CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-07 01:32:47 +01:00
Code Issues Packages Projects Releases Wiki Activity

sysmon fix by bryant

Browse Source
This commit is contained in:
doug
2022-09-19 14:47:45 -04:00
parent 4c2ac9dd93
commit fdffac83e1
3 changed files with 181 additions and 56 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
salt/elasticsearch/files/ingest/sysmon
View File

@@ -25,6 +25,11 @@
{ "set": { "if": "ctx.event?.code == '15'", "field": "event.dataset", "value": "file_create_stream_hash", "override": true } },
{ "set": { "if": "ctx.event?.code == '16'", "field": "event.dataset", "value": "config_change", "override": true } },
{ "set": { "if": "ctx.event?.code == '22'", "field": "event.dataset", "value": "dns_query", "override": true } },
{ "kv": {"field": "winlog.event_data.Hashes", "target_field": "file.hash", "field_split": ",", "value_split": "=", "ignore_missing": true } },
{ "kv": {"field": "winlog.event_data.Hash", "target_field": "file.hash", "field_split": ",", "value_split": "=", "ignore_missing": true } },
{ "rename": { "field": "file.hash.IMPHASH", "target_field": "hash.imphash", "ignore_missing":true } },
{ "rename": { "field": "file.hash.MD5", "target_field": "hash.md5", "ignore_missing":true } },
{ "rename": { "field": "file.hash.SHA256", "target_field": "hash.sha256", "ignore_missing":true } },
{ "rename": { "field": "winlog.event_data.SubjectUserName", "target_field": "user.name", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.DestinationHostname", "target_field": "destination.hostname", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.DestinationIp", "target_field": "destination.ip", "ignore_missing": true } },
@@ -64,6 +69,10 @@
{ "rename": { "field": "winlog.event_data.SourcePort", "target_field": "source.port", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.targetFilename", "target_field": "file.target", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.TargetFilename", "target_field": "file.target", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.QueryResults", "target_field": "dns.answers.name", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.QueryName", "target_field": "dns.query.name", "ignore_missing": true } },
{ "remove": { "field": "winlog.event_data.Hash", "ignore_missing": true } },
{ "remove": { "field": "winlog.event_data.Hashes", "ignore_missing": true } },
{ "community_id": {} }
]
}

30
salt/elasticsearch/templates/component/so/so-scan-mappings.json
View File

@@ -62,6 +62,13 @@
}
}
}
},
"elf": {
"properties": {
"sections": {
"properties": {
"entropy": {
"type": "long"
}
}
}
@@ -69,3 +76,26 @@
}
}
}
}
}
}
}

86
salt/soc/defaults.yaml
View File

@@ -656,6 +656,49 @@ soc:
- destination.geo.country_iso_code
- user.name
- source.ip
'::process_terminated':
- soc_timestamp
- process.executable
- process.pid
- winlog.computer_name
'::file_create':
- soc_timestamp
- file.target
- process.executable
- process.pid
- winlog.computer_name
'::registry_value_set':
- soc_timestamp
- winlog.event_data.TargetObject
- process.executable
- process.pid
- winlog.computer_name
'::process_creation':
- soc_timestamp
- process.command_line
- process.pid
- process.parent.executable
- process.working_directory
'::registry_create_delete':
- soc_timestamp
- winlog.event_data.TargetObject
- process.executable
- process.pid
- winlog.computer_name
'::dns_query':
- soc_timestamp
- dns.query.name
- dns.answers.name
- process.executable
- winlog.computer_name
'::file_create_stream_hash':
- soc_timestamp
- file.target
- hash.md5
- hash.sha256
- process.executable
- process.pid
- winlog.computer_name
queryBaseFilter:
queryToggleFilters:
- name: caseExcludeToggle
@@ -1373,6 +1416,49 @@ soc:
- destination.geo.country_iso_code
- user.name
- source.ip
'::process_terminated':
- soc_timestamp
- process.executable
- process.pid
- winlog.computer_name
'::file_create':
- soc_timestamp
- file.target
- process.executable
- process.pid
- winlog.computer_name
'::registry_value_set':
- soc_timestamp
- winlog.event_data.TargetObject
- process.executable
- process.pid
- winlog.computer_name
'::process_creation':
- soc_timestamp
- process.command_line
- process.pid
- process.parent.executable
- process.working_directory
'::registry_create_delete':
- soc_timestamp
- winlog.event_data.TargetObject
- process.executable
- process.pid
- winlog.computer_name
'::dns_query':
- soc_timestamp
- dns.query.name
- dns.answers.name
- process.executable
- winlog.computer_name
'::file_create_stream_hash':
- soc_timestamp
- file.target
- hash.md5
- hash.sha256
- process.executable
- process.pid
- winlog.computer_name
queryBaseFilter:
queryToggleFilters:
- name: caseExcludeToggle,