Recopila datos Sysmon de Microsoft Windows

Se admite en los siguientes países:

En este documento, se incluye lo siguiente:

  • describe la arquitectura de implementación y los pasos de instalación, y cualquier configuración necesaria que produzca registros compatibles con Google Security Operations Analizador para eventos Sysmon de Microsoft Windows. Para obtener una descripción general de los datos de Google Security Operations consulta Transferencia de datos a Google Security Operations.
  • incluye información sobre cómo el analizador asigna campos en el registro original a los campos del Modelo de datos unificados de Google Security Operations.

La información de este documento se aplica al analizador con la etiqueta de transferencia WINDOWS_SYSMON. La etiqueta de transferencia identifica qué analizador normaliza los datos de registro sin procesar al formato estructurado del UDM.

Antes de comenzar

Este diagrama representa los componentes principales recomendados en una arquitectura de implementación para recopilar y enviar datos de Sysmon de Microsoft Windows a Google Security Operations. Compara esta información con tu entorno para asegurarte de que los componentes esté instalado. Cada implementación del cliente diferirá de esta representación y puede ser más compleja. Se requiere lo siguiente:

  • Los sistemas en la arquitectura de implementación se configuran con la UTC zona horaria.
  • Sysmon se instala en servidores, endpoints y controladores de dominio.
  • El servidor de Microsoft Windows del recopilador recibe registros de servidores, extremos y controladores de dominio.
  • Los sistemas Microsoft Windows en la arquitectura de implementación usan lo siguiente:

    • Fuente de suscripciones iniciadas para recopilar eventos en varios dispositivos.
    • Servicio WinRM para la administración de sistemas remotos.
  • NXLog está instalado en el servidor de Windows del colector para reenviar los registros a Servidor de reenvío de Google Security Operations.

  • El servidor de reenvío de Google Security Operations se instala en un servidor central de Microsoft Windows o en un servidor Linux.

    Arquitectura de implementación

Revisa los dispositivos y las versiones compatibles

El analizador de Google Security Operations admite registros generados por los siguientes servicios de Microsoft Windows: varias versiones del servidor. Microsoft Windows Server se lanza con las siguientes ediciones: Foundation, Essentials, Standard y Datacenter. El esquema de eventos de los registros generadas por cada edición no difiere.

  • Microsoft Windows Server 2019
  • Microsoft Windows Server 2016
  • Microsoft Windows Server 2012

El analizador de Google Security Operations admite registros generados por lo siguiente:

  • Sistemas cliente de Microsoft Windows 7 y versiones posteriores
  • Sysmon versión 13.24.

El analizador de Google Security Operations admite registros recopilados por NXLog Community o Enterprise Edition.

Revisa los tipos de registros admitidos

El analizador de Google Security Operations admite los siguientes tipos de registros generados por Microsoft Windows. Sysmon Para obtener más información sobre estos tipos de registros, consulta la Documentación de Microsoft Windows Sysmon. Admite registros generados con texto en inglés y no es compatible con registros generados en idiomas distintos al inglés.

Tipo de registro Descripción
Registros Sysmon El canal Sysmon contiene 27 IDs de eventos. (ID de evento: 1 a 26 y 255).
Para obtener una descripción de este tipo de registro, consulta la documentación de eventos de Sysmon de Microsoft Windows.

Configura servidores, extremos y controladores de dominio de Microsoft Windows

  1. Instala y configura los servidores, los extremos y los controladores de dominio. Para obtener más información, consulta Documentación de Microsoft Windows Sysmon Configuration.
  2. Configura un servidor de Microsoft Windows de recopilación para analizar los registros recopilados de varios sistemas.
  3. Configura el servidor central de Microsoft Windows o Linux
  4. Configura todos los sistemas con la zona horaria UTC.
  5. Configura los dispositivos para que reenvíen registros al servidor de Microsoft Windows del recopilador.

Configura el agente de BindPlane

Recopila los registros de Sysmon de Windows con el agente de BindPlane. Después de la instalación, el servicio del agente de BindPlane aparece como el servicio observerIQ en la lista de servicios de Windows.

  1. Instalar el agente de BindPlane en el colector que se ejecuta en un servidor de Windows Para obtener más información sobre cómo instalar el agente de BindPlane, consulta las instrucciones de instalación del agente de BindPlane.
  2. Crea un archivo de configuración para el agente de BindPlane con el siguiente contenido.

