Se usó la API de Cloud Translation para traducir esta página.

Recopila datos Sysmon de Microsoft Windows

Se admite en los siguientes países:

Google SecOps SIEM

En este documento, se incluye lo siguiente:

describe la arquitectura de implementación y los pasos de instalación, y cualquier configuración necesaria que produzca registros compatibles con Google Security Operations Analizador para eventos Sysmon de Microsoft Windows. Para obtener una descripción general de los datos de Google Security Operations consulta Transferencia de datos a Google Security Operations.
incluye información sobre cómo el analizador asigna campos en el registro original a los campos del Modelo de datos unificados de Google Security Operations.

La información de este documento se aplica al analizador con la etiqueta de transferencia WINDOWS_SYSMON. La etiqueta de transferencia identifica qué analizador normaliza los datos de registro sin procesar al formato estructurado del UDM.

Antes de comenzar

Revisa la arquitectura de implementación recomendada

Este diagrama representa los componentes principales recomendados en una arquitectura de implementación para recopilar y enviar datos de Sysmon de Microsoft Windows a Google Security Operations. Compara esta información con tu entorno para asegurarte de que los componentes esté instalado. Cada implementación del cliente diferirá de esta representación y puede ser más compleja. Se requiere lo siguiente:

Los sistemas en la arquitectura de implementación se configuran con la UTC zona horaria.
Sysmon se instala en servidores, endpoints y controladores de dominio.
El servidor de Microsoft Windows del recopilador recibe registros de servidores, extremos y controladores de dominio.
Los sistemas Microsoft Windows en la arquitectura de implementación usan lo siguiente:
- Fuente de suscripciones iniciadas para recopilar eventos en varios dispositivos.
- Servicio WinRM para la administración de sistemas remotos.
NXLog está instalado en el servidor de Windows del colector para reenviar los registros a Servidor de reenvío de Google Security Operations.
El servidor de reenvío de Google Security Operations se instala en un servidor central de Microsoft Windows o en un servidor Linux.

Nota: Si decides implementar el reenviador de Linux de Google Security Operations, el servidor central de Linux y el servidor de Microsoft Windows del recopilador serán sistemas diferentes. Si eliges implementar el reenviador de Google Security Operations para Microsoft Windows, el servidor central de Microsoft Windows y el servidor de Microsoft Windows del recopilador pueden ser el mismo sistema.

Revisa los dispositivos y las versiones compatibles

El analizador de Google Security Operations admite registros generados por los siguientes servicios de Microsoft Windows: varias versiones del servidor. Microsoft Windows Server se lanza con las siguientes ediciones: Foundation, Essentials, Standard y Datacenter. El esquema de eventos de los registros generadas por cada edición no difiere.

Microsoft Windows Server 2019
Microsoft Windows Server 2016
Microsoft Windows Server 2012

El analizador de Google Security Operations admite registros generados por lo siguiente:

Sistemas cliente de Microsoft Windows 7 y versiones posteriores
Sysmon versión 13.24.

El analizador de Google Security Operations admite registros recopilados por NXLog Community o Enterprise Edition.

Revisa los tipos de registros admitidos

El analizador de Google Security Operations admite los siguientes tipos de registros generados por Microsoft Windows. Sysmon Para obtener más información sobre estos tipos de registros, consulta la Documentación de Microsoft Windows Sysmon. Admite registros generados con texto en inglés y no es compatible con registros generados en idiomas distintos al inglés.

Tipo de registro	Descripción
Registros Sysmon	El canal Sysmon contiene 27 IDs de eventos. (ID de evento: 1 a 26 y 255). Para obtener una descripción de este tipo de registro, consulta la documentación de eventos de Sysmon de Microsoft Windows.

