tests/thor.yml

title: THOR
order: 20
backends:
    - thor
# this configuration differs from other configurations and can not be used
# with the sigmac tool. This configuration is used by the ioc scanners THOR and SPARK.
logsources:
    # log source configurations for generic sigma rules
    process_creation_1:
        category: process_creation
        product: windows
        conditions:
            EventID: 1
        rewrite:
            product: windows
            service: sysmon
    process_creation_2:
        category: process_creation
        product: windows
        conditions:
            EventID: 4688
        rewrite:
            product: windows
            service: security
        fieldmappings:
            Image: NewProcessName
            ParentImage: ParentProcessName
    network_connection:
        category: network_connection
        product: windows
        conditions:
            EventID: 3
        rewrite:
            product: windows
            service: sysmon
    sysmon_status1:
        category: sysmon_status
        product: windows
        conditions:
            EventID: 4
        rewrite:
            product: windows
            service: sysmon
    sysmon_status2:
        category: sysmon_status
        product: windows
        conditions:
            EventID: 16
        rewrite:
            product: windows
            service: sysmon
    process_terminated:
        category: process_termination
        product: windows
        conditions:
            EventID: 5
        rewrite:
            product: windows
            service: sysmon
    driver_loaded:
        category: driver_load
        product: windows
        conditions:
            EventID: 6
        rewrite:
            product: windows
            service: sysmon
    image_loaded:
        category: image_load
        product: windows
        conditions:
            EventID: 7
        rewrite:
            product: windows
            service: sysmon
    create_remote_thread:
        category: create_remote_thread
        product: windows
        conditions:
            EventID: 8
        rewrite:
            product: windows
            service: sysmon
    raw_access_thread:
        category: raw_access_thread
        product: windows
        conditions:
            EventID: 9
        rewrite:
            product: windows
            service: sysmon
    process_access:
        category: process_access
        product: windows
        conditions:
            EventID: 10
        rewrite:
            product: windows
            service: sysmon
    file_creation:
        category: file_event
        product: windows
        conditions:
            EventID: 11
        rewrite:
            product: windows
            service: sysmon
    registry_event1:
        category: registry_event
        product: windows
        conditions:
            EventID: 12
        rewrite:
            product: windows
            service: sysmon
    registry_event2:
        category: registry_event
        product: windows
        conditions:
            EventID: 13
        rewrite:
            product: windows
            service: sysmon
    registry_event3:
        category: registry_event
        product: windows
        conditions:
            EventID: 14
        rewrite:
            product: windows
            service: sysmon
    registry_add:
        category: registry_add
        product: windows
        conditions:
            EventID: 12
        rewrite:
            product: windows
            service: sysmon
    registry_delete:
        category: registry_delete
        product: windows
        conditions:
            EventID: 12
        rewrite:
            product: windows
            service: sysmon
    registry_set:
        category: registry_set
        product: windows
        conditions:
            EventID: 13
        rewrite:
            product: windows
            service: sysmon
    registry_rename:
        category: registry_rename
        product: windows
        conditions:
            EventID: 14
        rewrite:
            product: windows
            service: sysmon
    create_stream_hash:
        category: create_stream_hash
        product: windows
        conditions:
            EventID: 15
        rewrite:
            product: windows
