DNs naming scheme updated

2024-11-07 01:55:21 +00:00 · 2019-02-06 23:42:25 +01:00 · 2019-02-06 23:42:25 +01:00 · cdc2456191
commit cdc2456191
parent 7e3a8d3f4f
18 changed files with 5 additions and 1062 deletions
--- a/dataneeded/DN_0001_windows_process_creation_4688.yml
+++ b/dataneeded/DN_0001_windows_process_creation_4688.yml
@ -1,63 +0,0 @@
-title: DN_0001_windows_process_creation_4688
-description: >
-  Windows process creation log, not including command line.
-loggingpolicy: 
-  - LP_0001_windows_audit_process_creation
-references:
-  - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md
-platform: Windows
-type: Windows Log
-channel: Security
-provider: Microsoft-Windows-Security-Auditing
-fields:
-  - EventID
-  - Hostname
-  - Username
-  - UserSid
-  - ProcessPid
-  - ProcessId
-  - ThreadID
-  - ProcessName
-  - NewProcessName      # redundant, inconsistent
-  - Image               # redundant, inconsistent
-  - ParentImage         # redundant, inconsistent
-  - ParentProcessPid
-  - ParentProcessName
-  - MandatoryLabel
-  - TokenElevationType
-  - LogonId
-sample: |
-  - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-      <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-      <EventID>4688</EventID> 
-      <Version>2</Version> 
-      <Level>0</Level> 
-      <Task>13312</Task> 
-      <Opcode>0</Opcode> 
-      <Keywords>0x8020000000000000</Keywords> 
-      <TimeCreated SystemTime="2015-11-12T02:24:52.377352500Z" /> 
-      <EventRecordID>2814</EventRecordID> 
-      <Correlation /> 
-      <Execution ProcessID="4" ThreadID="400" /> 
-      <Channel>Security</Channel> 
-      <Computer>WIN-GG82ULGC9GO.contoso.local</Computer> 
-      <Security /> 
-    </System>
-  - <EventData>
-      <Data Name="SubjectUserSid">S-1-5-18</Data> 
-      <Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data> 
-      <Data Name="SubjectDomainName">CONTOSO</Data> 
-      <Data Name="SubjectLogonId">0x3e7</Data> 
-      <Data Name="NewProcessId">0x2bc</Data> 
-      <Data Name="NewProcessName">C:\\Windows\\System32\\rundll32.exe</Data> 
-      <Data Name="TokenElevationType">%%1938</Data> 
-      <Data Name="ProcessId">0xe74</Data> 
-      <Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data> 
-      <Data Name="TargetUserName">dadmin</Data> 
-      <Data Name="TargetDomainName">CONTOSO</Data> 
-      <Data Name="TargetLogonId">0x4a5af0</Data> 
-      <Data Name="ParentProcessName">C:\\Windows\\explorer.exe</Data> 
-      <Data Name="MandatoryLabel">S-1-16-8192</Data> 
-    </EventData>
-  </Event>
--- a/dataneeded/DN_0002_windows_process_creation_with_commandline_4688.yml
+++ b/dataneeded/DN_0002_windows_process_creation_with_commandline_4688.yml
@ -1,67 +0,0 @@
-title: DN_0002_windows_process_creation_with_commandline_4688
-description: >
-  Windows process creation log, including command line.
-loggingpolicy: 
-  - LP_0001_windows_audit_process_creation
-  - LP_0002_windows_audit_process_creation_with_commandline
-references:
-  - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md
-platform: Windows
-type: Windows Log
-channel: Security
-provider: Microsoft-Windows-Security-Auditing
-fields:
-  - EventID
-  - Hostname
-  - Username
-  - UserSid
-  - ProcessPid
-  - ProcessId
-  - ThreadID
-  - ProcessName
-  - NewProcessName      # redundant, inconsistent
-  - Image               # redundant, inconsistent
-  - CommandLine
-  - ProcessCommandLine  # redundant, inconsistent
-  - ProcesssCommandLine # redundant, inconsistent
-  - ParentProcessPid
-  - ParentImage         # redundant, inconsistent
-  - ParentProcessName
-  - MandatoryLabel
-  - TokenElevationType
-  - LogonId
-sample: |
-  - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-      <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-      <EventID>4688</EventID> 
-      <Version>2</Version> 
-      <Level>0</Level> 
-      <Task>13312</Task> 
-      <Opcode>0</Opcode> 
-      <Keywords>0x8020000000000000</Keywords> 
-      <TimeCreated SystemTime="2015-11-12T02:24:52.377352500Z" /> 
-      <EventRecordID>2814</EventRecordID> 
-      <Correlation /> 
-      <Execution ProcessID="4" ThreadID="400" /> 
-      <Channel>Security</Channel> 
-      <Computer>WIN-GG82ULGC9GO.contoso.local</Computer> 
-      <Security /> 
-    </System>
-  - <EventData>
-      <Data Name="SubjectUserSid">S-1-5-18</Data> 
-      <Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data> 
-      <Data Name="SubjectDomainName">CONTOSO</Data> 
-      <Data Name="SubjectLogonId">0x3e7</Data> 
-      <Data Name="NewProcessId">0x2bc</Data> 
-      <Data Name="NewProcessName">C:\\Windows\\System32\\rundll32.exe</Data> 
-      <Data Name="TokenElevationType">%%1938</Data> 
-      <Data Name="ProcessId">0xe74</Data> 
-      <Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data> 
-      <Data Name="TargetUserName">dadmin</Data> 
-      <Data Name="TargetDomainName">CONTOSO</Data> 
-      <Data Name="TargetLogonId">0x4a5af0</Data> 
-      <Data Name="ParentProcessName">C:\\Windows\\explorer.exe</Data> 
-      <Data Name="MandatoryLabel">S-1-16-8192</Data> 
-    </EventData>
-  </Event>
--- a/dataneeded/DN_0003_windows_sysmon_process_creation_1.yml
+++ b/dataneeded/DN_0003_windows_sysmon_process_creation_1.yml
@ -1,73 +0,0 @@
-title: DN_0003_windows_sysmon_process_creation_1
-description: >
-  Windows process creation log, including command line.
