utmstack
diff --git a/‎filters/aws/aws.yml‎
Lines changed: 1308 additions & 4 deletions b/‎filters/aws/aws.yml‎
Lines changed: 1308 additions & 4 deletions
diff --git a/‎filters/office365/o365-all.conf‎
Lines changed: 0 additions & 17 deletions b/‎filters/office365/o365-all.conf‎
Lines changed: 0 additions & 17 deletions
diff --git a/‎filters/office365/o365.yml‎
Lines changed: 85 additions & 0 deletions b/‎filters/office365/o365.yml‎
Lines changed: 85 additions & 0 deletions
diff --git a/‎filters/sophos/sophos_central.yml‎
Lines changed: 51 additions & 0 deletions b/‎filters/sophos/sophos_central.yml‎
Lines changed: 51 additions & 0 deletions
@@ -0,0 +1,85 @@
+# Microsoft 365 filter
+# Based on Official documentation
+# See https://learn.microsoft.com/en-us/compliance/assurance/assurance-microsoft-365-audit-log-collection
+# https://learn.microsoft.com/es-es/office/office-365-management-api/aip-unified-audit-logs-best-practices
+# https://learn.microsoft.com/en-us/purview/audit-log-activities
+pipeline:
+  - dataTypes:
+      - o365
+    steps:
+      - json:
+          source: raw
+
+      - rename:  
+          from:
+            - log.AppAccessContext.AADSessionId
+          to: log.appAccessContextAADSessionId
+
+      - rename:  
+          from:
+            - log.AppAccessContext.APIId
+          to: log.appAccessContextAPIId
+
+      - rename:  
+          from:
+            - log.AppAccessContext.ClientAppId
+          to: log.appAccessContextClientAppId
+
+      - rename:  
+          from:
+            - log.AppAccessContext.CorrelationId
+          to: log.appAccessContextCorrelationId
+
+      - rename:  
+          from:
+            - log.AppAccessContext.IssuedAtTime
+          to: log.deviceTime
+
+      - rename:  
+          from:
+            - log.AppAccessContext.UniqueTokenId
+          to: log.appAccessContextUniqueTokenId
+
+      - rename:  
+          from:
+            - log.ClientIPAddress
+          to: origin.ip
+
+      - rename:  
+          from:
+            - log.Operation
+          to: action
+
+      - rename:  
+          from:
+            - log.Version
+          to: log.version
+
+      - rename:  
+          from:
+            - log.ClientIP
+          to: log.clientIP
+
+      - rename:  
+          from:
+            - log.ResultStatus
+          to: actionResult
+
+      - rename:  
+          from:
+            - log.UserId
+          to: origin.user
+
+      # Drop unnecessary events
+      - drop:
+          where:
+            variables:
+              - get: action
+                as: action
+                oftype: string
+            expression: action=="SupervisionRuleMatch" || action=="SupervisoryReviewTag" || action=="ComplianceManagerAutomationChange" || action=="LabelContentExplorerAccessedItem" || action=="CreateCopilotPlugin" || action=="CreateCopilotPromptBook" || action=="DeleteCopilotPlugin" || action=="DeleteCopilotPromptBook" || action=="DisableCopilotPlugin" || action=="DisableCopilotPromptBook" || action=="EnableCopilotPlugin" || action=="EnableCopilotPromptBook" || action=="CopilotInteraction" || action=="UpdateCopilotPlugin" || action=="UpdateCopilotPromptBook" || action=="UpdateCopilotSettings" || action=="ApproveDisposal" || action=="ExtendRetention" || action=="RelabelItem" || action=="SearchUpdated" || action=="CaseUpdated" || action=="SearchPermissionUpdated" || action=="HoldUpdated" || action=="PreviewItemDownloaded" || action=="PreviewItemListed" || action=="SearchCreated" || action=="CaseAdded" || action=="HoldCreated" || action=="SearchRemoved" || action=="HoldRemoved" || action=="SearchExportDownloaded" || action=="SearchPreviewed" || action=="SearchResultsPurged" || action=="RemovedSearchResultsSentToZoom" || action=="RemovedSearchExported" || action=="RemovedSearchPreviewed" || action=="RemovedSearchResultsPurged