            service: sysmon
    pipe_created1:
        category: pipe_created
        product: windows
        conditions:
            EventID: 17
        rewrite:
            product: windows
            service: sysmon
    pipe_created2:
        category: pipe_created
        product: windows
        conditions:
            EventID: 18
        rewrite:
            product: windows
            service: sysmon
    wmi_event1:
        category: wmi_event
        product: windows
        conditions:
            EventID: 19
        rewrite:
            product: windows
            service: sysmon
    wmi_event2:
        category: wmi_event
        product: windows
        conditions:
            EventID: 20
        rewrite:
            product: windows
            service: sysmon
    wmi_event3:
        category: wmi_event
        product: windows
        conditions:
            EventID: 21
        rewrite:
            product: windows
            service: sysmon
    dns_query:
        category: dns_query
        product: windows
        conditions:
            EventID: 22
        rewrite:
            product: windows
            service: sysmon
    file_delete:
        category: file_delete
        product: windows
        conditions:
            EventID: 23
        rewrite:
            product: windows
            service: sysmon
    clipboard_change:
        category: clipboard_change
        product: windows
        conditions:
            EventID: 24
        rewrite:
            product: windows
            service: sysmon
    process_tampering:
        category: process_tampering
        product: windows
        conditions:
            EventID: 25
        rewrite:
            product: windows
            service: sysmon
    file_delete_detected:
        category: file_delete_detected
        product: windows
        conditions:
            EventID: 26
        rewrite:
            product: windows
            service: sysmon
    file_block_executable:
        category: file_block_executable
        product: windows
        conditions:
            EventID: 27
        rewrite:
            product: windows
            service: sysmon
    file_block_shredding:
        category: file_block_shredding
        product: windows
        conditions:
            EventID: 28
        rewrite:
            product: windows
            service: sysmon
    file_executable_detected:
        category: file_executable_detected
        product: windows
        conditions:
            EventID: 29
        rewrite:
            product: windows
            service: sysmon
    sysmon_error:
        category: sysmon_error
        product: windows
        conditions:
            EventID: 255
        rewrite:
            product: windows
            service: sysmon
    # PowerShell Operational
    ps_module:
        category: ps_module
        product: windows
        conditions:
            EventID: 4103
        rewrite:
            product: windows
            service: powershell
    ps_script:
        category: ps_script
        product: windows
        conditions:
            EventID: 4104
        rewrite:
            product: windows
            service: powershell
    # Powershell "classic" channel
    ps_classic_start:
        category: ps_classic_start
        product: windows
        conditions:
            EventID: 400
        rewrite:
            product: windows
            service: powershell-classic
    ps_classic_provider_start:
        category: ps_classic_provider_start
        product: windows
        conditions:
            EventID: 600
        rewrite:
            product: windows
            service: powershell-classic
    ps_classic_script:
        category: ps_classic_script
        product: windows
        conditions:
            EventID: 800
        rewrite:
            product: windows
            service: powershell-classic
    # target system configurations
    windows-application:
        product: windows
        service: application
        sources:
            - "WinEventLog:Application"
    windows-security:
        product: windows
        service: security
        sources:
            - "WinEventLog:Security"
    windows-system:
        product: windows
        service: system
        sources:
            - "WinEventLog:System"
