From 5754365c6d1b5dd35c855e6ca4fcb3c8a826bed1 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Wed, 4 Jan 2023 07:42:24 -0500
Subject: [PATCH] Improve default sysmon fields and add new network_connection fields
---
 salt/soc/defaults.yaml | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 87ad5c633..857f245d1 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -496,16 +496,6 @@ soc:
 - event.severity_label
 - log.id.uid
 - network.community_id
- ':sysmon:':
- - soc_timestamp
- - source.ip
- - source.port
- - destination.ip
- - destination.port
- - source.hostname
- - event.dataset
- - process.executable
- - user.name
 ':windows_eventlog:':
 - soc_timestamp
 - user.name
@@ -570,6 +560,24 @@ soc:
 - destination.geo.country_iso_code
 - user.name
 - source.ip
+ ':sysmon:':
+ - soc_timestamp
+ - event.dataset
+ - process.executable
+ - user.name
+ - file.target
+ - dns.query.name
+ - winlog.event_data.TargetObject
+ '::network_connection':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - source.hostname
+ - event.dataset
+ - process.executable
+ - user.name
 '::process_terminated':
 - soc_timestamp
 - process.executable
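Review bot: The new `':sysmon:'` default column set in the second hunk no longer carries a host identifier — the old list had `source.hostname`, which only the moved `'::network_connection'` list keeps — so Sysmon events that fall through to the generic key (presumably process, file, DNS and registry events, judging by `file.target`, `dns.query.name` and `winlog.event_data.TargetObject`) would show no host column by default, which makes triage across a fleet of endpoints harder. If that field is populated for non-network Sysmon events too, add `- source.hostname` directly after `- soc_timestamp` (or whichever host field those datasets actually carry). The list also mixes normalized dotted names with the raw `winlog.event_data.TargetObject`; a short comment such as `# TargetObject is left un-normalized; needed for registry events` would tell the next maintainer the choice is deliberate. The enclosing `soc:` mapping starts and ends outside the hunk.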