frack113
82 lines
8.2 KiB
JSON
82 lines
8.2 KiB
JSON
{
|
|
"title": "Field name by logsource",
|
|
"version": "20221231",
|
|
"legit":{
|
|
"windows":{
|
|
"commun": ["EventID","Provider_Name"],
|
|
"category":{
|
|
"process_creation": ["CommandLine","Company","CurrentDirectory","Description","FileVersion","Hashes","Image","IntegrityLevel","LogonGuid","LogonId","OriginalFileName","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","ParentUser","ProcessGuid","ProcessId","Product","TerminalSessionId","User"],
|
|
"file_change": ["CreationUtcTime","Image","PreviousCreationUtcTime","ProcessGuid","ProcessId","TargetFilename","User"],
|
|
"network_connection": ["DestinationHostname","DestinationIp","DestinationIsIpv6","DestinationPort","DestinationPortName","Image","Initiated","ProcessGuid","ProcessId","Protocol","SourceHostname","SourceIp","SourceIsIpv6","SourcePort","SourcePortName","User"],
|
|
"sysmon_status": ["Configuration","ConfigurationFileHash","SchemaVersion","State","Version"],
|
|
"process_termination":["Image","ProcessGuid","ProcessId","User"],
|
|
"driver_load":["Hashes","ImageLoaded","Signature","SignatureStatus","Signed"],
|
|
"image_load":["Company","Description","FileVersion","Hashes","Image","ImageLoaded","OriginalFileName","ProcessGuid","ProcessId","Product","Signature","SignatureStatus","Signed","User"],
|
|
"create_remote_thread":["NewThreadId","SourceImage","SourceProcessGuid","SourceProcessId","SourceUser","StartAddress","StartFunction","StartModule","TargetImage","TargetProcessGuid","TargetProcessId","TargetUser"],
|
|
"raw_access_thread":["Device","Image","ProcessGuid","ProcessId","User"],
|
|
"process_access":["CallTrace","GrantedAccess","SourceImage","SourceProcessGUID","SourceProcessId","SourceThreadId","SourceUser","TargetImage","TargetProcessGUID","TargetProcessId","TargetUser"],
|
|
"raw_access_read":["CreationUtcTime","Image","ProcessGuid","ProcessId","TargetFilename","User"],
|
|
"file_event":["ProcessGuid","ProcessId","Image","TargetFilename","CreationUtcTime","User"],
|
|
"registry_add":["EventType","ProcessGuid","ProcessId","Image","TargetObject","User"],
|
|
"registry_delete":["Details","EventType","Image","ProcessGuid","ProcessId","TargetObject"],
|
|
"registry_set":["Details","EventType","Image","ProcessGuid","ProcessId","TargetObject","User"],
|
|
"registry_rename":["EventType","Image","NewName","ProcessGuid","ProcessId","TargetObject","User"],
|
|
"registry_event":["Details","EventType","Image","NewName","ProcessGuid","ProcessId","TargetObject","User"],
|
|
"create_stream_hash":["Contents","CreationUtcTime","Hash","Image","ProcessGuid","ProcessId","TargetFilename","User"],
|
|
"pipe_created":["EventType","Image","PipeName","ProcessGuid","ProcessId","User"],
|
|
"wmi_event":["Consumer","Destination","EventNamespace","EventType","Filter","Name","Operation","Query","Type","User"],
|
|
"dns_query":["Image","ProcessGuid","ProcessId","QueryName","QueryResults","QueryStatus","User"],
|
|
"file_delete":["Archived","Hashes","Image","IsExecutable","ProcessGuid","ProcessId","TargetFilename","User"],
|
|
"clipboard_capture":["Archived","ClientInfo","Hashes","Image","ProcessGuid","ProcessId","Session","User"],
|
|
"process_tampering":["Image","ProcessGuid","ProcessId","Type","User"],
|
|
"file_block":["Hashes","Image","ProcessGuid","ProcessId","TargetFilename","User"],
|
|
"ps_module":["ContextInfo","UserData","Payload"],
|
|
"ps_script":["MessageNumber","MessageTotal","ScriptBlockText","ScriptBlockId","Path"]
|
|
}
|
|
},
|
|
"linux":{
|
|
"category":{
|
|
"SYSMONEVENT_ERROR": ["ID","Description"],
|
|
"process_creation": ["ProcessGuid","ProcessId","Image","FileVersion","Description","Product","Company","OriginalFileName","CommandLine","CurrentDirectory","User","LogonGuid","LogonId","TerminalSessionId","IntegrityLevel","Hashes","ParentProcessGuid","ParentProcessId","ParentImage","ParentCommandLine","ParentUser"],
