{
"title": "Field name by logsource",
"version": "20221231",
"legit":{
"windows":{
"commun": ["EventID","Provider_Name"],
"category":{
"process_creation": ["CommandLine","Company","CurrentDirectory","Description","FileVersion","Hashes","Image","IntegrityLevel","LogonGuid","LogonId","OriginalFileName","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","ParentUser","ProcessGuid","ProcessId","Product","TerminalSessionId","User"],
"file_change": ["CreationUtcTime","Image","PreviousCreationUtcTime","ProcessGuid","ProcessId","TargetFilename","User"],
"network_connection": ["DestinationHostname","DestinationIp","DestinationIsIpv6","DestinationPort","DestinationPortName","Image","Initiated","ProcessGuid","ProcessId","Protocol","SourceHostname","SourceIp","SourceIsIpv6","SourcePort","SourcePortName","User"],
"sysmon_status": ["Configuration","ConfigurationFileHash","SchemaVersion","State","Version"],
"process_termination":["Image","ProcessGuid","ProcessId","User"],
"driver_load":["Hashes","ImageLoaded","Signature","SignatureStatus","Signed"],
"image_load":["Company","Description","FileVersion","Hashes","Image","ImageLoaded","OriginalFileName","ProcessGuid","ProcessId","Product","Signature","SignatureStatus","Signed","User"],
"create_remote_thread":["NewThreadId","SourceImage","SourceProcessGuid","SourceProcessId","SourceUser","StartAddress","StartFunction","StartModule","TargetImage","TargetProcessGuid","TargetProcessId","TargetUser"],
"raw_access_thread":["Device","Image","ProcessGuid","ProcessId","User"],
"process_access":["CallTrace","GrantedAccess","SourceImage","SourceProcessGUID","SourceProcessId","SourceThreadId","SourceUser","TargetImage","TargetProcessGUID","TargetProcessId","TargetUser"],
"raw_access_read":["CreationUtcTime","Image","ProcessGuid","ProcessId","TargetFilename","User"],
"file_event":["ProcessGuid","ProcessId","Image","TargetFilename","CreationUtcTime","User"],
"registry_add":["EventType","ProcessGuid","ProcessId","Image","TargetObject","User"],
"registry_delete":["Details","EventType","Image","ProcessGuid","ProcessId","TargetObject"],
"registry_set":["Details","EventType","Image","ProcessGuid","ProcessId","TargetObject","User"],
"registry_rename":["EventType","Image","NewName","ProcessGuid","ProcessId","TargetObject","User"],
"registry_event":["Details","EventType","Image","NewName","ProcessGuid","ProcessId","TargetObject","User"],
"create_stream_hash":["Contents","CreationUtcTime","Hash","Image","ProcessGuid","ProcessId","TargetFilename","User"],
"pipe_created":["EventType","Image","PipeName","ProcessGuid","ProcessId","User"],
"wmi_event":["Consumer","Destination","EventNamespace","EventType","Filter","Name","Operation","Query","Type","User"],
"dns_query":["Image","ProcessGuid","ProcessId","QueryName","QueryResults","QueryStatus","User"],
"file_delete":["Archived","Hashes","Image","IsExecutable","ProcessGuid","ProcessId","TargetFilename","User"],
"clipboard_capture":["Archived","ClientInfo","Hashes","Image","ProcessGuid","ProcessId","Session","User"],
"process_tampering":["Image","ProcessGuid","ProcessId","Type","User"],
"file_block":["Hashes","Image","ProcessGuid","ProcessId","TargetFilename","User"],
"ps_module":["ContextInfo","UserData","Payload"],
"ps_script":["MessageNumber","MessageTotal","ScriptBlockText","ScriptBlockId","Path"]
}
}
},
"addon":{
"windows":{
"category":{
"process_creation": ["GrandparentCommandLine"],
"network_connection": ["CommandLine","ParentImage"],
"create_remote_thread": ["User","SourceCommandLine","SourceParentProcessId","SourceParentImage","SourceParentCommandLine","TargetCommandLine","TargetParentProcessId","TargetParentImage","TargetParentCommandLine","IsInitialThread","RemoteCreation"],
"file_delete": ["CommandLine","ParentImage","ParentCommandLine"],
"file_event": ["CommandLine","ParentImage","ParentCommandLine","MagicHeader"],
"image_load": ["CommandLine"],
"process_access": ["SourceCommandLine","CallTraceExtended"]
}
}
}
}