-loggingpolicy: 
-  - LP_0003_windows_sysmon_process_creation
-references:
-  - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90001
-platform: Windows
-type: Windows Log
-channel: Microsoft-Windows-Sysmon/Operational
-provider: Microsoft-Windows-Sysmon
-fields:
-  - EventID
-  - Hostname
-  - Username
-  - ProcessGuid
-  - ProcessId
-  - ThreadID
-  - ProcessName
-  - CommandLine
-  - LogonGuid
-  - LogonId
-  - TerminalSessionid
-  - IntegrityLevel
-  - Imphash
-  - Sha256hash
-  - Sha1hash
-  - Md5hash
-  - Image
-  - ParentImage
-  - ParentProcessGuid
-  - ParentProcessId
-  - ParentProcessName
-  - ParentCommandLine
-sample: |
-  - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-      <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
-      <EventID>1</EventID>
-      <Version>5</Version>
-      <Level>4</Level>
-      <Task>1</Task>
-      <Opcode>0</Opcode>
-      <Keywords>0x8000000000000000</Keywords>
-      <TimeCreated SystemTime="2017-04-28T22:08:22.025812200Z" />
-      <EventRecordID>9947</EventRecordID>
-      <Correlation />
-      <Execution ProcessID="3216" ThreadID="3964" />
-      <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
-      <Computer>test.lab.local</Computer>
-      <Security UserID="S-1-5-18" />
-    </System>
-  - <EventData>
-      <Data Name="UtcTime">2017-04-28 22:08:22.025</Data>
-      <Data Name="ProcessGuid">{A23EAE89-BD56-5903-0000-0010E9D95E00}</Data>
-      <Data Name="ProcessId">6228</Data>
-      <Data Name="Image">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
-      <Data Name="CommandLine">"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --lang=en-US --no-sandbox --service-request-channel-token=F47498BBA884E523FA93E623C4569B94 --mojo-platform-channel-handle=3432 /prefetch:8</Data>
-      <Data Name="CurrentDirectory">C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.81\</Data>
-      <Data Name="User">LAB\rsmith</Data>
-      <Data Name="LogonGuid">{A23EAE89-B357-5903-0000-002005EB0700}</Data>
-      <Data Name="LogonId">0x7eb05</Data>
-      <Data Name="TerminalSessionId">1</Data>
-      <Data Name="IntegrityLevel">Medium</Data>
-      <Data Name="Hashes">SHA1=AAE83ECC4ABEE2E7567E2FF76B2B046C65336731,MD5=283BDCD7B83EEE614897619332E5B938,SHA256=17DD017B7E7D1DC835CDF5E57156A0FF508EBBC7F4A48E65D77E026C33FCB58E,IMPHASH=ED5A55DAB5A02F29D6EE7E0015F91A9F</Data>
-      <Data Name="ParentProcessGuid">{A23EAE89-BD28-5903-0000-00102F345D00}</Data>
-      <Data Name="ParentProcessId">13220</Data>
-      <Data Name="ParentImage">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
-      <Data Name="ParentCommandLine">"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" </Data>
-    </EventData>
-  </Event>
-
-
--- a/dataneeded/DN_0004_windows_account_logon_4624.yml
+++ b/dataneeded/DN_0004_windows_account_logon_4624.yml
@ -1,93 +0,0 @@
-title: DN_0004_windows_account_logon_4624
-description: >
-  An account was successfully logged on.
-loggingpolicy:
-  - LP_0004_windows_audit_logon
-references:
-  - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md
-platform: Windows
-type: Windows Log
-channel: Security
-provider: Microsoft-Windows-Security-Auditing
-fields:
-  - EventID
-  - AccountName         # redundant, inconsistent
-  - Hostname
-  - Computer            # redundant, inconsistent
-  - SubjectUserSid
-  - SubjectUserName
-  - SubjectDomainName
-  - SubjectLogonId
-  - TargetUserSid
-  - TargetUserName
-  - TargetDomainName
-  - TargetLogonId
-  - LogonType
-  - LogonProcessName
-  - AuthenticationPackageName
-  - WorkstationName
-  - LogonGuid
-  - TransmittedServices
-  - LmPackageName
-  - KeyLength
-  - ProcessId
-  - ThreadID
-  - ProcessName
-  - IpAddress
-  - IpPort
-  - ImpersonationLevel
-  - RestrictedAdminMode
-  - TargetOutboundUserName
-  - TargetOutboundDomainName
-  - VirtualAccount
-  - TargetLinkedLogonId
-  - ElevatedToken
-sample: |
-  - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-    - <System>
-      <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-      <EventID>4624</EventID> 
-      <Version>2</Version> 
-      <Level>0</Level> 
-      <Task>12544</Task> 
-      <Opcode>0</Opcode> 
-      <Keywords>0x8020000000000000</Keywords> 
-      <TimeCreated SystemTime="2015-11-12T00:24:35.079785200Z" /> 
-      <EventRecordID>211</EventRecordID> 
-      <Correlation ActivityID="{00D66690-1CDF-0000-AC66-D600DF1CD101}" /> 
-      <Execution ProcessID="716" ThreadID="760" /> 
-      <Channel>Security</Channel> 
-      <Computer>WIN-GG82ULGC9GO</Computer> 
-      <Security /> 
-      </System>
-    - <EventData>
-      <Data Name="SubjectUserSid">S-1-5-18</Data> 
-      <Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data> 
-      <Data Name="SubjectDomainName">WORKGROUP</Data> 
-      <Data Name="SubjectLogonId">0x3e7</Data> 
-      <Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-500</Data> 
-      <Data Name="TargetUserName">Administrator</Data> 
-      <Data Name="TargetDomainName">WIN-GG82ULGC9GO</Data> 
-      <Data Name="TargetLogonId">0x8dcdc</Data> 
-      <Data Name="LogonType">2</Data> 
-      <Data Name="LogonProcessName">User32</Data> 
-      <Data Name="AuthenticationPackageName">Negotiate</Data> 
