From 1b4d4cfb8220e571186b0740f91ed8770dfda59d Mon Sep 17 00:00:00 2001
From: frack113
Date: Wed, 9 Jun 2021 12:52:38 +0200
Subject: [PATCH] Add missing sysmon EventID

---
 tools/config/generic/sysmon.yml | 41 ++++++++++++++++++++++++++++++++-
 1 file changed, 40 insertions(+), 1 deletion(-)

diff --git a/tools/config/generic/sysmon.yml b/tools/config/generic/sysmon.yml
index e9d81e1fd..46d3c39be 100644
--- a/tools/config/generic/sysmon.yml
+++ b/tools/config/generic/sysmon.yml
@@ -9,6 +9,14 @@ logsources:
     rewrite:
       product: windows
       service: sysmon
+  file_change:
+    category: file_change
+    product: windows
+    conditions:
+      EventID: 2
+    rewrite:
+      product: windows
+      service: sysmon
   network_connection:
     category: network_connection
     product: windows
@@ -17,6 +25,16 @@ logsources:
     rewrite:
       product: windows
       service: sysmon
+  sysmon_status:
+    category: sysmon_status
+    product: windows
+    conditions:
+      EventID:
+        - 4
+        - 16
+    rewrite:
+      product: windows
+      service: sysmon
   process_terminated:
     category: process_termination
     product: windows
@@ -128,4 +146,25 @@ logsources:
       EventID: 23
     rewrite:
       product: windows
-      service: sysmon
\ No newline at end of file
+      service: sysmon
+  clipboard_capture:
+    category: clipboard_capture
+    product: windows
+    conditions:
+      EventID: 24
+    rewrite:
+      product: windows
+      service: sysmon
+  process_tampering:
+    category: process_tampering
+    product: windows
+    conditions:
+      EventID: 25
+    rewrite:
+      product: windows
+      service: sysmon
+  sysmon_error:
+    category: sysmon_error
+    product: windows
+    conditions:
+      EventID: 255
\ No newline at end of file
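Review bot: The new `sysmon_error` entry at the end of the last hunk has no `rewrite:` block, unlike every other logsource in this file (including the `clipboard_capture` and `process_tampering` entries added just above it), so a rule with `category: sysmon_error` would get the EventID 255 condition but, presumably, not the rewrite to `product: windows` / `service: sysmon` that the rest of the config relies on for downstream mapping. Add the same three lines the sibling entries carry: `    rewrite:` / `      product: windows` / `      service: sysmon`. The file also still ends without a trailing newline (the `\ No newline at end of file` marker moved to the new last line rather than going away), which means the next appended entry will again show a spurious one-line deletion; ending the file with a newline avoids that.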