Merge pull request #1546 from frack113/issues_1525

Add missing sysmon EventID
2021-06-10 09:05:35 +02:00
parent ced94bb728 1b4d4cfb82
commit 3dca4425d5
1 changed files with 40 additions and 1 deletions
@@ -9,6 +9,14 @@ logsources:
        rewrite:
            product: windows
            service: sysmon
+    file_change:
+        category: file_change
+        product: windows
+        conditions:
+            EventID: 2
+        rewrite:
+            product: windows
+            service: sysmon
    network_connection:
        category: network_connection
        product: windows
@@ -17,6 +25,16 @@ logsources:
        rewrite:
            product: windows
            service: sysmon
+    sysmon_status:
+        category: sysmon_status
+        product: windows
+        conditions:
+            EventID: 
+                - 4
+                - 16
+        rewrite:
+            product: windows
+            service: sysmon
    process_terminated:
        category: process_termination
        product: windows
@@ -128,4 +146,25 @@ logsources:
            EventID: 23
        rewrite:
            product: windows
-            service: sysmon
+            service: sysmon
+    clipboard_capture:
+        category: clipboard_capture
+        product: windows
+        conditions:
+            EventID: 24
+        rewrite:
+            product: windows
+            service: sysmon
+    process_tampering:
+        category: process_tampering
+        product: windows
+        conditions:
+            EventID: 25
+        rewrite:
+            product: windows
+            service: sysmon
+    sysmon_error:
+        category: sysmon_error
+        product: windows
+        conditions:
+            EventID: 255