-      <Data Name="WorkstationName">WIN-GG82ULGC9GO</Data> 
-      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data> 
-      <Data Name="TransmittedServices">-</Data> 
-      <Data Name="LmPackageName">-</Data> 
-      <Data Name="KeyLength">0</Data> 
-      <Data Name="ProcessId">0x44c</Data> 
-      <Data Name="ProcessName">C:\\Windows\\System32\\svchost.exe</Data> 
-      <Data Name="IpAddress">127.0.0.1</Data> 
-      <Data Name="IpPort">0</Data> 
-      <Data Name="ImpersonationLevel">%%1833</Data> 
-      <Data Name="RestrictedAdminMode">-</Data> 
-      <Data Name="TargetOutboundUserName">-</Data> 
-      <Data Name="TargetOutboundDomainName">-</Data> 
-      <Data Name="VirtualAccount">%%1843</Data> 
-      <Data Name="TargetLinkedLogonId">0x0</Data> 
-      <Data Name="ElevatedToken">%%1842</Data> 
-      </EventData>
-   </Event>
-  
--- a/dataneeded/DN_0005_windows_service_insatalled_7045.yml
+++ b/dataneeded/DN_0005_windows_service_insatalled_7045.yml
@ -1,47 +0,0 @@
-title: DN_0005_windows_service_insatalled_7045
-description: >
-  A service was installed in the system.
-loggingpolicy: None
-references: None
-platform: Windows
-type: Windows Log
-channel: System
-provider: Service Control Manager
-fields:
-  - EventID
-  - ProcessID
-  - ThreadID
-  - ServiceName
-  - ImagePath
-  - ServiceFileName     # redundant, inconsistent
-  - ServiceType
-  - StartType
-  - AccountName
-  - UserSid
-  - Computer
-sample: |
-  - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-    - <System>
-      <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" /> 
-      <EventID Qualifiers="16384">7045</EventID> 
-      <Version>0</Version> 
-      <Level>4</Level> 
-      <Task>0</Task> 
-      <Opcode>0</Opcode> 
-      <Keywords>0x8080000000000000</Keywords> 
-      <TimeCreated SystemTime="2017-07-02T15:48:56.256752900Z" /> 
-      <EventRecordID>762</EventRecordID> 
-      <Correlation /> 
-      <Execution ProcessID="568" ThreadID="1792" /> 
-      <Channel>System</Channel> 
-      <Computer>DESKTOP</Computer> 
-      <Security UserID="S-1-5-21-2073602604-586167410-2329295167-1001" /> 
-      </System>
-    - <EventData>
-      <Data Name="ServiceName">sshd</Data> 
-      <Data Name="ImagePath">C:\Program Files\OpenSSH\sshd.exe</Data> 
-      <Data Name="ServiceType">user mode service</Data> 
-      <Data Name="StartType">demand start</Data> 
-      <Data Name="AccountName">LocalSystem</Data> 
-    </EventData>
-  </Event>
--- a/dataneeded/DN_0006_windows_sysmon_process_changed_a_file_creation_time_2.yml
+++ b/dataneeded/DN_0006_windows_sysmon_process_changed_a_file_creation_time_2.yml
@ -1,52 +0,0 @@
-title: DN_0006_process_changed_a_file_creation_time_2
-description: >
-  Explicit modification of file creation timestamp by a process
-loggingpolicy: 
-  - None
-references:
-  - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90002
-  - https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-2.md
-platform: Windows
-type: Windows Log
-channel: Microsoft-Windows-Sysmon/Operational
-provider: Microsoft-Windows-Sysmon
-fields:
-  - EventID
-  - Computer
-  - UtcTime
-  - ProcessGuid
-  - ProcessId
-  - Image
-  - TargetFilename
-  - CreationUtcTime
-  - PreviousCreationUtcTime
-sample: |
-  - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-      <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
-      <EventID>2</EventID>
-      <Version>4</Version>
-      <Level>4</Level>
-      <Task>2</Task>
-      <Opcode>0</Opcode>
-      <Keywords>0x8000000000000000</Keywords>
-      <TimeCreated SystemTime="2017-07-30T23:26:47.322369100Z" />
-      <EventRecordID>5256170</EventRecordID>
-      <Correlation />
-      <Execution ProcessID="4740" ThreadID="5948" />
-      <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
-      <Computer>rfsH.lab.local</Computer>
-      <Security UserID="S-1-5-18" />
-  </System>
-  - <EventData>
-      <Data Name="UtcTime">2017-07-30 23:26:47.321</Data>
-      <Data Name="ProcessGuid">{A23EAE89-EF48-5978-0000-00104832B112}</Data>
-      <Data Name="ProcessId">25968</Data>
-      <Data Name="Image">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
-      <Data Name="TargetFilename">C:\Users\rsmith.LAB\AppData\Local\Google\Chrome\User Data\Default\c61f44ce-5bb0-4efe-acc1-246fa8a3df1d.tmp</Data>
-      <Data Name="CreationUtcTime">2016-11-25 18:21:47.692</Data>
-      <Data Name="PreviousCreationUtcTime">2017-07-30 23:26:47.317</Data>
-    </EventData>
-  </Event>
-
-
--- a/dataneeded/DN_0007_windows_sysmon_network_connection_3.yml
+++ b/dataneeded/DN_0007_windows_sysmon_network_connection_3.yml
@ -1,74 +0,0 @@
-title: DN_0007_windows_sysmon_network_connection_3
-description: >
-  TCP/UDP connections made by a process
-loggingpolicy: 
-  - LP_0005_windows_sysmon_network_connection
-references:
-  - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90003
-  - https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-3.md
-platform: Windows
-type: Windows Log
-channel: Microsoft-Windows-Sysmon/Operational
-provider: Microsoft-Windows-Sysmon
-fields:
-  - EventID
-  - Computer
-  - UtcTime
-  - ProcessGuid
-  - ProcessId
-  - Image
-  - User
-  - Protocol
-  - Initiated