    windows-ntlm:
        product: windows
        service: ntlm
        sources:
            - "WinEventLog:Microsoft-Windows-NTLM/Operational"
    windows-sysmon:
        product: windows
        service: sysmon
        sources:
            - "WinEventLog:Microsoft-Windows-Sysmon/Operational"
    windows-powershell:
        product: windows
        service: powershell
        sources:
            - "WinEventLog:Microsoft-Windows-PowerShell/Operational"
            - "WinEventLog:PowerShellCore/Operational"
    windows-classicpowershell:
        product: windows
        service: powershell-classic
        sources:
            - "WinEventLog:Windows PowerShell"
    windows-taskscheduler:
        product: windows
        service: taskscheduler
        sources:
            - "WinEventLog:Microsoft-Windows-TaskScheduler/Operational"
    windows-wmi:
        product: windows
        service: wmi
        sources:
            - "WinEventLog:Microsoft-Windows-WMI-Activity/Operational"
    windows-dhcp:
        product: windows
        service: dhcp
        sources:
            - "WinEventLog:Microsoft-Windows-DHCP-Server/Operational"
    windows-printservice-admin:
        product: windows
        service: printservice-admin
        sources:
            - "WinEventLog:Microsoft-Windows-PrintService/Admin"
    windows-smbclient-security:
        product: windows
        service: smbclient-security
        sources:
            - "WinEventLog:Microsoft-Windows-SmbClient/Security"
    windows-smbclient-connectivity:
        product: windows
        service: smbclient-connectivity
        sources:
            - "WinEventLog:Microsoft-Windows-SmbClient/Connectivity"
    windows-printservice-operational:
        product: windows
        service: printservice-operational
        sources:
            - "WinEventLog:Microsoft-Windows-PrintService/Operational"
    windows-terminalservices-localsessionmanager-operational:
        product: windows
        service: terminalservices-localsessionmanager
        sources:
            - 'WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    windows-codeintegrity-operational:
        product: windows
        service: codeintegrity-operational
        sources:
            - "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational"
    windows-applocker:
        product: windows
        service: applocker
        sources:
            - 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script'
            - 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL'
            - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment'
            - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution'
    windows-msexchange-management:
        product: windows
        service: msexchange-management
        sources:
            - 'WinEventLog:MSExchange Management'
    windows-defender:
        product: windows
        service: windefend
        sources:
            - 'WinEventLog:Microsoft-Windows-Windows Defender/Operational'
    windows-defender-antivirus-mapping:
        category: antivirus
        conditions:
            EventID:  # https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus IDs with existing 'Threat Name' or 'Path'
                - 1006
                - 1007
                - 1008
                - 1009
                - 1010
                - 1011
                - 1012
                - 1017
                - 1018
                - 1019
                - 1115
                - 1116
        rewrite:
            product: windows
            service: windefend
        fieldmappings:
            Signature: ThreatName
            Filename: Path
    windows-firewall-advanced-security:
        product: windows
        service: firewall-as
        sources:
            - 'WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
    windows-bits-client:
        product: windows
        service: bits-client
        sources:
            - 'WinEventLog:Microsoft-Windows-Bits-Client/Operational'
    windows-security-mitigations:
        product: windows
        service: security-mitigations
        sources:
            - 'WinEventLog:Microsoft-Windows-Security-Mitigations/Kernel Mode'
            - 'WinEventLog:Microsoft-Windows-Security-Mitigations/User Mode'
