security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 45 Packages Projects Releases Wiki Activity
Files
acf4a404d59ca057b9e1e8416d34b6bf2b58afdd
blue-team-tools/tests/logsource.json
T

365 lines
18 KiB
JSON
Raw Normal View History

Add sysmon linux v1.0.2
2022-12-31 18:08:11 +01:00
{
"title": "Field name by logsource",
"version": "20221231",
"legit":{
"windows":{
"commun": ["EventID","Provider_Name"],
update logsource
2023-01-04 18:52:24 +01:00
"empty": [],
Add sysmon linux v1.0.2
2022-12-31 18:08:11 +01:00
"category":{
Add linux auditd
2023-01-01 13:18:51 +01:00
"process_creation": ["CommandLine","Company","CurrentDirectory","Description","FileVersion",
"Hashes","Image","IntegrityLevel","LogonGuid","LogonId","OriginalFileName",
"ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId",
"ParentUser","ProcessGuid","ProcessId","Product","TerminalSessionId","User"],
Add sysmon linux v1.0.2
2022-12-31 18:08:11 +01:00
"file_change": ["CreationUtcTime","Image","PreviousCreationUtcTime","ProcessGuid","ProcessId","TargetFilename","User"],
Add linux auditd
2023-01-01 13:18:51 +01:00
"network_connection": ["DestinationHostname","DestinationIp","DestinationIsIpv6","DestinationPort",
"DestinationPortName","Image","Initiated","ProcessGuid","ProcessId","Protocol","SourceHostname",
"SourceIp","SourceIsIpv6","SourcePort","SourcePortName","User"],
Add sysmon linux v1.0.2
2022-12-31 18:08:11 +01:00
"sysmon_status": ["Configuration","ConfigurationFileHash","SchemaVersion","State","Version"],
"process_termination":["Image","ProcessGuid","ProcessId","User"],
"driver_load":["Hashes","ImageLoaded","Signature","SignatureStatus","Signed"],
Add linux auditd
2023-01-01 13:18:51 +01:00
"image_load":["Company","Description","FileVersion","Hashes","Image","ImageLoaded","OriginalFileName","ProcessGuid",
"ProcessId","Product","Signature","SignatureStatus","Signed","User"],
"create_remote_thread":["NewThreadId","SourceImage","SourceProcessGuid","SourceProcessId","SourceUser","StartAddress",
"StartFunction","StartModule","TargetImage","TargetProcessGuid","TargetProcessId","TargetUser"],
Add sysmon linux v1.0.2
2022-12-31 18:08:11 +01:00
"raw_access_thread":["Device","Image","ProcessGuid","ProcessId","User"],
Add linux auditd
2023-01-01 13:18:51 +01:00
"process_access":["CallTrace","GrantedAccess","SourceImage","SourceProcessGUID","SourceProcessId","SourceThreadId",
"SourceUser","TargetImage","TargetProcessGUID","TargetProcessId","TargetUser"],
Add sysmon linux v1.0.2
2022-12-31 18:08:11 +01:00
"raw_access_read":["CreationUtcTime","Image","ProcessGuid","ProcessId","TargetFilename","User"],
"file_event":["ProcessGuid","ProcessId","Image","TargetFilename","CreationUtcTime","User"],
"registry_add":["EventType","ProcessGuid","ProcessId","Image","TargetObject","User"],
"registry_delete":["Details","EventType","Image","ProcessGuid","ProcessId","TargetObject"],
"registry_set":["Details","EventType","Image","ProcessGuid","ProcessId","TargetObject","User"],
"registry_rename":["EventType","Image","NewName","ProcessGuid","ProcessId","TargetObject","User"],
"registry_event":["Details","EventType","Image","NewName","ProcessGuid","ProcessId","TargetObject","User"],
"create_stream_hash":["Contents","CreationUtcTime","Hash","Image","ProcessGuid","ProcessId","TargetFilename","User"],