|
|
"SYSMONEVENT_FILE_TIME": ["ProcessGuid","ProcessId","Image","TargetFilename","CreationUtcTime","PreviousCreationUtcTime","User"],
|
|
"network_connection": ["ProcessGuid","ProcessId","Image","User","Protocol","Initiated","SourceIsIpv6","SourceIp","SourceHostname","SourcePort","SourcePortName","DestinationIsIpv6","DestinationIp","DestinationHostname","DestinationPort","DestinationPortName"],
|
|
"SYSMONEVENT_SERVICE_STATE_CHANGE": ["State","Version","SchemaVersion"],
|
|
"process_termination": ["ProcessGuid","ProcessId","Image","User"],
|
|
"SYSMONEVENT_DRIVER_LOAD": ["ImageLoaded","Hashes","Signed","Signature","SignatureStatus"],
|
|
"SYSMONEVENT_IMAGE_LOAD": ["ProcessGuid","ProcessId","Image","ImageLoaded","FileVersion","Description","Product","Company","OriginalFileName","Hashes","Signed","Signature","SignatureStatus","User"],
|
|
"SYSMONEVENT_CREATE_REMOTE_THREAD": ["SourceProcessGuid","SourceProcessId","SourceImage","TargetProcessGuid","TargetProcessId","TargetImage","NewThreadId","StartAddress","StartModule","StartFunction","SourceUser","TargetUser"],
|
|
"raw_access_read": ["ProcessGuid","ProcessId","Image","Device","User"],
|
|
"SYSMONEVENT_ACCESS_PROCESS": ["SourceProcessGUID","SourceProcessId","SourceThreadId","SourceImage","TargetProcessGUID","TargetProcessId","TargetImage","GrantedAccess","CallTrace","SourceUser","TargetUser"],
|
|
"file_event": ["ProcessGuid","ProcessId","Image","TargetFilename","CreationUtcTime","User"],
|
|
"SYSMONEVENT_REG_KEY": ["EventType","ProcessGuid","ProcessId","Image","TargetObject","User"],
|
|
"SYSMONEVENT_REG_SETVALUE": ["EventType","ProcessGuid","ProcessId","Image","TargetObject","Details","User"],
|
|
"SYSMONEVENT_REG_NAME": ["EventType","ProcessGuid","ProcessId","Image","TargetObject","NewName","User"],
|
|
"SYSMONEVENT_FILE_CREATE_STREAM_HASH": ["ProcessGuid","ProcessId","Image","TargetFilename","CreationUtcTime","Hash","Contents","User"],
|
|
"sysmon_status": ["Configuration","ConfigurationFileHash"],
|
|
"SYSMONEVENT_CREATE_NAMEDPIPE": ["EventType","ProcessGuid","ProcessId","PipeName","Image","User"],
|
|
"SYSMONEVENT_CONNECT_NAMEDPIPE": ["EventType","ProcessGuid","ProcessId","PipeName","Image","User"],
|
|
"SYSMONEVENT_WMI_FILTER": ["EventType","Operation","User","EventNamespace","Name","Query"],
|
|
"SYSMONEVENT_WMI_CONSUMER": ["EventType","Operation","User","Name","Type","Destination"],
|
|
"SYSMONEVENT_WMI_BINDING": ["EventType","Operation","User","Consumer","Filter"],
|
|
"SYSMONEVENT_DNS_QUERY": ["ProcessGuid","ProcessId","QueryName","QueryStatus","QueryResults","Image","User"],
|
|
"file_delete": ["ProcessGuid","ProcessId","User","Image","TargetFilename","Hashes","IsExecutable","Archived"],
|
|
"SYSMONEVENT_CLIPBOARD": ["ProcessGuid","ProcessId","Image","Session","ClientInfo","Hashes","Archived","User"],
|
|
"SYSMONEVENT_PROCESS_IMAGE_TAMPERING": ["ProcessGuid","ProcessId","Image","Type","User"],
|
|
"SYSMONEVENT_FILE_DELETE_DETECTED": ["ProcessGuid","ProcessId","User","Image","TargetFilename","Hashes","IsExecutable"]
|
|
}
|
|
}
|
|
},
|
|
"addon":{
|
|
"windows":{
|
|
"category":{
|
|
"process_creation": ["GrandparentCommandLine"],
|
|
"network_connection": ["CommandLine","ParentImage"],
|
|
"create_remote_thread": ["User","SourceCommandLine","SourceParentProcessId","SourceParentImage","SourceParentCommandLine","TargetCommandLine","TargetParentProcessId","TargetParentImage","TargetParentCommandLine","IsInitialThread","RemoteCreation"],
|
|
"file_delete": ["CommandLine","ParentImage","ParentCommandLine"],
|
|
"file_event": ["CommandLine","ParentImage","ParentCommandLine","MagicHeader"],
|
|
"image_load": ["CommandLine"],
|
|
"process_access": ["SourceCommandLine","CallTraceExtended"]
|
|
}
|
|
}
|
|
}
|
|
} |