Merge pull request #1659 from SigmaHQ/config-adjustments

refactor: THOR config adjustments
2024-11-07 09:48:58 +00:00 · 2021-07-08 15:37:04 +02:00 · 2021-07-08 15:37:04 +02:00 · a6952540c9
commit a6952540c9
parent db8cc0ee2d 5e7f1f3a36
1 changed files with 46 additions and 14 deletions
--- a/tools/config/thor.yml
+++ b/tools/config/thor.yml
@ -89,14 +89,27 @@ logsources:
    rewrite:
      product: windows
      service: sysmon
-  registry_event:
+  registry_event1:
    category: registry_event
    product: windows
    conditions:
-      EventID: 
-        - 12 
-        - 13 
-        - 14
+      EventID: 12
+    rewrite:
+      product: windows
+      service: sysmon
+  registry_event2:
+    category: registry_event
+    product: windows
+    conditions:
+      EventID: 13
+    rewrite:
+      product: windows
+      service: sysmon
+  registry_event3:
+    category: registry_event
+    product: windows
+    conditions:
+      EventID: 14
    rewrite:
      product: windows
      service: sysmon
@ -108,24 +121,43 @@ logsources:
    rewrite:
      product: windows
      service: sysmon
-  pipe_created:
+  pipe_created1:
    category: pipe_created
    product: windows
    conditions:
-      EventID: 
-        - 17
-        - 18
+      EventID: 17
    rewrite:
      product: windows
      service: sysmon
-  wmi_event:
+  pipe_created2:
+    category: pipe_created
+    product: windows
+    conditions:
+      EventID: 18
+    rewrite:
+      product: windows
+      service: sysmon
+  wmi_event1:
    category: wmi_event
    product: windows
    conditions:
-      EventID: 
-        - 19
-        - 20
-        - 21
+      EventID: 19
+    rewrite:
+      product: windows
+      service: sysmon
+  wmi_event2:
+    category: wmi_event
+    product: windows
+    conditions:
+      EventID: 20
+    rewrite:
+      product: windows
+      service: sysmon
+  wmi_event3:
+    category: wmi_event
+    product: windows
+    conditions:
+      EventID: 21
    rewrite:
      product: windows
      service: sysmon