SimSama
83 lines
2.2 KiB
YAML
83 lines
2.2 KiB
YAML
title: Fortisiem Windows log source conditions
|
|
order: 10
|
|
backends:
|
|
- fortisiem
|
|
logsources:
|
|
process_creation:
|
|
category: process_creation
|
|
product: windows
|
|
conditions:
|
|
eventType: Win-Sysmon-1-Create-Process
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
network_connection:
|
|
category: network_connection
|
|
product: windows
|
|
conditions:
|
|
eventType:
|
|
- Win-Sysmon-3-Network-Connect*
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
dns_query:
|
|
category: dns_query
|
|
product: windows
|
|
conditions:
|
|
eventType: Win-Sysmon-22-DNS-Query
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
registry_event:
|
|
category: registry_event
|
|
product: windows
|
|
conditions:
|
|
eventType:
|
|
- Win-Sysmon-12-Registry-*
|
|
- Win-Sysmon-13-Registry-*
|
|
- Win-Sysmon-14-Registry-*
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
file_creation:
|
|
category: file_event
|
|
product: windows
|
|
conditions:
|
|
eventType: Win-Sysmon-11-FileCreate
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
process_access:
|
|
category: process_access
|
|
product: windows
|
|
conditions:
|
|
eventType: Win-Sysmon-10-ProcessAccess
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
image_loaded:
|
|
category: image_load
|
|
product: windows
|
|
conditions:
|
|
eventType: Win-Sysmon-7-Image-Loaded
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
driver_loaded:
|
|
category: driver_load
|
|
product: windows
|
|
conditions:
|
|
eventType: Win-Sysmon-6-Driver-Loaded
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
process_terminated:
|
|
category: process_termination
|
|
product: windows
|
|
conditions:
|
|
eventType: Win-Sysmon-5-Process-Terminated
|
|
rewrite:
|
|
product: windows
|
|
service: sysmon
|
|
|