CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

update sysmon ingest parser and Sysmon File dashboard

Browse Source
This commit is contained in:
doug
2023-01-03 09:02:17 -05:00
parent 8d797ad9df
commit 4e5d1d587e
2 changed files with 110 additions and 73 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
salt/elasticsearch/files/ingest/sysmon
View File

@@ -4,14 +4,39 @@
{ "set": { "field": "event.code", "value": "{{winlog.event_id}}", "override": true } }, { "set": { "field": "event.code", "value": "{{winlog.event_id}}", "override": true } },
{ "set": { "field": "event.module", "value": "sysmon", "override": true } }, { "set": { "field": "event.module", "value": "sysmon", "override": true } },
{ "set": { "if": "ctx.winlog?.computer_name != null", "field": "observer.name", "value": "{{winlog.computer_name}}", "override": true } }, { "set": { "if": "ctx.winlog?.computer_name != null", "field": "observer.name", "value": "{{winlog.computer_name}}", "override": true } },
{ "set": { "if": "ctx.event?.code == '3'", "field": "event.category", "value": "host,process,network", "override": true } },
{ "set": { "if": "ctx.event?.code == '1'", "field": "event.category", "value": "host,process", "override": true } }, { "set": { "if": "ctx.event?.code == '1'", "field": "event.category", "value": "host,process", "override": true } },
{ "set": { "if": "ctx.event?.code == '2'", "field": "event.category", "value": "host,file", "override": true } },
{ "set": { "if": "ctx.event?.code == '3'", "field": "event.category", "value": "host,process,network", "override": true } },
{ "set": { "if": "ctx.event?.code == '4'", "field": "event.category", "value": "host", "override": true } },
{ "set": { "if": "ctx.event?.code == '5'", "field": "event.category", "value": "host,process", "override": true } }, { "set": { "if": "ctx.event?.code == '5'", "field": "event.category", "value": "host,process", "override": true } },
{ "set": { "if": "ctx.event?.code == '6'", "field": "event.category", "value": "host,driver", "override": true } }, { "set": { "if": "ctx.event?.code == '6'", "field": "event.category", "value": "host,driver", "override": true } },
{ "set": { "if": "ctx.event?.code == '7'", "field": "event.category", "value": "host,process", "override": true } },
{ "set": { "if": "ctx.event?.code == '8'", "field": "event.category", "value": "host,process", "override": true } },
{ "set": { "if": "ctx.event?.code == '9'", "field": "event.category", "value": "host,file", "override": true } },
{ "set": { "if": "ctx.event?.code == '10'", "field": "event.category", "value": "host,process", "override": true } },
{ "set": { "if": "ctx.event?.code == '11'", "field": "event.category", "value": "host,file", "override": true } },
{ "set": { "if": "ctx.event?.code == '12'", "field": "event.category", "value": "host,registry", "override": true } },
{ "set": { "if": "ctx.event?.code == '13'", "field": "event.category", "value": "host,registry", "override": true } },
{ "set": { "if": "ctx.event?.code == '14'", "field": "event.category", "value": "host,registry", "override": true } },
{ "set": { "if": "ctx.event?.code == '15'", "field": "event.category", "value": "host,file", "override": true } },
{ "set": { "if": "ctx.event?.code == '16'", "field": "event.category", "value": "host", "override": true } },
{ "set": { "if": "ctx.event?.code == '17'", "field": "event.category", "value": "host,pipe", "override": true } },
{ "set": { "if": "ctx.event?.code == '18'", "field": "event.category", "value": "host,pipe", "override": true } },
{ "set": { "if": "ctx.event?.code == '19'", "field": "event.category", "value": "host,wmi", "override": true } },
{ "set": { "if": "ctx.event?.code == '20'", "field": "event.category", "value": "host,wmi", "override": true } },
{ "set": { "if": "ctx.event?.code == '21'", "field": "event.category", "value": "host,wmi", "override": true } },
{ "set": { "if": "ctx.event?.code == '22'", "field": "event.category", "value": "network", "override": true } }, { "set": { "if": "ctx.event?.code == '22'", "field": "event.category", "value": "network", "override": true } },
{ "set": { "if": "ctx.event?.code == '23'", "field": "event.category", "value": "host,file", "override": true } },
{ "set": { "if": "ctx.event?.code == '24'", "field": "event.category", "value": "host,clipboard", "override": true } },
{ "set": { "if": "ctx.event?.code == '25'", "field": "event.category", "value": "host,process", "override": true } },
{ "set": { "if": "ctx.event?.code == '26'", "field": "event.category", "value": "host,file", "override": true } },
{ "set": { "if": "ctx.event?.code == '27'", "field": "event.category", "value": "host,file", "override": true } },
{ "set": { "if": "ctx.event?.code == '28'", "field": "event.category", "value": "host,file", "override": true } },
{ "set": { "if": "ctx.event?.code == '255'", "field": "event.category", "value": "host", "override": true } },
{ "set": { "if": "ctx.event?.code == '1'", "field": "event.dataset", "value": "process_creation", "override": true } }, { "set": { "if": "ctx.event?.code == '1'", "field": "event.dataset", "value": "process_creation", "override": true } },
{ "set": { "if": "ctx.event?.code == '2'", "field": "event.dataset", "value": "process_changed_file", "override": true } }, { "set": { "if": "ctx.event?.code == '2'", "field": "event.dataset", "value": "process_changed_file", "override": true } },
{ "set": { "if": "ctx.event?.code == '3'", "field": "event.dataset", "value": "network_connection", "override": true } }, { "set": { "if": "ctx.event?.code == '3'", "field": "event.dataset", "value": "network_connection", "override": true } },
{ "set": { "if": "ctx.event?.code == '4'", "field": "event.dataset", "value": "service_state_changed", "override": true } },
{ "set": { "if": "ctx.event?.code == '5'", "field": "event.dataset", "value": "process_terminated", "override": true } }, { "set": { "if": "ctx.event?.code == '5'", "field": "event.dataset", "value": "process_terminated", "override": true } },
{ "set": { "if": "ctx.event?.code == '6'", "field": "event.dataset", "value": "driver_loaded", "override": true } }, { "set": { "if": "ctx.event?.code == '6'", "field": "event.dataset", "value": "driver_loaded", "override": true } },
{ "set": { "if": "ctx.event?.code == '7'", "field": "event.dataset", "value": "image_loaded", "override": true } }, { "set": { "if": "ctx.event?.code == '7'", "field": "event.dataset", "value": "image_loaded", "override": true } },
@@ -24,7 +49,19 @@
{ "set": { "if": "ctx.event?.code == '14'", "field": "event.dataset", "value": "registry_key_value_rename", "override": true } }, { "set": { "if": "ctx.event?.code == '14'", "field": "event.dataset", "value": "registry_key_value_rename", "override": true } },
{ "set": { "if": "ctx.event?.code == '15'", "field": "event.dataset", "value": "file_create_stream_hash", "override": true } }, { "set": { "if": "ctx.event?.code == '15'", "field": "event.dataset", "value": "file_create_stream_hash", "override": true } },
{ "set": { "if": "ctx.event?.code == '16'", "field": "event.dataset", "value": "config_change", "override": true } }, { "set": { "if": "ctx.event?.code == '16'", "field": "event.dataset", "value": "config_change", "override": true } },
{ "set": { "if": "ctx.event?.code == '17'", "field": "event.dataset", "value": "pipe_created", "override": true } },
{ "set": { "if": "ctx.event?.code == '18'", "field": "event.dataset", "value": "pipe_connected", "override": true } },
{ "set": { "if": "ctx.event?.code == '19'", "field": "event.dataset", "value": "wmi_event_filter", "override": true } },
{ "set": { "if": "ctx.event?.code == '20'", "field": "event.dataset", "value": "wmi_event_consumer", "override": true } },
{ "set": { "if": "ctx.event?.code == '21'", "field": "event.dataset", "value": "wmi_event_consumer_to_filter","override": true } },
{ "set": { "if": "ctx.event?.code == '22'", "field": "event.dataset", "value": "dns_query", "override": true } }, { "set": { "if": "ctx.event?.code == '22'", "field": "event.dataset", "value": "dns_query", "override": true } },
{ "set": { "if": "ctx.event?.code == '23'", "field": "event.dataset", "value": "file_delete_archived", "override": true } },
{ "set": { "if": "ctx.event?.code == '24'", "field": "event.dataset", "value": "clipboard_change", "override": true } },
{ "set": { "if": "ctx.event?.code == '25'", "field": "event.dataset", "value": "process_tampering", "override": true } },
{ "set": { "if": "ctx.event?.code == '26'", "field": "event.dataset", "value": "file_delete", "override": true } },
{ "set": { "if": "ctx.event?.code == '27'", "field": "event.dataset", "value": "file_block_executable", "override": true } },
{ "set": { "if": "ctx.event?.code == '28'", "field": "event.dataset", "value": "file_block_shredding", "override": true } },
{ "set": { "if": "ctx.event?.code == '255'", "field": "event.dataset", "value": "error", "override": true } },
{ "kv": { "field": "winlog.event_data.Hashes", "target_field": "file.hash", "field_split": ",", "value_split": "=", "ignore_missing": true } }, { "kv": { "field": "winlog.event_data.Hashes", "target_field": "file.hash", "field_split": ",", "value_split": "=", "ignore_missing": true } },
{ "kv": { "field": "winlog.event_data.Hash", "target_field": "file.hash", "field_split": ",", "value_split": "=", "ignore_missing": true } }, { "kv": { "field": "winlog.event_data.Hash", "target_field": "file.hash", "field_split": ",", "value_split": "=", "ignore_missing": true } },
{ "rename": { "field": "file.hash.IMPHASH", "target_field": "hash.imphash", "ignore_missing": true } }, { "rename": { "field": "file.hash.IMPHASH", "target_field": "hash.imphash", "ignore_missing": true } },

