valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
b31ed47ccf
SigmaHQ/tools/config/stix-windows.yml
bar 9643e01b54 extension should use '..'
2020-07-26 12:16:48 +03:00

269 lines
6.2 KiB
YAML
Raw Blame History

title: STIX for Windows Logs
backends:
- stix
order: 40
logsources:
windows:
product: windows
fieldmappings:
AccessMask:
- x-windows:accessmask
Accesses:
- x-windows:accesses
AccountDomain:
- user-account:x_domain
AccountID:
- user-account:user_id
AccountName:
- user-account:account_login
- user-account:display_name
AccountSecurityID:
- user-account:x_security_id
CallTrace:
- x-windows:calltrace
ClientIP:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:src_ref.value
ComputerName:
- x-host:name
Description:
- x-event:action
DestinationIsIpv6:
- x-windows:destisipv6
DestinationHostname:
- network-traffic:dst_ref.value
Device:
- file:name
ErrorCode:
- x-error:code
Event-ID:
- x-event:id
- x-event:code
EventID:
- x-event:id
- x-event:code
Event_ID:
- x-event:id
- x-event:code
EventType:
- x-event:action
ExtendedErrorCode:
- x-error:code
- x-error:id
FileDirectory:
- directory:path
FileExtension:
- file:x_extension
FileHash:
- file:hashes.SHA-256
- file:hashes.MD5
- file:hashes.SHA-1
FilePath:
- file:name
Filename:
- file:name
GrantedAccess:
- x-windows:grantedaccess
GroupDomain:
- x-group:domain
GroupID:
- x-group:id
GroupName:
- x-group:name
GroupSecurityID:
- x-group:security_id
HomeDirectory:
- directory:path
IMPHash:
- x-windows:imphash
Imphash:
- x-windows:imphash
Image:
- process:image_ref.name
ImageLoadedTempPath:
- process:extensions.'windows-service-ext'.service_dll_refs[*].x_temp_path
ImageName:
- process:image_ref.name
ImagePath:
- process:image_ref.name
ImageTempPath:
- process:image_ref.x_temp_path
InitiatedConnection:
- x-windows:initiatedconnection
Initiated:
- x-windows:initiatedconnection
InitiatorUserName:
- user-account:user_id
- user-account:account_login
IntegrityLevel:
- x-windows:integritylevel
LoadedImage:
- process:extensions.'windows-service-ext'.service_dll_refs[*].name
LoadedImageName:
- process:extensions.'windows-service-ext'.service_dll_refs[*].name
LogonType:
- x-windows:logontype
MD5Hash:
- file:hashes.MD5
Message:
- x-event:original
NewName:
- windows-registry-key:key
ObjectName:
- x-windows:objectname
ObjectType:
- x-windows:objecttype
ParentCommandLine:
- process:parent_ref.command_line
ParentImage:
- process:parent_ref.image_ref.name
ParentImageName:
- process:parent_ref.image_ref.name
ParentProcessGuid:
- process:parent_ref.x_guid
ParentProcessName:
- process:parent_ref.image_ref.name
ParentProcessPath:
- process:parent_ref.image_ref.name
PipeName:
- x-windows:pipename
ProcessCommandLine:
- process:command_line
Command:
- process:command_line
CommandLine:
- process:command_line
ProcessGuid:
- process:x_guid
ProcessId:
- process:pid
ProcessName:
- process:image_ref.name
ProcessPath:
- process:image_ref.name
QueryName:
- x-windows:queryname
QueryResults:
- x-windows:queryresults
QueryStatus:
- x-windows:querystatus
RegistryKey:
- windows-registry-key:key
RegistryValueData:
- windows-registry-key:values[*].data
RegistryValueName:
- windows-registry-key:values[*].name
SAMAccountName:
- user-account:account_login
- user-account:display_name
SHA1Hash:
- file:hashes.SHA-1
SHA256Hash:
- file:hashes.SHA-256
ServiceFileName:
- process:extensions.'windows-service-ext'.service_dll_refs[*].name
ServiceName:
- process:extensions.'windows-service-ext'.service_name
ShareName:
- x-windows:sharename
SharePath:
- x-windows:sharepath
Signature:
- x-windows:signature
SignatureStatus:
- x-windows:signaturestatus
Signed:
- x-windows:signed
SourceImage:
- x-windows:sourceimage
SourceImageTempPath:
- x-windows:sourceimagetemppath
SourceWorkstation:
- x-windows:sourceworkstation
StartAddress:
- x-windows:startaddress
StartFunction:
- x-windows:startfunction
StartModule:
- x-windows:startmodule
TargetAccountSecurityID:
- x-windows:targetaccountsecurityid
TargetComputerDomain:
- x-windows:targetcomputerdomain
TargetComputerName:
- x-windows:targetcomputername
TargetDetails:
- x-windows:targetdetails
Details:
- windows-registry-key:values[*].data
- x-event:original
TargetFilename:
- file:name
TargetImage:
- x-windows:targetimage
TargetImageName:
- x-windows:targetimagename
TargetObject:
- windows-registry-key:key
TargetProcessGuid:
- x-windows:targetprocessguid
TargetProcessAddress:
- x-windows:startaddress
TargetUserDomain:
- x-windows:targetuserdomain
TargetUserName:
- x-windows:targetusername
TaskName:
- x-windows:taskname
TicketEncryptionType:
- x-windows:ticketencryptiontype
User:
- user-account:user_id
UserDomain:
- user-account:x_domain
event-id:
- x-event:id
eventId:
- x-event:id
event_data.FileName:
- file:name
event_data.Image:
- process:image_ref.name
event_data.ImageLoaded:
- process:extensions.'windows-service-ext'.service_dll_refs[*].name
ImageLoaded:
- process:extensions.'windows-service-ext'.service_dll_refs[*].name
event_data.ImagePath:
- process:image_ref.name
event_data.ParentCommandLine:
- process:parent_ref.command_line
event_data.ParentImage:
- process:parent_ref.image_ref.name
event_data.ParentProcessName:
- process:parent_ref.image_ref.name
event_data.PipeName:
- x-windows:pipename
event_data.ServiceFileName:
- process:extensions.'windows-service-ext'.service_dll_refs[*].name
event_data.ShareName:
- x-windows:sharename
event_data.Signature:
- x-windows:signature
event_data.SourceImage:
- x-windows:sourceimage
event_data.StartModule:
- x-windows:startmodule
event_data.SubjectUserName:
- user-account:user_id
- user-account:account_login
event_data.TargetFilename:
- file:name
event_data.TargetImage:
- x-windows:targetimage
event_data.User:
- user-account:user_id
event_id:
- x-event:id
eventid:
- x-event:id
Reference in New Issue View Git Blame Copy Permalink