{
  "name": "windows",
  "title": "Windows",
  "version": "3.8.2",
  "release": "ga",
  "description": "Collect logs and metrics from Windows OS and services with Elastic Agent.",
  "type": "integration",
  "download": "/epr/windows/windows-3.8.2.zip",
  "path": "/package/windows/3.8.2",
  "icons": [
    {
      "src": "/img/logo_windows.svg",
      "path": "/package/windows/3.8.2/img/logo_windows.svg",
      "title": "logo windows",
      "size": "32x32",
      "type": "image/svg+xml"
    }
  ],
  "conditions": {
    "kibana": {
      "version": "^8.14.0 || ^9.0.0"
    },
    "elastic": {
      "subscription": "basic"
    }
  },
  "owner": {
    "type": "elastic",
    "github": "elastic/elastic-agent-data-plane"
  },
  "categories": [
    "os_system",
    "security",
    "observability"
  ],
  "signature_path": "/epr/windows/windows-3.8.2.zip.sig",
  "format_version": "3.2.1",
  "readme": "/package/windows/3.8.2/docs/README.md",
  "license": "basic",
  "screenshots": [
    {
      "src": "/img/metricbeat-windows-service.png",
      "path": "/package/windows/3.8.2/img/metricbeat-windows-service.png",
      "title": "metricbeat windows service",
      "size": "3142x1834",
      "type": "image/png"
    },
    {
      "src": "/img/applocker-windows-audit-and-blocked.png",
      "path": "/package/windows/3.8.2/img/applocker-windows-audit-and-blocked.png",
      "title": "applocker audited and blocked events",
      "size": "3040x2960",
      "type": "image/png"
    }
  ],
  "assets": [
    "/package/windows/3.8.2/LICENSE.txt",
    "/package/windows/3.8.2/changelog.yml",
    "/package/windows/3.8.2/manifest.yml",
    "/package/windows/3.8.2/docs/README.md",
    "/package/windows/3.8.2/img/applocker-windows-audit-and-blocked.png",
    "/package/windows/3.8.2/img/logo_windows.svg",
    "/package/windows/3.8.2/img/metricbeat-windows-service.png",
    "/package/windows/3.8.2/data_stream/applocker_exe_and_dll/manifest.yml",
    "/package/windows/3.8.2/data_stream/applocker_exe_and_dll/sample_event.json",
    "/package/windows/3.8.2/data_stream/applocker_msi_and_script/manifest.yml",
    "/package/windows/3.8.2/data_stream/applocker_msi_and_script/sample_event.json",
    "/package/windows/3.8.2/data_stream/applocker_packaged_app_deployment/manifest.yml",
    "/package/windows/3.8.2/data_stream/applocker_packaged_app_deployment/sample_event.json",
    "/package/windows/3.8.2/data_stream/applocker_packaged_app_execution/manifest.yml",
    "/package/windows/3.8.2/data_stream/applocker_packaged_app_execution/sample_event.json",
    "/package/windows/3.8.2/data_stream/forwarded/manifest.yml",
    "/package/windows/3.8.2/data_stream/forwarded/sample_event.json",
    "/package/windows/3.8.2/data_stream/perfmon/manifest.yml",
    "/package/windows/3.8.2/data_stream/powershell/manifest.yml",
    "/package/windows/3.8.2/data_stream/powershell/sample_event.json",
    "/package/windows/3.8.2/data_stream/powershell_operational/manifest.yml",
    "/package/windows/3.8.2/data_stream/powershell_operational/sample_event.json",
    "/package/windows/3.8.2/data_stream/service/manifest.yml",
    "/package/windows/3.8.2/data_stream/sysmon_operational/manifest.yml",
    "/package/windows/3.8.2/data_stream/sysmon_operational/sample_event.json",
    "/package/windows/3.8.2/data_stream/windows_defender/manifest.yml",
    "/package/windows/3.8.2/data_stream/windows_defender/sample_event.json",
    "/package/windows/3.8.2/kibana/dashboard/windows-b28aaad0-2f2d-11ee-acdc-45d0efa0889d.json",
    "/package/windows/3.8.2/kibana/dashboard/windows-c77e06c0-9e7c-11ea-af6f-cfdb1ee1d6c8.json",
    "/package/windows/3.8.2/kibana/dashboard/windows-d9eba730-c991-11e7-9835-2f31fe08873b.json",
    "/package/windows/3.8.2/kibana/search/windows-11a61760-9f27-11ea-bef1-95118e62a7c1.json",
    "/package/windows/3.8.2/data_stream/applocker_exe_and_dll/fields/agent.yml",
    "/package/windows/3.8.2/data_stream/applocker_exe_and_dll/fields/base-fields.yml",
    "/package/windows/3.8.2/data_stream/applocker_exe_and_dll/fields/beats.yml",
    "/package/windows/3.8.2/data_stream/applocker_exe_and_dll/fields/ecs.yml",
    "/package/windows/3.8.2/data_stream/applocker_exe_and_dll/fields/winlog.yml",
    "/package/windows/3.8.2/data_stream/applocker_msi_and_script/fields/agent.yml",
    "/package/windows/3.8.2/data_stream/applocker_msi_and_script/fields/base-fields.yml",
    "/package/windows/3.8.2/data_stream/applocker_msi_and_script/fields/beats.yml",
    "/package/windows/3.8.2/data_stream/applocker_msi_and_script/fields/ecs.yml",
    "/package/windows/3.8.2/data_stream/applocker_msi_and_script/fields/winlog.yml",
    "/package/windows/3.8.2/data_stream/applocker_packaged_app_deployment/fields/agent.yml",
    "/package/windows/3.8.2/data_stream/applocker_packaged_app_deployment/fields/base-fields.yml",
    "/package/windows/3.8.2/data_stream/applocker_packaged_app_deployment/fields/beats.yml",
    "/package/windows/3.8.2/data_stream/applocker_packaged_app_deployment/fields/ecs.yml",
    "/package/windows/3.8.2/data_stream/applocker_packaged_app_deployment/fields/winlog.yml",
    "/package/windows/3.8.2/data_stream/applocker_packaged_app_execution/fields/agent.yml",
    "/package/windows/3.8.2/data_stream/applocker_packaged_app_execution/fields/base-fields.yml",
    "/package/windows/3.8.2/data_stream/applocker_packaged_app_execution/fields/beats.yml",
    "/package/windows/3.8.2/data_stream/applocker_packaged_app_execution/fields/ecs.yml",
    "/package/windows/3.8.2/data_stream/applocker_packaged_app_execution/fields/winlog.yml",
    "/package/windows/3.8.2/data_stream/forwarded/fields/agent.yml",
