CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Improve default sysmon fields and add new network_connection fields

Browse Source
This commit is contained in:
Doug Burks
2023-01-04 07:42:24 -05:00
committed by GitHub
parent 761fbd0edf
commit 5754365c6d
1 changed files with 18 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
salt/soc/defaults.yaml
View File

@@ -496,16 +496,6 @@ soc:
- event.severity_label - event.severity_label
- log.id.uid - log.id.uid
- network.community_id - network.community_id
':sysmon:':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- source.hostname
- event.dataset
- process.executable
- user.name
':windows_eventlog:': ':windows_eventlog:':
- soc_timestamp - soc_timestamp
- user.name - user.name
@@ -570,6 +560,24 @@ soc:
- destination.geo.country_iso_code - destination.geo.country_iso_code
- user.name - user.name
- source.ip - source.ip
':sysmon:':
- soc_timestamp
- event.dataset
- process.executable
- user.name
- file.target
- dns.query.name
- winlog.event_data.TargetObject
'::network_connection':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- source.hostname
- event.dataset
- process.executable
- user.name
'::process_terminated': '::process_terminated':
- soc_timestamp - soc_timestamp
- process.executable - process.executable