    receivers:
      windowseventlog/sysmon:
        channel: Microsoft-Windows-Sysmon/Operational
        raw: true
    processors:
      batch:
    
    exporters:
      chronicle/winsysmon:
        endpoint: https://malachiteingestion-pa.googleapis.com
        creds: '{
        "type": "service_account",
        "project_id": "malachite-projectname",
        "private_key_id": `PRIVATE_KEY_ID`,
        "private_key": `PRIVATE_KEY`,
        "client_email":"`SERVICE_ACCOUNT_NAME`@malachite-`PROJECT_ID`.iam.gserviceaccount.com",
        "client_id": `CLIENT_ID`,
        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
        "token_uri": "https://oauth2.googleapis.com/token",
        "auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs",
        "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/`SERVICSERVICE_ACCOUNT_NAME`%40malachite-`PROJECT_ID`.iam.gserviceaccount.com",
        "universe_domain": "googleapis.com"
        }'
      log_type: 'WINDOWS_SYSMON'
      override_log_type: false
      raw_log_field: body
      customer_id: `CUSTOMER_ID`
    
    service:
      pipelines:
        logs/winsysmon:
          receivers:
            - windowseventlog/sysmon
          processors: [batch]
          exporters: [chronicle/winsysmon]
    
  3. Reemplaza PRIVATE_KEY_ID, PRIVATE_KEY, SERVICSERVICE_ACCOUNT_NAME, PROJECT_ID, CLIENT_ID y CUSTOMER_ID por los valores correspondientes del archivo JSON de la cuenta de servicio que puedes descargar desde Google Cloud Platform. Para obtener más información sobre las claves de cuentas de servicio, consulta la documentación sobre cómo crear y borrar claves de cuentas de servicio.

  4. Para iniciar el servicio del agente de observadorIQ, selecciona Servicios > Extendido > Servicio de observadorIQ > iniciar.

Configura el reenviador de NXLog y Google Security Operations

  1. Instala NXLog en el colector que se ejecuta en un servidor de Windows. Sigue el Documentación de NXLog, que incluye información sobre configuración de NXLog para recopilar registros de Sysmon.
  2. Crea un archivo de configuración para NXLog. Usa el im_msvistalog. Este es un ejemplo de configuración de NXLog. Reemplaza los valores <hostname> y <port> con información sobre el el servidor central de destino de Microsoft Windows o Linux. Para obtener más información, consulta la documentación de NXLog sobre los Módulo om_tcp.

    define ROOT     C:\Program Files (x86)\nxlog
    define SYSMON_OUTPUT_DESTINATION_ADDRESS <hostname>
    define SYSMON_OUTPUT_DESTINATION_PORT <port>
    define CERTDIR  %ROOT%\cert
    define CONFDIR  %ROOT%\conf
    define LOGDIR   %ROOT%\data
    define LOGFILE  %LOGDIR%\nxlog.log
    LogFile %LOGFILE%
    
    Moduledir %ROOT%\modules
    CacheDir  %ROOT%\data
    Pidfile   %ROOT%\data\nxlog.pid
    SpoolDir  %ROOT%\data
    
    <Extension _json>
        Module      xm_json
    </Extension>
    
    <Input windows_sysmon_eventlog>
        Module  im_msvistalog
        <QueryXML>
            <QueryList>
                <Query Id="0">
                    <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
                </Query>
            </QueryList>
        </QueryXML>
        ReadFromLast  False
        SavePos  False
    </Input>
    
    <Output out_chronicle_sysmon>
        Module      om_tcp
        Host        %SYSMON_OUTPUT_DESTINATION_ADDRESS%
        Port        %SYSMON_OUTPUT_DESTINATION_PORT%
        Exec        $EventTime = integer($EventTime) / 1000;
        Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000;
        Exec        to_json();
    </Output>
    
    <Route r2>
        Path    windows_sysmon_eventlog => out_chronicle_sysmon
    </Route>
    
  3. Instala el servidor de reenvío de Google Security Operations en el servidor central de Microsoft Windows o Linux. Consulta Cómo instalar y configurar el objeto Forwarder en Linux. o Instalación y configuración del servidor de reenvío en Microsoft Windows para obtener información sobre cómo instalar y configurar el servidor de reenvío.

  4. Configura el reenviador de Google Security Operations para enviar registros a Google Security Operations. Este es un ejemplo de configuración de reenvío.

      - syslog:
          common:
            enabled: true
            data_type: WINDOWS_SYSMON
            Data_hint:
            batch_n_seconds: 10
            batch_n_bytes: 1048576
          tcp_address: 0.0.0.0:10518
          connection_timeout_sec: 60
    
  5. Inicia el servicio de NXLog.

Referencia de la asignación de campos: campos de eventos del dispositivo a campos UDM

En esta sección, se describe cómo el analizador asigna los campos de registro del dispositivo original a Campos del modelo de datos unificados (UDM) La asignación de campos puede diferir según el ID de evento.