    "/package/windows/3.8.2/data_stream/forwarded/fields/base-fields.yml",
    "/package/windows/3.8.2/data_stream/forwarded/fields/beats.yml",
    "/package/windows/3.8.2/data_stream/forwarded/fields/ecs.yml",
    "/package/windows/3.8.2/data_stream/forwarded/fields/fields.yml",
    "/package/windows/3.8.2/data_stream/forwarded/fields/winlog.yml",
    "/package/windows/3.8.2/data_stream/perfmon/fields/agent.yml",
    "/package/windows/3.8.2/data_stream/perfmon/fields/base-fields.yml",
    "/package/windows/3.8.2/data_stream/perfmon/fields/fields.yml",
    "/package/windows/3.8.2/data_stream/powershell/fields/agent.yml",
    "/package/windows/3.8.2/data_stream/powershell/fields/base-fields.yml",
    "/package/windows/3.8.2/data_stream/powershell/fields/beats.yml",
    "/package/windows/3.8.2/data_stream/powershell/fields/ecs.yml",
    "/package/windows/3.8.2/data_stream/powershell/fields/fields.yml",
    "/package/windows/3.8.2/data_stream/powershell/fields/winlog.yml",
    "/package/windows/3.8.2/data_stream/powershell_operational/fields/agent.yml",
    "/package/windows/3.8.2/data_stream/powershell_operational/fields/base-fields.yml",
    "/package/windows/3.8.2/data_stream/powershell_operational/fields/beats.yml",
    "/package/windows/3.8.2/data_stream/powershell_operational/fields/ecs.yml",
    "/package/windows/3.8.2/data_stream/powershell_operational/fields/fields.yml",
    "/package/windows/3.8.2/data_stream/powershell_operational/fields/winlog.yml",
    "/package/windows/3.8.2/data_stream/service/fields/agent.yml",
    "/package/windows/3.8.2/data_stream/service/fields/base-fields.yml",
    "/package/windows/3.8.2/data_stream/service/fields/fields.yml",
    "/package/windows/3.8.2/data_stream/sysmon_operational/fields/agent.yml",
    "/package/windows/3.8.2/data_stream/sysmon_operational/fields/base-fields.yml",
    "/package/windows/3.8.2/data_stream/sysmon_operational/fields/beats.yml",
    "/package/windows/3.8.2/data_stream/sysmon_operational/fields/ecs.yml",
    "/package/windows/3.8.2/data_stream/sysmon_operational/fields/fields.yml",
    "/package/windows/3.8.2/data_stream/sysmon_operational/fields/winlog.yml",
    "/package/windows/3.8.2/data_stream/windows_defender/fields/agent.yml",
    "/package/windows/3.8.2/data_stream/windows_defender/fields/base-fields.yml",
    "/package/windows/3.8.2/data_stream/windows_defender/fields/beats.yml",
    "/package/windows/3.8.2/data_stream/windows_defender/fields/fields.yml",
    "/package/windows/3.8.2/data_stream/windows_defender/fields/winlog.yml",
    "/package/windows/3.8.2/data_stream/applocker_exe_and_dll/agent/stream/winlog.yml.hbs",
    "/package/windows/3.8.2/data_stream/applocker_exe_and_dll/elasticsearch/ingest_pipeline/default.yml",
    "/package/windows/3.8.2/data_stream/applocker_msi_and_script/agent/stream/winlog.yml.hbs",
    "/package/windows/3.8.2/data_stream/applocker_msi_and_script/elasticsearch/ingest_pipeline/default.yml",
    "/package/windows/3.8.2/data_stream/applocker_packaged_app_deployment/agent/stream/winlog.yml.hbs",
    "/package/windows/3.8.2/data_stream/applocker_packaged_app_deployment/elasticsearch/ingest_pipeline/default.yml",
    "/package/windows/3.8.2/data_stream/applocker_packaged_app_execution/agent/stream/winlog.yml.hbs",
    "/package/windows/3.8.2/data_stream/applocker_packaged_app_execution/elasticsearch/ingest_pipeline/default.yml",
    "/package/windows/3.8.2/data_stream/forwarded/agent/stream/winlog.yml.hbs",
    "/package/windows/3.8.2/data_stream/forwarded/elasticsearch/ingest_pipeline/default.yml",
    "/package/windows/3.8.2/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell.yml",
    "/package/windows/3.8.2/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml",
    "/package/windows/3.8.2/data_stream/forwarded/elasticsearch/ingest_pipeline/security_default.yml",
    "/package/windows/3.8.2/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml",
    "/package/windows/3.8.2/data_stream/forwarded/elasticsearch/ingest_pipeline/sysmon_operational.yml",
    "/package/windows/3.8.2/data_stream/perfmon/agent/stream/stream.yml.hbs",
    "/package/windows/3.8.2/data_stream/powershell/agent/stream/winlog.yml.hbs",
    "/package/windows/3.8.2/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml",
    "/package/windows/3.8.2/data_stream/powershell_operational/agent/stream/winlog.yml.hbs",
    "/package/windows/3.8.2/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml",
    "/package/windows/3.8.2/data_stream/service/agent/stream/stream.yml.hbs",
    "/package/windows/3.8.2/data_stream/sysmon_operational/agent/stream/winlog.yml.hbs",
    "/package/windows/3.8.2/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml",
    "/package/windows/3.8.2/data_stream/windows_defender/agent/stream/winlog.yml.hbs",
    "/package/windows/3.8.2/data_stream/windows_defender/elasticsearch/ingest_pipeline/default.yml"
  ],
  "policy_templates": [
    {
      "name": "windows",
      "title": "Windows logs and metrics",
      "description": "Collect logs and metrics from Windows instances",
      "inputs": [
        {
          "type": "winlog",
          "title": "Collect events from the following Windows event log channels:",
          "description": "Collecting events from Windows event log"
        },
        {
          "type": "windows/metrics",
          "title": "Collect Windows perfmon and service metrics",
          "description": "Collecting perfmon and service metrics from Windows instances"
        }
      ],
      "multiple": true
    }
  ],
  "data_streams": [
    {
      "type": "logs",
      "dataset": "windows.applocker_exe_and_dll",
