CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #9510 from Security-Onion-Solutions/fix/sysmon-fields-2.3

Browse Source 
Improve default sysmon fields and add new network_connection fields
This commit is contained in:
Doug Burks
2023-01-04 07:58:04 -05:00
committed by GitHub
parent 20d6ce1ce9 e3d32c7871
commit 08a5a9ab31
1 changed files with 3 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
salt/soc/files/soc/hunt.eventfields.json
View File

@@ -42,7 +42,6 @@
":ossec:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "rule.name", "rule.level", "rule.category", "process.name", "user.name", "user.escalated", "location" ], ":ossec:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "rule.name", "rule.level", "rule.category", "process.name", "user.name", "user.escalated", "location" ],
":strelka:file": ["soc_timestamp", "file.name", "file.size", "hash.md5", "file.source", "file.mime_type", "log.id.fuid" ], ":strelka:file": ["soc_timestamp", "file.name", "file.size", "hash.md5", "file.source", "file.mime_type", "log.id.fuid" ],
":suricata:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "rule.name", "rule.category", "event.severity_label", "log.id.uid", "network.community_id" ], ":suricata:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "rule.name", "rule.category", "event.severity_label", "log.id.uid", "network.community_id" ],
":sysmon:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "source.hostname", "event.dataset", "process.executable", "user.name" ],
":windows_eventlog:": ["soc_timestamp", "user.name" ], ":windows_eventlog:": ["soc_timestamp", "user.name" ],
":elasticsearch:": ["soc_timestamp", "agent.name", "message", "log.level", "metadata.version", "metadata.pipeline", "event.dataset" ], ":elasticsearch:": ["soc_timestamp", "agent.name", "message", "log.level", "metadata.version", "metadata.pipeline", "event.dataset" ],
":kibana:": ["soc_timestamp", "host.name", "message", "kibana.log.meta.req.headers.x-real-ip", "event.dataset" ], ":kibana:": ["soc_timestamp", "host.name", "message", "kibana.log.meta.req.headers.x-real-ip", "event.dataset" ],
@@ -52,6 +51,8 @@
":syslog:syslog": ["soc_timestamp", "host.name", "metadata.ip_address", "real_message", "syslog.priority", "syslog.application" ], ":syslog:syslog": ["soc_timestamp", "host.name", "metadata.ip_address", "real_message", "syslog.priority", "syslog.application" ],
":aws:": ["soc_timestamp", "aws.cloudtrail.event_category", "aws.cloudtrail.event_type", "event.provider", "event.action", "event.outcome", "cloud.region", "user.name", "source.ip", "source.geo.region_iso_code" ], ":aws:": ["soc_timestamp", "aws.cloudtrail.event_category", "aws.cloudtrail.event_type", "event.provider", "event.action", "event.outcome", "cloud.region", "user.name", "source.ip", "source.geo.region_iso_code" ],
":squid:": ["soc_timestamp", "url.original", "destination.ip", "destination.geo.country_iso_code", "user.name", "source.ip" ], ":squid:": ["soc_timestamp", "url.original", "destination.ip", "destination.geo.country_iso_code", "user.name", "source.ip" ],
":sysmon:": ["soc_timestamp", "event.dataset", "process.executable", "user.name", "file.target", "dns.query.name", "winlog.event_data.TargetObject" ],
"::network_connection": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "source.hostname", "event.dataset", "process.executable", "user.name" ],
"::process_terminated": ["soc_timestamp", "process.executable", "process.pid", "winlog.computer_name"], "::process_terminated": ["soc_timestamp", "process.executable", "process.pid", "winlog.computer_name"],
"::file_create": ["soc_timestamp", "file.target", "process.executable", "process.pid", "winlog.computer_name"], "::file_create": ["soc_timestamp", "file.target", "process.executable", "process.pid", "winlog.computer_name"],
"::registry_value_set": ["soc_timestamp", "winlog.event_data.TargetObject", "process.executable", "process.pid", "winlog.computer_name"], "::registry_value_set": ["soc_timestamp", "winlog.event_data.TargetObject", "process.executable", "process.pid", "winlog.computer_name"],