security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
01dc930c173e329c191245b76f05de5fa4b5da21
blue-team-tools/tools/config/generic/sysmon.yml
T
Florian Roth 6660be9753 config: network connection linux
2021-10-16 14:22:48 +02:00

191 lines
4.5 KiB
YAML
Raw Blame History

title: Conversion of Generic Rules into Sysmon Specific Rules
order: 10
logsources:
process_creation:
category: process_creation
product: windows
conditions:
EventID: 1
rewrite:
product: windows
service: sysmon
process_creation_linux:
category: process_creation
product: linux
conditions:
EventID: 1
rewrite:
product: linux
service: sysmon
file_change:
category: file_change
product: windows
conditions:
EventID: 2
rewrite:
product: windows
service: sysmon
network_connection:
category: network_connection
product: windows
conditions:
EventID: 3
rewrite:
product: windows
service: sysmon
network_connectio_linux:
category: network_connection
product: linux
conditions:
EventID: 3
rewrite:
product: linux
service: sysmon
sysmon_status:
category: sysmon_status
product: windows
conditions:
EventID:
- 4
- 16
rewrite:
product: windows
service: sysmon
process_terminated:
category: process_termination
product: windows
conditions:
EventID: 5
rewrite:
product: windows
service: sysmon
driver_loaded:
category: driver_load
product: windows
conditions:
EventID: 6
rewrite:
product: windows
service: sysmon
image_loaded:
category: image_load
product: windows
conditions:
EventID: 7
rewrite:
product: windows
service: sysmon
create_remote_thread:
category: create_remote_thread
product: windows
conditions:
EventID: 8
rewrite:
product: windows
service: sysmon
raw_access_thread:
category: raw_access_thread
product: windows
conditions:
EventID: 9
rewrite:
product: windows
service: sysmon
process_access:
category: process_access
product: windows
conditions:
EventID: 10
rewrite:
product: windows
service: sysmon
file_creation:
category: file_event
product: windows
conditions:
EventID: 11
rewrite:
product: windows
service: sysmon
registry_event:
category: registry_event
product: windows
conditions:
EventID:
- 12
- 13
- 14
rewrite:
product: windows
service: sysmon
create_stream_hash:
category: create_stream_hash
product: windows
conditions:
EventID: 15
rewrite:
product: windows
service: sysmon
pipe_created:
category: pipe_created
product: windows
conditions:
EventID:
- 17
- 18
rewrite:
product: windows
service: sysmon
wmi_event:
category: wmi_event
product: windows
conditions:
EventID:
- 19
- 20
- 21
rewrite:
product: windows
service: sysmon
dns_query:
category: dns_query
product: windows
conditions:
EventID: 22
rewrite:
product: windows
service: sysmon
file_delete:
category: file_delete
product: windows
conditions:
EventID:
- 23
- 26
rewrite:
product: windows
service: sysmon
clipboard_capture:
category: clipboard_capture
product: windows
conditions:
EventID: 24
rewrite:
product: windows
service: sysmon
process_tampering:
category: process_tampering
product: windows
conditions:
EventID: 25
rewrite:
product: windows
service: sysmon
sysmon_error:
category: sysmon_error
product: windows
conditions:
EventID: 255
rewrite:
product: windows
service: sysmon
Reference in New Issue View Git Blame Copy Permalink