@@ -48,11 +48,11 @@ fieldmappings:
|
||||
Destination:
|
||||
EventID=20: wmi_consumer_destination
|
||||
DestinationHostname: dst_host_name
|
||||
DestinationIp: dst_ip
|
||||
DestinationIp: dst_ip_addr
|
||||
DestinationIsIpv6: dst_is_ipv6
|
||||
DestinationPort: dst_port
|
||||
DestinationPortName: dst_port_name
|
||||
Details:
|
||||
Details:
|
||||
EventID=13: registry_key_value
|
||||
Device: device_name
|
||||
EngineVersion: powershell.engine.version
|
||||
@@ -130,7 +130,7 @@ fieldmappings:
|
||||
State:
|
||||
EventID=4: service_state
|
||||
EventID=16: sysmon_configuration_state
|
||||
SubjectUserName:
|
||||
SubjectUserName:
|
||||
EventID=4624: user_reporter_name
|
||||
EventId=4648: user_name
|
||||
EventID=5140: user_name
|
||||
|
||||