"pipe_created":["EventType","Image","PipeName","ProcessGuid","ProcessId","User"],
"wmi_event":["Consumer","Destination","EventNamespace","EventType","Filter","Name","Operation","Query","Type","User"],
"dns_query":["Image","ProcessGuid","ProcessId","QueryName","QueryResults","QueryStatus","User"],
"file_delete":["Archived","Hashes","Image","IsExecutable","ProcessGuid","ProcessId","TargetFilename","User"],
"clipboard_capture":["Archived","ClientInfo","Hashes","Image","ProcessGuid","ProcessId","Session","User"],
"process_tampering":["Image","ProcessGuid","ProcessId","Type","User"],
"file_block":["Hashes","Image","ProcessGuid","ProcessId","TargetFilename","User"],
"ps_module":["ContextInfo","UserData","Payload"],
Check field name
2023-01-02 10:59:51 +01:00
"ps_script":["MessageNumber","MessageTotal","ScriptBlockText","ScriptBlockId","Path"],
"file_access":["Irp","FileObject","IssuingThreadId","CreateOptions","CreateAttributes","ShareAccess","FileName"],
update logsource
2023-01-04 18:52:24 +01:00
"file_rename":["Irp","FileObject","FileKey","ExtraInformation","IssuingThreadId","InfoClass","FilePath"],
"ps_classic_start":[],
"ps_classic_provider_start":[],
"sysmon_error":[]
Add linux auditd
2023-01-01 13:18:51 +01:00
},
Check field name
2023-01-02 10:59:51 +01:00
"service":{
feat: add bitlocker channel
2023-01-02 22:19:32 +01:00
"bitlocker": ["VolumeName", "VolumeMountPoint", "ProtectorGUID", "ProtectorType"],
Check field name
2023-01-02 10:59:51 +01:00
"bits-client":["RemoteName","LocalName","processPath","processId"],
"codeintegrity-operational":["FileNameLength","FileNameBuffer","ProcessNameLength","ProcessNameBuffer",
"RequestedPolicy","ValidatedPolicy","Status"],
"diagnosis-scripted": ["PackagePath","PackageId"],
"firewall-as":["Action","ApplicationPath","ModifyingApplication"],
Update field name
2023-01-02 15:49:45 +01:00
"ldap_debug":["ScopeOfSearch","SearchFilter","DistinguishedName","AttributeList","ProcessId"],
"ntlm":["CallerPID","ClientDomainName","ClientLUID","ClientUserName","DomainName","MechanismOID",
"ProcessName","SChannelName","SChannelType","TargetName","UserName","WorkstationName"],
"openssh":["process","payload"],
"security-mitigations":["ProcessPathLength","ProcessPath","ProcessCommandLineLength","ProcessCommandLine",
"ProcessId","ProcessCreateTime","ProcessStartKey","ProcessSignatureLevel",
"ProcessSectionSignatureLevel","ProcessProtection","TargetThreadId","TargetThreadCreateTime",
"RequiredSignatureLevel","SignatureLevel","ImageNameLength","ImageName"],
"shell-core":["Name","AppID","Flags"],
"smbclient-security":["Reason","Status","ShareNameLength","ShareName","ObjectNameLength","ObjectName",
"UserNameLength","UserName","ServerNameLength","ServerName"],
"taskscheduler":["TaskName","UserContext","Path","ProcessID","Priority"],
update logsource
2023-01-04 18:52:24 +01:00
"terminalservices-localsessionmanager":["User","SessionID","Address"],
"iis":["date","time","c-ip","cs-username","s-sitename","s-computername","s-ip","cs-method",
"cs-uri-stem","cs-uri-query","s-port","cs-method","sc-status","sc-win32-status",
"sc-bytes","cs-bytes","time-taken","cs-version","cs-host","cs-user-agent",
"cs-referer","cs-cookie"],
"application":[],
"sysmon":[],
"powershell":[],
"powershell-classic":[],
