valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1b215e3aaf
SigmaHQ/tools/config/devo-windows.yml

145 lines
3.9 KiB
YAML
Raw Blame History

title: Devo sourcetype mappings for windows sources
order: 20
backends:
- devo
logsources:
windows:
product: windows
index: box.all.win
windows-category-process_creation:
product: windows
category: process_creation
windows-service-powershell:
product: windows
service: powershell
windows-service-powershell-classic:
product: windows
service: powershell-classic
windows-service-security:
product: windows
service: security
windows-service-sysmon:
product: windows
service: security
windows-category-registry_event:
product: windows
category: registry_event
windows-category-process_access:
product: windows
category: process_access
windows-service-windefend:
product: windows
service: windefend
windows-service-windef:
product: windows
service: windef
windows_defender:
product: windows_defender
index: box.all.win
windows-service-taskscheduler:
product: windows
service: taskscheduler
windows-service-wmi:
product: windows
service: wmi
windows-service-system:
product: windows
service: system
windows-category-network_connection:
product: windows
category: network_connection
windows-category-image_load:
product: windows
category: image_load
windows-category-file_event:
product: windows
category: file_event
windows-category-driver_load:
product: windows
category: driver_load
windows-service-applocker:
product: windows
service: applocker
windows-service-dns-server:
product: windows
service: dns-server
windows-service-ntlm:
product: windows
service: ntlm
windows-service-driver-framework:
product: windows
service: driver-framework
windows-category-create_remote_thread:
product: windows
category: create_remote_thread
windows-category-create_stream_hash:
product: windows
category: create_stream_hash
windows-category-dns_query:
product: windows
category: dns_query
windows-category-file_delete:
product: windows
category: file_delete
windows-category-pipe_created:
product: windows
category: pipe_created
windows-category-raw_access_thread:
product: windows
category: raw_access_thread
windows-category-wmi_event:
product: windows
category: wmi_event
fieldmappings:
EventID: eventID
HostName: machine
HostApplication: ProcessName # ???
Message: message
CommandLine: procCmdLine
Commandline: procCmdLine
ProcessCommandline: procCmdLine
ProcessCommandLine: procCmdLine
Image: serviceFileName
User: username
TaskName: category
TargetFilename: serviceFileName # ???
ServiceName: service
ProcessName: callerProcName
OriginalFilename: serviceFileName
OriginalFileName: serviceFileName
MachineName: machine
LogonId: subjectLogonId
GroupName: groupName
EventType: eventType
Description: message
Details: extMessage
ObjectName: objName
CreatorProcessName: parentProcessName
ServiceFileName: serviceFileName
ObjectType: objType
Keywords: keywords
SubjectLogonId: subjectLogonId
UserName: username
Status: status
SourceNetworkAddress: srcIp
AccountName: account
ObjectValueName: objValueName
LogonProcessName: procName
TargetUserName: targetUsername
WorkstationName: workstation
SubjectUserName: subjectUsername
Source: sourceName
Destination: dstIp
TargetImage: serviceFileName
CallingProcessName: callerProcName
TargetName: targetUsername
FileName: serviceFileName
TargetObject: objName
DestinationHostname: machine
DestinationIp: dstIp
DestinationIsIpv6: dstIp
ImageLoaded: serviceFileName
ScriptBlockText: select str(jqeval(jqcompile(".columns.data.EventData.ScriptBlockText"), jsonparse(message))) as ScriptBlockText
DestinationPort: select int(trim(split(split(rawMessage, "Destination Port:", 1), "&", 0))) as destinationPort / where eventID > 5100 or eventID < 5199
Reference in New Issue View Git Blame Copy Permalink