-  - SourceIsIpv6
-  - SourceIp
-  - SourceHostname
-  - SourcePort
-  - SourcePortName
-  - DestinationIsIpv6
-  - DestinationIp
-  - DestinationHostname
-  - DestinationPort
-  - DestinationPortName
-sample: |
-  - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-      <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
-      <EventID>3</EventID>
-      <Version>5</Version>
-      <Level>4</Level>
-      <Task>3</Task>
-      <Opcode>0</Opcode>
-      <Keywords>0x8000000000000000</Keywords>
-      <TimeCreated SystemTime="2017-04-28T22:12:23.657698300Z" />
-      <EventRecordID>10953</EventRecordID>
-      <Correlation />
-      <Execution ProcessID="3216" ThreadID="3976" />
-      <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
-      <Computer>rfsH.lab.local</Computer>
-      <Security UserID="S-1-5-18" />
-    </System>
-  - <EventData>
-      <Data Name="UtcTime">2017-04-28 22:12:22.557</Data>
-      <Data Name="ProcessGuid">{A23EAE89-BD28-5903-0000-00102F345D00}</Data>
-      <Data Name="ProcessId">13220</Data>
-      <Data Name="Image">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
-      <Data Name="User">LAB\rsmith</Data>
-      <Data Name="Protocol">tcp</Data>
-      <Data Name="Initiated">true</Data>
-      <Data Name="SourceIsIpv6">false</Data>
-      <Data Name="SourceIp">192.168.1.250</Data>
-      <Data Name="SourceHostname">rfsH.lab.local</Data>
-      <Data Name="SourcePort">3328</Data>
-      <Data Name="SourcePortName">
-      </Data>
-      <Data Name="DestinationIsIpv6">false</Data>
-      <Data Name="DestinationIp">104.130.229.150</Data>
-      <Data Name="DestinationHostname">
-      </Data>
-      <Data Name="DestinationPort">443</Data>
-      <Data Name="DestinationPortName">https</Data>
-    </EventData>
-    </Event>
-
-
--- a/dataneeded/DN_0008_windows_sysmon_sysmon_service_state_changed_4.yml
+++ b/dataneeded/DN_0008_windows_sysmon_sysmon_service_state_changed_4.yml
@ -1,44 +0,0 @@
-title: DN_0007_windows_sysmon_sysmon_service_state_changed_4
-description: >
-  Sysmon service changed status
-loggingpolicy: 
-  - None
-references:
-  - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90004
-  - https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-4.md
-platform: Windows
-type: Windows Log
-channel: Microsoft-Windows-Sysmon/Operational
-provider: Microsoft-Windows-Sysmon
-fields:
-  - EventID
-  - Computer
-  - UtcTime
-  - State
-sample: |
-  - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-        <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
-        <EventID>4</EventID>
-        <Version>3</Version>
-        <Level>4</Level>
-        <Task>4</Task>
-        <Opcode>0</Opcode>
-        <Keywords>0x8000000000000000</Keywords>
-        <TimeCreated SystemTime="2017-04-28T22:52:20.883759300Z" />
-        <EventRecordID>16761</EventRecordID>
-        <Correlation />
-        <Execution ProcessID="3216" ThreadID="3220" />
-        <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
-        <Computer>rfsH.lab.local</Computer>
-        <Security UserID="S-1-5-18" />
-    </System>
-  - <EventData>
-        <Data Name="UtcTime">2017-04-28 22:52:20.883</Data>
-        <Data Name="State">Stopped</Data>
-        <Data Name="Version">6.01</Data>
-        <Data Name="SchemaVersion">3.30</Data>
-    </EventData>
-    </Event>
-
-
--- a/dataneeded/DN_0009_windows_sysmon_process_terminated_5.yml
+++ b/dataneeded/DN_0009_windows_sysmon_process_terminated_5.yml
@ -1,47 +0,0 @@
-title: DN_0009_windows_sysmon_process_terminated_5
-description: >
-  Process has been terminated
-loggingpolicy: 
-  - None
-references:
-  - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90005
-platform: Windows
-type: Windows Log
-channel: Microsoft-Windows-Sysmon/Operational
-provider: Microsoft-Windows-Sysmon
-fields:
-  - EventID
-  - Computer
-  - UtcTime
-  - ProcessGuid
-  - ProcessId
-  - Image
-sample: |
-  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-    <System>
-        <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
-        <EventID>5</EventID>
-        <Version>3</Version>
-        <Level>4</Level>
-        <Task>5</Task>
-        <Opcode>0</Opcode>
-        <Keywords>0x8000000000000000</Keywords>
-        <TimeCreated SystemTime="2017-04-28T22:13:20.896253900Z" />
-        <EventRecordID>11235</EventRecordID>
-        <Correlation />
-        <Execution ProcessID="3216" ThreadID="3964" />
-        <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
-        <Computer>rfsH.lab.local</Computer>
-        <Security UserID="S-1-5-18" />
-    </System>
-    <EventData>
-        <Data Name="UtcTime">2017-04-28 22:13:20.895</Data>
-        <Data Name="ProcessGuid">{A23EAE89-BD28-5903-0000-001009665D00}</Data>
-        <Data Name="ProcessId">12684</Data>
-        <Data Name="Image">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
-    </EventData>
-</Event>
-
-
-
-
--- a/dataneeded/DN_0026_windows_directory_service_object_was_modified_5136.yml
+++ b/dataneeded/DN_0026_windows_directory_service_object_was_modified_5136.yml
@ -1,65 +0,0 @@
-title: DN_0026_windows_directory_service_object_was_modified_5136
-description: >
-  A directory service object was modified.
