Florian Roth
74 lines
1.7 KiB
YAML
74 lines
1.7 KiB
YAML
title: Conversion of Generic Rules into Sysmon Specific Rules
|
|
order: 10
|
|
logsources:
|
|
process_creation:
|
|
category: process_creation
|
|
product: windows
|
|
conditions:
|
|
EventID: 1
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
network_connection:
|
|
category: network_connection
|
|
product: windows
|
|
conditions:
|
|
EventID:
|
|
- 3
|
|
- 22
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
registry_event:
|
|
category: registry_event
|
|
product: windows
|
|
conditions:
|
|
EventID:
|
|
- 12
|
|
- 13
|
|
- 14
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
file_creation:
|
|
category: file_event
|
|
product: windows
|
|
conditions:
|
|
EventID: 11
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
process_access:
|
|
category: process_access
|
|
product: windows
|
|
conditions:
|
|
EventID: 10
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
image_loaded:
|
|
category: image_load
|
|
product: windows
|
|
conditions:
|
|
EventID: 7
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
driver_loaded:
|
|
category: driver_load
|
|
product: windows
|
|
conditions:
|
|
EventID: 6
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
process_terminated:
|
|
category: process_termination
|
|
product: windows
|
|
conditions:
|
|
EventID: 5
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
|