      "title": "Windows AppLocker/EXE and DLL logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "winlog",
          "vars": [
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original XML event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "event_id",
              "type": "text",
              "title": "Event ID",
              "description": "A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). At most 22 clauses are allowed, and fewer in some situations. See the integration documentation for more details.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ignore_older",
              "type": "text",
              "title": "Ignore events older than",
              "description": "If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "72h"
            },
            {
              "name": "language",
              "type": "text",
              "title": "Language ID",
              "description": "The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found [here](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c). It defaults to `0`, which indicates to use the system language. E.g.: 0x0409 for en-US",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": 0
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "custom",
              "type": "yaml",
              "title": "Custom Configurations",
              "description": "YAML configuration options for winlog input. Be careful, this may break the integration.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "# Winlog configuration example\n#batch_read_size: 100"
            }
          ],
          "template_path": "winlog.yml.hbs",
          "title": "AppLocker/EXE and DLL",
          "description": "Microsoft-Windows-AppLocker/EXE and DLL channel",
          "enabled": false,
          "ingestion_method": "API"
        }
      ],
      "package": "windows",
      "path": "applocker_exe_and_dll"
    },
    {
      "type": "logs",
      "dataset": "windows.applocker_msi_and_script",
      "title": "Windows AppLocker/MSI and Script logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "winlog",
          "vars": [
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original XML event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "event_id",
              "type": "text",
              "title": "Event ID",
              "description": "A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). At most 22 clauses are allowed, and fewer in some situations. See the integration documentation for more details.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ignore_older",
              "type": "text",
              "title": "Ignore events older than",
              "description": "If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "72h"
            },
            {
              "name": "language",
              "type": "text",
              "title": "Language ID",
              "description": "The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found [here](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c). It defaults to `0`, which indicates to use the system language. E.g.: 0x0409 for en-US",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": 0
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "custom",
              "type": "yaml",
              "title": "Custom Configurations",
              "description": "YAML configuration options for winlog input. Be careful, this may break the integration.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "# Winlog configuration example\n#batch_read_size: 100"
            }
          ],
          "template_path": "winlog.yml.hbs",
          "title": "AppLocker/MSI and Script",
          "description": "Microsoft-Windows-AppLocker/MSI and Script channel",
          "enabled": false,
          "ingestion_method": "API"
        }
      ],
      "package": "windows",
      "path": "applocker_msi_and_script"
    },
    {
      "type": "logs",
      "dataset": "windows.applocker_packaged_app_deployment",
      "title": "Windows AppLocker/Packaged app-Deployment logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "winlog",
          "vars": [
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original XML event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "event_id",
              "type": "text",
              "title": "Event ID",
              "description": "A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). At most 22 clauses are allowed, and fewer in some situations. See the integration documentation for more details.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ignore_older",
              "type": "text",
              "title": "Ignore events older than",
              "description": "If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "72h"
            },
            {
              "name": "language",
              "type": "text",
              "title": "Language ID",
              "description": "The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found [here](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c). It defaults to `0`, which indicates to use the system language. E.g.: 0x0409 for en-US",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": 0
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "custom",
              "type": "yaml",
              "title": "Custom Configurations",
              "description": "YAML configuration options for winlog input. Be careful, this may break the integration.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "# Winlog configuration example\n#batch_read_size: 100"
            }
          ],
          "template_path": "winlog.yml.hbs",
          "title": "Packaged app-Deployment",