-loggingpolicy: LP_0025_windows_audit_directory_service_changes
-references: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5136.md
-platform: Windows
-type: Windows Log
-channel: Security
-provider: Microsoft-Windows-Security-Auditing
-fields:
-  - EventID
-  - ProcessID
-  - ThreadID
-  - Computer
-  - OpCorrelationID
-  - AppCorrelationID
-  - SubjectUserSid
-  - SubjectUserName
-  - SubjectDomainName
-  - SubjectLogonId
-  - DSName
-  - DSType
-  - ObjectDN
-  - ObjectGUID
-  - ObjectClass
-  - AttributeLDAPDisplayName
-  - AttributeSyntaxOID
-  - AttributeValue
-  - OperationType
-sample: |
-  - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-    - <System>
-       <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-       <EventID>5136</EventID> 
-       <Version>0</Version> 
-       <Level>0</Level> 
-       <Task>14081</Task> 
-       <Opcode>0</Opcode> 
-       <Keywords>0x8020000000000000</Keywords> 
-       <TimeCreated SystemTime="2015-08-28T17:36:04.129472600Z" /> 
-       <EventRecordID>410204</EventRecordID> 
-       <Correlation /> 
-       <Execution ProcessID="516" ThreadID="4020" /> 
-       <Channel>Security</Channel> 
-       <Computer>DC01.contoso.local</Computer> 
-       <Security /> 
-     </System>
-    - <EventData>
-       <Data Name="OpCorrelationID">{02647639-8626-43CE-AFE6-7AA1AD657739}</Data> 
-       <Data Name="AppCorrelationID">-</Data> 
-       <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
-       <Data Name="SubjectUserName">dadmin</Data> 
-       <Data Name="SubjectDomainName">CONTOSO</Data> 
-       <Data Name="SubjectLogonId">0x32004</Data> 
-       <Data Name="DSName">contoso.local</Data> 
-       <Data Name="DSType">%%14676</Data> 
-       <Data Name="ObjectDN">CN=Sergey,CN=Builtin,DC=contoso,DC=local</Data> 
-       <Data Name="ObjectGUID">{4FE80A66-5F93-4F73-B215-68678058E613}</Data> 
-       <Data Name="ObjectClass">user</Data> 
-       <Data Name="AttributeLDAPDisplayName">userAccountControl</Data> 
-       <Data Name="AttributeSyntaxOID">2.5.5.9</Data> 
-       <Data Name="AttributeValue">512</Data> 
-       <Data Name="OperationType">%%14675</Data> 
-     </EventData>
-   </Event>
--- a/dataneeded/DN_0027_user_account_was_changed_4738.yml
+++ b/dataneeded/DN_0027_user_account_was_changed_4738.yml
@ -1,88 +0,0 @@
-title: DN_0027_user_account_was_changed_4738
-description: >
-  User object is changed.
-loggingpolicy: LP_0026_windows_audit_user_account_management
-references: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4738.md
-platform: Windows
-type: Windows Log
-channel: Security
-provider: Microsoft-Windows-Security-Auditing
-fields:
-  - EventID
-  - ProcessID
-  - ThreadID
-  - Computer
-  - TargetUserName
-  - TargetDomainName
-  - TargetSid
-  - SubjectUserSid
-  - SubjectUserName
-  - SubjectDomainName
-  - SubjectLogonId
-  - PrivilegeList
-  - SamAccountName
-  - DisplayName
-  - UserPrincipalName
-  - HomeDirectory
-  - HomePath
-  - ScriptPath
-  - ProfilePath
-  - UserWorkstations
-  - PasswordLastSet
-  - AccountExpires
-  - PrimaryGroupId
-  - AllowedToDelegateTo
-  - OldUacValue
-  - NewUacValue
-  - UserAccountControl
-  - UserParameters
-  - SidHistory
-  - LogonHours
-sample: |
-  - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-    - <System>
-       <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-       <EventID>4738</EventID> 
-       <Version>0</Version> 
-       <Level>0</Level> 
-       <Task>13824</Task> 
-       <Opcode>0</Opcode> 
-       <Keywords>0x8020000000000000</Keywords> 
-       <TimeCreated SystemTime="2015-08-20T16:22:02.792454100Z" /> 
-       <EventRecordID>175413</EventRecordID> 
-       <Correlation /> 
-       <Execution ProcessID="520" ThreadID="1508" /> 
-       <Channel>Security</Channel> 
-       <Computer>DC01.contoso.local</Computer> 
-     <Security /> 
-     </System>
-    - <EventData>
-       <Data Name="TargetUserName">ksmith</Data> 
-       <Data Name="TargetDomainName">CONTOSO</Data> 
-       <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6609</Data> 
-       <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
-       <Data Name="SubjectUserName">dadmin</Data> 
-       <Data Name="SubjectDomainName">CONTOSO</Data> 
-       <Data Name="SubjectLogonId">0x30dc2</Data> 
-       <Data Name="PrivilegeList">-</Data> 
-       <Data Name="SamAccountName">-</Data> 
-       <Data Name="DisplayName">-</Data> 
-       <Data Name="UserPrincipalName">-</Data> 
-       <Data Name="HomeDirectory">-</Data> 
-       <Data Name="HomePath">-</Data> 
-       <Data Name="ScriptPath">-</Data> 
-       <Data Name="ProfilePath">-</Data> 
-       <Data Name="UserWorkstations">-</Data> 
-       <Data Name="PasswordLastSet">-</Data> 
-       <Data Name="AccountExpires">-</Data> 
-       <Data Name="PrimaryGroupId">-</Data> 
-       <Data Name="AllowedToDelegateTo">-</Data> 
-       <Data Name="OldUacValue">0x15</Data> 
-       <Data Name="NewUacValue">0x211</Data> 
-       <Data Name="UserAccountControl">%%2050 %%2089</Data> 
-       <Data Name="UserParameters">-</Data> 
-       <Data Name="SidHistory">-</Data> 
-       <Data Name="LogonHours">-</Data> 
-     </EventData>
-   </Event>
-
--- a/dataneeded/DN_0028_directory_services_restore_mode_admin_password_set_4794.yml
+++ b/dataneeded/DN_0028_directory_services_restore_mode_admin_password_set_4794.yml
@ -1,48 +0,0 @@
-title: DN_0028_directory_services_restore_mode_admin_password_set_4794
-description: >
-  Directory Services Restore Mode (DSRM) administrator password is changed.
