security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
e91fc4486e57fc40e30d12253694de4c80a9e4ea
blue-team-tools/tools/config/generic/sysmon.yml
T

191 lines
4.5 KiB
YAML
Raw Normal View History

fix: wording on sysmon mapping file
2020-06-24 17:49:42 +02:00
title: Conversion of Generic Rules into Sysmon Specific Rules
Configuration order checking
2019-04-23 00:54:10 +02:00
order: 10
Added generic sysmon configuration with process_execution config
2018-08-13 23:50:44 +02:00
logsources:
process_creation:
category: process_creation
product: windows
conditions:
EventID: 1
Added rewrite config to generic sysmon configuration
2018-08-14 21:28:17 +02:00
rewrite:
Stacked configurations
2018-09-12 23:31:51 +02:00
product: windows
Added rewrite config to generic sysmon configuration
2018-08-14 21:28:17 +02:00
service: sysmon
sysmon for linux - process_creation mapping
2021-10-15 14:46:13 +02:00
process_creation_linux:
category: process_creation
product: linux
conditions:
EventID: 1
rewrite:
product: linux
service: sysmon
Add missing sysmon EventID
2021-06-09 12:52:38 +02:00
file_change:
category: file_change
product: windows
conditions:
EventID: 2
rewrite:
product: windows
service: sysmon
Added rules for different sysmon categories and added the category definition
2020-06-10 15:02:15 +02:00
network_connection:
category: network_connection
product: windows
conditions:
Introduced dns_query log source category
2020-07-05 23:29:51 +02:00
EventID: 3
rewrite:
product: windows
service: sysmon
config: network connection linux
2021-10-16 14:22:48 +02:00
network_connectio_linux:
category: network_connection
product: linux
conditions:
EventID: 3
rewrite:
product: linux
service: sysmon
Add missing sysmon EventID
2021-06-09 12:52:38 +02:00
sysmon_status:
category: sysmon_status
product: windows
conditions:
EventID:
- 4
- 16
rewrite:
product: windows
service: sysmon
- Created new categories for sysmon events
2020-09-30 20:44:14 +02:00
process_terminated:
category: process_termination
Introduced dns_query log source category
2020-07-05 23:29:51 +02:00
product: windows
conditions:
- Created new categories for sysmon events
2020-09-30 20:44:14 +02:00
EventID: 5
Added rules for different sysmon categories and added the category definition
2020-06-10 15:02:15 +02:00
rewrite:
product: windows
service: sysmon
- Created new categories for sysmon events
2020-09-30 20:44:14 +02:00
driver_loaded:
category: driver_load
Added rules for different sysmon categories and added the category definition
2020-06-10 15:02:15 +02:00
product: windows
conditions:
- Created new categories for sysmon events
2020-09-30 20:44:14 +02:00
EventID: 6
Added rules for different sysmon categories and added the category definition
2020-06-10 15:02:15 +02:00
rewrite:
product: windows
service: sysmon
- Created new categories for sysmon events
2020-09-30 20:44:14 +02:00
image_loaded:
category: image_load
Added rules for different sysmon categories and added the category definition
2020-06-10 15:02:15 +02:00
product: windows
conditions:
- Created new categories for sysmon events
2020-09-30 20:44:14 +02:00
EventID: 7
rewrite:
product: windows
service: sysmon
create_remote_thread:
category: create_remote_thread
product: windows
conditions:
EventID: 8
rewrite:
product: windows
service: sysmon
raw_access_thread:
category: raw_access_thread
product: windows
conditions:
EventID: 9
Added rules for different sysmon categories and added the category definition
2020-06-10 15:02:15 +02:00
rewrite:
product: windows
service: sysmon
process_access:
category: process_access
product: windows
conditions:
EventID: 10
- Created new categories for sysmon events
2020-09-30 20:44:14 +02:00
rewrite:
product: windows
service: sysmon
file_creation:
category: file_event
product: windows
conditions:
EventID: 11
Added rules for different sysmon categories and added the category definition
2020-06-10 15:02:15 +02:00
rewrite:
product: windows
service: sysmon
- Created new categories for sysmon events
2020-09-30 20:44:14 +02:00
registry_event:
category: registry_event
Added rules for different sysmon categories and added the category definition
2020-06-10 15:02:15 +02:00
product: windows
conditions:
- Created new categories for sysmon events
2020-09-30 20:44:14 +02:00
EventID:
- 12
- 13
- 14
Added rules for different sysmon categories and added the category definition
2020-06-10 15:02:15 +02:00
rewrite:
product: windows
service: sysmon
- Created new categories for sysmon events
2020-09-30 20:44:14 +02:00
create_stream_hash:
category: create_stream_hash
Added rules for different sysmon categories and added the category definition
2020-06-10 15:02:15 +02:00
product: windows
conditions:
- Created new categories for sysmon events
2020-09-30 20:44:14 +02:00
EventID: 15
Added rules for different sysmon categories and added the category definition
2020-06-10 15:02:15 +02:00
rewrite:
product: windows
service: sysmon
- Created new categories for sysmon events
2020-09-30 20:44:14 +02:00
pipe_created:
category: pipe_created
Added rules for different sysmon categories and added the category definition
2020-06-10 15:02:15 +02:00
product: windows
conditions:
- Created new categories for sysmon events
2020-09-30 20:44:14 +02:00
EventID:
- 17
- 18
rewrite:
product: windows
service: sysmon
wmi_event:
category: wmi_event
product: windows
conditions:
EventID:
- 19
- 20
- 21
Added rules for different sysmon categories and added the category definition
2020-06-10 15:02:15 +02:00
rewrite:
product: windows
service: sysmon
- Created new categories for sysmon events
2020-09-30 20:44:14 +02:00
dns_query:
category: dns_query
product: windows
conditions:
EventID: 22
- Modified rules to use categories instead of hardcoded event IDs
2021-04-15 01:40:31 +02:00
rewrite:
product: windows
service: sysmon
file_delete:
category: file_delete
product: windows
conditions:
add EventID 26
2021-09-29 08:53:22 +02:00
EventID:
- 23
- 26
- Created new categories for sysmon events
2020-09-30 20:44:14 +02:00
rewrite:
product: windows
Add missing sysmon EventID
2021-06-09 12:52:38 +02:00
service: sysmon
clipboard_capture:
category: clipboard_capture
product: windows
conditions:
EventID: 24
rewrite:
product: windows
service: sysmon
process_tampering:
category: process_tampering
product: windows
conditions:
EventID: 25
rewrite:
product: windows
service: sysmon
sysmon_error:
category: sysmon_error
product: windows
conditions:
add sysmon mapping
2021-08-05 10:54:58 +02:00
EventID: 255
rewrite:
product: windows
service: sysmon
Reference in New Issue Copy Permalink