"security":[],
"system":[],
"windefend":[],
"wmi":[],
"microsoft-servicebus-client":[],
"printservice-operational":[],
"driver-framework":[],
"dns-server-analytic":[],
"dns-server":[],
"printservice-admin":[],
"msexchange-management":[],
Add win_vhdmp_mount_iso
2023-01-09 10:19:41 +01:00
"applocker":[],
"vhdmp":[]
Check field name
2023-01-02 10:59:51 +01:00
}
Add sysmon linux v1.0.2
2022-12-31 18:08:11 +01:00
},
"linux":{
update logsource
2023-01-04 18:52:24 +01:00
"commun": [],
"empty": [],
Add sysmon linux v1.0.2
2022-12-31 18:08:11 +01:00
"category":{
Add linux auditd
2023-01-01 13:18:51 +01:00
"process_creation": ["ProcessGuid","ProcessId","Image","FileVersion","Description","Product","Company","OriginalFileName",
"CommandLine","CurrentDirectory","User","LogonGuid","LogonId","TerminalSessionId","IntegrityLevel","Hashes",
"ParentProcessGuid","ParentProcessId","ParentImage","ParentCommandLine","ParentUser"],
"network_connection": ["ProcessGuid","ProcessId","Image","User","Protocol","Initiated","SourceIsIpv6","SourceIp","SourceHostname",
"SourcePort","SourcePortName","DestinationIsIpv6","DestinationIp","DestinationHostname","DestinationPort",
"DestinationPortName"],
Add sysmon linux v1.0.2
2022-12-31 18:08:11 +01:00
"process_termination": ["ProcessGuid","ProcessId","Image","User"],
"raw_access_read": ["ProcessGuid","ProcessId","Image","Device","User"],
"file_event": ["ProcessGuid","ProcessId","Image","TargetFilename","CreationUtcTime","User"],
"sysmon_status": ["Configuration","ConfigurationFileHash"],
Keep only sysmon linux used
2022-12-31 19:14:40 +01:00
"file_delete": ["ProcessGuid","ProcessId","User","Image","TargetFilename","Hashes","IsExecutable","Archived"]
Add linux auditd
2023-01-01 13:18:51 +01:00
},
"service":{
"auditd": ["a0","a1","a2","a3","a4","a5","a6","a7","a8","a9",
"acct","acl","action","added","addr","apparmor","arch","argc","audit_backlog_limit","audit_backlog_wait_time",
"audit_enabled","audit_failure","auid","banners","bool","bus","cap_fe,cap_fi","cap_fp","cap_fver","cap_pa","cap_pe","cap_pi",
"cap_pp","capability","category","cgroup","changed","cipher","class","cmd","code","comm","compat","cwd","daddr","data",
"default-context","dev","dev","device","dir","direction","dmac","dport","egid","enforcing","entries","errno","euid","exe",
"exit","fam","family","fd","fe","feature","fi","file","flags","format","fp","fsgid","fsuid","fver","gid","grantors","grp",
"hook","hostname","icmp_type","id","igid","img-ctx","inif","ino","inode","inode_gid","inode_uid","invalid_context","ioctlcmd",
"ip","ipid","ipx-net","item","items","iuid","kernel","key","kind","ksize","laddr","len","list","lport","mac","macproto","maj",
"major","minor","mode","model","msg","name","nametype","nargs","net","new","new_gid","new_lock","new_pe","new_pi","new_pp",
"new-chardev","new-disk","new-enabled","new-fs","new-level","new-log_passwd","new-mem","new-net","new-range","new-rng","new-role",
"new-seuser","new-vcpu","nlnk-fam","nlnk-grp","nlnk-pid","oauid","obj","obj_gid","obj_uid","ocomm","oflag","ogid","old","old_enforcing",
"old_lock","old_pa","old_pe","old_pi","old_pp","old_prom","old_val","old-auid","old-chardev","old-disk","old-enabled","old-fs",
"old-level","old-log_passwd","old-mem","old-net","old-range","old-rng","old-role","old-ses","old-seuser","old-vcpu","op","opid",