-loggingpolicy: LP_0026_windows_audit_user_account_management
-references: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4794.md
-platform: Windows
-type: Windows Log
-channel: Security
-provider: Microsoft-Windows-Security-Auditing
-fields:
-  - EventID
-  - ProcessID
-  - ThreadID
-  - Computer
-  - SubjectUserSid
-  - SubjectUserName
-  - SubjectDomainName
-  - SubjectLogonId
-  - Workstation
-  - Status
-sample: |
-  - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-    - <System>
-       <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-       <EventID>4794</EventID> 
-       <Version>0</Version> 
-       <Level>0</Level> 
-       <Task>13824</Task> 
-       <Opcode>0</Opcode> 
-       <Keywords>0x8020000000000000</Keywords> 
-       <TimeCreated SystemTime="2015-08-18T02:49:26.087748900Z" /> 
-       <EventRecordID>172348</EventRecordID> 
-       <Correlation /> 
-       <Execution ProcessID="520" ThreadID="2964" /> 
-       <Channel>Security</Channel> 
-       <Computer>DC01.contoso.local</Computer> 
-       <Security /> 
-     </System>
-    - <EventData>
-       <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
-       <Data Name="SubjectUserName">dadmin</Data> 
-       <Data Name="SubjectDomainName">CONTOSO</Data> 
-       <Data Name="SubjectLogonId">0x36f67</Data> 
-       <Data Name="Workstation">DC01</Data> 
-       <Data Name="Status">0x0</Data> 
-     </EventData>
-   </Event>
-
--- a/dataneeded/DN_0029_handle_to_an_object_was_requested_4661.yml
+++ b/dataneeded/DN_0029_handle_to_an_object_was_requested_4661.yml
@ -1,71 +0,0 @@
-title: DN_0029_handle_to_an_object_was_requested_4661
-description: >
-  A handle was requested for either an Active Directory object 
-  or a Security Account Manager (SAM) object.
-loggingpolicy: 
-  - LP_0027_windows_audit_directory_service_access
-  - LP_0028_windows_audit_sam
-references: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4794.md
-platform: Windows
-type: Windows Log
-channel: Security
-provider: Microsoft-Windows-Security-Auditing
-fields:
-  - EventID
-  - ProcessID
-  - ThreadID
-  - Computer
-  - SubjectUserSid
-  - SubjectUserName
-  - SubjectDomainName
-  - SubjectLogonId
-  - ObjectServer
-  - ObjectType
-  - ObjectName
-  - HandleId
-  - TransactionId
-  - AccessList
-  - AccessMask
-  - PrivilegeList
-  - Properties
-  - RestrictedSidCount
-  - ProcessId
-  - ProcessName
-sample: |
-  - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-    - <System>
-       <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-       <EventID>4661</EventID> 
-       <Version>0</Version> 
-       <Level>0</Level> 
-       <Task>14080</Task> 
-       <Opcode>0</Opcode> 
-       <Keywords>0x8020000000000000</Keywords> 
-       <TimeCreated SystemTime="2015-09-30T00:11:56.547696700Z" /> 
-       <EventRecordID>1048009</EventRecordID> 
-       <Correlation /> 
-       <Execution ProcessID="520" ThreadID="528" /> 
-       <Channel>Security</Channel> 
-       <Computer>DC01.contoso.local</Computer> 
-     <Security /> 
-     </System>
-    - <EventData>
-       <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
-       <Data Name="SubjectUserName">dadmin</Data> 
-       <Data Name="SubjectDomainName">CONTOSO</Data> 
-       <Data Name="SubjectLogonId">0x4280e</Data> 
-       <Data Name="ObjectServer">Security Account Manager</Data> 
-       <Data Name="ObjectType">SAM\_DOMAIN</Data> 
-       <Data Name="ObjectName">DC=contoso,DC=local</Data> 
-       <Data Name="HandleId">0xdd64d36870</Data> 
-       <Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data> 
-       <Data Name="AccessList">%%5400</Data> 
-       <Data Name="AccessMask">0x2d</Data> 
-       <Data Name="PrivilegeList">Ā</Data> 
-       <Data Name="Properties">-</Data> 
-       <Data Name="RestrictedSidCount">2949165</Data> 
-       <Data Name="ProcessId">0x9000a000d002d</Data> 
-       <Data Name="ProcessName">{bf967a90-0de6-11d0-a285-00aa003049e2} %%5400 {ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501}</Data> 
-     </EventData>
-   </Event>
-
--- a/dataneeded/DN_0030_operation_was_performed_on_an_object_4662.yml
+++ b/dataneeded/DN_0030_operation_was_performed_on_an_object_4662.yml
@ -1,64 +0,0 @@
-title: DN_0030_operation_was_performed_on_an_object_4662
-description: >
-  An operation was performed on an Active Directory object.