          "description": "Microsoft-Windows-AppLocker/Packaged app-Deployment channel",
          "enabled": false,
          "ingestion_method": "API"
        }
      ],
      "package": "windows",
      "path": "applocker_packaged_app_deployment"
    },
    {
      "type": "logs",
      "dataset": "windows.applocker_packaged_app_execution",
      "title": "Windows AppLocker/Packaged app-Execution logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "winlog",
          "vars": [
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original XML event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "event_id",
              "type": "text",
              "title": "Event ID",
              "description": "A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). At most 22 clauses are allowed, and fewer in some situations. See the integration documentation for more details.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ignore_older",
              "type": "text",
              "title": "Ignore events older than",
              "description": "If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "72h"
            },
            {
              "name": "language",
              "type": "text",
              "title": "Language ID",
              "description": "The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found [here](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c). It defaults to `0`, which indicates to use the system language. E.g.: 0x0409 for en-US",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": 0
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "custom",
              "type": "yaml",
              "title": "Custom Configurations",
              "description": "YAML configuration options for winlog input. Be careful, this may break the integration.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "# Winlog configuration example\n#batch_read_size: 100"
            }
          ],
          "template_path": "winlog.yml.hbs",
          "title": "Packaged app-Execution",
          "description": "Microsoft-Windows-AppLocker/Packaged app-Execution channel",
          "enabled": false,
          "ingestion_method": "API"
        }
      ],
      "package": "windows",
      "path": "applocker_packaged_app_execution"
    },
    {
      "type": "logs",
      "dataset": "windows.forwarded",
      "title": "Windows forwarded events",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "winlog",
          "vars": [
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original XML event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "event_id",
              "type": "text",
              "title": "Event ID",
              "description": "A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). At most 22 clauses are allowed, and fewer in some situations. See the integration documentation for more details.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ignore_older",
              "type": "text",
              "title": "Ignore events older than",
              "description": "If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "72h"
            },
            {
              "name": "language",
              "type": "text",
              "title": "Language ID",
              "description": "The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found [here](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c). It defaults to `0`, which indicates to use the system language. E.g.: 0x0409 for en-US",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": 0
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": false,
              "show_user": false,
              "default": [
                "forwarded"
              ]
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "custom",
              "type": "yaml",
              "title": "Custom Configurations",
              "description": "YAML configuration options for winlog input. Be careful, this may break the integration.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "# Winlog configuration example\n#batch_read_size: 100"
            }
          ],
          "template_path": "winlog.yml.hbs",
          "title": "Forwarded",
          "description": "Collect ForwardedEvents channel logs",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "windows",
      "elasticsearch": {
        "index_template.settings": {
          "analysis": {
            "analyzer": {
              "powershell_script_analyzer": {
                "pattern": "[\\W&&[^-]]+",
                "type": "pattern"
              }
            }
          }
        },
        "ingest_pipeline.name": "default"
      },
      "path": "forwarded"
    },
    {
      "type": "metrics",
      "dataset": "windows.perfmon",
      "title": "Windows perfmon metrics",
      "release": "ga",
      "streams": [
        {
          "input": "windows/metrics",
          "vars": [
            {
              "name": "perfmon.group_measurements_by_instance",
              "type": "bool",
              "title": "Perfmon Group Measurements By Instance",
              "description": "Enabling this option will send all measurements with a matching perfmon instance as part of a single event",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "perfmon.ignore_non_existent_counters",
              "type": "bool",
              "title": "Perfmon Ignore Non Existent Counters",
              "description": "Enabling this option will make sure to ignore any errors caused by counters that do not exist",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "perfmon.refresh_wildcard_counters",
              "type": "bool",