Referencia de asignación de campos: identificador de eventos a tipo de evento

En la siguiente tabla, se enumeran los tipos de registro de WINDOWS_SYSMON y sus correspondientes tipos de eventos de la AUA.
Event Identifier Event Type Security Category
1 PROCESS_LAUNCH
2 FILE_MODIFICATION
3 NETWORK_CONNECTION
4 SETTING_MODIFICATION
5 PROCESS_TERMINATION
6 PROCESS_MODULE_LOAD
7 PROCESS_MODULE_LOAD
8 PROCESS_MODULE_LOAD
9 FILE_READ
10 PROCESS_OPEN
11 FILE_CREATION
12 If the Message log field value matches the regular expression pattern CreateKey|CreateValue then, the metadata.event_type UDM field is set to REGISTRY_CREATION.
Else if the Message log field value matches the regular expression pattern DeleteKey|DeleteValue then, the target.resource.name UDM field is set to REGISTRY_DELETION.
Else, the target.resource.name UDM field is set to REGISTRY_MODIFICATION.
13 REGISTRY_MODIFICATION
14 REGISTRY_MODIFICATION
15 FILE_CREATION
16 SETTING_MODIFICATION
17 PROCESS_UNCATEGORIZED
18 PROCESS_UNCATEGORIZED
19 USER_RESOURCE_ACCESS
20 USER_RESOURCE_ACCESS
21 USER_RESOURCE_ACCESS
22 NETWORK_DNS
23 FILE_DELETION
24 RESOURCE_READ
25 PROCESS_LAUNCH
26 FILE_DELETION
255 SERVICE_UNSPECIFIED

Referencia de asignación de campos: WINDOWS_SYSMON

En la siguiente tabla, se enumeran los campos de registro del tipo de registro WINDOWS_SYSMON y sus campos UDM correspondientes.