" || action=="SearchReportRemoved" || action=="SearchResultsSentToZoom" || action=="SearchStarted" || action=="SearchExported" || action=="SearchReport" || action=="SearchStopped" || action=="SearchViewed" || action=="ViewedSearchExported" || action=="ViewedSearchPreviewed" || action=="AddRemediatedData" || action=="BurnJob" || action=="CreateWorkingSet" || action=="CreateWorkingSetSearch" || action=="CreateTag" || action=="DeleteWorkingSetSearch" || action=="DeleteTag" || action=="DownloadDocument" || action=="UpdateTag" || action=="ExportJob" || action=="UpdateWorkingSetSearch" || action=="PreviewWorkingSetSearch" || action=="ErrorRemediationJob" || action=="TagFiles" || action=="TagJob" || action=="ViewDocument" || action=="Copy" || action=="Create" || action=="ApplyRecordLabel" || action=="HardDelete" || action=="Send" || action=="Update" || action=="FileAccessed" || action=="FileAccessedExtended" || action=="ComplianceSettingChanged" || action=="LockRecord" || action=="UnlockRecord" || action=="FileCheckedIn" || action=="FileCheckedOut" || action=="FileCopied" || action=="FileDeletedFirstStageRecycleBin" || action=="FileDeletedSecondStageRecycleBin" || action=="RecordDelete" || action=="DocumentSensitivityMismatchDetected" || action=="FileCheckOutDiscarded" || action=="FileDownloaded" || action=="FileModifiedExtended" || action=="FilePreviewed" || action=="SearchQueryPerformed" || action=="FileRecycled" || action=="FolderRecycled" || action=="FileVersionsAllMinorsRecycled" || action=="FileVersionsAllRecycled" || action=="FileVersionRecycled" || action=="FileRestored" || action=="FileUploaded" || action=="PageViewed" || action=="PageViewedExtended" || action=="ClientViewSignaled" || action=="PagePrefetched" || action=="FolderCopied" || action=="FolderCreated" || action=="FolderDeletedFirstStageRecycleBin" || action=="FolderDeletedSecondStageRecycleBin" || action=="FolderRestored" || action=="InformationBarriersInsightsReportCompleted" || action=="InformationBarriersInsightsReportOneDriveSectionQueried" || action=="InformationBarriersInsightsReportSchedule" || action=="InformationBarriersInsightsReportSharePointSectionQueried" || action=="updateddeviceconfiguration" || action=="UpdatedPolicyConfigPriority" || action=="BackupPolicyActivated" || action=="RestoreTaskActivated" || action=="BackupItemAdded" || action=="BackupItemRemoved" || action=="RestoreTaskCompleted" || action=="DraftRestoreTaskCreated" || action=="NewBackupPolicyCreated" || action=="DraftRestoreTaskDeleted" || action=="DraftRestoreTaskEdited" || action=="BackupPolicyPaused" || action=="GetBackupItem" || action=="ViewBackupPolicyDetails" || action=="GetRestoreTaskDetails" || action=="ListAllBackupPolicies" || action=="ListAllBackupItemsInPolicies" || action=="ListAllBackupItemsInTenant" || action=="ListAllBackupItemsInWorkload" || action=="GetAllRestoreArtifactsInTask" || action=="ListAllRestorePoints" || action=="ListAllRestoreTasks" || action=="BackupItemRestoreCompleted" || action=="BackupItemRestoreTriggered" || action=="SetAdvancedFeatures" || action=="RunAntiVirusScan" || action=="LogsCollection" || action=="TaggingConfigurationUpdated" || action=="AlertExcelDownloaded" || action=="RemediationActionAdded" || action=="RemediationActionUpdated" || action=="SensorCreated" || action=="SensorDeploymentAccessKeyReceived" || action=="SensorDeploymentAccessKeyUpdated" || action=="SensorActivationMethodConfigurationUpdated" || action=="DomainControllerCoverageExcelDownloaded" || action=="MonitoringAlertUpdated" || action=="ReportDownloaded" || action=="AlertNotificationsRecipientAdded" || action=="MonitoringAlertNotificationRecipientAdded" || action=="WorkspaceCreated" || action=="AddCommentToIncident." || action=="AssignUserToIncident" || action=="UpdateIncidentStatus" || action=="AddTagsToIncident" || action=="RemoveTagsFromIncident" || action=="CreateComment" || action=="CreateForm" || action=="MoveForm" || action=="ViewForm" || action=="PreviewForm" || action=="ExportForm" || action=="AllowShareFormForCopy" || action=="DisallowShareFormForCopy" || action=="AddFormCoauthor" || action=="RemoveFormCoauthor" || action=="ViewRuntimeForm" || action=="CreateResponse" || action=="UpdateResponse" || action=="ViewResponses" || action=="ViewResponse" || action=="GetSummaryLink" || action=="DeleteSummaryLink" || action=="ProInvitation" || action=="ListForms" || action=="SubmitResponse" || action=="ConnectToExcelWorkbook" || action=="CollectionCreated" || action=="CollectionUpdated" || action=="CollectionHardDeleted" || action=="CollectionSoftDeleted" || action=="CollectionRenamed" || action=="MovedFormIntoCollection" || action=="MovedFormOutofCollection" || action=="PlanCopied" || action=="TaskAssigned" || action=="TaskCompleted" || action=="PlanListRead" || action=="TaskListRead" || action=="ProjectCreated" || action=="RoadmapCreated" || action=="RoadmapItemCreated" || action=="TaskCreated" || action=="ProjectListAccessed" || action=="RoadmapAccessed" || action=="RoadmapItemAccessed" || action=="TaskAccessed" || action=="AuditSearchCreated" || action=="AuditSearchCompleted" || action=="AuditSearchCancelled" || action=="AuditSearchExportJobCreated" || action=="AuditSearchExportJobCompleted" || action=="AuditSearchExportResultsDownloaded" || action=="EntityCreated" || action=="ClassificationAdded" || action=="ClassificationDefinitionCreated" || action=="GlossaryTermAssigned" || action=="GlossaryTermCreated" || action=="BotAddedToTeam" || action=="ChannelAdded" || action=="ConnectorAdded" || action=="MeetingDetail" || action=="MeetingParticipantDetail" || action=="MemberAdded" || action=="TabAdded" || action=="SensitivityLabelApplied" || action=="SensitivityLabelChanged" || action=="ChatCreated" || action=="TeamCreated" || action=="MessageDeleted" || action=="MessageEditedHasLink" || action=="MessagesExported" || action=="RecordingExported" || action=="TranscriptsExported" || action=="FailedValidation" || action=="ChatRetrieved" || action=="MessageHostedContentsListed" || action=="PerformedCardAction" || action=="MessageSent" || action=="AINotesUpdate" || action=="LiveNotesUpdate" || action=="AppPublishedToCatalog" || action=="MessageRead" || action=="InviteeResponded" || action=="ChannelOwnerResponded" || action=="MessagesListed" || action=="MessageCreatedHasLink" || action=="MessageCreatedNotification" || action=="MessageDeletedNotification" || action=="MessageUpdatedNotification" || action=="InviteSent" || action=="SubscribedToMessages" || action=="AppUpdatedInCatalog" || action=="ChatUpdated" || action=="MessageUpdated" || action=="TabUpdated" || action=="AppUpgraded" || action=="MessageSent" || action=="ScheduleGroupAdded" || action=="ShiftAdded" || action=="TimeOffAdded" || action=="OpenShiftAdded" || action=="ScheduleShared" || action=="ClockedIn" || action=="ClockedOut" || action=="BreakEnded" || action=="TimeClockEntryAdded" || action=="RequestAdded" || action=="RequestRespondedTo" || action=="WorkforceIntegrationAdded" || action=="OffShiftDialogAccepted" || action=="CreateUpdateRequest" || action=="EditUpdateRequest" || action=="SubmitUpdate" || action=="ViewUpdate" || action=="AcceptedSharingLinkOnFolder" || action=="FolderSharingLinkShared" || action=="LinkedEntityCreated" || action=="SubTaskCreated" || action=="TaskCreated" || action=="TaskRead" || action=="TaskListCreated" || action=="TaskListRead" || action=="AccessedOdataLink" || action=="CanceledQuery" || action=="DeletedResult" || action=="DownloadedReport" || action=="ExecutedQuery" || action=="UploadedOrgData" || action=="ViewedExplore" || action=="QuarantineReleaseRequestDeny" || action=="QuarantinePreview" || action=="QuarantineReleaseRequest" || action