              "title": "Perfmon Refresh Wildcard Counters",
              "description": "Enabling this option will cause the counter list to be retrieved after each fetch, rather than once at start time.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "perfmon.match_by_parent_instance",
              "type": "bool",
              "title": "Perfmon Match By Parent Instance",
              "description": "Enabling this option will cause all instances of the same parent (process name) to have the same instance value. Disable this option if you run multiple processes with the same name (e.g. IIS workers).",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": true
            },
            {
              "name": "perfmon.queries",
              "type": "yaml",
              "title": "Perfmon Queries",
              "description": "The perfmon queries to execute. Each query has an `object` option, an optional `instance` configuration, and the actual counters.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "- object: 'Process'\n  instance: [\"*\"]\n  counters:\n   - name: '% Processor Time'\n     field: cpu_perc\n     format: \"float\"\n   - name: \"Working Set\"\n"
            },
            {
              "name": "period",
              "type": "text",
              "title": "Period",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "10s"
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "stream.yml.hbs",
          "title": "Windows perfmon metrics",
          "description": "Collect Windows perfmon metrics",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "windows",
      "path": "perfmon"
    },
    {
      "type": "logs",
      "dataset": "windows.powershell",
      "title": "Windows Powershell logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "winlog",
          "vars": [
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original XML event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "event_id",
              "type": "text",
              "title": "Event ID",
              "description": "A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Limited to 22 clauses (fewer in some situations). See the integration documentation for more details.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "400, 403, 600, 800"
            },
            {
              "name": "ignore_older",
              "type": "text",
              "title": "Ignore events older than",
              "description": "If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "72h"
            },
            {
              "name": "language",
              "type": "text",
              "title": "Language ID",
              "description": "The language ID in which events are rendered. This language is forced regardless of the system language. A complete list of language IDs can be found [here](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c). It defaults to `0`, which means the system language is used. E.g. 0x0409 for en-US.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": 0
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "custom",
              "type": "yaml",
              "title": "Custom Configurations",
              "description": "YAML configuration options for winlog input. Be careful, this may break the integration.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "# Winlog configuration example\n#batch_read_size: 100"
            }
          ],
          "template_path": "winlog.yml.hbs",
          "title": "Powershell",
          "description": "Windows Powershell channel",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "windows",
      "elasticsearch": {
        "index_template.settings": {
          "analysis": {
            "analyzer": {
              "powershell_script_analyzer": {
                "pattern": "[\\W&&[^-]]+",
                "type": "pattern"
              }
            }
          }
        },
        "ingest_pipeline.name": "default"
      },
      "path": "powershell"
    },
    {
      "type": "logs",
      "dataset": "windows.powershell_operational",
      "title": "Windows Powershell/Operational logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "winlog",
          "vars": [
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original XML event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "event_id",
              "type": "text",
              "title": "Event ID",
              "description": "A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Limited to 22 clauses (fewer in some situations). See the integration documentation for more details.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "4103, 4104, 4105, 4106"
            },
            {
              "name": "ignore_older",
              "type": "text",
              "title": "Ignore events older than",
              "description": "If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "72h"
            },
            {
              "name": "language",
              "type": "text",
              "title": "Language ID",
              "description": "The language ID in which events are rendered. This language is forced regardless of the system language. A complete list of language IDs can be found [here](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c). It defaults to `0`, which means the system language is used. E.g. 0x0409 for en-US.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": 0
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "custom",
              "type": "yaml",
              "title": "Custom Configurations",