-loggingpolicy: LP_0027_windows_audit_directory_service_access
-references: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4662.md
-platform: Windows
-type: Windows Log
-channel: Security
-provider: Microsoft-Windows-Security-Auditing
-fields:
-  - EventID
-  - ProcessID
-  - ThreadID
-  - Computer
-  - SubjectUserSid
-  - SubjectUserName
-  - SubjectDomainName
-  - SubjectLogonId
-  - ObjectServer
-  - ObjectType
-  - ObjectName
-  - OperationType
-  - HandleId
-  - AccessList
-  - AccessMask
-  - Properties
-  - AdditionalInfo
-  - AdditionalInfo2
-sample: |
-  - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-    - <System>
-       <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-       <EventID>4662</EventID> 
-       <Version>0</Version> 
-       <Level>0</Level> 
-       <Task>14080</Task> 
-       <Opcode>0</Opcode> 
-       <Keywords>0x8020000000000000</Keywords> 
-       <TimeCreated SystemTime="2015-08-28T01:58:36.894922400Z" /> 
-       <EventRecordID>407230</EventRecordID> 
-       <Correlation /> 
-       <Execution ProcessID="520" ThreadID="600" /> 
-       <Channel>Security</Channel> 
-       <Computer>DC01.contoso.local</Computer> 
-       <Security /> 
-     </System>
-    - <EventData>
-       <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
-       <Data Name="SubjectUserName">dadmin</Data> 
-       <Data Name="SubjectDomainName">CONTOSO</Data> 
-       <Data Name="SubjectLogonId">0x35867</Data> 
-       <Data Name="ObjectServer">DS</Data> 
-       <Data Name="ObjectType">%{bf967a86-0de6-11d0-a285-00aa003049e2}</Data> 
-       <Data Name="ObjectName">%{38b3d2e6-9948-4dc1-ae90-1605d5eab9a2}</Data> 
-       <Data Name="OperationType">Object Access</Data> 
-       <Data Name="HandleId">0x0</Data> 
-       <Data Name="AccessList">%%1537</Data> 
-       <Data Name="AccessMask">0x10000</Data> 
-       <Data Name="Properties">%%1537 {bf967a86-0de6-11d0-a285-00aa003049e2}</Data> 
-       <Data Name="AdditionalInfo">-</Data> 
-       <Data Name="AdditionalInfo2" /> 
-     </EventData>
-   </Event>
-
--- a/dataneeded/DN_0031_service_started_stopped_7036.yml
+++ b/dataneeded/DN_0031_service_started_stopped_7036.yml
@ -1,41 +0,0 @@
-title: DN_0031_service_started_stopped_7036
-description: >
-  Service entered the running/stopped state.
-loggingpolicy: None
-references: http://www.eventid.net/display-eventid-7036-source-Service%20Control%20Manager-eventno-1529-phase-1.htm
-platform: Windows
-type: Windows Log
-channel: System
-provider: Service Control Manager
-fields:
-  - EventID
-  - ProcessID
-  - ThreadID
-  - Computer
-  - param1
-  - param2
-  #- Sha256hash it's not a hash of executable, it's just piece of it in hex
-sample: |
-  - <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
-    - <System>
-      <Provider Name='Service Control Manager' Guid='{555908d1-a6d7-4695-8e1e-26931d2012f4}' EventSourceName='Service Control Manager'/>
-      <EventID Qualifiers='16384'>7036</EventID>
-      <Version>0</Version>
-      <Level>4</Level>
-      <Task>0</Task>
-      <Opcode>0</Opcode>
-      <Keywords>0x8080000000000000</Keywords>
-      <TimeCreated SystemTime='2019-01-12T16:00:11.920020600Z'/>
-      <EventRecordID>41452</EventRecordID>
-      <Correlation/>
-      <Execution ProcessID='692' ThreadID='828'/>
-      <Channel>System</Channel>
-      <Computer>EC2AMAZ-D6OFVS8</Computer>
-      <Security/>
-    </System>
-   - <EventData>
-      <Data Name='param1'>Device Install Service</Data>
-      <Data Name='param2'>running</Data>
-      <Binary>44006500760069006300650049006E007300740061006C006C002F0034000000</Binary>
-    </EventData>
-  </Event>
--- a/dataneeded/DN_0032_network_share_object_was_accessed_detailed_5145.yml
+++ b/dataneeded/DN_0032_network_share_object_was_accessed_detailed_5145.yml
@ -1,62 +0,0 @@
-title: DN_0032_network_share_object_was_accessed_detailed_5145
-description: >
-  Network share object (file or folder) was accessed. Detailed log with AccessReason and RelativeTargetName.