    windows-diagnosis:
        product: windows
        service: diagnosis-scripted
        sources:
            - 'WinEventLog:Microsoft-Windows-Diagnosis-Scripted/Operational'
    windows-shell-core:
        product: windows
        service: shell-core
        sources:
            - 'WinEventLog:Microsoft-Windows-Shell-Core/Operational'
    windows-openssh:
        product: windows
        service: openssh
        sources:
            - 'WinEventLog:OpenSSH/Operational'
    windows-ldap-debug:
        product: windows
        service: ldap
        sources:
            - 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug'
    windows-bitlocker:
        product: windows
        service: bitlocker
        sources:
            - 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management'
    windows-vhdmp:
        product: windows
        service: vhdmp
        sources:
            - 'WinEventLog:Microsoft-Windows-VHDMP/Operational'
    windows-appxdeployment-server:
        product: windows
        service: appxdeployment-server
        sources:
            - 'WinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational'
    windows-lsa-server:
        product: windows
        service: lsa-server
        sources:
            - 'WinEventLog:Microsoft-Windows-LSA/Operational'
    windows-appxpackaging-om:
        product: windows
        service: appxpackaging-om
        sources:
            - 'WinEventLog:Microsoft-Windows-AppxPackaging/Operational'
    windows-dns-client:
        product: windows
        service: dns-client
        sources:
            - 'WinEventLog:Microsoft-Windows-DNS Client Events/Operational'
    windows-appmodel-runtime:
        product: windows
        service: appmodel-runtime
        sources:
            - 'WinEventLog:Microsoft-Windows-AppModel-Runtime/Admin'
    windows-capi2:
        product: windows
        service: capi2
        sources:
            - 'WinEventLog:Microsoft-Windows-CAPI2/Operational'
    windows-certificateservicesclient-lifecycle:
        product: windows
        service: certificateservicesclient-lifecycle-system
        sources:
            - 'WinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational'
    windows-kernel-shimengine:
        product: windows
        service: kernel-shimengine
        sources:
            - 'WinEventLog:Microsoft-Windows-Kernel-ShimEngine/Operational'
            - 'WinEventLog:Microsoft-Windows-Kernel-ShimEngine/Diagnostic'
    windows-application-experience:
        product: windows
        service: application-experience
        sources:
            - 'WinEventLog:Microsoft-Windows-Application-Experience/Program-Telemetry'
            - 'WinEventLog:Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant'
    windows-ntfs:
        product: windows
        service: ntfs
        sources:
            - 'WinEventLog:Microsoft-Windows-Ntfs/Operational'
    windows-hyper-v-worker:
        product: windows
        service: hyper-v-worker
        sources:
            - 'WinEventLog:Microsoft-Windows-Hyper-V-Worker'
    windows-kernel-event-tracing:
        product: windows
        service: kernel-event-tracing
        sources:
            - 'WinEventLog:Microsoft-Windows-Kernel-EventTracing'
    windows-sense:
        product: windows
        service: sense
        sources:
            - 'WinEventLog:Microsoft-Windows-SENSE/Operational'
    windows-servicebus:
        product: windows
        service: servicebus-client
        sources:
            - 'WinEventLog:Microsoft-ServiceBus-Client/Admin'
            - 'WinEventLog:Microsoft-ServiceBus-Client/Operational'
    windows-iis-configuration:
        product: windows
        service: iis-configuration
        sources:
            - 'WinEventLog:Microsoft-IIS-Configuration/Operational'
    apache:
        category: webserver
        sources:
            - "File:/var/log/apache/*.log"
            - "File:/var/log/apache2/*.log"
            - "File:/var/log/httpd/*.log"
    linux-auth:
        product: linux
        service: auth
        sources:
            - "File:/var/log/auth.log"
            - "File:/var/log/auth.log.?"
    linux-syslog:
        product: linux
        service: syslog
        sources:
            - "File:/var/log/syslog"
            - "File:/var/log/syslog.?"
    logfiles:
        category: logfile
        sources:
            - "File:*.log"
    logfiles-appliances:
        category: appliance
        sources:
            - "File:*.log"
Restored thor.yml and fixed reference to it 2023-04-02 01:22:10 +02:00			`title: THOR`
			`order: 20`
			`backends:`
			`- thor`
			`# this configuration differs from other configurations and can not be used`
			`# with the sigmac tool. This configuration is used by the ioc scanners THOR and SPARK.`
			`logsources:`
			`# log source configurations for generic sigma rules`
			`process_creation_1:`
			`category: process_creation`
			`product: windows`
			`conditions:`
			`EventID: 1`
			`rewrite:`
			`product: windows`
			`service: sysmon`
			`process_creation_2:`
			`category: process_creation`
			`product: windows`
			`conditions:`
			`EventID: 4688`
			`rewrite:`
			`product: windows`
			`service: security`
			`fieldmappings:`
			`Image: NewProcessName`
			`ParentImage: ParentProcessName`
			`network_connection:`
			`category: network_connection`
			`product: windows`
			`conditions:`
			`EventID: 3`
			`rewrite:`
			`product: windows`
			`service: sysmon`
			`sysmon_status1:`
			`category: sysmon_status`
			`product: windows`
			`conditions:`
			`EventID: 4`
			`rewrite:`
			`product: windows`
			`service: sysmon`
			`sysmon_status2:`
			`category: sysmon_status`
			`product: windows`
			`conditions:`
			`EventID: 16`
			`rewrite:`
			`product: windows`
			`service: sysmon`
			`process_terminated:`
			`category: process_termination`
			`product: windows`
			`conditions:`
			`EventID: 5`
			`rewrite:`
			`product: windows`
			`service: sysmon`
			`driver_loaded:`
			`category: driver_load`
			`product: windows`
			`conditions:`
			`EventID: 6`
			`rewrite:`
			`product: windows`
			`service: sysmon`
			`image_loaded:`
			`category: image_load`
			`product: windows`
			`conditions:`
			`EventID: 7`
			`rewrite:`
			`product: windows`
			`service: sysmon`
			`create_remote_thread:`
			`category: create_remote_thread`
			`product: windows`
			`conditions:`
			`EventID: 8`
			`rewrite:`
			`product: windows`
			`service: sysmon`
			`raw_access_thread:`
			`category: raw_access_thread`
			`product: windows`
			`conditions:`
			`EventID: 9`
			`rewrite:`
			`product: windows`
			`service: sysmon`
			`process_access:`
			`category: process_access`
			`product: windows`
			`conditions:`
			`EventID: 10`
			`rewrite:`
			`product: windows`
			`service: sysmon`
			`file_creation:`
			`category: file_event`
			`product: windows`
			`conditions:`
			`EventID: 11`
			`rewrite:`
			`product: windows`
			`service: sysmon`
			`registry_event1:`
			`category: registry_event`
			`product: windows`
			`conditions:`
			`EventID: 12`
			`rewrite:`
			`product: windows`
			`service: sysmon`
			`registry_event2:`
			`category: registry_event`
			`product: windows`
			`conditions:`
			`EventID: 13`
			`rewrite:`
			`product: windows`
			`service: sysmon`
			`registry_event3:`
			`category: registry_event`
			`product: windows`
			`conditions:`
			`EventID: 14`
			`rewrite:`
			`product: windows`
			`service: sysmon`
			`registry_add:`
			`category: registry_add`
			`product: windows`
			`conditions:`
			`EventID: 12`
			`rewrite:`
			`product: windows`
			`service: sysmon`
			`registry_delete:`
			`category: registry_delete`
			`product: windows`
			`conditions:`
			`EventID: 12`
			`rewrite:`
			`product: windows`
			`service: sysmon`
			`registry_set:`
			`category: registry_set`
			`product: windows`
			`conditions:`
			`EventID: 13`
			`rewrite:`
			`product: windows`
			`service: sysmon`
			`registry_rename:`
			`category: registry_rename`
			`product: windows`
			`conditions:`
			`EventID: 14`
			`rewrite:`
			`product: windows`
			`service: sysmon`
			`create_stream_hash:`
			`category: create_stream_hash`
			`product: windows`
			`conditions:`
			`EventID: 15`
			`rewrite:`
			`product: windows`
			`service: sysmon`
			`pipe_created1:`
			`category: pipe_created`
			`product: windows`
			`conditions:`
			`EventID: 17`
			`rewrite:`
			`product: windows`
			`service: sysmon`
			`pipe_created2:`
			`category: pipe_created`
			`product: windows`
			`conditions:`
			`EventID: 18`
			`rewrite:`
			`product: windows`
			`service: sysmon`
			`wmi_event1:`
			`category: wmi_event`
			`product: windows`
			`conditions:`
			`EventID: 19`
			`rewrite:`
			`product: windows`
			`service: sysmon`
			`wmi_event2:`
			`category: wmi_event`
			`product: windows`
			`conditions:`
			`EventID: 20`
			`rewrite:`
			`product: windows`
			`service: sysmon`
			`wmi_event3:`
			`category: wmi_event`
			`product: windows`
			`conditions:`
			`EventID: 21`
			`rewrite:`
			`product: windows`
			`service: sysmon`
			`dns_query:`
			`category: dns_query`
			`product: windows`
			`conditions:`
			`EventID: 22`
			`rewrite:`
			`product: windows`
			`service: sysmon`
			`file_delete:`
			`category: file_delete`
			`product: windows`
			`conditions:`
			`EventID: 23`
			`rewrite:`
			`product: windows`
			`service: sysmon`
Merge PR #4427 from @nasbench - Multiple Fixes & Enhancements 2023-10-04 19:06:57 +02:00			`clipboard_change:`
			`category: clipboard_change`
			`product: windows`
			`conditions:`
			`EventID: 24`
			`rewrite:`
			`product: windows`
			`service: sysmon`
			`process_tampering:`
			`category: process_tampering`
			`product: windows`
			`conditions:`
			`EventID: 25`
			`rewrite:`
			`product: windows`
			`service: sysmon`
			`file_delete_detected:`
			`category: file_delete_detected`
			`product: windows`
			`conditions:`
			`EventID: 26`
			`rewrite:`
			`product: windows`
			`service: sysmon`
			`file_block_executable:`
			`category: file_block_executable`
Restored thor.yml and fixed reference to it 2023-04-02 01:22:10 +02:00			`product: windows`
			`conditions:`
			`EventID: 27`
			`rewrite:`
			`product: windows`
			`service: sysmon`
Merge PR #4427 from @nasbench - Multiple Fixes & Enhancements 2023-10-04 19:06:57 +02:00			`file_block_shredding:`
			`category: file_block_shredding`
			`product: windows`
			`conditions:`
			`EventID: 28`
			`rewrite:`
			`product: windows`
			`service: sysmon`
			`file_executable_detected:`
			`category: file_executable_detected`
			`product: windows`
			`conditions:`
			`EventID: 29`
			`rewrite:`
			`product: windows`
			`service: sysmon`
Restored thor.yml and fixed reference to it 2023-04-02 01:22:10 +02:00			`sysmon_error:`
			`category: sysmon_error`
			`product: windows`
			`conditions:`
			`EventID: 255`
			`rewrite:`
			`product: windows`
			`service: sysmon`
Merge PR #4482 From @nasbench - Add New Automation Workflows 2023-10-18 11:53:44 +02:00			`# PowerShell Operational`
Restored thor.yml and fixed reference to it 2023-04-02 01:22:10 +02:00			`ps_module:`
			`category: ps_module`
			`product: windows`
			`conditions:`
			`EventID: 4103`
			`rewrite:`
			`product: windows`
			`service: powershell`
			`ps_script:`
			`category: ps_script`
			`product: windows`
			`conditions:`
			`EventID: 4104`
			`rewrite:`
			`product: windows`
			`service: powershell`
Merge PR #4482 From @nasbench - Add New Automation Workflows 2023-10-18 11:53:44 +02:00			`# Powershell "classic" channel`
Restored thor.yml and fixed reference to it 2023-04-02 01:22:10 +02:00			`ps_classic_start:`
			`category: ps_classic_start`
			`product: windows`
			`conditions:`
			`EventID: 400`
			`rewrite:`
			`product: windows`
			`service: powershell-classic`
			`ps_classic_provider_start:`
			`category: ps_classic_provider_start`
			`product: windows`
			`conditions:`
			`EventID: 600`
			`rewrite:`
			`product: windows`
			`service: powershell-classic`
			`ps_classic_script:`
			`category: ps_classic_script`
			`product: windows`
			`conditions:`
			`EventID: 800`
			`rewrite:`
			`product: windows`
			`service: powershell-classic`
			`# target system configurations`
			`windows-application:`
			`product: windows`
			`service: application`
			`sources:`
			`- "WinEventLog:Application"`
			`windows-security:`
			`product: windows`
			`service: security`
			`sources:`
			`- "WinEventLog:Security"`
			`windows-system:`
			`product: windows`
			`service: system`
			`sources:`
			`- "WinEventLog:System"`
			`windows-ntlm:`
			`product: windows`
			`service: ntlm`
			`sources:`
			`- "WinEventLog:Microsoft-Windows-NTLM/Operational"`
			`windows-sysmon:`
			`product: windows`
			`service: sysmon`
			`sources:`
			`- "WinEventLog:Microsoft-Windows-Sysmon/Operational"`
			`windows-powershell:`
			`product: windows`
			`service: powershell`
			`sources:`
			`- "WinEventLog:Microsoft-Windows-PowerShell/Operational"`
			`- "WinEventLog:PowerShellCore/Operational"`
			`windows-classicpowershell:`
			`product: windows`
			`service: powershell-classic`
			`sources:`
			`- "WinEventLog:Windows PowerShell"`
			`windows-taskscheduler:`
			`product: windows`
			`service: taskscheduler`
			`sources:`
			`- "WinEventLog:Microsoft-Windows-TaskScheduler/Operational"`
			`windows-wmi:`
			`product: windows`
			`service: wmi`
			`sources:`
			`- "WinEventLog:Microsoft-Windows-WMI-Activity/Operational"`
			`windows-dhcp:`
			`product: windows`
			`service: dhcp`
			`sources:`
			`- "WinEventLog:Microsoft-Windows-DHCP-Server/Operational"`
			`windows-printservice-admin:`
			`product: windows`
			`service: printservice-admin`
			`sources:`
			`- "WinEventLog:Microsoft-Windows-PrintService/Admin"`
			`windows-smbclient-security:`
			`product: windows`
			`service: smbclient-security`
			`sources:`
			`- "WinEventLog:Microsoft-Windows-SmbClient/Security"`
feat: new rules, updates and fp fixes (#4162 ) 2023-04-11 13:04:22 +02:00			`windows-smbclient-connectivity:`
			`product: windows`
			`service: smbclient-connectivity`
			`sources:`
			`- "WinEventLog:Microsoft-Windows-SmbClient/Connectivity"`
Restored thor.yml and fixed reference to it 2023-04-02 01:22:10 +02:00			`windows-printservice-operational:`
			`product: windows`
			`service: printservice-operational`
			`sources:`
			`- "WinEventLog:Microsoft-Windows-PrintService/Operational"`
			`windows-terminalservices-localsessionmanager-operational:`
			`product: windows`
			`service: terminalservices-localsessionmanager`
			`sources:`
			`- 'WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'`
			`windows-codeintegrity-operational:`
			`product: windows`
			`service: codeintegrity-operational`
			`sources:`
			`- "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational"`
			`windows-applocker:`
			`product: windows`
			`service: applocker`
			`sources:`
			`- 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script'`
			`- 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL'`
			`- 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment'`
			`- 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution'`
			`windows-msexchange-management:`
			`product: windows`
			`service: msexchange-management`
			`sources:`
			`- 'WinEventLog:MSExchange Management'`
			`windows-defender:`
			`product: windows`
			`service: windefend`
			`sources:`
			`- 'WinEventLog:Microsoft-Windows-Windows Defender/Operational'`
feat: map antivirus categoriy to Windows Defender logs 2023-05-19 14:27:56 +02:00			`windows-defender-antivirus-mapping:`
			`category: antivirus`
			`conditions:`
			`EventID: # https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus IDs with existing 'Threat Name' or 'Path'`
			`- 1006`
			`- 1007`
			`- 1008`
			`- 1009`
			`- 1010`
			`- 1011`
			`- 1012`
			`- 1017`
			`- 1018`
			`- 1019`
chore: order event ids 2023-05-19 14:44:53 +02:00			`- 1115`
			`- 1116`
feat: map antivirus categoriy to Windows Defender logs 2023-05-19 14:27:56 +02:00			`rewrite:`
			`product: windows`
			`service: windefend`
			`fieldmappings:`
			`Signature: ThreatName`
			`Filename: Path`
Restored thor.yml and fixed reference to it 2023-04-02 01:22:10 +02:00			`windows-firewall-advanced-security:`
			`product: windows`
			`service: firewall-as`
			`sources:`
			`- 'WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'`
			`windows-bits-client:`
			`product: windows`
			`service: bits-client`
			`sources:`
			`- 'WinEventLog:Microsoft-Windows-Bits-Client/Operational'`
			`windows-security-mitigations:`
			`product: windows`
			`service: security-mitigations`
			`sources:`
			`- 'WinEventLog:Microsoft-Windows-Security-Mitigations/Kernel Mode'`
			`- 'WinEventLog:Microsoft-Windows-Security-Mitigations/User Mode'`
			`windows-diagnosis:`
			`product: windows`
			`service: diagnosis-scripted`
			`sources:`
			`- 'WinEventLog:Microsoft-Windows-Diagnosis-Scripted/Operational'`
			`windows-shell-core:`
			`product: windows`
			`service: shell-core`
			`sources:`
			`- 'WinEventLog:Microsoft-Windows-Shell-Core/Operational'`
			`windows-openssh:`
			`product: windows`
			`service: openssh`
			`sources:`
			`- 'WinEventLog:OpenSSH/Operational'`
			`windows-ldap-debug:`
			`product: windows`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`service: ldap`
Restored thor.yml and fixed reference to it 2023-04-02 01:22:10 +02:00			`sources:`
			`- 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug'`
			`windows-bitlocker:`
			`product: windows`
			`service: bitlocker`
			`sources:`
			`- 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management'`
			`windows-vhdmp:`
			`product: windows`
			`service: vhdmp`
			`sources:`
			`- 'WinEventLog:Microsoft-Windows-VHDMP/Operational'`
			`windows-appxdeployment-server:`
			`product: windows`
			`service: appxdeployment-server`
			`sources:`
			`- 'WinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational'`
			`windows-lsa-server:`
			`product: windows`
			`service: lsa-server`
			`sources:`
			`- 'WinEventLog:Microsoft-Windows-LSA/Operational'`
			`windows-appxpackaging-om:`
			`product: windows`
			`service: appxpackaging-om`
			`sources:`
			`- 'WinEventLog:Microsoft-Windows-AppxPackaging/Operational'`
			`windows-dns-client:`
			`product: windows`
			`service: dns-client`
			`sources:`
			`- 'WinEventLog:Microsoft-Windows-DNS Client Events/Operational'`
			`windows-appmodel-runtime:`
			`product: windows`
			`service: appmodel-runtime`
			`sources:`
			`- 'WinEventLog:Microsoft-Windows-AppModel-Runtime/Admin'`
feat: update logsource and rule 2023-05-19 00:05:05 +02:00			`windows-capi2:`
			`product: windows`
			`service: capi2`
			`sources:`
			`- 'WinEventLog:Microsoft-Windows-CAPI2/Operational'`
			`windows-certificateservicesclient-lifecycle:`
			`product: windows`
			`service: certificateservicesclient-lifecycle-system`
			`sources:`
			`- 'WinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational'`
Merge PR #4577 from @nasbench - Multiple Fixes & Updates 2023-12-21 21:04:18 +01:00			`windows-kernel-shimengine:`
			`product: windows`
			`service: kernel-shimengine`
			`sources:`
			`- 'WinEventLog:Microsoft-Windows-Kernel-ShimEngine/Operational'`
			`- 'WinEventLog:Microsoft-Windows-Kernel-ShimEngine/Diagnostic'`
			`windows-application-experience:`
			`product: windows`
			`service: application-experience`
			`sources:`
			`- 'WinEventLog:Microsoft-Windows-Application-Experience/Program-Telemetry'`
			`- 'WinEventLog:Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant'`
			`windows-ntfs:`
			`product: windows`
			`service: ntfs`
			`sources:`
			`- 'WinEventLog:Microsoft-Windows-Ntfs/Operational'`
			`windows-hyper-v-worker:`
			`product: windows`
			`service: hyper-v-worker`
			`sources:`
			`- 'WinEventLog:Microsoft-Windows-Hyper-V-Worker'`
Merge PR #4681 from @nasbench - Add Missing Ref & Tags 2024-01-29 13:37:20 +01:00			`windows-kernel-event-tracing:`
			`product: windows`
			`service: kernel-event-tracing`
			`sources:`
			`- 'WinEventLog:Microsoft-Windows-Kernel-EventTracing'`
Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes 2024-07-17 11:04:05 +02:00			`windows-sense:`
			`product: windows`
			`service: sense`
			`sources:`
			`- 'WinEventLog:Microsoft-Windows-SENSE/Operational'`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`windows-servicebus:`
			`product: windows`
			`service: servicebus-client`
			`sources:`
			`- 'WinEventLog:Microsoft-ServiceBus-Client/Admin'`
			`- 'WinEventLog:Microsoft-ServiceBus-Client/Operational'`
$frack113$ Merge PR #4935 from @frack113 - Add new IIS logsource and related rules 2024-10-06 22:44:05 +02:00			`windows-iis-configuration:`
			`product: windows`
			`service: iis-configuration`
			`sources:`
			`- 'WinEventLog:Microsoft-IIS-Configuration/Operational'`
Restored thor.yml and fixed reference to it 2023-04-02 01:22:10 +02:00			`apache:`
			`category: webserver`
			`sources:`
			`- "File:/var/log/apache/*.log"`
			`- "File:/var/log/apache2/*.log"`
			`- "File:/var/log/httpd/*.log"`
			`linux-auth:`
			`product: linux`
			`service: auth`
			`sources:`
			`- "File:/var/log/auth.log"`
			`- "File:/var/log/auth.log.?"`
			`linux-syslog:`
			`product: linux`
			`service: syslog`
			`sources:`
			`- "File:/var/log/syslog"`
			`- "File:/var/log/syslog.?"`
			`logfiles:`
			`category: logfile`
			`sources:`
			`- "File:*.log"`
Merge PR #4826 from @nasbench - Add coverage for CVE-2024-3400 2024-04-24 14:59:24 +02:00			`logfiles-appliances:`
			`category: appliance`
			`sources:`
			`- "File:*.log"`