=="QuarantineViewHeader" || action=="UpdateUsageReportsPrivacySetting" || action=="NewAdaptiveScope" || action=="NewComplianceTag" || action=="NewRetentionCompliancePolicy" || action=="RemoveAdaptiveScope" || action=="RemoveComplianceTag" || action=="SetRestrictiveRetentionUI" || action=="ExchangeDataProactivelyPreserved" || action=="SharePointDataProactivelyPreserved" || action=="ListCreated" || action=="ListColumnCreated" || action=="ListContentTypeCreated" || action=="ListItemCreated" || action=="SiteColumnCreated" || action=="SiteContentTypeCreated" || action=="ListContentTypeDeleted" || action=="SiteColumnDeleted" || action=="SiteContentTypeDeleted" || action=="ListItemRecycled" || action=="ListItemRestored" || action=="ListColumnUpdated" || action=="ListContentTypeUpdated" || action=="SiteColumnUpdated" || action=="SiteContentTypeUpdated" || action=="SharingInvitationCreated" || action=="AccessRequestUpdated" || action=="SharingInvitationUpdated" || action=="SharingInvitationRevoked" || action=="AllowedDataLocationAdded" || action=="SiteGeoMoveCancelled" || action=="MigrationJobCompleted" || action=="SiteGeoMoveCompleted" || action=="SiteCollectionCreated" || action=="HubSiteOrphanHubDeleted" || action=="PreviewModeEnabledSet" || action=="LegacyWorkflowEnabledSet" || action=="OfficeOnDemandSet" || action=="PeopleResultsScopeSet" || action=="NewsFeedEnabledSet" || action=="HubSiteJoined" || action=="SiteCollectionQuotaModified" || action=="HubSiteRegistered" || action=="SiteGeoMoveScheduled" || action=="GeoQuotaAllocated" || action=="SiteAdminChangeRequest" || action=="ManagedSyncClientAllowed" || action=="FileSyncDownloadedFull" || action=="FileSyncUploadedFull" || action=="DataShareCreated" || action=="DataShareDeleted" || action=="GenerateCopyOfLakeData" || action=="DownloadCopyOfLakeData" || action=="SoftDeleteSettingsUpdated" || action=="CloseConversation" || action=="OpenConversation" || action=="MessageCreation" || action=="MessageDeleted" || action=="FileDownloaded" || action=="DataExport" || action=="ThreadAccessFailure" || action=="MarkedMessageChanged" || action=="RemoveCuratedTopic" || action=="UsagePolicyAcceptance" || action=="AdminThreadMuted" || action=="AdminThreadUnmuted" || action=="FileUpdateDescription" || action=="MessageUpdated" || action=="FileVisited" || action=="ThreadViewed" || action=="PulseSubmit" || action=="PulseCreate" || action=="PulseExtendDeadline" || action=="PulseInvite" || action=="PulseCancel" || action=="PulseShareResults" || action=="PulseCreateDraft" || action=="PulseDeleteDraft"
+      
+      # Removing unused fields
+      - delete:
+          fields:
+            - log.AppAccessContext
@@ -0,0 +1,51 @@
+# Sophos_Central filter using "SF syslog file guide 20.0", version 1.0.0
+
+# See: https://docs.sophos.com/nsg/sophos-firewall/20.0/pdf/sf-syslog-guide-20.0.pdf
+# and https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Logs/TroubleshootingLogs/LogFileDetails/index.html#https-ftp-waf
+
+pipeline:
+  - dataTypes:
+      - sophos-central
+    steps:
+      - json:
+          source: raw
+
+      - rename:
+          from:
+            - log.coreremedyitems
+          to: log.coreremedyItems
+
+      - rename:
+          from:
+            - log.createdat
+          to: log.createdAt
+
+      - rename:
+          from:
+            - log.customerid
+          to: log.customerId
+
+      - rename:
+          from:
+            - log.endpointid
+          to: log.endpointId
+
+      - rename:
+          from:
+            - log.endpointtype
+          to: log.endpointType
+
+      - rename:
+          from:
+            - log.sourceinfo.ip
+          to: log.ip
+
+      - rename:
+          from:
+            - log.userid
+          to: log.userId
+
+      - rename:
+          from:
+            - log.sourceinfo
+          to: log.sourceInfo