Configura servidores, extremos y controladores de dominio de Microsoft Windows

Instala y configura los servidores, los extremos y los controladores de dominio. Para obtener más información, consulta Documentación de Microsoft Windows Sysmon Configuration.
Configura un servidor de Microsoft Windows de recopilación para analizar los registros recopilados de varios sistemas.
Configura el servidor central de Microsoft Windows o Linux
Configura todos los sistemas con la zona horaria UTC.
Configura los dispositivos para que reenvíen registros al servidor de Microsoft Windows del recopilador.
- Configura las suscripciones iniciadas desde la fuente en sistemas Microsoft Windows. Para obtener más información, consulta Cómo configurar una suscripción iniciada por la fuente.
- Habilita WinRM en los servidores y clientes de Microsoft Windows. Para obtener información, consulta Instalación y configuración de la administración remota de Microsoft Windows.

Configura el agente de BindPlane

Recopila los registros de Sysmon de Windows con el agente de BindPlane. Después de la instalación, el servicio del agente de BindPlane aparece como el servicio observerIQ en la lista de servicios de Windows.

Instalar el agente de BindPlane en el colector que se ejecuta en un servidor de Windows Para obtener más información sobre cómo instalar el agente de BindPlane, consulta las instrucciones de instalación del agente de BindPlane.

Crea un archivo de configuración para el agente de BindPlane con el siguiente contenido.

receivers:
  windowseventlog/sysmon:
    channel: Microsoft-Windows-Sysmon/Operational
    raw: true
processors:
  batch:

exporters:
  chronicle/winsysmon:
    endpoint: https://malachiteingestion-pa.googleapis.com
    creds: '{
    "type": "service_account",
    "project_id": "malachite-projectname",
    "private_key_id": `PRIVATE_KEY_ID`,
    "private_key": `PRIVATE_KEY`,
    "client_email":"`SERVICE_ACCOUNT_NAME`@malachite-`PROJECT_ID`.iam.gserviceaccount.com",
    "client_id": `CLIENT_ID`,
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/`SERVICSERVICE_ACCOUNT_NAME`%40malachite-`PROJECT_ID`.iam.gserviceaccount.com",
    "universe_domain": "googleapis.com"
    }'
  log_type: 'WINDOWS_SYSMON'
  override_log_type: false
  raw_log_field: body
  customer_id: `CUSTOMER_ID`

service:
  pipelines:
    logs/winsysmon:
      receivers:
        - windowseventlog/sysmon
      processors: [batch]
      exporters: [chronicle/winsysmon]

Reemplaza PRIVATE_KEY_ID, PRIVATE_KEY, SERVICSERVICE_ACCOUNT_NAME, PROJECT_ID, CLIENT_ID y CUSTOMER_ID por los valores correspondientes del archivo JSON de la cuenta de servicio que puedes descargar desde Google Cloud Platform. Para obtener más información sobre las claves de cuentas de servicio, consulta la documentación sobre cómo crear y borrar claves de cuentas de servicio.
Para iniciar el servicio del agente de observadorIQ, selecciona Servicios > Extendido > Servicio de observadorIQ > iniciar.

Configura el reenviador de NXLog y Google Security Operations

Instala NXLog en el colector que se ejecuta en un servidor de Windows. Sigue el Documentación de NXLog, que incluye información sobre configuración de NXLog para recopilar registros de Sysmon.

Crea un archivo de configuración para NXLog. Usa el im_msvistalog. Este es un ejemplo de configuración de NXLog. Reemplaza los valores <hostname> y <port> con información sobre el el servidor central de destino de Microsoft Windows o Linux. Para obtener más información, consulta la documentación de NXLog sobre los Módulo om_tcp.

define ROOT     C:\Program Files (x86)\nxlog
define SYSMON_OUTPUT_DESTINATION_ADDRESS <hostname>
define SYSMON_OUTPUT_DESTINATION_PORT <port>
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _json>
    Module      xm_json
</Extension>

<Input windows_sysmon_eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    ReadFromLast  False
    SavePos  False
</Input>

<Output out_chronicle_sysmon>
    Module      om_tcp
    Host        %SYSMON_OUTPUT_DESTINATION_ADDRESS%
    Port        %SYSMON_OUTPUT_DESTINATION_PORT%
    Exec        $EventTime = integer($EventTime) / 1000;
    Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000;
    Exec        to_json();
</Output>

<Route r2>
    Path    windows_sysmon_eventlog => out_chronicle_sysmon
</Route>

Instala el servidor de reenvío de Google Security Operations en el servidor central de Microsoft Windows o Linux. Consulta Cómo instalar y configurar el objeto Forwarder en Linux. o Instalación y configuración del servidor de reenvío en Microsoft Windows para obtener información sobre cómo instalar y configurar el servidor de reenvío.

