tools/sigma/config/eventdict.py

event = {
    1: ('childproc_count','[1 to *]'),
    # 2: Change time,
    3: ('netconn_count','[1 to *]'),
    # 4: sysmon state change
    # 5: Process termincated
    6: ('modload_count','[1 to *]'),
    7: ('modload_count','[1 to *]'),
    8: ('crossproc_count', '[1 to *]'),
    # 9: Raw Access Read
    10: ('crossproc_count', '[1 to *]'),
    11: ('filemod_count','[1 to *]'),
    12: ('regmod_count','[1 to *]'),
    13: ('regmod_count','[1 to *]'),
    14: ('',''),
    15: ('',''),
    16: ('',''),
    17: ('',''),
    18: ('',''),
    19: ('',''),
    20: ('',''),
    21: ('',''),
    # 15 File create stream hash
}
module carbonblack 2019-10-18 14:04:38 +07:00			`event = {`
update carbonblack module 2019-10-18 17:51:31 +07:00			`1: ('childproc_count','[1 to *]'),`
module carbonblack 2019-10-18 14:04:38 +07:00			`# 2: Change time,`
update carbonblack module 2019-10-18 17:51:31 +07:00			`3: ('netconn_count','[1 to *]'),`
module carbonblack 2019-10-18 14:04:38 +07:00			`# 4: sysmon state change`
			`# 5: Process termincated`
update sigma 2020-02-03 09:47:06 +07:00			`6: ('modload_count','[1 to *]'),`
update carbonblack module 2019-10-18 17:51:31 +07:00			`7: ('modload_count','[1 to *]'),`
change to github 2020-02-28 16:56:48 +07:00			`8: ('crossproc_count', '[1 to *]'),`
module carbonblack 2019-10-18 14:04:38 +07:00			`# 9: Raw Access Read`
change to github 2020-02-28 16:56:48 +07:00			`10: ('crossproc_count', '[1 to *]'),`
update carbonblack module 2019-10-18 17:51:31 +07:00			`11: ('filemod_count','[1 to *]'),`
			`12: ('regmod_count','[1 to *]'),`
moreEventID 2019-11-28 21:34:52 +07:00			`13: ('regmod_count','[1 to *]'),`
			`14: ('',''),`
			`15: ('',''),`
			`16: ('',''),`
			`17: ('',''),`
			`18: ('',''),`
			`19: ('',''),`
			`20: ('',''),`
			`21: ('',''),`
module carbonblack 2019-10-18 14:04:38 +07:00			`# 15 File create stream hash`
			`}`