title: Conversion of Generic Rules into Sysmon Specific Rules
order: 10
logsources:
  process_creation:
    category: process_creation
    product: windows
    conditions:
      EventID: 1
    rewrite:
      product: windows
      service: sysmon
  process_creation_linux:
    category: process_creation
    product: linux
    conditions:
      EventID: 1
    rewrite:
      product: linux
      service: sysmon
  file_change:
    category: file_change
    product: windows
    conditions:
      EventID: 2
    rewrite:
      product: windows
      service: sysmon
  network_connection:
    category: network_connection
    product: windows
    conditions:
      EventID: 3
    rewrite:
      product: windows
      service: sysmon
  network_connection_linux:
    category: network_connection
    product: linux
    conditions:
      EventID: 3
    rewrite:
      product: linux
      service: sysmon
  sysmon_status:
    category: sysmon_status
    product: windows
    conditions:
      EventID:
        - 4
        - 16
    rewrite:
      product: windows
      service: sysmon
  sysmon_status_linux:
    category: sysmon_status
    product: linux
    conditions:
      EventID: 16
    rewrite:
      product: linux
      service: sysmon
  process_terminated:
    category: process_termination
    product: windows
    conditions:
      EventID: 5
    rewrite:
      product: windows
      service: sysmon
  process_terminated_linux:
    category: process_termination
    product: linux
    conditions:
      EventID: 5
    rewrite:
      product: linux
      service: sysmon
  driver_loaded:
    category: driver_load
    product: windows
    conditions:
      EventID: 6
    rewrite:
      product: windows
      service: sysmon
  image_loaded:
    category: image_load
    product: windows
    conditions:
      EventID: 7
    rewrite:
      product: windows
      service: sysmon
  create_remote_thread:
    category: create_remote_thread
    product: windows
    conditions:
      EventID: 8
    rewrite:
      product: windows
      service: sysmon
  raw_access_thread:
    category: raw_access_thread
    product: windows
    conditions:
      EventID: 9
    rewrite:
      product: windows
      service: sysmon
  process_access:
    category: process_access
    product: windows
    conditions:
      EventID: 10
    rewrite:
      product: windows
      service: sysmon
  raw_access_read_linux:
    category: raw_access_read
    product: linux
    conditions:
      EventID: 9
    rewrite:
      product: linux
      service: sysmon
  file_creation:
    category: file_event
    product: windows
    conditions:
      EventID: 11
    rewrite:
      product: windows
      service: sysmon
  file_creation_linux:
    category: file_event
    product: linux
    conditions:
      EventID: 11
    rewrite:
      product: linux
      service: sysmon
  registry_add:
    category: registry_add
    product: windows
    conditions:
      EventID: 12
    rewrite:
      product: windows
      service: sysmon
  registry_delete:
    category: registry_delete
    product: windows
    conditions:
      EventID: 12
    rewrite:
      product: windows
      service: sysmon
  registry_set:
    category: registry_set
    product: windows
    conditions:
      EventID: 13
    rewrite:
      product: windows
      service: sysmon
  registry_rename:
    category: registry_rename
    product: windows
    conditions:
      EventID: 14
    rewrite:
      product: windows
      service: sysmon
  registry_event:
    category: registry_event
    product: windows
    conditions:
      EventID:
        - 12
        - 13
        - 14
    rewrite:
      product: windows
      service: sysmon
  create_stream_hash:
    category: create_stream_hash
    product: windows
    conditions:
      EventID: 15
    rewrite:
      product: windows
      service: sysmon
  pipe_created:
    category: pipe_created
    product: windows
    conditions:
      EventID:
        - 17
        - 18
    rewrite:
      product: windows
      service: sysmon
  wmi_event:
    category: wmi_event
    product: windows
    conditions:
      EventID:
        - 19
        - 20
        - 21
    rewrite:
      product: windows
      service: sysmon
  dns_query:
    category: dns_query
    product: windows
    conditions:
      EventID: 22
    rewrite:
      product: windows
      service: sysmon
  file_delete:
    category: file_delete
    product: windows
    conditions:
      EventID:
        - 23
        - 26
    rewrite:
      product: windows
      service: sysmon
  file_delete_linux:
    category: file_delete
    product: linux
    conditions:
      EventID: 23
    rewrite:
      product: linux
      service: sysmon
  clipboard_capture:
    category: clipboard_capture
    product: windows
    conditions:
      EventID: 24
    rewrite:
      product: windows
      service: sysmon
  process_tampering:
    category: process_tampering
    product: windows
    conditions:
      EventID: 25
    rewrite:
      product: windows
      service: sysmon
  file_block:
    category: file_block
    product: windows
    conditions:
      EventID: 27
    rewrite:
      product: windows
      service: sysmon
  sysmon_error:
    category: sysmon_error
    product: windows
    conditions:
      EventID: 255
    rewrite:
      product: windows
      service: sysmon