sysmon fix by bryant

2026-02-09 00:33:49 +01:00 · 2022-09-19 14:47:45 -04:00
parent 4c2ac9dd93
commit fdffac83e1
3 changed files with 181 additions and 56 deletions
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -656,6 +656,49 @@ soc:
            - destination.geo.country_iso_code
            - user.name
            - source.ip
+          '::process_terminated':
+            - soc_timestamp
+            - process.executable
+            - process.pid
+            - winlog.computer_name
+          '::file_create':
+            - soc_timestamp
+            - file.target
+            - process.executable
+            - process.pid
+            - winlog.computer_name
+          '::registry_value_set':
+            - soc_timestamp
+            - winlog.event_data.TargetObject
+            - process.executable
+            - process.pid
+            - winlog.computer_name
+          '::process_creation':
+            - soc_timestamp
+            - process.command_line
+            - process.pid
+            - process.parent.executable
+            - process.working_directory
+          '::registry_create_delete':
+            - soc_timestamp
+            - winlog.event_data.TargetObject
+            - process.executable
+            - process.pid
+            - winlog.computer_name
+          '::dns_query':
+            - soc_timestamp
+            - dns.query.name
+            - dns.answers.name
+            - process.executable
+            - winlog.computer_name
+          '::file_create_stream_hash':
+            - soc_timestamp
+            - file.target
+            - hash.md5
+            - hash.sha256
+            - process.executable
+            - process.pid
+            - winlog.computer_name
        queryBaseFilter:
        queryToggleFilters:
          - name: caseExcludeToggle
@@ -1373,6 +1416,49 @@ soc:
            - destination.geo.country_iso_code
            - user.name
            - source.ip
+          '::process_terminated': 
+            - soc_timestamp
+            - process.executable
+            - process.pid
+            - winlog.computer_name
+          '::file_create': 
+            - soc_timestamp
+            - file.target
+            - process.executable
+            - process.pid
+            - winlog.computer_name
+          '::registry_value_set': 
+            - soc_timestamp
+            - winlog.event_data.TargetObject
+            - process.executable
+            - process.pid
+            - winlog.computer_name
+          '::process_creation':
+            - soc_timestamp
+            - process.command_line
+            - process.pid
+            - process.parent.executable
+            - process.working_directory
+          '::registry_create_delete':
+            - soc_timestamp
+            - winlog.event_data.TargetObject
+            - process.executable
+            - process.pid
+            - winlog.computer_name
+          '::dns_query':
+            - soc_timestamp
+            - dns.query.name
+            - dns.answers.name
+            - process.executable
+            - winlog.computer_name
+          '::file_create_stream_hash':
+            - soc_timestamp
+            - file.target
+            - hash.md5
+            - hash.sha256
+            - process.executable
+            - process.pid
+            - winlog.computer_name
        queryBaseFilter:
        queryToggleFilters:
          - name: caseExcludeToggle,