Configura el reenviador de Google Security Operations para enviar registros a Google Security Operations. Este es un ejemplo de configuración de reenvío.

  - syslog:
      common:
        enabled: true
        data_type: WINDOWS_SYSMON
        Data_hint:
        batch_n_seconds: 10
        batch_n_bytes: 1048576
      tcp_address: 0.0.0.0:10518
      connection_timeout_sec: 60

Inicia el servicio de NXLog.

Referencia de la asignación de campos: campos de eventos del dispositivo a campos UDM

En esta sección, se describe cómo el analizador asigna los campos de registro del dispositivo original a Campos del modelo de datos unificados (UDM) La asignación de campos puede diferir según el ID de evento.

Referencia de asignación de campos: identificador de eventos a tipo de evento

En la siguiente tabla, se enumeran los tipos de registro de WINDOWS_SYSMON y sus correspondientes tipos de eventos de la AUA.

Event Identifier	Event Type	Security Category
`1`	`PROCESS_LAUNCH`
`2`	`FILE_MODIFICATION`
`3`	`NETWORK_CONNECTION`
`4`	`SETTING_MODIFICATION`
`5`	`PROCESS_TERMINATION`
`6`	`PROCESS_MODULE_LOAD`
`7`	`PROCESS_MODULE_LOAD`
`8`	`PROCESS_MODULE_LOAD`
`9`	`FILE_READ`
`10`	`PROCESS_OPEN`
`11`	`FILE_CREATION`
`12`	If the `Message` log field value matches the regular expression pattern `CreateKey\|CreateValue` then, the `metadata.event_type` UDM field is set to `REGISTRY_CREATION`. Else if the `Message` log field value matches the regular expression pattern `DeleteKey\|DeleteValue` then, the `target.resource.name` UDM field is set to `REGISTRY_DELETION`. Else, the `target.resource.name` UDM field is set to `REGISTRY_MODIFICATION`.
`13`	`REGISTRY_MODIFICATION`
`14`	`REGISTRY_MODIFICATION`
`15`	`FILE_CREATION`
`16`	`SETTING_MODIFICATION`
`17`	`PROCESS_UNCATEGORIZED`
`18`	`PROCESS_UNCATEGORIZED`
`19`	`USER_RESOURCE_ACCESS`
`20`	`USER_RESOURCE_ACCESS`
`21`	`USER_RESOURCE_ACCESS`
`22`	`NETWORK_DNS`
`23`	`FILE_DELETION`
`24`	`RESOURCE_READ`
`25`	`PROCESS_LAUNCH`
`26`	`FILE_DELETION`
`255`	`SERVICE_UNSPECIFIED`

Referencia de asignación de campos: WINDOWS_SYSMON

En la siguiente tabla, se enumeran los campos de registro del tipo de registro WINDOWS_SYSMON y sus campos UDM correspondientes.

