update windows-events filter

JocLRojas · JocLRojas · commit 71d20147f790 · 2026-04-01T18:44:31.000+03:00
diff --git a/filters/windows/windows-events.yml b/filters/windows/windows-events.yml
@@ -296,19 +296,14 @@ pipeline:
 
       - rename:
           from:
-            - log.log.level
+            - log.level
           to: log.severityLabel
 
       - rename:
           from:
             - log.api
           to: log.api
 
-      - rename:
-          from:
-            - log.channel
-          to: log.channel
-
       - rename:
           from:
             - log.ecs.version
@@ -334,6 +329,56 @@ pipeline:
             - log.data.ObjectType
           to: log.eventDataObjectType
 
+      - rename:
+          from:
+            - log.data.OperationType
+          to: log.eventDataOperationType
+
+      - rename:
+          from:
+            - log.data.TicketEncryptionType
+          to: log.eventDataTicketEncryptionType
+
+      - rename:
+          from:
+            - log.data.PreAuthType
+          to: log.eventDataPreAuthType
+
+      - rename:
+          from:
+            - log.data.TicketOptions
+          to: log.eventDataTicketOptions
+
+      - rename:
+          from:
+            - log.data.ProcessPath
+          to: log.eventDataProcessPath
+
+      - rename:
+          from:
+            - log.data.ImagePath
+          to: log.eventDataImagePath
+
+      - rename:
+          from:
+            - log.data.ServiceType
+          to: log.eventDataServiceType
+
+      - rename:
+          from:
+            - log.data.StartType
+          to: log.eventDataStartType
+
+      - rename:
+          from:
+            - log.data.FileName
+          to: log.eventDataFileName
+
+      - rename:
+          from:
+            - log.data.LinkName
+          to: log.eventDataLinkName
+
       - rename:
           from:
             - log.data.AccessList
@@ -374,6 +419,26 @@ pipeline:
             - log.data.TransactionId
           to: log.eventDataTransactionId
 
+      - rename:
+          from:
+            - log.data.ScriptBlockText
+          to: log.eventDataScriptBlockText
+
+      - rename:
+          from:
+            - log.data.MessageNumber
+          to: log.eventDataMessageNumber
+
+      - rename:
+          from:
+            - log.data.MessageTotal
+          to: log.eventDataMessageTotal
+
+      - rename:
+          from:
+            - log.data.ScriptBlockId
+          to: log.eventDataScriptBlockId
+
       - cast:
           to: "int"
           fields:
@@ -403,7 +468,7 @@ pipeline:
 
       # Drop unnecessary events
       - drop:
-          where: "oneOf('log.eventCode', [0, 1, 43, 44, 1040, 1042, 1105, 1500, 1501, 4608, 4609, 4614, 4615, 4616, 4626, 4627, 4650, 4651, 4652, 4653, 4654, 4655, 4659, 4665, 4666, 4667, 4668, 4688, 4689, 4696, 4709, 4710, 4711, 4712, 4778, 4779, 4826, 4864, 4866, 4898, 4899, 4902, 4904, 4905, 4906, 4909, 4910, 4911, 4928, 4929, 4930, 4931, 4932, 4933, 4934, 4935, 4936, 4937, 4944, 4945, 4951, 4952, 4953, 4957, 4958, 4965, 4979, 4980, 4981, 4982, 4983, 4984, 4985, 5024, 5027, 5028, 5029, 5033, 5034, 5035, 5038, 5039, 5051, 5056, 5057, 5058, 5059, 5060, 5061, 5062, 5063, 5064, 5065, 5066, 5067, 5068, 5069, 5070, 5071, 5120, 5121, 5122, 5123, 5125, 5126, 5127, 5137, 5138, 5139, 5141, 5145, 5168, 5169, 5170, 5376, 5377, 5378, 5379, 5380, 5381, 5440, 5441, 5442, 5443, 5444, 5446, 5450, 5451, 5452, 5456, 5457, 5458, 5459, 5460, 5461, 5462, 5463, 5464, 5465, 5466, 5467, 5468, 5471, 5472, 5473, 5474, 5477, 5478, 5712, 5888, 5889, 5890, 6145, 6274, 6275, 6281, 6400, 6401, 6402, 6403, 6405, 6406, 6407, 6408, 6409, 6410, 6417, 6418, 6423, 6424, 7040, 8191, 10000, 10010, 16384, 16394, 24578, 24579, 24581, 24582, 24583, 24584, 24586, 24588, 24592, 24593, 24594, 24595, 24621])"
+          where: "oneOf('log.eventCode', [0, 1, 43, 44, 1040, 1042, 1105, 1500, 1501, 4608, 4609, 4614, 4615, 4616, 4626, 4627, 4650, 4651, 4652, 4653, 4654, 4655, 4659, 4665, 4666, 4667, 4668, 4689, 4696, 4709, 4710, 4711, 4712, 4778, 4779, 4826, 4864, 4866, 4898, 4899, 4902, 4904, 4905, 4906, 4909, 4910, 4911, 4928, 4929, 4930, 4931, 4932, 4933, 4934, 4935, 4936, 4937, 4944, 4945, 4951, 4952, 4953, 4957, 4958, 4965, 4979, 4980, 4981, 4982, 4983, 4984, 4985, 5024, 5027, 5028, 5029, 5033, 5034, 5035, 5038, 5039, 5051, 5056, 5057, 5058, 5059, 5060, 5061, 5062, 5063, 5064, 5065, 5066, 5067, 5068, 5069, 5070, 5071, 5120, 5121, 5122, 5123, 5125, 5126, 5127, 5137, 5138, 5139, 5141, 5145, 5168, 5169, 5170, 5376, 5377, 5378, 5379, 5380, 5381, 5440, 5441, 5442, 5443, 5444, 5446, 5450, 5451, 5452, 5456, 5457, 5458, 5459, 5460, 5461, 5462, 5463, 5464, 5465, 5466, 5467, 5468, 5471, 5472, 5473, 5474, 5477, 5478, 5712, 5888, 5889, 5890, 6145, 6274, 6275, 6281, 6400, 6401, 6402, 6403, 6405, 6406, 6407, 6408, 6409, 6410, 6417, 6418, 6423, 6424, 7040, 8191, 10000, 10010, 16384, 16394, 24578, 24579, 24581, 24582, 24583, 24584, 24586, 24588, 24592, 24593, 24594, 24595, 24621])"
 
       # Decoding event code
       - add:
@@ -2949,7 +3014,6 @@ pipeline:
             - log.agent
             - log.host
             - log.computer_name
-            - log.data
             - log.process
             - log.metadata
             - log.event