Log field UDM mapping Logic
SourceName
metadata.vendor_name The metadata.vendor_name UDM field is set to Microsoft.
metadata.product_name The metadata.product_name UDM field is set to Microsoft-Windows-Sysmon.
UtcTime metadata.event_timestamp
EventID metadata.product_event_type
If the EventID log field value is equal to 255 then, the metadata.product_event_type UDM field is set to Error - [255].
Else EventID log field is mapped to the metadata.product_event_type UDM field.
RecordNumber metadata.product_log_id
EventRecordID metadata.product_log_id
Version metadata.product_version
If the EventID log field value is equal to 4 then, Version log field is mapped to the metadata.product_version UDM field.
QueryResults network.dns.answers.data The type_value and data_value fields are extracted from QueryResults log field using the Grok pattern.
If the EventID log field value is equal to 22 then, the data_value log field is mapped to the network.dns.answers.data UDM field.
QueryResults network.dns.answers.type The type_value and data_value fields are extracted from QueryResults log field using the Grok pattern.
If the EventID log field value is equal to 22 then, the type_value log field is mapped to the network.dns.answers.type UDM field.
QueryName network.dns.questions.name
If the EventID log field value is equal to 22 then, QueryName log field is mapped to the network.dns.questions.name UDM field.
Protocol network.ip_protocol
If the EventID log field value is equal to 3 then, Protocol log field is mapped to the network.ip_protocol UDM field.
ParentCommandLine principal.process.command_line
If the EventID log field value is equal to 1 then, ParentCommandLine log field is mapped to the principal.process.command_line UDM field.
User principal.administrative_domain The principal_user_userid and principal_administrative_domain fields are extracted from User log field using the Grok pattern.
If the principal_administrative_domain log field value is not empty and the User log field value is not empty then, principal_administrative_domain extracted field is mapped to the principal.administrative_domain UDM field.
Else Domain log field is mapped to the principal.administrative_domain UDM field.
Domain principal.administrative_domain The principal_user_userid and principal_administrative_domain fields are extracted from User log field using the Grok pattern.
If the principal_administrative_domain log field value is not empty and the User log field value is not empty then, principal_administrative_domain extracted field is mapped to the principal.administrative_domain UDM field.
Else Domain log field is mapped to the principal.administrative_domain UDM field.
HostName principal.hostname
If the Hostname log field value is empty then, Computer log field is mapped to the principal.hostname UDM field.
Else HostName log field is mapped to the principal.hostname UDM field and Hostname log field is mapped to the principal.hostname UDM field.
Computer principal.hostname
If the Hostname log field value is empty then, Computer log field is mapped to the principal.hostname UDM field.
Else HostName log field is mapped to the principal.hostname UDM field and Hostname log field is mapped to the principal.hostname UDM field.
HostName principal.asset.hostname
If the Hostname log field value is empty then, Computer log field is mapped to the principal.asset.hostname UDM field.
Else HostName log field is mapped to the principal.asset.hostname UDM field and Hostname log field is mapped to the principal.asset.hostname UDM field.
Computer principal.asset.hostname
If the Hostname log field value is empty then, Computer log field is mapped to the principal.asset.hostname UDM field.
Else HostName log field is mapped to the principal.asset.hostname UDM field and Hostname log field is mapped to the principal.asset.hostname UDM field.
SourceIp principal.ip
If the EventID log field value is equal to 3 then, SourceIp log field is mapped to the principal.ip UDM field.
SourcePort principal.port
If the EventID log field value is equal to 3 then, SourcePort log field is mapped to the principal.port UDM field.
ImageLoaded principal.process.file.full_path
If the EventID log field value is equal to 6 then, ImageLoaded log field is mapped to the principal.process.file.full_path UDM field.
Image principal.process.file.full_path
If the EventID log field value contain one of the following values:
  • 2
  • 3
  • 7
  • 9
  • 11
  • 12
  • 13
  • 14
  • 15
  • 22
  • 23
  • 26
then, Image log field is mapped to the principal.process.file.full_path UDM field.
SourceImage principal.process.file.full_path
If the EventID log field value contain one of the following values:
  • 8
  • 10
then, SourceImage log field is mapped to the principal.process.file.full_path UDM field.
ParentImage principal.process.file.full_path
If the EventID log field value is equal to 1 then, ParentImage log field is mapped to the principal.process.file.full_path UDM field.
ProcessId principal.process.pid
If the EventID log field value contain one of the following values:
  • 2
  • 3
  • 7
  • 9
  • 11
  • 12
  • 13
  • 14
  • 15
  • 22
  • 23
  • 24
  • 25
  • 26
and if the ExecutionProcessID log field value is not empty then, ExecutionProcessID log field is mapped to the principal.process.pid UDM field.
Else ProcessId log field is mapped to the principal.process.pid UDM field.
SourceProcessId principal.process.pid If the EventID log field value is equal to 8 then, SourceProcessId log field is mapped to the principal.process.pid UDM field.
ParentProcessId principal.process.pid If the EventID log field value is equal to 1 then, ParentProcessId log field is mapped to the principal.process.pid UDM field.
ProcessID observer.process.pid
ProcessGuid principal.process.product_specific_process_id
If the EventID log field value contain one of the following values:
  • 2
  • 3
  • 5
  • 7
  • 9
  • 11
  • 12
  • 13
  • 14
  • 15
  • 22
  • 23
  • 26
then, principal.process.product_specific_process_id UDM field is set to SYSMON:%{ProcessGuid}.
ParentProcessGuid principal.process.product_specific_process_id
If the EventID log field value is equal to 1 then, principal.process.product_specific_process_id UDM field is set to SYSMON:%{ParentProcessGuid}.