"oses","ouid","outif","pa","parent","path","pe","per","perm","perm_mask","permissive","pfs","pi","pid","pp","ppid","printer",
"proctitle","prom","proto","qbytes","range","rdev","reason","removed","res","resrc","result","role","rport","saddr","sauid",
"scontext","selected-context","seperm","seperms","seqno","seresult","ses","seuser","sgid","sig","sigev_signo","smac","spid",
"sport","state","subj","success","suid","syscall","table","tclass","tcontext","terminal","tty","type","uid","unit","uri","user",
update logsource
2023-01-04 18:52:24 +01:00
"uuid","val","val","ver","virt","vm","vm-ctx","vm-pid","watch"],
"vsftpd":[],
"sshd":[],
"syslog":[],
"guacamole":[],
"auth":[],
"clamav":[],
"modsecurity":[],
"sudo":[],
"cron":[]
Add sysmon linux v1.0.2
2022-12-31 18:08:11 +01:00
}
Update field name
2023-01-02 15:49:45 +01:00
},
"empty":{
update logsource
2023-01-04 18:52:24 +01:00
"commun": [],
Filename normalisation
2023-01-07 08:52:11 +01:00
"empty": ["not_found"],
Update field name
2023-01-02 15:49:45 +01:00
"category":{
"proxy":["c-uri","c-uri-extension","c-uri-query","c-uri-stem","c-useragent","cs-bytes","cs-cookie",
"cs-host","cs-method","r-dns","cs-referrer","cs-version","sc-bytes","sc-status","src_ip","dst_ip",
"cs-uri"],
Use W3C cs-uri-query
2023-01-02 18:56:34 +01:00
"webserver":["date","time","c-ip","cs-username","s-sitename","s-computername","s-ip","cs-method",
"cs-uri-stem","cs-uri-query","s-port","cs-method","sc-status","sc-win32-status",
"sc-bytes","cs-bytes","time-taken","cs-version","cs-host","cs-user-agent",
update logsource
2023-01-04 18:52:24 +01:00
"cs-referer","cs-cookie"],
"antivirus":[],
"database":[],
"dns":[],
"firewall":[]
Update field name
2023-01-02 15:49:45 +01:00
},
"service":{
update logsource
2023-01-04 18:52:24 +01:00
"apache":[],
"netflow":[]
Update field name
2023-01-02 15:49:45 +01:00
}
update logsource
2023-01-04 18:52:24 +01:00
},
"cisco":{
"commun": [],
"empty": [],
"category":{},
"service":{
Update logsource.json
2023-01-10 21:53:35 +01:00
"aaa":[],
"bgp":[],
"ldp":[]
update logsource
2023-01-04 18:52:24 +01:00
}
},
"django":{
"commun": [],
"empty": [],
"category":{
"application":[]
},
"service":{}
},
"python":{
"commun": [],
"empty": [],
"category":{
"application":[]
},
"service":{}
},
Filename normalisation
2023-01-07 08:52:11 +01:00
"qualys":{
"commun": [],
"empty": [],
"category":{
"application":[]
},
"service":{}
},
update logsource
2023-01-04 18:52:24 +01:00
"rpc_firewall":{
"commun": [],
"empty": [],
"category":{
"application":[]
},
"service":{}
},
"ruby_on_rails":{
"commun": [],
"empty": [],
"category":{
"application":[]
},
"service":{}
Filename normalisation
2023-01-07 08:52:11 +01:00
},
"modsecurity":{
"commun": [],
"empty": [],
"category":{
"application":[]
},
"service":{}
},
update logsource
2023-01-04 18:52:24 +01:00
"spring":{
"commun": [],
"empty": [],
"category":{
"application":[]
},
"service":{}
},
"sql":{
"commun": [],
"empty": [],
"category":{
"application":[]
},
"service":{}
},
"aws":{
"commun": [],
"empty": [],
"category":{},
"service":{
"cloudtrail":[]
}
},
"azure":{
"commun": [],
"empty": [],
"category":{},
"service":{
"activitylogs":[],
"auditlogs":[],
"azureactivity":[],
update logsource
2023-01-04 19:36:37 +01:00
"microsoft365portal":[],
update logsource
2023-01-04 18:52:24 +01:00
"signinlogs":[]
}
},
"gcp":{
"commun": [],
"empty": [],
"category":{},
"service":{
"gcp.audit":[]
}
},
"google_workspace":{
"commun": [],
"empty": [],
"category":{},
"service":{
"google_workspace.admin":[]
}
},
"m365":{
"commun": [],
"empty": [],
"category":{},
"service":{
"exchange":[],
"threat_detection":[],
"threat_management":[]
}
},
"okta":{
"commun": [],
"empty": [],
"category":{},
"service":{
"okta":[]
}
},
"onelogin":{
"commun": [],
"empty": [],
"category":{},
"service":{
"onelogin.events":[]
}
},
Update logsource.json
2023-01-10 21:53:35 +01:00
"huawei":{
"commun": [],
"empty": [],
"category":{},
"service":{
"bgp":[]
}
},
"juniper":{
"commun": [],
"empty": [],
"category":{},
"service":{
"bgp":[]
}
},
update logsource
2023-01-04 18:52:24 +01:00
"zeek":{
"commun": [],
"empty": [],
"category":{
},
"service":{
"kerberos":[],
"smb_files":[],
"rdp":[],
"http":[],
"dns":[],
"dce_rpc":[],
"x509":[]
}
},
"macos":{
"commun": [],
"empty": [],
"category":{
"process_creation": ["ProcessGuid","ProcessId","Image","FileVersion","Description","Product","Company","OriginalFileName",
"CommandLine","CurrentDirectory","User","LogonGuid","LogonId","TerminalSessionId","IntegrityLevel","Hashes",
"ParentProcessGuid","ParentProcessId","ParentImage","ParentCommandLine","ParentUser"],
"network_connection": ["ProcessGuid","ProcessId","Image","User","Protocol","Initiated","SourceIsIpv6","SourceIp","SourceHostname",
"SourcePort","SourcePortName","DestinationIsIpv6","DestinationIp","DestinationHostname","DestinationPort",
"DestinationPortName"],
"process_termination": ["ProcessGuid","ProcessId","Image","User"],
"raw_access_read": ["ProcessGuid","ProcessId","Image","Device","User"],
"file_event": ["ProcessGuid","ProcessId","Image","TargetFilename","CreationUtcTime","User"],
"sysmon_status": ["Configuration","ConfigurationFileHash"],
"file_delete": ["ProcessGuid","ProcessId","User","Image","TargetFilename","Hashes","IsExecutable","Archived"]
},
"service":{
}
}
Add sysmon linux v1.0.2
2022-12-31 18:08:11 +01:00
},
"addon":{
"windows":{
"category":{
"process_creation": ["GrandparentCommandLine"],
"network_connection": ["CommandLine","ParentImage"],
Add linux auditd
2023-01-01 13:18:51 +01:00
"create_remote_thread": ["User","SourceCommandLine","SourceParentProcessId","SourceParentImage",
"SourceParentCommandLine","TargetCommandLine","TargetParentProcessId","TargetParentImage","TargetParentCommandLine",
"IsInitialThread","RemoteCreation"],
Add sysmon linux v1.0.2
2022-12-31 18:08:11 +01:00
"file_delete": ["CommandLine","ParentImage","ParentCommandLine"],
"file_event": ["CommandLine","ParentImage","ParentCommandLine","MagicHeader"],
"image_load": ["CommandLine"],
Check field name
2023-01-02 10:59:51 +01:00
"process_access": ["SourceCommandLine","CallTraceExtended"],
"file_access":["Image","CommandLine","ParentImage","ParentCommandLine","User","TargetFilename"],
"file_rename":["Image","CommandLine","ParentImage","ParentCommandLine","User","OriginalFileName","SourceFilename","TargetFilename","MagicHeader"]
update logsource
2023-01-04 18:52:24 +01:00
},
"service":{}
Add sysmon linux v1.0.2
2022-12-31 18:08:11 +01:00
}
}
add new test
2022-12-30 16:00:42 +01:00
}
Reference in New Issue Copy Permalink