* rule updates-2021-11-26 * adjust trivial change in pull request issue comment Co-authored-by: DustInDark <nextsasasa@gmail.com>
AccessList,Event.EventData.AccessList
AccessMask,Event.EventData.AccessMask
Accesses,Event.EventData.Accesses
AccountName,Event.EventData.AccountName
Account_Name,Event.EventData.Account_Name
AllowedToDelegateTo,Event.EventData.AllowedToDelegateTo
AttributeLDAPDisplayName,Event.EventData.AttributeLDAPDisplayName
AttributeValue,Event.EventData.AttributeValue
AuditPolicyChanges,Event.EventData.AuditPolicyChanges
AuditSourceName,Event.EventData.AuditSourceName
AuthenticationPackageName,Event.EventData.AuthenticationPackageName
CallTrace,Event.EventData.CallTrace
Caller_Process_Name,Event.EventData.Caller_Process_Name
CallingProcessName,Event.EventData.CallingProcessName
Channel,Event.System.Channel
Client_Address,Event.EventData.Client_Address
CommandLine,Event.EventData.CommandLine
Company,Event.EventData.Company
Computer,Event.System.Computer
ComputerName,Event.System.Computer
ContextInfo,Event.EventData.ContextInfo
CurrentDirectory,Event.EventData.CurrentDirectory
Description,Event.EventData.Description
DestPort,Event.EventData.DestPort
Destination,Event.EventData.Destination
DestinationAddress,Event.EventData.DestinationAddress
DestinationHostname,Event.EventData.DestinationHostname
DestinationIp,Event.EventData.DestinationIp
DestinationIsIpv6,Event.EventData.DestinationIsIpv6
DestinationPort,Event.EventData.DestinationPort
Details,Event.EventData.Details
DetectionSource,Event.EventData.DetectionSource
Device,Event.EventData.Device
DeviceClassName,Event.EventData.DeviceClassName
DeviceDescription,Event.EventData.DeviceDescription
DeviceName,Event.EventData.DeviceName
DomainName,Event.EventData.SubjectDomainName
EngineVersion,Event.EventData.EngineVersion
EventID,Event.System.EventID
EventType,Event.EventData.EventType
FailureCode,Event.EventData.FailureCode
FileVersion,Event.EventData.FileVersion
GrantedAccess,Event.EventData.GrantedAccess
GroupName,Event.EventData.GroupName
GroupSid,Event.EventData.GroupSid
Hashes,Event.EventData.Hashes
HiveName,Event.EventData.HiveName
HostApplication,Event.EventData.HostApplication
HostName,Event.EventData.HostName
HostVersion,Event.EventData.HostVersion
Image,Event.EventData.Image
ImageLoaded,Event.EventData.ImageLoaded
ImagePath,Event.EventData.ImagePath
Imphash,Event.EventData.Hashes
Initiated,Event.EventData.Initiated
IntegrityLevel,Event.EventData.IntegrityLevel
IpAddress,Event.EventData.IpAddress
IpPort,Event.EventData.IpPort
JobTitle,Event.EventData.name
KeyLength,Event.EventData.KeyLength
Keywords,Event.System.Keywords
LDAPDisplayName,Event.EventData.LDAPDisplayName
LayerRTID,Event.EventData.LayerRTID
Level,Event.System.Level
LogFileClearedSubjectUserName,Event.UserData.LogFileCleared.SubjectUserName
LogonId,Event.EventData.LogonId
LogonProcessName,Event.EventData.LogonProcessName
LogonType,Event.EventData.LogonType
Logon_Account,Event.EventData.Logon_Account
MachineName,Event.EventData.MachineName
MemberName,Event.EventData.MemberName
MemberSid,Event.EventData.MemberSid
Message,Event.EventData
NewName,Event.EventData.NewName
NewValue,Event.EventData.NewValue
ObjectClass,Event.EventData.ObjectClass
ObjectName,Event.EventData.ObjectName
ObjectServer,Event.EventData.ObjectServer
ObjectType,Event.EventData.ObjectType
ObjectValueName,Event.EventData.ObjectValueName
Origin,Event.EventData.Origin
OriginalFileName,Event.EventData.OriginalFileName
OriginalFilename,Event.EventData.OriginalFileName
ParentCommandLine,Event.EventData.ParentCommandLine
ParentImage,Event.EventData.ParentImage
ParentIntegrityLevel,Event.EventData.ParentIntegrityLevel
ParentProcessName,Event.EventData.ParentProcessName
ParentUser,Event.EventData.ParentUser
PasswordLastSet,Event.EventData.PasswordLastSet
Path,Event.EventData.Path
Payload,Event.EventData.Payload
PipeName,Event.EventData.PipeName
PreAuthType,Event.EventData.PreAuthType
PrivilegeList,Event.EventData.PrivilegeList
ProcessCommandLine,Event.EventData.ProcessCommandLine
ProcessName,Event.EventData.ProcessName
Product,Event.EventData.Product
Properties,Event.EventData.Properties
QNAME,Event.EventData.QNAME
QueryName,Event.EventData.QueryName
QueryResults,Event.EventData.QueryResults
QueryStatus,Event.EventData.QueryStatus
RelativeTargetName,Event.EventData.RelativeTargetName
SAMAccountName,Event.EventData.SamAccountName
ScriptBlockText,Event.EventData.ScriptBlockText
Service,Event.EventData.Service
ServiceFileName,Event.EventData.ServiceFileName
ServiceName,Event.EventData.ServiceName
ServicePrincipalNames,Event.EventData.ServicePrincipalNames
ShareName,Event.EventData.ShareName
SidHistory,Event.EventData.SidHistory
Signature,Event.EventData.Signature
Signed,Event.EventData.Signed
Source,Event.System.Provider_Name
SourceAddress,Event.EventData.SourceAddress
SourceImage,Event.EventData.SourceImage
SourceNetworkAddress,Event.EventData.SourceNetworkAddress
SourcePort,Event.EventData.SourcePort
Source_Network_Address,Event.EventData.Source_Network_Address
Source_WorkStation,Event.EventData.Source_WorkStation
StartFunction,Event.EventData.StartFunction
StartModule,Event.EventData.StartModule
Status,Event.EventData.Status
SubStatus,Event.EventData.SubStatus
SubjectDomainName,Event.EventData.SubjectDomainName
SubjectLogonId,Event.EventData.SubjectLogonId
SubjectUserName,Event.EventData.SubjectUserName
SubjectUserSid,Event.EventData.SubjectUserSid
TargetDomainName,Event.EventData.TargetDomainName
TargetFilename,Event.EventData.TargetFilename
TargetImage,Event.EventData.TargetImage
TargetLogonId,Event.EventData.TargetLogonId
TargetName,Event.EventData.TargetServerName
TargetObject,Event.EventData.TargetObject
TargetProcessAddress,Event.EventData.TargetProcessAddress
TargetSid,Event.EventData.TargetSid
TargetUserName,Event.EventData.TargetUserName
TaskName,Event.EventData.TaskName
TicketEncryptionType,Event.EventData.TicketEncryptionType
TicketOptions,Event.EventData.TicketOptions
Url,Event.EventData.url
User,Event.EventData.User
UserName,Event.EventData.UserName
Workstation,Event.EventData.Workstation
WorkstationName,Event.EventData.WorkstationName
keywords,Event.System.Keywords
param1,Event.EventData.param1
param2,Event.EventData.param2
service,Event.EventData.Service