@@ -390,6 +390,51 @@ processors:
390390 description : Categorize events.
391391 lang : painless
392392 params :
393+ ActiveDirectoryServiceAccessRequest :
394+ category : [ database ]
395+ type : [ access ]
396+ kind : event
397+ outcome : success
398+ ActiveDirectoryAuthentication :
399+ category : [ authentication ]
400+ type : [ start ]
401+ kind : event
402+ outcome : success
403+ ActiveDirectoryServiceAccessRequestFailure :
404+ category : [ database ]
405+ type : [ access ]
406+ kind : event
407+ outcome : failure
408+ ActiveDirectoryIncomingLdapSearchRequest :
409+ category : [ database ]
410+ type : [ access ]
411+ kind : event
412+ outcome : unknown
413+ ActiveDirectoryAuthenticationFailure :
414+ category : [ authentication ]
415+ type : [ start ]
416+ kind : event
417+ outcome : failure
418+ ActiveDirectoryInteractiveDomainLogon :
419+ category : [ authentication ]
420+ type : [ start ]
421+ kind : event
422+ outcome : success
423+ ActiveDirectoryIncomingDceRpcRequest :
424+ category : [ api ]
425+ type : [ start ]
426+ kind : event
427+ outcome : unknown
428+ ActiveDirectoryIncomingPsExecExecution2 :
429+ category : [ process ]
430+ type : [ start ]
431+ kind : event
432+ outcome : success
433+ ActiveDirectoryIncomingDceRpcEpmRequest :
434+ category : [ api ]
435+ type : [ start ]
436+ kind : event
437+ outcome : unknown
393438 AcUninstallConfirmation :
394439 category : [ package ]
395440 type : [ deletion ]
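Review bot: The nine new ActiveDirectory* entries at L5–L49 are not kept in the alphabetical order the surrounding map appears to use (`AcUninstallConfirmation` follows them, and `SudoCommandAttempt` in the later hunk is slotted between `Su…` and `Suspicious…`), which makes future additions and duplicate checks harder; sort them by key like the rest of the params map. Separately, `ActiveDirectoryServiceAccessRequest` and its `…Failure` variant are mapped to `category: [ database ]`; if these source events are Kerberos service-ticket requests rather than directory queries, `authentication` is the category analysts filter on, and a one-line comment stating what the CrowdStrike event represents (e.g. `# service access request as emitted by the sensor; see vendor event reference — TODO confirm`) would settle the choice either way.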
@@ -1334,6 +1379,11 @@ processors:
13341379 type : [ change ]
13351380 kind : event
13361381 outcome : success
1382+ SudoCommandAttempt :
1383+ category : [ authentication ]
1384+ type : [ start ]
1385+ kind : event
1386+ outcome : unknown
13371387 SuspiciousCreateSymbolicLink :
13381388 category : [ malware, file ]
13391389 type : [ creation, info ]
@@ -2359,6 +2409,79 @@ processors:
23592409 ignore_failure : true
23602410 ignore_empty_value : true
23612411 if : ctx._temp?.user_parts != null && ctx._temp.user_parts.size() == 2
2412+ - set :
2413+ field : user.name
2414+ copy_from : crowdstrike.SourceAccountSamAccountName
2415+ if : ctx.event?.action instanceof String && ctx.event.action.startsWith('ActiveDirectory')
2416+ ignore_empty_value : true
2417+ - set :
2418+ field : user.email
2419+ copy_from : crowdstrike.SourceAccountUserName
2420+ if : >-
2421+ ctx.event?.action instanceof String && ctx.event.action.startsWith('ActiveDirectory') &&
2422+ ctx.crowdstrike?.SourceAccountUserName instanceof String && ctx.crowdstrike.SourceAccountUserName.contains('@')
2423+ ignore_empty_value : true
2424+ - set :
2425+ field : user.id
2426+ copy_from : crowdstrike.SourceEndpointAccountObjectSid
2427+ if : ctx.event?.action instanceof String && ctx.event.action.startsWith('ActiveDirectory')
2428+ ignore_empty_value : true
2429+ - set :
2430+ field : user.domain
2431+ copy_from : crowdstrike.SourceAccountDomain
2432+ if : ctx.event?.action instanceof String && ctx.event.action.startsWith('ActiveDirectory')
2433+ ignore_empty_value : true
2434+ - set :
2435+ field : user.name
2436+ copy_from : crowdstrike.OriginalUserName
2437+ if : ctx.event?.action == 'TokenImpersonated'
2438+ ignore_empty_value : true
2439+ - set :
2440+ field : user.id
2441+ copy_from : crowdstrike.OriginalUserSid
2442+ if : ctx.event?.action == 'TokenImpersonated'
2443+ ignore_empty_value : true
2444+ - set :
2445+ field : user.target.name
2446+ copy_from : crowdstrike.ImpersonatedUserName
2447+ if : ctx.event?.action == 'TokenImpersonated'
2448+ ignore_empty_value : true
2449+ - set :
2450+ field : user.name
2451+ copy_from : crowdstrike.OriginalUserName
2452+ if : ctx.event?.action == 'SudoCommandAttempt'
2453+ ignore_empty_value : true
2454+ - set :
2455+ field : user.name
2456+ value : root
2457+ if : (ctx.user?.name == null || ctx.user.name == '') && ctx.event?.action == 'SudoCommandAttempt'
2458+ - set :
2459+ field : user.id
2460+ copy_from : crowdstrike.OriginalUserID
2461+ if : ctx.event?.action == 'SudoCommandAttempt'
2462+ ignore_empty_value : true
2463+ - set :
2464+ field : user.id
2465+ value : 0
2466+ if : ctx.user?.id == null && ctx.event?.action == 'SudoCommandAttempt'
2467+ - set :
2468+ field : user.target.name
2469+ copy_from : crowdstrike.NewUsername
2470+ if : ctx.event?.action == 'SudoCommandAttempt'
2471+ ignore_empty_value : true
2472+ - set :
2473+ field : user.target.name
2474+ value : root
2475+ if : (ctx.user?.target?.name == null || ctx.user.target.name == '') && ctx.event?.action == 'SudoCommandAttempt'
2476+ - set :
2477+ field : user.target.id
2478+ copy_from : crowdstrike.NewUserID
2479+ if : ctx.event?.action == 'SudoCommandAttempt'
2480+ ignore_empty_value : true
2481+ - set :
2482+ field : user.target.id
2483+ value : 0
2484+ if : ctx.user?.target?.id == null && ctx.event?.action == 'SudoCommandAttempt'
23622485 - append :
23632486 field : related.user
23642487 value : " {{{user.name}}}"
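Review bot: The SudoCommandAttempt fallbacks at L111–L114, L120–L123, L129–L132 and L138–L141 attribute the event to `root`/`0` whenever the corresponding CrowdStrike field is absent, so a record that merely lacks `OriginalUserName` or `NewUsername` is indexed as a root-initiated or root-targeted sudo rather than left unattributed, which inflates anything keyed on `user.name: root` or `user.id: 0`. If this encodes a known property of the feed (the field being omitted only when the account is root), document it on the first fallback, e.g. `# CrowdStrike omits the Original*/New* user fields when the account is root, so absence means root — confirm against the FDR field reference`; if it is not a known property, the defaults should be dropped. The `value: 0` on L122 and L140 places an integer in ctx while the `copy_from` paths supply whatever type the source field carries (presumably a string), so `user.id` is sometimes a number and sometimes text within the pipeline; `value: '0'` keeps it a keyword consistently. The id fallbacks also test only `== null`, whereas the name fallbacks on L114 and L132 additionally treat `''` as missing; align the two so an empty-string id is handled the same way as an empty-string name.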
@@ -2376,6 +2499,12 @@ processors:
23762499 ignore_failure : true
23772500 allow_duplicates : false
23782501 if : ctx.user?.full_name != null
2502+ - append :
2503+ field : related.user
2504+ value : " {{{user.target.name}}}"
2505+ ignore_failure : true
2506+ allow_duplicates : false
2507+ if : ctx.user?.target?.name != null
23792508
23802509 # # Networking fields.
23812510 - set :