-loggingpolicy: LP_0029_windows_audit_detailed_file_share
-references: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5145.md
-platform: Windows
-type: Windows Log
-channel: Security
-provider: Microsoft-Windows-Security-Auditing
-fields:
-  - EventID
-  - ProcessID
-  - ThreadID
-  - Computer
-  - SubjectUserSid
-  - SubjectUserName
-  - SubjectDomainName
-  - SubjectLogonId
-  - ObjectType
-  - IpAddress
-  - IpPort
-  - ShareName
-  - ShareLocalPath
-  - RelativeTargetName
-  - AccessMask
-  - AccessList
-  - AccessReason
-sample: |
-  - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-    - <System>
-       <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-       <EventID>5145</EventID> 
-       <Version>0</Version> 
-       <Level>0</Level> 
-       <Task>12811</Task> 
-       <Opcode>0</Opcode> 
-       <Keywords>0x8020000000000000</Keywords> 
-       <TimeCreated SystemTime="2015-09-17T23:54:48.941761700Z" /> 
-       <EventRecordID>267092</EventRecordID> 
-       <Correlation /> 
-       <Execution ProcessID="516" ThreadID="524" /> 
-       <Channel>Security</Channel> 
-       <Computer>DC01.contoso.local</Computer> 
-       <Security /> 
-     </System>
-    - <EventData>
-       <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
-       <Data Name="SubjectUserName">dadmin</Data> 
-       <Data Name="SubjectDomainName">CONTOSO</Data> 
-       <Data Name="SubjectLogonId">0x38d34</Data> 
-       <Data Name="ObjectType">File</Data> 
-       <Data Name="IpAddress">fe80::31ea:6c3c:f40d:1973</Data> 
-       <Data Name="IpPort">56926</Data> 
-       <Data Name="ShareName">\\\\\*\\Documents</Data> 
-       <Data Name="ShareLocalPath">\\??\\C:\\Documents</Data> 
-       <Data Name="RelativeTargetName">Bginfo.exe</Data> 
-       <Data Name="AccessMask">0x100081</Data> 
-       <Data Name="AccessList">%%1541 %%4416 %%4423</Data> 
-       <Data Name="AccessReason">%%1541: %%1801 D:(A;;FA;;;WD) %%4416: %%1801 D:(A;;FA;;;WD) %%4423: %%1801 D:(A;;FA;;;WD)</Data> 
-     </EventData>
-   </Event>
-
--- a/dataneeded/DN_0033_network_share_object_was_accessed_5140.yml
+++ b/dataneeded/DN_0033_network_share_object_was_accessed_5140.yml
@ -1,58 +0,0 @@
-title: DN_0033_network_share_object_was_accessed_5140
-description: >
-  Network share object (file or folder) was accessed.
-loggingpolicy: LP_0030_windows_audit_file_share
-references: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5140.md
-platform: Windows
-type: Windows Log
-channel: Security
-provider: Microsoft-Windows-Security-Auditing
-fields:
-  - EventID
-  - ProcessID
-  - ThreadID
-  - Computer
-  - SubjectUserSid
-  - SubjectUserName
-  - SubjectDomainName
-  - SubjectLogonId
-  - ObjectType
-  - IpAddress
-  - IpPort
-  - ShareName
-  - ShareLocalPath
-  - AccessMask
-  - AccessList
-sample: |
-  - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-    - <System>
-       <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-       <EventID>5140</EventID> 
-       <Version>1</Version> 
-       <Level>0</Level> 
-       <Task>12808</Task> 
-       <Opcode>0</Opcode> 
-       <Keywords>0x8020000000000000</Keywords> 
-       <TimeCreated SystemTime="2015-09-18T02:45:13.581231400Z" /> 
-       <EventRecordID>268495</EventRecordID> 
-       <Correlation /> 
-       <Execution ProcessID="4" ThreadID="772" /> 
-       <Channel>Security</Channel> 
-       <Computer>DC01.contoso.local</Computer> 
-       <Security /> 
-     </System>
-    - <EventData>
-       <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
-       <Data Name="SubjectUserName">dadmin</Data> 
-       <Data Name="SubjectDomainName">CONTOSO</Data> 
-       <Data Name="SubjectLogonId">0x541f35</Data> 
-       <Data Name="ObjectType">File</Data> 
-       <Data Name="IpAddress">10.0.0.100</Data> 
-       <Data Name="IpPort">49212</Data> 
-       <Data Name="ShareName">\\\\\*\\Documents</Data> 
-       <Data Name="ShareLocalPath">\\??\\C:\\Documents</Data> 
-       <Data Name="AccessMask">0x1</Data> 
-       <Data Name="AccessList">%%4416</Data> 
-     </EventData>
-   </Event>
-
--- a/dataneeded/dataneeded.yml.template
+++ b/dataneeded/dataneeded.yml.template
@ -4,10 +4,11 @@ description: >
 loggingpolicy: LP_0000_some_logging_policy_name_here
 references:
  - http://something.com
-platform: Windows                               # Windows | Linux | Unix | macOS | Network
-type: Windows Log                               # Windows Log | Authentication and Service | access.log
-channel: Security                               # Security | System | Microsoft-Windows-Sysmon/Operational | None
-provider: Microsoft-Windows-Security-Auditing   # Microsoft-Windows-Security-Auditing | Microsoft-Windows-Eventlog | None
+category: OS Logs                               # HTTP Logs | DNS Logs | IDS/IPS/NGFW Alerts | Antivirus Alerts | Network Flows | etc
+platform: Windows                               # Linux | Unix | macOS | Network
+type: Windows Log                               # Authentication and Service | queries log |  None
+channel: Security                               # System | Microsoft-Windows-Sysmon/Operational | queries_log | None
+provider: Microsoft-Windows-Security-Auditing   # Microsoft-Windows-Eventlog | BIND | <exact service/deamon name> | None
 fields:
  - hostname
  - ip_address
@ -15,4 +16,3 @@ fields:
  - etc
 sample: |
  raw log sample here
-