SourceProcessGuid principal.process.product_specific_process_id
If the EventID log field value is equal to 8 then, principal.process.product_specific_process_id UDM field is set to SYSMON:%{SourceProcessGuid}.
SourceProcessGUID principal.process.product_specific_process_id
If the EventID log field value is equal to 10 then, principal.process.product_specific_process_id UDM field is set to SYSMON:%{SourceProcessGUID}.
User principal.user.userid The principal_user_userid and principal_administrative_domain fields are extracted from User log field using the Grok pattern.
If the EventID log field value is not equal to 24 and if the principal_user_userid log field value is not empty and the User log field value is not empty then, principal_user_userid extracted field is mapped to the principal.user.userid UDM field.
ClientInfo principal.user.userid The host and user_id fields are extracted from ClientInfo log field using the Grok pattern.
If the EventID log field value is equal to 24 and if the user_id log field value is not empty and the ClientInfo log field value is not empty then, user_id extracted field is mapped to the principal.user.userid UDM field.
Else ClientInfo log field is mapped to the principal.user.userid UDM field.
AccountName principal.user.userid The principal_user_userid and principal_administrative_domain fields are extracted from User log field using the Grok pattern.
If the EventID log field value is not equal to 24 and if the principal_user_userid log field value is not empty and the User log field value is not empty then, principal_user_userid extracted field is mapped to the principal.user.userid UDM field.
Else AccountName log field is mapped to the principal.user.userid UDM field.
SourceUser principal.user.userid
UserID principal.user.windows_sid
Description security_result.description
If the EventID log field value is equal to 255 and if the Description log field value is not equal to - then, Description log field is mapped to the security_result.description UDM field.
RuleName security_result.rule_name
EventID security_result.rule_name The security_result.rule_name UDM field is set to EventID: %{EventID}.
security_result.severity
If the Level log field value contain one of the following values:
  • 0
  • 3
  • 4
or the Level log field value is equal to Information then, the security_result.severity UDM field is set to INFORMATIONAL.
Else, If Level log field value is equal to 2 or the Level log field value is equal to Error then, the security_result.severity UDM field is set to ERROR.
If the SeverityValue log field value does not contain one of the following values:
  • Empty
  • -
and if the SeverityValue log field value contain one of the following values:
  • 1
  • 2
  • 3
then, the security_result.severity UDM field is set to INFORMATIONAL. Else, if SeverityValue log field value is equal to 4 then, the security_result.severity UDM field is set to ERROR. Else, if SeverityValue log field value is equal to 5 then, the security_result.severity UDM field is set to CRITICAL.
Category about.labels[Category ID] The category_id and category_tag fields are extracted from Category log field using the Grok pattern. category_id extracted field is mapped to the about.labels.Category ID UDM field.
QueryStatus security_result.summary If the EventID log field value is equal to 22 then, the security_result.summary UDM field is set to QueryStatus: %{QueryStatus}.
ID security_result.summary If the EventID log field value is equal to 255 then, ID log field is mapped to the security_result.summary UDM field.
Category security_result.summary The category_id and category_tag fields are extracted from Category log field using the Grok pattern.
If the category_id log field value is not empty then, category_tag extracted field is mapped to the security_result.summary UDM field.
Else Category log field is mapped to the security_result.summary UDM field.
CurrentDirectory additional.fields[current_directory]
If the EventID log field value is equal to 1 then, CurrentDirectory log field is mapped to the additional.fields.current_directory UDM field.
OriginalFileName src.file.full_path
If the EventID log field value is equal to 1 then, OriginalFileName log field is mapped to the src.file.full_path UDM field.
TargetObject src.registry.registry_key
If the EventID log field value is equal to 14 then, TargetObject log field is mapped to the src.registry.registry_key UDM field.
Name target.application
If the EventID log field value is equal to 19 then, Name log field is mapped to the target.application UDM field.
If the EventID log field value is equal to 255 then, the target.application UDM field is set to Microsoft Sysmon.
Description target.asset.software.description
If the EventID log field value contain one of the following values:
  • 1
  • 7
and if the Description log field value is not equal to - then, Description log field is mapped to the target.asset.software.description UDM field.
Product target.asset.software.name
If the EventID log field value contain one of the following values:
  • 1
  • 7
and if the Product log field value is not equal to - then, Product log field is mapped to the target.asset.software.name UDM field.
Company target.asset.software.vendor_name
If the EventID log field value contain one of the following values:
  • 1
  • 7
and if the Company log field value is not equal to - then, Company log field is mapped to the target.asset.software.vendor_name UDM field.
FileVersion target.asset.software.version
If the EventID log field value contain one of the following values:
  • 1
  • 7
and if the FileVersion log field value is not equal to - then, FileVersion log field is mapped to the target.asset.software.version UDM field.
EventNamespace target.file.full_path
If the EventID log field value is equal to 19 then, EventNamespace log field is mapped to the target.file.full_path UDM field.
Device target.file.full_path
If the EventID log field value is equal to 9 then, Device log field is mapped to the target.file.full_path UDM field.
TargetFilename target.file.full_path
If the EventID log field value contain one of the following values:
  • 2
  • 11
  • 15
  • 23
  • 26