2
salt/soc/defaults.yaml
View File

@@ -1401,7 +1401,7 @@ soc:
query: '(event.dataset:process_creation OR event.dataset:process_terminated OR event.dataset:process_access) | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby user.name | groupby event.dataset | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable' query: '(event.dataset:process_creation OR event.dataset:process_terminated OR event.dataset:process_access) | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby user.name | groupby event.dataset | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable'
- name: Sysmon File - name: Sysmon File
description: File activity captured by Sysmon description: File activity captured by Sysmon
query: '(event.dataset:file_create OR event.dataset:file_create_stream_hash OR event.dataset:process_changed_file) | groupby -sankey winlog.computer_name process.executable | groupby winlog.computer_name | groupby event.dataset | groupby file.target | groupby process.executable' query: 'event.module:sysmon AND event.dataset:file_* | groupby -sankey winlog.computer_name process.executable | groupby winlog.computer_name | groupby event.dataset | groupby file.target | groupby process.executable'
- name: Sysmon Network - name: Sysmon Network
description: Network activity captured by Sysmon description: Network activity captured by Sysmon
query: 'event.dataset:network_connection | groupby -sankey winlog.computer_name destination.ip destination.port | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' query: 'event.dataset:network_connection | groupby -sankey winlog.computer_name destination.ip destination.port | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'