patel-bhavin authored Oct 24, 2024
2 parents 817f0fe + b13b314 commit a452d54
Showing 18 changed files with 57 additions and 57 deletions.
78 changes: 39 additions & 39 deletions data_sources/sysmon_eventid_1.yml
Expand Up @@ -11,7 +11,7 @@ configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
url: https://splunkbase.splunk.com/app/5709
version: 4.0.1
version: 4.0.2
fields:
- _time
- Channel
Expand Down Expand Up @@ -111,45 +111,45 @@ fields:
- user_id
- vendor_product
field_mappings:
- data_model: cim
data_set: Endpoint.Processes
mapping:
ProcessGuid: Processes.process_guid
ProcessId: Processes.process_id
Image: Processes.process_path
Image|endswith: Processes.process_name
CommandLine: Processes.process
CurrentDirectory: Processes.process_current_directory
User: Processes.user
IntegrityLevel: Processes.process_integrity_level
Hashes: Processes.process_hash
ParentProcessGuid: Processes.parent_process_guid
ParentProcessId: Processes.parent_process_id
ParentImage: Processes.parent_process_name
ParentCommandLine: Processes.parent_process
Computer: Processes.dest
OriginalFileName: Processes.original_file_name
- data_model: cim
data_set: Endpoint.Processes
mapping:
ProcessGuid: Processes.process_guid
ProcessId: Processes.process_id
Image: Processes.process_path
Image|endswith: Processes.process_name
CommandLine: Processes.process
CurrentDirectory: Processes.process_current_directory
User: Processes.user
IntegrityLevel: Processes.process_integrity_level
Hashes: Processes.process_hash
ParentProcessGuid: Processes.parent_process_guid
ParentProcessId: Processes.parent_process_id
ParentImage: Processes.parent_process_name
ParentCommandLine: Processes.parent_process
Computer: Processes.dest
OriginalFileName: Processes.original_file_name
convert_to_log_source:
- data_source: Windows Event Log Security 4688
mapping:
ProcessId: NewProcessId
Image: NewProcessName
Image|endswith: NewProcessName|endswith
CommandLine: Process_Command_Line
User: SubjectUserSid
ParentProcessId: ProcessId
ParentImage: ParentProcessName
ParentImage|endswith: ParentProcessName|endswith
Computer: Computer
OriginalFileName: NewProcessName|endswith
- data_source: Crowdstrike Process
mapping:
ProcessId: RawProcessId
Image: ImageFileName
CommandLine: CommandLine
User: UserSid
ParentProcessId: ParentProcessId
ParentImage: ParentBaseFileName
- data_source: Windows Event Log Security 4688
mapping:
ProcessId: NewProcessId
Image: NewProcessName
Image|endswith: NewProcessName|endswith
CommandLine: Process_Command_Line
User: SubjectUserSid
ParentProcessId: ProcessId
ParentImage: ParentProcessName
ParentImage|endswith: ParentProcessName|endswith
Computer: Computer
OriginalFileName: NewProcessName|endswith
- data_source: Crowdstrike Process
mapping:
ProcessId: RawProcessId
Image: ImageFileName
CommandLine: CommandLine
User: UserSid
ParentProcessId: ParentProcessId
ParentImage: ParentBaseFileName
example_log: "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider\
\ Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated\
\ SystemTime='2020-10-08T11:03:46.617920300Z'/><EventRecordID>4522</EventRecordID><Correlation/><Execution\
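Review bot: In the `Windows Event Log Security 4688` conversion block, `OriginalFileName: NewProcessName|endswith` substitutes the process basename for a field that Sysmon (as far as I know) populates from the image's version resource, so a detection written against OriginalFileName precisely to survive binary renaming silently degrades to a filename match once converted to 4688. This mapping is not introduced by the commit — the whole field_mappings/convert_to_log_source stanza appears on both sides with identical text, so this section looks like a reindent plus the 4.0.1 → 4.0.2 TA bump — but it deserves a caveat next to that line, e.g. `# 4688 carries no OriginalFileName; detections keyed on it lose rename-resistance when converted`. Similarly, `User: SubjectUserSid` hands a SID to detections that expect Sysmon's DOMAIN\user form, so user-name filters will not match after conversion unless the add-on normalizes it; either map to SubjectUserName or document the mismatch. The Crowdstrike block maps Image to the full ImageFileName but ParentImage to ParentBaseFileName, so a ParentImage path match becomes a basename-only match there as well.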
2 changes: 1 addition & 1 deletion data_sources/sysmon_eventid_10.yml
Expand Up @@ -11,7 +11,7 @@ configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
url: https://splunkbase.splunk.com/app/5709
version: 4.0.1
version: 4.0.2
fields:
- _time
- CallTrace
2 changes: 1 addition & 1 deletion data_sources/sysmon_eventid_11.yml
Expand Up @@ -11,7 +11,7 @@ configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
url: https://splunkbase.splunk.com/app/5709
version: 4.0.1
version: 4.0.2
fields:
- _time
- Channel
2 changes: 1 addition & 1 deletion data_sources/sysmon_eventid_12.yml
Expand Up @@ -11,7 +11,7 @@ configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
url: https://splunkbase.splunk.com/app/5709
version: 4.0.1
version: 4.0.2
fields:
- _time
- Channel
4 changes: 2 additions & 2 deletions data_sources/sysmon_eventid_13.yml
Expand Up @@ -11,7 +11,7 @@ configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
url: https://splunkbase.splunk.com/app/5709
version: 4.0.1
version: 4.0.2
fields:
- _time
- Channel
Expand Down Expand Up @@ -102,7 +102,7 @@ field_mappings:
ProcessGuid: Registry.process_guid
ProcessId: Registry.process_id
TargetObject: Registry.registry_path
Details: Registry.registry_value_data
Details: Registry.registry_value_data
example_log: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider
Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>13</EventID><Version>2</Version><Level>4</Level><Task>13</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated
SystemTime='2021-07-12T08:11:04.548083500Z'/><EventRecordID>810987</EventRecordID><Correlation/><Execution
2 changes: 1 addition & 1 deletion data_sources/sysmon_eventid_15.yml
Expand Up @@ -11,7 +11,7 @@ configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
url: https://splunkbase.splunk.com/app/5709
version: 4.0.1
version: 4.0.2
fields:
- _time
- Channel
2 changes: 1 addition & 1 deletion data_sources/sysmon_eventid_17.yml
Expand Up @@ -11,7 +11,7 @@ configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
url: https://splunkbase.splunk.com/app/5709
version: 4.0.1
version: 4.0.2
fields:
- _time
- Channel
2 changes: 1 addition & 1 deletion data_sources/sysmon_eventid_18.yml
Expand Up @@ -11,7 +11,7 @@ configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
url: https://splunkbase.splunk.com/app/5709
version: 4.0.1
version: 4.0.2
fields:
- _time
- Channel
2 changes: 1 addition & 1 deletion data_sources/sysmon_eventid_20.yml
Expand Up @@ -11,7 +11,7 @@ configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
url: https://splunkbase.splunk.com/app/5709
version: 4.0.1
version: 4.0.2
fields:
- _time
- Channel
2 changes: 1 addition & 1 deletion data_sources/sysmon_eventid_21.yml
Expand Up @@ -11,7 +11,7 @@ configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
url: https://splunkbase.splunk.com/app/5709
version: 4.0.1
version: 4.0.2
fields:
- _time
- Channel
2 changes: 1 addition & 1 deletion data_sources/sysmon_eventid_22.yml
Expand Up @@ -11,7 +11,7 @@ configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
url: https://splunkbase.splunk.com/app/5709
version: 4.0.1
version: 4.0.2
fields:
- _time
- Channel
2 changes: 1 addition & 1 deletion data_sources/sysmon_eventid_23.yml
Expand Up @@ -11,7 +11,7 @@ configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
url: https://splunkbase.splunk.com/app/5709
version: 4.0.1
version: 4.0.2
fields:
- _time
- Archived
2 changes: 1 addition & 1 deletion data_sources/sysmon_eventid_3.yml
Expand Up @@ -11,7 +11,7 @@ configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
url: https://splunkbase.splunk.com/app/5709
version: 4.0.1
version: 4.0.2
fields:
- _time
- Channel
2 changes: 1 addition & 1 deletion data_sources/sysmon_eventid_5.yml
Expand Up @@ -11,7 +11,7 @@ configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
url: https://splunkbase.splunk.com/app/5709
version: 4.0.1
version: 4.0.2
fields:
- _time
- Channel
2 changes: 1 addition & 1 deletion data_sources/sysmon_eventid_6.yml
Expand Up @@ -11,7 +11,7 @@ configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
url: https://splunkbase.splunk.com/app/5709
version: 4.0.1
version: 4.0.2
fields:
- _time
- Channel
2 changes: 1 addition & 1 deletion data_sources/sysmon_eventid_7.yml
Expand Up @@ -11,7 +11,7 @@ configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
url: https://splunkbase.splunk.com/app/5709
version: 4.0.1
version: 4.0.2
fields:
- _time
- Channel
2 changes: 1 addition & 1 deletion data_sources/sysmon_eventid_8.yml
Expand Up @@ -11,7 +11,7 @@ configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
url: https://splunkbase.splunk.com/app/5709
version: 4.0.1
version: 4.0.2
fields:
- _time
- Channel
2 changes: 1 addition & 1 deletion data_sources/sysmon_eventid_9.yml
Expand Up @@ -11,7 +11,7 @@ configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
url: https://splunkbase.splunk.com/app/5709
version: 4.0.1
version: 4.0.2
fields:
- _time
- Channel
