From 216d821d286efd4e5a2eaf6b4ae713cfeb65ce3a Mon Sep 17 00:00:00 2001
From: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>
Date: Mon, 8 Aug 2022 10:28:08 +0900
Subject: [PATCH] update profiles

---
 config/default_profile.yaml | 11 +++-------
 config/profiles.yaml | 19 ++++++++++++++-----
 2 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/config/default_profile.yaml b/config/default_profile.yaml
index f8fc4100..394b6546 100644
--- a/config/default_profile.yaml
+++ b/config/default_profile.yaml
@@ -2,14 +2,9 @@
 Timestamp: "%Timestamp%"
 Computer: "%Computer%"
 Channel: "%Channel%"
-Level: "%Level%"
 EventID: "%EventID%"
-MitreAttack: "%MitreTactics%"
-MitreTags: "%MitreTags%"
-OtherTags: "%OtherTags%"
+Level: "%Level%"
+MitreTactics: "%MitreTactics%"
 RecordID: "%RecordID%"
 RuleTitle: "%RuleTitle%"
-Details: "%Details%"
-RecordInformation: "%RecordInformation%"
-RuleFile: "%RuleFile%"
-EvtxFile: "%EvtxFile%"
\ No newline at end of file
+Details: "%Details%"
\ No newline at end of file
diff --git a/config/profiles.yaml b/config/profiles.yaml
index 78348ee2..26bcfa34 100644
--- a/config/profiles.yaml
+++ b/config/profiles.yaml
@@ -1,3 +1,4 @@
+#Standard profile minus MITRE ATT&CK Tactics and Record ID.
 minimal:
   Timestamp: "%Timestamp%"
   Computer: "%Computer%"
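Review bot: The rewritten default profile in config/default_profile.yaml now appears to be key-for-key the same as the `standard` profile in config/profiles.yaml (the `standard` hunk starts at `Channel:`, so its first two keys are not visible here, but every visible key and placeholder matches), yet nothing in either file records that the two must be kept in sync. A comment directly above `Timestamp:` such as `# Keep in sync with the "standard" profile in config/profiles.yaml.` would make the coupling visible to the next person editing either file; line 1 of this file is outside the hunk, so a header comment may already exist there and the note could go in it instead. The new side also still ends without a trailing newline (`\ No newline at end of file` is retained on `+Details:`), which is worth fixing while the file is being rewritten anyway.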
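Review bot: The added comment `#Standard profile minus MITRE ATT&CK Tactics and Record ID.` has no space after `#`, which yamllint's `comments` rule flags; the two profile comments added in the next hunk of config/profiles.yaml have the same issue. Write it as `# Standard profile minus MITRE ATT&CK Tactics and Record ID.` and apply the same spacing to the others so the file lints cleanly.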
@@ -13,32 +14,40 @@ standard:
   Channel: "%Channel%"
   EventID: "%EventID%"
   Level: "%Level%"
-  Tags: "%MitreAttack%"
+  MitreTactics: "%MitreTactics%"
   RecordID: "%RecordID%"
   RuleTitle: "%RuleTitle%"
   Details: "%Details%"
 
-verbose-1:
+#Standard profile plus MitreTags(MITRE techniques, software and groups), rule filename and EVTX filename.
+verbose:
   Timestamp: "%Timestamp%"
   Computer: "%Computer%"
   Channel: "%Channel%"
   EventID: "%EventID%"
   Level: "%Level%"
-  Tags: "%MitreAttack%"
+  MitreTactics: "%MitreTactics%"
+  MitreTags: "%MitreTags%"
+  OtherTags: "%OtherTags%"
   RecordID: "%RecordID%"
   RuleTitle: "%RuleTitle%"
   Details: "%Details%"
   RuleFile: "%RuleFile%"
   EvtxFile: "%EvtxFile%"
 
-verbose-2:
+#Verbose-1 profile plus all field information. (Warning: this will more than double the output file size!)
+verbose-all-field-info:
   Timestamp: "%Timestamp%"
   Computer: "%Computer%"
   Channel: "%Channel%"
   EventID: "%EventID%"
   Level: "%Level%"
-  Tags: "%MitreAttack%"
+  MitreTactics: "%MitreTactics%"
+  MitreTags: "%MitreTags%"
+  OtherTags: "%OtherTags%"
   RecordID: "%RecordID%"
   RuleTitle: "%RuleTitle%"
   Details: "%Details%"
+  RuleFile: "%RuleFile%"
+  EvtxFile: "%EvtxFile%"
   AllFieldInfo: "%RecordInformation%"
\ No newline at end of file
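Review bot: The new comment above `verbose-all-field-info:` still reads `#Verbose-1 profile plus all field information. (Warning: this will more than double the output file size!)`, but this same hunk renames `verbose-1` to `verbose`, so the comment refers to a profile name that no longer exists in the file; change it to `# Verbose profile plus all field information. (Warning: this will more than double the output file size!)`. The comment above `verbose:` lists MitreTags, rule filename and EVTX filename but not the `OtherTags` key that is also added to that profile, so it under-describes what the profile emits. Renaming `verbose-1`/`verbose-2` to `verbose`/`verbose-all-field-info` is presumably user-visible, since these names look like the identifiers a user selects a profile by, and that deserves a mention in the commit message or changelog; I cannot see the consumer from here to confirm how the names are resolved.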