then, TargetFilename log field is mapped to the target.file.full_path UDM field.
DestinationHostname target.asset.hostname If the EventID log field value is equal to 3 then, DestinationHostname log field is mapped to the target.asset.hostname UDM field.
ClientInfo target.asset.hostname The host and user_id fields are extracted from ClientInfo log field using the Grok pattern. The target_ip and host fields are extracted from ClientInfo log field using the Grok pattern.
If the EventID log field value is equal to 24 then, host extracted field is mapped to the target.asset.hostname UDM field.
DestinationHostname target.hostname If the EventID log field value is equal to 3 then, DestinationHostname log field is mapped to the target.hostname UDM field.
ClientInfo target.hostname The host and user_id fields are extracted from ClientInfo log field using the Grok pattern. The target_ip and host fields are extracted from ClientInfo log field using the Grok pattern.
If the EventID log field value is equal to 24 then, host extracted field is mapped to the target.hostname UDM field.
ClientInfo target.ip The target_ip and host fields are extracted from ClientInfo log field using the Grok pattern.
If the EventID log field value is equal to 24 then, target_ip extracted field is mapped to the target.ip UDM field.
DestinationIp target.ip If the EventID log field value is equal to 3 then, DestinationIp log field is mapped to the target.ip UDM field.
DestinationPort target.port
If the EventID log field value is equal to 3 then, DestinationPort log field is mapped to the target.port UDM field.
CommandLine target.process.command_line
If the EventID log field value is equal to 1 then, CommandLine log field is mapped to the target.process.command_line UDM field.
Configuration target.process.command_line
If the EventID log field value is equal to 16 and if the ConfigurationFileHash log field value contain one of the following values:
  • Empty
  • -
then, Configuration log field is mapped to the target.process.command_line UDM field.
ImageLoaded target.process.file.full_path If the EventID log field value is equal to 7 then, ImageLoaded log field is mapped to the target.process.file.full_path UDM field.
TargetImage target.process.file.full_path If the EventID log field value contain one of the following values:
  • 8
  • 10
then, TargetImage log field is mapped to the target.process.file.full_path UDM field.
Image target.process.file.full_path If the EventID log field value contain one of the following values:
  • 1
  • 5
  • 17
  • 18
  • 24
  • 25
then, Image log field is mapped to the target.process.file.full_path UDM field.
Configuration target.process.file.full_path If the EventID log field value is equal to 16 and if the ConfigurationFileHash log field value does not contain one of the following values:
  • Empty
  • -
then, Configuration log field is mapped to the target.process.file.full_path UDM field.
Hashes target.process.file.md5 The KV filter is used to extract the MD5 from the Hashes log field.
If the EventID log field value contain one of the following values:
  • 1
  • 6
  • 7
  • 15
  • 16
  • 23
  • 24
  • 26
then, MD5 extracted field is mapped to the target.process.file.md5 UDM field.
Hash target.process.file.md5 The KV filter is used to extract the MD5 from the Hashe log field.
If the EventID log field value contain one of the following values:
  • 1
  • 6
  • 7
  • 15
  • 16
  • 23
  • 24
  • 26
then, MD5 extracted field is mapped to the target.process.file.md5 UDM field.
ConfigurationFileHash target.process.file.md5 The KV filter is used to extract the MD5 from the ConfigurationFileHash log field.
If the EventID log field value contain one of the following values:
  • 1
  • 6
  • 7
  • 15
  • 16
  • 23
  • 24
  • 26
then, MD5 extracted field is mapped to the target.process.file.md5 UDM field.
Hashes target.process.file.sha1 The KV filter is used to extract the SHA1 from the Hashes log field.
If the EventID log field value contain one of the following values:
  • 1
  • 6
  • 7
  • 15
  • 16
  • 23
  • 24
  • 26
then, SHA1 extracted field is mapped to the target.process.file.sha1 UDM field.
Hash target.process.file.sha1 The KV filter is used to extract the SHA1 from the Hash log field.
If the EventID log field value contain one of the following values:
  • 1
  • 6
  • 7
  • 15
  • 16
  • 23
  • 24
  • 26
then, SHA1 extracted field is mapped to the target.process.file.sha1 UDM field.
ConfigurationFileHash target.process.file.sha1 The KV filter is used to extract the SHA1 from the ConfigurationFileHash log field.
If the EventID log field value contain one of the following values:
  • 1
  • 6
  • 7
  • 15
  • 16
  • 23
  • 24
  • 26
then, SHA1 extracted field is mapped to the target.process.file.sha1 UDM field.
Hashes target.process.file.sha256 The KV filter is used to extract the SHA256 from the Hashes log field.
If the EventID log field value contain one of the following values:
  • 1
  • 6
  • 7
  • 15
  • 16
  • 23
  • 24
  • 26
then, SHA256 extracted field is mapped to the target.process.file.sha256 UDM field.
Hash target.process.file.sha256 The KV filter is used to extract the SHA256 from the Hash log field.
If the EventID log field value contain one of the following values:
  • 1
  • 6
  • 7
  • 15
  • 16
  • 23
  • 24
  • 26
then, SHA256 extracted field is mapped to the target.process.file.sha256 UDM field.
ConfigurationFileHash target.process.file.sha256 The KV filter is used to extract the SHA256 from the ConfigurationFileHash log field.
If the EventID log field value contain one of the following values:
  • 1
  • 6
  • 7
  • 15
  • 16
  • 23
  • 24
  • 26
then, SHA256 extracted field is mapped to the target.process.file.sha256 UDM field.
Hashes target.process.file.file_metadata.pe.import_hash The KV filter is used to extract the IMPHASH from the Hashes log field.
IMPHASH extracted field is mapped to the target.process.file.file_metadata.pe.import_hash UDM field.
Hash target.process.file.file_metadata.pe.import_hash The KV filter is used to extract the IMPHASH from the Hash log field.
IMPHASH extracted field is mapped to the target.process.file.file_metadata.pe.import_hash UDM field.
ConfigurationFileHash target.process.file.file_metadata.pe.import_hash The KV filter is used to extract the IMPHASH from the ConfigurationFileHash log field.
IMPHASH extracted field is mapped to the target.process.file.file_metadata.pe.import_hash UDM field.
TargetProcessId target.process.pid If the EventID log field value contain one of the following values:
  • 8
  • 10
then, TargetProcessId log field is mapped to the target.process.pid UDM field.
ProcessId target.process.pid If the EventID log field value contain one of the following values:
  • 1
  • 5
  • 16
  • 17
  • 18
and if the ExecutionProcessID log field value is not empty then, ExecutionProcessID log field is mapped to the target.process.pid UDM field.
Else ProcessId log field is mapped to the target.process.pid UDM field.
ProcessID target.process.pid If the EventID log field value contain one of the following values:
  • 1
  • 5
  • 16
  • 17
  • 18
and if the ExecutionProcessID log field value is not empty then, ExecutionProcessID log field is mapped to the target.process.pid UDM field.
Else ProcessID log field is mapped to the target.process.pid UDM field.
TargetProcessGuid target.process.product_specific_process_id If the EventID log field value is equal to 8 then, the target.process.product_specific_process_id UDM field is set to SYSMON:%{TargetProcessGuid}.
TargetProcessGUID target.process.product_specific_process_id If the EventID log field value is equal to 10 then, the target.process.product_specific_process_id UDM field is set to SYSMON:%{TargetProcessGUID}.
ProcessGuid target.process.product_specific_process_id
If the EventID log field value contain one of the following values:
  • 1
  • 17
  • 18
  • 24
  • 25
then, the target.process.product_specific_process_id UDM field is set to SYSMON:%{ProcessGuid}.
NewName target.registry.registry_key
If the EventID log field value is equal to 14 then, NewName log field is mapped to the target.registry.registry_key UDM field.
TargetObject target.registry.registry_key
If the EventID log field value contain one of the following values:
  • 12
  • 13
then, TargetObject log field is mapped to the target.registry.registry_key UDM field.
Details target.registry.registry_value_data
If the EventID log field value is equal to 13 then, Details log field is mapped to the target.registry.registry_value_data UDM field.
PreviousCreationUtcTime target.resource.attribute.labels.key[PreviousCreationUtcTime]
If the EventID log field value is equal to 2 then, PreviousCreationUtcTime log field is mapped to the target.resource.attribute.labels UDM field.
Archived target.resource.attribute.labels[Archived]
If the EventID log field value contain one of the following values:
  • 23
  • 24
then, Archived log field is mapped to the target.resource.attribute.labels UDM field.
Consumer target.resource.attribute.labels[Consumer]
If the EventID log field value is equal to 21 then, Consumer log field is mapped to the target.resource.attribute.labels UDM field.
CreationUtcTime target.resource.attribute.labels[CreationUtcTime]
If the EventID log field value contain one of the following values:
  • 2
  • 15
then, CreationUtcTime log field is mapped to the target.resource.attribute.labels UDM field.
IsExecutable target.resource.attribute.labels[IsExecutable]
If the EventID log field value contain one of the following values:
  • 23
  • 26
then, IsExecutable log field is mapped to the target.resource.attribute.labels UDM field.
Name target.resource.attribute.labels[Name]
If the EventID log field value is equal to 20 then, Name log field is mapped to the target.resource.attribute.labels UDM field.
Operation target.resource.attribute.labels[Operation]
If the EventID log field value contain one of the following values:
  • 19
  • 20
  • 21
then, Operation log field is mapped to the target.resource.attribute.labels UDM field.
Signature target.resource.attribute.labels[Signature]
If the EventID log field value contain one of the following values:
  • 6
  • 7
then, Signature log field is mapped to the target.resource.attribute.labels UDM field.
SignatureStatus target.resource.attribute.labels[SignatureStatus]
If the EventID log field value contain one of the following values:
  • 6
  • 7
then, SignatureStatus log field is mapped to the target.resource.attribute.labels UDM field.
Signed target.resource.attribute.labels[Signed]
If the EventID log field value contain one of the following values:
  • 6
  • 7
then, Signed log field is mapped to the target.resource.attribute.labels UDM field.
Type target.resource.attribute.labels[Type]
If the EventID log field value is equal to 20 then, Type log field is mapped to the target.resource.attribute.labels UDM field.
Type additional.fields[Type]
If the EventID log field value is equal to 25 then, Type log field is mapped to the additional.fields UDM field.
State target.resource.name
If the EventID log field value is equal to 4 then, State log field is mapped to the target.resource.name UDM field.
CreationUtcTime target.resource.name
If the EventID log field value is equal to 11 then, CreationUtcTime log field is mapped to the target.resource.name UDM field.
PipeName target.resource.name
If the EventID log field value contain one of the following values:
  • 17
  • 18
then, PipeName log field is mapped to the target.resource.name UDM field.
Filter target.resource.name
If the EventID log field value is equal to 21 then, Filter log field is mapped to the target.resource.name UDM field.
Destination target.resource.name
If the EventID log field value is equal to 20 then, Destination log field is mapped to the target.resource.name UDM field.
Query target.resource.name
If the EventID log field value is equal to 19 then, Query log field is mapped to the target.resource.name UDM field.
GrantedAccess target.resource.name
If the EventID log field value is equal to 10 and if the GrantedAccess log field value matches the regular expression pattern ^0x0080$ then, the target.resource.name UDM field is set to PROCESS_CREATE_PROCESS.
Else, If the GrantedAccess log field value matches the regular expression pattern ^0x0002$ then, the target.resource.name UDM field is set to PROCESS_CREATE_THREAD.
Else, If the GrantedAccess log field value matches the regular expression pattern ^0x0040$ then, the target.resource.name UDM field is set to PROCESS_DUP_HANDLE.
Else, If the GrantedAccess log field value matches the regular expression pattern ^0x0400$ then, the target.resource.name UDM field is set to PROCESS_QUERY_INFORMATION.
Else, If the GrantedAccess log field value matches the regular expression pattern ^0x1000$ then, the target.resource.name UDM field is set to PROCESS_QUERY_LIMITED_INFORMATION.
Else, If the GrantedAccess log field value matches the regular expression pattern ^0x0200$ then, the target.resource.name UDM field is set to PROCESS_SET_INFORMATION.
Else, If the GrantedAccess log field value matches the regular expression pattern ^0x0100$ then, the target.resource.name UDM field is set to PROCESS_SET_QUOTA.
Else, If the GrantedAccess log field value matches the regular expression pattern ^0x0800$ and if the GrantedAccess log field value matches the regular expression pattern ^0x0001$ then, the target.resource.name UDM field is set to PROCESS_TERMINATE.
Else, If the GrantedAccess log field value matches the regular expression pattern ^0x0008$ then, the target.resource.name UDM field is set to PROCESS_VM_OPERATION.
Else, If the GrantedAccess log field value matches the regular expression pattern ^0x0010$ then, the target.resource.name UDM field is set to PROCESS_VM_READ.
Else, If the GrantedAccess log field value matches the regular expression pattern ^0x0020$ then, the target.resource.name UDM field is set to PROCESS_VM_WRITE.
Else, If the GrantedAccess log field value matches the regular expression pattern ^0x00100000L$ then, the target.resource.name UDM field is set to SYNCHRONIZE.
target.resource.resource_type
If the EventID log field value contain one of the following values:
  • 4
  • 16
then, the target.resource.resource_type UDM field is set to SETTING.
Else, If EventID log field value contain one of the following values:
  • 17
  • 18
then, the target.resource.resource_type UDM field is set to PIPE.
target.resource.resource_subtype
If the EventID log field value is equal to 11 then, the target.resource.resource_subtype UDM field is set to CreationUtcTime.
Else, If EventID log field value is equal to 10 then, the target.resource.resource_subtype UDM field is set to GrantedAccess.
Else, If EventID log field value is equal to 4 then, the target.resource.resource_subtype UDM field is set to State.
TargetUser target.user.userid
network.direction
If the EventID log field value is equal to 3 then, the network.direction UDM field is set to OUTBOUND.
security_result.action
If the EventID log field value is equal to 3 then, the security_result.action UDM field is set to ALLOW.
ProviderGuid observer.asset_id ProviderGuid log field is mapped to the observer.asset_id UDM field.
Keywords additional.fields[Keywords]
ThreadID additional.fields[thread_id]
ThreadID additional.fields[ThreadID]
Channel additional.fields[channel]
Opcode additional.fields[Opcode]
LogonId principal.network.session_id
LogonGuid additional.fields[LogonGuid]
TerminalSessionId additional.fields[TerminalSessionId]
SourcePortName additional.fields[SourcePortName]
SourceIsIpv6 additional.fields[SourceIsIpv6]
DestinationPortName additional.fields[DestinationPortName]
DestinationIsIpv6 additional.fields[DestinationIsIpv6]
Initiated additional.fields[Initiated]
SchemaVersion additional.fields[SchemaVersion]
CallTrace additional.fields[CallTrace]
network.application_protocol
If the EventID log field value is equal to 22 then, the network.application_protocol UDM field is set to DNS.
NewThreadId additional.fields[NewThreadId]
StartAddress additional.fields[StartAddress]
StartFunction additional.fields[StartFunction]
StartModule additional.fields[StartModule]
ParentUser additional.fields[ParentUser]
IntegrityLevel target.process.integrity_level_rid
If the EventID log field value contain one of the following values:
  • 18
  • 17
  • 16
  • 5
  • 4
  • 1
and if the IntegrityLevel log field value matches the regular expression pattern (?i)(Untrusted) then, the target.process.integrity_level_rid UDM field is set to 0.
Else, if IntegrityLevel log field value matches the regular expression pattern (?i)(Low) then, the target.process.integrity_level_rid UDM field is set to 4096.
Else, if IntegrityLevel log field value matches the regular expression pattern (?i)(Medium) then, the target.process.integrity_level_rid UDM field is set to 8192.
Else, if IntegrityLevel log field value matches the regular expression pattern (?i)(High) then, the target.process.integrity_level_rid UDM field is set to 12288.
Else, if IntegrityLevel log field value matches the regular expression pattern (?i)(System) then, the target.process.integrity_level_rid UDM field is set to 16384.
Else, if IntegrityLevel log field value matches the regular expression pattern (?i)(Protected) then, the target.process.integrity_level_rid UDM field is set to 20480.
IntegrityLevel principal.process.integrity_level_rid
If the EventID log field value does not contain one of the following values:
  • 18
  • 17
  • 16
  • 5
  • 4
  • 1
and if the IntegrityLevel log field value matches the regular expression pattern (?i)(Untrusted) then, the principal.process.integrity_level_rid UDM field is set to 0.
Else, if IntegrityLevel log field value matches the regular expression pattern (?i)(Low) then, the principal.process.integrity_level_rid UDM field is set to 4096.
Else, if IntegrityLevel log field value matches the regular expression pattern (?i)(Medium) then, the principal.process.integrity_level_rid UDM field is set to 8192.
Else, if IntegrityLevel log field value matches the regular expression pattern (?i)(High) then, the principal.process.integrity_level_rid UDM field is set to 12288.
Else, if IntegrityLevel log field value matches the regular expression pattern (?i)(System) then, the principal.process.integrity_level_rid UDM field is set to 16384.
Else, if IntegrityLevel log field value matches the regular expression pattern (?i)(Protected) then, the principal.process.integrity_level_rid UDM field is set to 20480.
Computer additional.fields[Computer]
If the HostName log field value is not empty or the Hostname log field value is not empty then, Computer log field is mapped to the additional.fields.Computer UDM field.
Task security_result.summary