trinitor/DetectionLab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
086df6f53424cd47addc2bcdd2685e96a3b56c09
DetectionLab/Vagrant/resources/splunk_server/sysmon_ta_props.conf
Chris Long 34889a8bb6 Many Splunk fixes, add sponsors list to README
2020-08-06 23:50:10 -07:00

67 lines
5.3 KiB
Plaintext
Raw Blame History

##Below fields extractions have been moved from [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
[source::XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
#SEDCMD-pwd_rule1 = s/ -pw ([^\s\<])+/ -pw ***MASK***/g
REPORT-sysmon = sysmon-eventid,sysmon-version,sysmon-level,sysmon-task,sysmon-opcode,sysmon-keywords,sysmon-created,sysmon-record,sysmon-correlation,sysmon-channel,sysmon-computer,sysmon-sid,sysmon-data,sysmon-md5,sysmon-sha1,sysmon-sha256,sysmon-imphash,sysmon-hashes,sysmon-filename,sysmon-registry,sysmon-dns-record-data,sysmon-dns-ip-data
FIELDALIAS-src_ip = SourceIp AS src_ip
FIELDALIAS-src_host = SourceHostname AS src_host
EVAL-src = if(isnotnull(SourceHostname),SourceHostname,SourceIp)
FIELDALIAS-src_port = SourcePort AS src_port
FIELDALIAS-app = Image AS app
FIELDALIAS-dest_ip = DestinationIp AS dest_ip
FIELDALIAS-dest_host = DestinationHostname AS dest_host
EVAL-dest = case(EventCode=="3" AND isnotnull(DestinationHostname),DestinationHostname,EventCode=="3",DestinationIp,EventCode=="1" OR EventCode == "11" OR EventCode == "12" OR EventCode == "13" OR EventCode == "14", Computer)
FIELDALIAS-dest_port = DestinationPort AS dest_port
EVAL-direction = if(Initiated=="true","outbound","inbound")
FIELDALIAS-dvc = Computer AS dvc
FIELDALIAS-transport = Protocol AS transport
EVAL-protocol = if(Initiated=="true",DestinationPortName,SourcePortName)
FIELDALIAS-session_id = ProcessGuid AS session_id
EVAL-vendor_product = "Microsoft Sysmon"
FIELDALIAS-cmdline = CommandLine AS cmdline
#Common fieldnames for Registry, Process, FileSystem Node in Endpoint Datamodel
EVAL-action = case(EventCode=="1","allowed",EventCode=="12" AND EventType=="CreateKey","created",EventCode=="12" AND (EventType=="DeleteKey" OR EventType=="DeleteValue") ,"deleted",EventCode=="13" AND EventType=="SetValue","modified",EventCode=="11" AND EventDescription=="File Created","created")
#Ports Node
EVAL-creation_time = case(EventCode=="3",UtcTime)
EVAL-state = case(EventCode=="3", "listening")
#Processes Node
EVAL-parent_process_exec = case(EventCode=="1" OR EventCode=="2" OR EventCode=="3" OR EventCode=="5" OR EventCode=="7" OR EventCode=="9" OR EventCode=="11" OR EventCode=="12" OR EventCode=="13" OR EventCode=="14" OR EventCode=="15" OR EventCode=="17" OR EventCode=="18", replace(ParentImage,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)",""),1==1,"")
FIELDALIAS-parent_process_id = ParentProcessId AS parent_process_id
FIELDALIAS-parent_process_guid = ParentProcessGuid AS parent_process_guid
FIELDALIAS-parent_process_path = ParentImage AS parent_process_path
FIELDALIAS-process_current_directory = CurrentDirectory AS process_current_directory
EVAL-process_exec = case(EventCode=="1" OR EventCode=="2" OR EventCode=="3" OR EventCode=="5" OR EventCode=="7" OR EventCode=="9" OR EventCode=="11" OR EventCode=="12" OR EventCode=="13" OR EventCode=="14" OR EventCode=="15" OR EventCode=="17" OR EventCode=="18" OR EventCode="22", replace(Image,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)",""),EventCode=="6","System",EventCode=="8" OR EventCode=="10",replace(SourceImage,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)",""),1==1,"")
FIELDALIAS-process_hash = Hashes AS process_hash
FIELDALIAS-process_guid = ProcessGuid AS process_guid
FIELDALIAS-process_id = ProcessId AS process_id
FIELDALIAS-process_integrity_level = IntegrityLevel AS process_integrity_level
FIELDALIAS-process_path = Image AS process_path
FIELDALIAS-user_id = UserID AS user_id
REPORT-user_for_sysmon = User_as_user
FIELDALIAS-parent_process = ParentCommandLine AS parent_process
EVAL-parent_process_name = case(EventCode=="1" OR EventCode=="2" OR EventCode=="3" OR EventCode=="5" OR EventCode=="7" OR EventCode=="9" OR EventCode=="11" OR EventCode=="12" OR EventCode=="13" OR EventCode=="14" OR EventCode=="15" OR EventCode=="17" OR EventCode=="18", replace(ParentImage,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)",""),1==1,"")
FIELDALIAS-process = CommandLine AS process
EVAL-process_name = case(EventCode=="1" OR EventCode=="2" OR EventCode=="3" OR EventCode=="5" OR EventCode=="7" OR EventCode=="9" OR EventCode=="11" OR EventCode=="12" OR EventCode=="13" OR EventCode=="14" OR EventCode=="15" OR EventCode=="17" OR EventCode=="18" OR EventCode="22", replace(Image,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)",""),EventCode=="6","System",EventCode=="8" OR EventCode=="10",replace(SourceImage,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)",""),1==1,"")
#Filesystem Node
FIELDALIAS-file_path = TargetFilename AS file_path
FIELDALIAS-file_create_time = CreationUtcTime AS file_create_time
#Fields for ChangeAnalysis DM (old field names)
EVAL-object_category = case(EventCode=="11" OR EventCode=="2", "file", EventCode=="12" OR EventCode=="13" OR EventCode="14", "registry", EventCode=="19" OR EventCode=="20" OR EventCode="21", "wmi")
EVAL-object_path = case(EventCode=="12" OR EventCode=="13", TargetObject, EventCode=="14", NewName)
LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature
FIELDALIAS-signature_id = EventCode AS signature_id
FIELDALIAS-eventid = EventCode AS EventID
#Registry Node
EVAL-registry_path = case(EventCode=="12" OR EventCode=="13" OR EventCode=="14", TargetObject)
EVAL-registry_value_name = case(EventCode=="13", Details)
EVAL-registry_key_name = case(EventCode=="12" OR EventCode=="13" OR EventCode=="14",replace(TargetObject,".+\\\\",""))
#DNS Node
FIELDALIAS-query = QueryName AS query
FIELDALIAS-replycode = QueryStatus AS reply_code_id
Reference in New Issue View Git Blame Copy Permalink