure", "_parsefailure" ]
+        }
+      }
+    }
+
+    # Event ID 1118: MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED
+    # Event ID 1119: MALWAREPROTECTION_STATE_MALWARE_ACTION_CRITICALLY_FAILED
+    # Not implemented
+
+    # Event ID 1020: MALWAREPROTECTION_THREAT_HASH
+    # Not implemented
+
+    # Event ID 1150: MALWAREPROTECTION_SERVICE_HEALTHY
+    # Event ID 1151: MALWAREPROTECTION_SERVICE_HEALTH_REPORT
+    # Not implemented
+
+    # Event ID 2000: MALWAREPROTECTION_SIGNATURE_UPDATED
+    # Event ID 2001: MALWAREPROTECTION_SIGNATURE_UPDATE_FAILED
+    # Event ID 2002: MALWAREPROTECTION_ENGINE_UPDATED
+    # Event ID 2003: MALWAREPROTECTION_ENGINE_UPDATE_FAILED
+    # Event ID 2004: MALWAREPROTECTION_SIGNATURE_REVERSION
+    # Event ID 2005: MALWAREPROTECTION_ENGINE_UPDATE_PLATFORMOUTOFDATE
+    # Event ID 2006: MALWAREPROTECTION_PLATFORM_UPDATE_FAILED
+    # Event ID 2007: MALWAREPROTECTION_PLATFORM_ALMOSTOUTOFDATE
+    # Event ID 2010: MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATED
+    # Event ID 2011: MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED
+    # Event ID 2012: MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATE_FAILED
+    # Event ID 2013: MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED_ALL
+    # Event ID 2020: MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOADED
+    # Event ID 2021: MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOAD_FAILED
+    # Event ID 2030: MALWAREPROTECTION_OFFLINE_SCAN_INSTALLED
+    # Event ID 2031: MALWAREPROTECTION_OFFLINE_SCAN_INSTALL_FAILED
+    # Event ID 2040: MALWAREPROTECTION_OS_EXPIRING
+    # Event ID 2041: MALWAREPROTECTION_OS_EOL
+    # Event ID 2042: MALWAREPROTECTION_PROTECTION_EOL
+    # Not implemented
+
+    # Event ID 3002: MALWAREPROTECTION_RTP_FEATURE_FAILURE
+    # Event ID 3007: MALWAREPROTECTION_RTP_FEATURE_RECOVERED
+    # Not implemented
+
+    # Event ID 5000: MALWAREPROTECTION_RTP_ENABLED
+    # Event ID 5001: MALWAREPROTECTION_RTP_DISABLED
+    # No filter required
+
+    # Event ID 5004: MALWAREPROTECTION_RTP_FEATURE_CONFIGURED
+      if [event_id] == 5004 {
+      mutate { add_field => { "z_logstash_pipeline" => "1536_2" } }
+      mutate {
+        rename => {
+          "Configuration" => "defender_configuration"
+          "Feature ID" => "defender_feature_id"
+          "Feature Name" => "defender_feature_name"
+        }
+      }
+    }
+
+    # Event ID 5007: MALWAREPROTECTION_CONFIG_CHANGED
+    if [event_id] == 5007 {
+      mutate { add_field => { "z_logstash_pipeline" => "1536_3" } }
+      if [New Value] {  
+        grok {
+          match => { "New Value" => "%{GREEDYDATA:registry_key_path}\\%{GREEDYDATA:registry_key_value_name}\s=\s%{GREEDYDATA:registry_key_value_data}" }
+          remove_field => [ "New Value" ]
+          tag_on_failure => [ "_Registry_grokparsefailure", "_grokparsefailure", "_parsefailure" ]
+        }
+      }
+      if [Old Value] {  
+        grok {
+          match => { "Old Value" => ".*\s=\s%{GREEDYDATA:registry_value_old_data}" }
+          remove_field => [ "Old Value" ]
+          tag_on_failure => [ "_Registry_grokparsefailure", "_grokparsefailure", "_parsefailure" ]
+        }
+      }
+    }
+
+    # Event ID 5008: MALWAREPROTECTION_ENGINE_FAILURE
+    # Not implemented
+
+    # Event ID 5009: MALWAREPROTECTION_ANTISPYWARE_ENABLED
+    # Event ID 5010: MALWAREPROTECTION_ANTISPYWARE_DISABLED
+    # Event ID 5011: MALWAREPROTECTION_ANTIVIRUS_ENABLED
+    # Event ID 5012: MALWAREPROTECTION_ANTIVIRUS_DISABLED
+    # Not implemented
+
+    # Event ID 5100: MALWAREPROTECTION_EXPIRATION_WARNING_STATE
+    # Event ID 5101: MALWAREPROTECTION_DISABLED_EXPIRED_STATE
+    # Not implemented
+
+  }
+}
diff --git a/docker/helk-logstash/pipeline/9963-winevent-defender-output.conf b/docker/helk-logstash/pipeline/9963-winevent-defender-output.conf
@@ -0,0 +1,16 @@
+# HELK Windows Defender output file
+# HELK build Stage: Alpha
+# Author: Alain Homewood (@inzlain)
+# License: GPL-3.0
+
+output {
+  if [log_name] == "Microsoft-Windows-Windows Defender/Operational" {
+    elasticsearch {
+      hosts => ["helk-elasticsearch:9200"]
+      index => "logs-endpoint-winevent-defender-%{+YYYY.MM.dd}"
+      document_id => "%{[@metadata][log_hash]}"
+      user => 'elastic'
+      #password => 'elasticpassword'
+    }
+  }
+}
diff --git a/winlogbeat/winlogbeat.yml b/winlogbeat/winlogbeat.yml
@@ -24,6 +24,9 @@ winlogbeat.event_logs:
     ignore_older: 30m
   - name: Microsoft-Windows-WMI-Activity/Operational
     event_id: 5857,5858,5859,5860,5861
+  - name: Microsoft-Windows-Windows Defender/Operational
+    event_id: 1116,1117,5000,5001,5007
+    ignore_older: 30m
 
 #----------------------------- Kafka output --------------------------------
 output.kafka: