From e3d32c7871253a39dc5ea76c3da9f4f7ec57023e Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Wed, 4 Jan 2023 07:38:18 -0500
Subject: [PATCH] Improve default sysmon fields and add new network_connection fields
---
 salt/soc/files/soc/hunt.eventfields.json | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json
index 9c0c9b114..12800cf25 100644
--- a/salt/soc/files/soc/hunt.eventfields.json
+++ b/salt/soc/files/soc/hunt.eventfields.json
@@ -42,7 +42,6 @@
 ":ossec:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "rule.name", "rule.level", "rule.category", "process.name", "user.name", "user.escalated", "location" ],
 ":strelka:file": ["soc_timestamp", "file.name", "file.size", "hash.md5", "file.source", "file.mime_type", "log.id.fuid" ],
 ":suricata:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "rule.name", "rule.category", "event.severity_label", "log.id.uid", "network.community_id" ],
- ":sysmon:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "source.hostname", "event.dataset", "process.executable", "user.name" ],
 ":windows_eventlog:": ["soc_timestamp", "user.name" ],
 ":elasticsearch:": ["soc_timestamp", "agent.name", "message", "log.level", "metadata.version", "metadata.pipeline", "event.dataset" ],
 ":kibana:": ["soc_timestamp", "host.name", "message", "kibana.log.meta.req.headers.x-real-ip", "event.dataset" ],
@@ -52,7 +51,9 @@
 ":syslog:syslog": ["soc_timestamp", "host.name", "metadata.ip_address", "real_message", "syslog.priority", "syslog.application" ],
 ":aws:": ["soc_timestamp", "aws.cloudtrail.event_category", "aws.cloudtrail.event_type", "event.provider", "event.action", "event.outcome", "cloud.region", "user.name", "source.ip", "source.geo.region_iso_code" ],
 ":squid:": ["soc_timestamp", "url.original", "destination.ip", "destination.geo.country_iso_code", "user.name", "source.ip" ],
- "::process_terminated": ["soc_timestamp", "process.executable", "process.pid", "winlog.computer_name"],
+ ":sysmon:": ["soc_timestamp", "event.dataset", "process.executable", "user.name", "file.target", "dns.query.name", "winlog.event_data.TargetObject" ],
+ "::network_connection": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "source.hostname", "event.dataset", "process.executable", "user.name" ],
+ "::process_terminated": ["soc_timestamp", "process.executable", "process.pid", "winlog.computer_name"],
 "::file_create": ["soc_timestamp", "file.target", "process.executable", "process.pid", "winlog.computer_name"],
 "::registry_value_set": ["soc_timestamp", "winlog.event_data.TargetObject", "process.executable", "process.pid", "winlog.computer_name"],
 "::process_creation": ["soc_timestamp","process.command_line", "process.pid", "process.parent.executable", "process.working_directory"],
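Review bot: The two added entries close with `" ],` while the re-added `"::process_terminated"` line directly beneath them and the `::file_create` / `::registry_value_set` context lines close with `"],`, so the hunk leaves neighbouring dataset keys in two bracket styles; dropping the space before `]` on the `:sysmon:` and `::network_connection` lines would match the entries around them. Separately, `"::network_connection"` carries no module segment, and if keys here are matched as category:module:dataset (inferred from neighbours such as `:strelka:file` and `::process_terminated`, not shown in this hunk), any other source that emits a `network_connection` dataset would inherit these sysmon-oriented columns; if that is not intended, a module-qualified key in the style of `:strelka:file` (constructed example: `:sysmon:network_connection`) would scope it. The new catch-all `:sysmon:` list mixes columns such as `file.target`, `dns.query.name` and `winlog.event_data.TargetObject` that appear to belong to specific event types, so most rows in that default view will presumably show them empty; since JSON has no comment syntax, the rationale for choosing these as the default belongs in the commit description.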