Imphash mappings

Josh Brower
2024-02-22 08:59:33 -05:00
parent 0a9022ba6a
commit c886e72793


@@ -16,12 +16,14 @@ transformations:
src_port: source.port
dst_ip: destination.ip.keyword
dst_port: destination.port
winlog.event_data.User: user.name
- id: hashes_process-creation
type: field_name_mapping
mapping:
winlog.event_data.sha256: process.hash.sha256
winlog.event_data.sha1: process.hash.sha1
winlog.event_data.md5: process.hash.md5
winlog.event_data.Imphash: process.pe.imphash
rule_conditions:
- type: logsource
product: windows
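Review bot: The new `winlog.event_data.Imphash` key in the `hashes_process-creation` mapping is capitalised, while its siblings `winlog.event_data.sha256`, `sha1` and `md5` are lower-case. As far as I know `field_name_mapping` matches the source name exactly, so please confirm this is the casing the field carries when this transformation runs. If it is not, the entry never fires, converted rules query a field that is never populated, and the detections fail silently. The same check applies to the `winlog.event_data.Imphash: dll.pe.imphash` lines in the two later hunks. Rules that express the import hash through a combined `Hashes` value are presumably not covered by these per-field entries unless another transformation outside the visible hunks handles them. A one-line comment above the entry would help, for example `# Imphash goes to *.pe.imphash, not *.hash.*; it is an import-table hash, not a file content hash`.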
@@ -32,6 +34,7 @@ transformations:
winlog.event_data.sha256: dll.hash.sha256
winlog.event_data.sha1: dll.hash.sha1
winlog.event_data.md5: dll.hash.md5
winlog.event_data.Imphash: dll.pe.imphash
rule_conditions:
- type: logsource
product: windows
@@ -42,6 +45,7 @@ transformations:
winlog.event_data.sha256: dll.hash.sha256
winlog.event_data.sha1: dll.hash.sha1
winlog.event_data.md5: dll.hash.md5
winlog.event_data.Imphash: dll.pe.imphash
rule_conditions:
- type: logsource
product: windows