Log field	UDM mapping	Logic
`SourceName`
	`metadata.vendor_name`	The `metadata.vendor_name` UDM field is set to `Microsoft`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Microsoft-Windows-Sysmon`.
`UtcTime`	`metadata.event_timestamp`
`EventID`	`metadata.product_event_type`	If the `EventID` log field value is equal to `255` then, the `metadata.product_event_type` UDM field is set to `Error - [255]`. Else `EventID` log field is mapped to the `metadata.product_event_type` UDM field.
`RecordNumber`	`metadata.product_log_id`
`EventRecordID`	`metadata.product_log_id`
`Version`	`metadata.product_version`	If the `EventID` log field value is equal to `4` then, `Version` log field is mapped to the `metadata.product_version` UDM field.
`QueryResults`	`network.dns.answers.data`	The `type_value` and `data_value` fields are extracted from `QueryResults` log field using the Grok pattern. If the `EventID` log field value is equal to `22` then, the `data_value` log field is mapped to the `network.dns.answers.data` UDM field.
`QueryResults`	`network.dns.answers.type`	The `type_value` and `data_value` fields are extracted from `QueryResults` log field using the Grok pattern. If the `EventID` log field value is equal to `22` then, the `type_value` log field is mapped to the `network.dns.answers.type` UDM field.
`QueryName`	`network.dns.questions.name`	If the `EventID` log field value is equal to `22` then, `QueryName` log field is mapped to the `network.dns.questions.name` UDM field.
`Protocol`	`network.ip_protocol`	If the `EventID` log field value is equal to `3` then, `Protocol` log field is mapped to the `network.ip_protocol` UDM field.
`ParentCommandLine`	`principal.process.command_line`	If the `EventID` log field value is equal to `1` then, `ParentCommandLine` log field is mapped to the `principal.process.command_line` UDM field.
`User`	`principal.administrative_domain`	The `principal_user_userid` and `principal_administrative_domain` fields are extracted from `User` log field using the Grok pattern. If the `principal_administrative_domain` log field value is not empty and the `User` log field value is not empty then, `principal_administrative_domain` extracted field is mapped to the `principal.administrative_domain` UDM field. Else `Domain` log field is mapped to the `principal.administrative_domain` UDM field.
`Domain`	`principal.administrative_domain`	The `principal_user_userid` and `principal_administrative_domain` fields are extracted from `User` log field using the Grok pattern. If the `principal_administrative_domain` log field value is not empty and the `User` log field value is not empty then, `principal_administrative_domain` extracted field is mapped to the `principal.administrative_domain` UDM field. Else `Domain` log field is mapped to the `principal.administrative_domain` UDM field.
`HostName`	`principal.hostname`	If the `Hostname` log field value is empty then, `Computer` log field is mapped to the `principal.hostname` UDM field. Else `HostName` log field is mapped to the `principal.hostname` UDM field and `Hostname` log field is mapped to the `principal.hostname` UDM field.
`Computer`	`principal.hostname`	If the `Hostname` log field value is empty then, `Computer` log field is mapped to the `principal.hostname` UDM field. Else `HostName` log field is mapped to the `principal.hostname` UDM field and `Hostname` log field is mapped to the `principal.hostname` UDM field.
`HostName`	`principal.asset.hostname`	If the `Hostname` log field value is empty then, `Computer` log field is mapped to the `principal.asset.hostname` UDM field. Else `HostName` log field is mapped to the `principal.asset.hostname` UDM field and `Hostname` log field is mapped to the `principal.asset.hostname` UDM field.
`Computer`	`principal.asset.hostname`	If the `Hostname` log field value is empty then, `Computer` log field is mapped to the `principal.asset.hostname` UDM field. Else `HostName` log field is mapped to the `principal.asset.hostname` UDM field and `Hostname` log field is mapped to the `principal.asset.hostname` UDM field.
`SourceIp`	`principal.ip`	If the `EventID` log field value is equal to `3` then, `SourceIp` log field is mapped to the `principal.ip` UDM field.
`SourcePort`	`principal.port`	If the `EventID` log field value is equal to `3` then, `SourcePort` log field is mapped to the `principal.port` UDM field.
`ImageLoaded`	`principal.process.file.full_path`	If the `EventID` log field value is equal to `6` then, `ImageLoaded` log field is mapped to the `principal.process.file.full_path` UDM field.
