mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-07 01:32:47 +01:00
sysmon fix by bryant
This commit is contained in:
doug
@@ -25,6 +25,11 @@
|
||||
{ "set": { "if": "ctx.event?.code == '15'", "field": "event.dataset", "value": "file_create_stream_hash", "override": true } },
|
||||
{ "set": { "if": "ctx.event?.code == '16'", "field": "event.dataset", "value": "config_change", "override": true } },
|
||||
{ "set": { "if": "ctx.event?.code == '22'", "field": "event.dataset", "value": "dns_query", "override": true } },
|
||||
{ "kv": {"field": "winlog.event_data.Hashes", "target_field": "file.hash", "field_split": ",", "value_split": "=", "ignore_missing": true } },
|
||||
{ "kv": {"field": "winlog.event_data.Hash", "target_field": "file.hash", "field_split": ",", "value_split": "=", "ignore_missing": true } },
|
||||
{ "rename": { "field": "file.hash.IMPHASH", "target_field": "hash.imphash", "ignore_missing":true } },
|
||||
{ "rename": { "field": "file.hash.MD5", "target_field": "hash.md5", "ignore_missing":true } },
|
||||
{ "rename": { "field": "file.hash.SHA256", "target_field": "hash.sha256", "ignore_missing":true } },
|
||||
{ "rename": { "field": "winlog.event_data.SubjectUserName", "target_field": "user.name", "ignore_missing": true } },
|
||||
{ "rename": { "field": "winlog.event_data.DestinationHostname", "target_field": "destination.hostname", "ignore_missing": true } },
|
||||
{ "rename": { "field": "winlog.event_data.DestinationIp", "target_field": "destination.ip", "ignore_missing": true } },
|
||||
@@ -64,6 +69,10 @@
|
||||
{ "rename": { "field": "winlog.event_data.SourcePort", "target_field": "source.port", "ignore_missing": true } },
|
||||
{ "rename": { "field": "winlog.event_data.targetFilename", "target_field": "file.target", "ignore_missing": true } },
|
||||
{ "rename": { "field": "winlog.event_data.TargetFilename", "target_field": "file.target", "ignore_missing": true } },
|
||||
{ "rename": { "field": "winlog.event_data.QueryResults", "target_field": "dns.answers.name", "ignore_missing": true } },
|
||||
{ "rename": { "field": "winlog.event_data.QueryName", "target_field": "dns.query.name", "ignore_missing": true } },
|
||||
{ "remove": { "field": "winlog.event_data.Hash", "ignore_missing": true } },
|
||||
{ "remove": { "field": "winlog.event_data.Hashes", "ignore_missing": true } },
|
||||
{ "community_id": {} }
|
||||
]
|
||||
}
|
||||
|
||||
@@ -62,6 +62,17 @@
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"elf": {
|
||||
"properties": {
|
||||
"sections": {
|
||||
"properties": {
|
||||
"entropy": {
|
||||
"type": "long"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -69,3 +80,22 @@
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -656,6 +656,49 @@ soc:
|
||||
- destination.geo.country_iso_code
|
||||
- user.name
|
||||
- source.ip
|
||||
'::process_terminated':
|
||||
- soc_timestamp
|
||||
- process.executable
|
||||
- process.pid
|
||||
- winlog.computer_name
|
||||
'::file_create':
|
||||
- soc_timestamp
|
||||
- file.target
|
||||
- process.executable
|
||||
- process.pid
|
||||
- winlog.computer_name
|
||||
'::registry_value_set':
|
||||
- soc_timestamp
|
||||
- winlog.event_data.TargetObject
|
||||
- process.executable
|
||||
- process.pid
|
||||
- winlog.computer_name
|
||||
'::process_creation':
|
||||
- soc_timestamp
|
||||
- process.command_line
|
||||
- process.pid
|
||||
- process.parent.executable
|
||||
- process.working_directory
|
||||
'::registry_create_delete':
|
||||
- soc_timestamp
|
||||
- winlog.event_data.TargetObject
|
||||
- process.executable
|
||||
- process.pid
|
||||
- winlog.computer_name
|
||||
'::dns_query':
|
||||
- soc_timestamp
|
||||
- dns.query.name
|
||||
- dns.answers.name
|
||||
- process.executable
|
||||
- winlog.computer_name
|
||||
'::file_create_stream_hash':
|
||||
- soc_timestamp
|
||||
- file.target
|
||||
- hash.md5
|
||||
- hash.sha256
|
||||
- process.executable
|
||||
- process.pid
|
||||
- winlog.computer_name
|
||||
queryBaseFilter:
|
||||
queryToggleFilters:
|
||||
- name: caseExcludeToggle
|
||||
@@ -1373,6 +1416,49 @@ soc:
|
||||
- destination.geo.country_iso_code
|
||||
- user.name
|
||||
- source.ip
|
||||
'::process_terminated':
|
||||
- soc_timestamp
|
||||
- process.executable
|
||||
- process.pid
|
||||
- winlog.computer_name
|
||||
'::file_create':
|
||||
- soc_timestamp
|
||||
- file.target
|
||||
- process.executable
|
||||
- process.pid
|
||||
- winlog.computer_name
|
||||
'::registry_value_set':
|
||||
- soc_timestamp
|
||||
- winlog.event_data.TargetObject
|
||||
- process.executable
|
||||
- process.pid
|
||||
- winlog.computer_name
|
||||
'::process_creation':
|
||||
- soc_timestamp
|
||||
- process.command_line
|
||||
- process.pid
|
||||
- process.parent.executable
|
||||
- process.working_directory
|
||||
'::registry_create_delete':
|
||||
- soc_timestamp
|
||||
- winlog.event_data.TargetObject
|
||||
- process.executable
|
||||
- process.pid
|
||||
- winlog.computer_name
|
||||
'::dns_query':
|
||||
- soc_timestamp
|
||||
- dns.query.name
|
||||
- dns.answers.name
|
||||
- process.executable
|
||||
- winlog.computer_name
|
||||
'::file_create_stream_hash':
|
||||
- soc_timestamp
|
||||
- file.target
|
||||
- hash.md5
|
||||
- hash.sha256
|
||||
- process.executable
|
||||
- process.pid
|
||||
- winlog.computer_name
|
||||
queryBaseFilter:
|
||||
queryToggleFilters:
|
||||
- name: caseExcludeToggle,
|
||||
|
||||
Reference in New Issue
Block a user