feat: generic categories - thor config

2024-11-06 17:35:19 +00:00 · 2021-04-23 17:47:09 +02:00 · 2021-04-23 17:47:09 +02:00 · d766c12888
commit d766c12888
parent 1ff5e226ad
1 changed files with 120 additions and 0 deletions
--- a/tools/config/thor.yml
+++ b/tools/config/thor.yml
@ -25,6 +25,126 @@ logsources:
    fieldmappings:
      Image: NewProcessName
      ParentImage: ParentProcessName
+  network_connection:
+    category: network_connection
+    product: windows
+    conditions:
+      EventID: 3
+    rewrite:
+      product: windows
+      service: sysmon
+  process_terminated:
+    category: process_termination
+    product: windows
+    conditions:
+      EventID: 5
+    rewrite:
+      product: windows
+      service: sysmon
+  driver_loaded:
+    category: driver_load
+    product: windows
+    conditions:
+      EventID: 6
+    rewrite:
+      product: windows
+      service: sysmon
+  image_loaded:
+    category: image_load
+    product: windows
+    conditions:
+      EventID: 7
+    rewrite:
+      product: windows
+      service: sysmon
+  create_remote_thread:
+    category: create_remote_thread
+    product: windows
+    conditions:
+      EventID: 8
+    rewrite:
+      product: windows
+      service: sysmon
+  raw_access_thread:
+    category: raw_access_thread
+    product: windows
+    conditions:
+      EventID: 9
+    rewrite:
+      product: windows
+      service: sysmon
+  process_access:
+    category: process_access
+    product: windows
+    conditions:
+      EventID: 10
+    rewrite:
+      product: windows
+      service: sysmon       
+  file_creation:
+    category: file_event
+    product: windows
+    conditions:
+      EventID: 11
+    rewrite:
+      product: windows
+      service: sysmon
+  registry_event:
+    category: registry_event
+    product: windows
+    conditions:
+      EventID: 
+        - 12 
+        - 13 
+        - 14
+    rewrite:
+      product: windows
+      service: sysmon
+  create_stream_hash:
+    category: create_stream_hash
+    product: windows
+    conditions:
+      EventID: 15
+    rewrite:
+      product: windows
+      service: sysmon
+  pipe_created:
+    category: pipe_created
+    product: windows
+    conditions:
+      EventID: 
+        - 17
+        - 18
+    rewrite:
+      product: windows
+      service: sysmon
+  wmi_event:
+    category: wmi_event
+    product: windows
+    conditions:
+      EventID: 
+        - 19
+        - 20
+        - 21
+    rewrite:
+      product: windows
+      service: sysmon
+  dns_query:
+    category: dns_query
+    product: windows
+    conditions:
+      EventID: 22
+    rewrite:
+      product: windows
+      service: sysmon
+  file_delete:
+    category: file_delete
+    product: windows
+    conditions:
+      EventID: 23
+    rewrite:
+      product: windows
+      service: sysmon
  # target system configurations
  windows-application:
    product: windows