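---
# Output profiles: each top-level key names a profile, and each entry under it
# maps an output column header to a "%Field%" placeholder.
#
# minimal: the standard profile minus Record ID. The standard profile defined
# below has no MITRE ATT&CK tactics column, so RecordID is the only field dropped.
minimal:
  Timestamp: "%Timestamp%"
  Computer: "%Computer%"
  Channel: "%Channel%"
  EventID: "%EventID%"
  Level: "%Level%"
  RuleTitle: "%RuleTitle%"
  Details: "%Details%"
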
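# standard: the default column set. Same columns as minimal plus RecordID
# (placed before RuleTitle); no MITRE or file-origin columns.
standard:
  Timestamp: "%Timestamp%"
  Computer: "%Computer%"
  Channel: "%Channel%"
  EventID: "%EventID%"
  Level: "%Level%"
  RecordID: "%RecordID%"
  RuleTitle: "%RuleTitle%"
  Details: "%Details%"
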
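# verbose: the standard profile plus MitreTactics, MitreTags (MITRE techniques,
# software and groups), OtherTags, the rule filename and the EVTX filename.
verbose:
  Timestamp: "%Timestamp%"
  Computer: "%Computer%"
  Channel: "%Channel%"
  EventID: "%EventID%"
  Level: "%Level%"
  MitreTactics: "%MitreTactics%"
  MitreTags: "%MitreTags%"
  OtherTags: "%OtherTags%"
  RecordID: "%RecordID%"
  RuleTitle: "%RuleTitle%"
  Details: "%Details%"
  RuleFile: "%RuleFile%"
  EvtxFile: "%EvtxFile%"
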
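# all-field-info: the verbose profile with the full record field information
# (AllFieldInfo) instead of the minimal fields defined in the Details field.
# Compared with verbose, this profile also has no MitreTactics, MitreTags or
# OtherTags columns.
all-field-info:
  Timestamp: "%Timestamp%"
  Computer: "%Computer%"
  Channel: "%Channel%"
  EventID: "%EventID%"
  Level: "%Level%"
  RecordID: "%RecordID%"
  RuleTitle: "%RuleTitle%"
  # NOTE(review): presumably the raw field content of the matched record;
  # treat it as untrusted text when the CSV is opened in a spreadsheet or
  # imported into another tool.
  AllFieldInfo: "%RecordInformation%"
  RuleFile: "%RuleFile%"
  EvtxFile: "%EvtxFile%"
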
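# all-field-info-verbose: the verbose profile with all field information
# (AllFieldInfo) in place of Details, keeping the MitreTactics, MitreTags and
# OtherTags columns.
all-field-info-verbose:
  Timestamp: "%Timestamp%"
  Computer: "%Computer%"
  Channel: "%Channel%"
  EventID: "%EventID%"
  Level: "%Level%"
  MitreTactics: "%MitreTactics%"
  MitreTags: "%MitreTags%"
  OtherTags: "%OtherTags%"
  RecordID: "%RecordID%"
  RuleTitle: "%RuleTitle%"
  AllFieldInfo: "%RecordInformation%"
  RuleFile: "%RuleFile%"
  EvtxFile: "%EvtxFile%"
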
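# super-verbose: the verbose profile plus all field information (AllFieldInfo)
# appended as the last column, so both Details and AllFieldInfo are written.
# Warning: this will more than double the output file size!
super-verbose:
  Timestamp: "%Timestamp%"
  Computer: "%Computer%"
  Channel: "%Channel%"
  EventID: "%EventID%"
  Level: "%Level%"
  MitreTactics: "%MitreTactics%"
  MitreTags: "%MitreTags%"
  OtherTags: "%OtherTags%"
  RecordID: "%RecordID%"
  RuleTitle: "%RuleTitle%"
  Details: "%Details%"
  RuleFile: "%RuleFile%"
  EvtxFile: "%EvtxFile%"
  AllFieldInfo: "%RecordInformation%"
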
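# timesketch-minimal: CSV columns laid out for import into Timesketch. The first
# three columns (datetime, timestamp_desc, message) are the names Timesketch
# expects; timestamp_desc is the fixed literal "hayabusa" rather than a field.
timesketch-minimal:
  datetime: "%Timestamp%"
  timestamp_desc: "hayabusa"
  message: "%RuleTitle%"
  Computer: "%Computer%"
  Channel: "%Channel%"
  EventID: "%EventID%"
  Level: "%Level%"
  MitreTactics: "%MitreTactics%"
  MitreTags: "%MitreTags%"
  OtherTags: "%OtherTags%"
  RecordID: "%RecordID%"
  Details: "%Details%"
  RuleFile: "%RuleFile%"
  EvtxFile: "%EvtxFile%"
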
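# timesketch-verbose: same Timesketch-compatible layout as timesketch-minimal
# (datetime, timestamp_desc, message first), with AllFieldInfo appended as the
# last column.
timesketch-verbose:
  datetime: "%Timestamp%"
  timestamp_desc: "hayabusa"
  message: "%RuleTitle%"
  Computer: "%Computer%"
  Channel: "%Channel%"
  EventID: "%EventID%"
  Level: "%Level%"
  MitreTactics: "%MitreTactics%"
  MitreTags: "%MitreTags%"
  OtherTags: "%OtherTags%"
  RecordID: "%RecordID%"
  Details: "%Details%"
  RuleFile: "%RuleFile%"
  EvtxFile: "%EvtxFile%"
  AllFieldInfo: "%RecordInformation%"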