              "description": "YAML configuration options for winlog input. Be careful, this may break the integration.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "# Winlog configuration example\n#batch_read_size: 100"
            }
          ],
          "template_path": "winlog.yml.hbs",
          "title": "Powershell Operational",
          "description": "Microsoft-Windows-Powershell/Operational channel",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "windows",
      "elasticsearch": {
        "index_template.settings": {
          "analysis": {
            "analyzer": {
              "powershell_script_analyzer": {
                "pattern": "[\\W&&[^-]]+",
                "type": "pattern"
              }
            }
          }
        },
        "ingest_pipeline.name": "default"
      },
      "path": "powershell_operational"
    },
    {
      "type": "metrics",
      "dataset": "windows.service",
      "title": "Windows service metrics",
      "release": "ga",
      "streams": [
        {
          "input": "windows/metrics",
          "vars": [
            {
              "name": "period",
              "type": "text",
              "title": "Period",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "60s"
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/metricbeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": true
            }
          ],
          "template_path": "stream.yml.hbs",
          "title": "Windows service metrics",
          "description": "Collect Windows service metrics",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "windows",
      "elasticsearch": {},
      "path": "service"
    },
    {
      "type": "logs",
      "dataset": "windows.sysmon_operational",
      "title": "Windows Sysmon/Operational events",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "winlog",
          "vars": [
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original XML event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "event_id",
              "type": "text",
              "title": "Event ID",
              "description": "A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Limited to 22 clauses (fewer in some situations). See the integration documentation for more details.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ignore_older",
              "type": "text",
              "title": "Ignore events older than",
              "description": "If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "72h"
            },
            {
              "name": "language",
              "type": "text",
              "title": "Language ID",
              "description": "The language ID in which events are rendered. This language is forced regardless of the system language. A complete list of language IDs can be found [here](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c). It defaults to `0`, which means the system language is used. E.g. 0x0409 for en-US.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": 0
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "custom",
              "type": "yaml",
              "title": "Custom Configurations",
              "description": "YAML configuration options for winlog input. Be careful, this may break the integration.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "# Winlog configuration example\n#batch_read_size: 100"
            }
          ],
          "template_path": "winlog.yml.hbs",
          "title": "Sysmon Operational",
          "description": "Collect Microsoft-Windows-Sysmon/Operational channel logs",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "windows",
      "path": "sysmon_operational"
    },
    {
      "type": "logs",
      "dataset": "windows.windows_defender",
      "title": "Windows Defender logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "winlog",
          "vars": [
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original XML event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "event_id",
              "type": "text",
              "title": "Event ID",
              "description": "A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Limited to 22 clauses (fewer in some situations). See the integration documentation for more details.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ignore_older",
              "type": "text",
              "title": "Ignore events older than",
              "description": "If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "72h"
            },
            {
              "name": "language",
              "type": "text",
              "title": "Language ID",
              "description": "The language ID in which events are rendered. This language is forced regardless of the system language. A complete list of language IDs can be found [here](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c). It defaults to `0`, which means the system language is used. E.g. 0x0409 for en-US.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": 0
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "custom",
              "type": "yaml",
              "title": "Custom Configurations",
              "description": "YAML configuration options for winlog input. Be careful, this may break the integration.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "# Winlog configuration example\n#batch_read_size: 100"
            }
          ],
          "template_path": "winlog.yml.hbs",
          "title": "Windows Defender",
          "description": "Microsoft-Windows-Windows Defender/Operational channel",
          "enabled": false,
          "ingestion_method": "API"
        }
      ],
      "package": "windows",
      "path": "windows_defender"
    }
  ]
}