`Image`	`principal.process.file.full_path`	If the `EventID` log field value contain one of the following values: `2` `3` `7` `9` `11` `12` `13` `14` `15` `22` `23` `26` then, `Image` log field is mapped to the `principal.process.file.full_path` UDM field.
`SourceImage`	`principal.process.file.full_path`	If the `EventID` log field value contain one of the following values: `8` `10` then, `SourceImage` log field is mapped to the `principal.process.file.full_path` UDM field.
`ParentImage`	`principal.process.file.full_path`	If the `EventID` log field value is equal to `1` then, `ParentImage` log field is mapped to the `principal.process.file.full_path` UDM field.
`ProcessId`	`principal.process.pid`	If the `EventID` log field value contain one of the following values: `2` `3` `7` `9` `11` `12` `13` `14` `15` `22` `23` `24` `25` `26` and if the `ExecutionProcessID` log field value is not empty then, `ExecutionProcessID` log field is mapped to the `principal.process.pid` UDM field. Else `ProcessId` log field is mapped to the `principal.process.pid` UDM field.
`SourceProcessId`	`principal.process.pid`	If the `EventID` log field value is equal to `8` then, `SourceProcessId` log field is mapped to the `principal.process.pid` UDM field.
`ParentProcessId`	`principal.process.pid`	If the `EventID` log field value is equal to `1` then, `ParentProcessId` log field is mapped to the `principal.process.pid` UDM field.
`ProcessID`	`observer.process.pid`
`ProcessGuid`	`principal.process.product_specific_process_id`	If the `EventID` log field value contain one of the following values: `2` `3` `5` `7` `9` `11` `12` `13` `14` `15` `22` `23` `26` then, `principal.process.product_specific_process_id` UDM field is set to `SYSMON:%{ProcessGuid}`.
`ParentProcessGuid`	`principal.process.product_specific_process_id`	If the `EventID` log field value is equal to `1` then, `principal.process.product_specific_process_id` UDM field is set to `SYSMON:%{ParentProcessGuid}`.
`SourceProcessGuid`	`principal.process.product_specific_process_id`	If the `EventID` log field value is equal to `8` then, `principal.process.product_specific_process_id` UDM field is set to `SYSMON:%{SourceProcessGuid}`.
`SourceProcessGUID`	`principal.process.product_specific_process_id`	If the `EventID` log field value is equal to `10` then, `principal.process.product_specific_process_id` UDM field is set to `SYSMON:%{SourceProcessGUID}`.
`User`	`principal.user.userid`	The `principal_user_userid` and `principal_administrative_domain` fields are extracted from `User` log field using the Grok pattern. If the `EventID` log field value is not equal to `24` and if the `principal_user_userid` log field value is not empty and the `User` log field value is not empty then, `principal_user_userid` extracted field is mapped to the `principal.user.userid` UDM field.
`ClientInfo`	`principal.user.userid`	The `host` and `user_id` fields are extracted from `ClientInfo` log field using the Grok pattern. If the `EventID` log field value is equal to `24` and if the `user_id` log field value is not empty and the `ClientInfo` log field value is not empty then, `user_id` extracted field is mapped to the `principal.user.userid` UDM field. Else `ClientInfo` log field is mapped to the `principal.user.userid` UDM field.
`AccountName`	`principal.user.userid`	The `principal_user_userid` and `principal_administrative_domain` fields are extracted from `User` log field using the Grok pattern. If the `EventID` log field value is not equal to `24` and if the `principal_user_userid` log field value is not empty and the `User` log field value is not empty then, `principal_user_userid` extracted field is mapped to the `principal.user.userid` UDM field. Else `AccountName` log field is mapped to the `principal.user.userid` UDM field.
`SourceUser`	`principal.user.userid`
`UserID`	`principal.user.windows_sid`
`Description`	`security_result.description`	If the `EventID` log field value is equal to `255` and if the `Description` log field value is not equal to `-` then, `Description` log field is mapped to the `security_result.description` UDM field.
`RuleName`	`security_result.rule_name`
`EventID`	`security_result.rule_name`	The `security_result.rule_name` UDM field is set to `EventID: %{EventID}`.
	`security_result.severity`	If the `Level` log field value contain one of the following values: `0` `3` `4` or the `Level` log field value is equal to `Information` then, the `security_result.severity` UDM field is set to `INFORMATIONAL`. Else, If `Level` log field value is equal to `2` or the `Level` log field value is equal to `Error` then, the `security_result.severity` UDM field is set to `ERROR`. If the `SeverityValue` log field value does not contain one of the following values: `Empty` `-` and if the `SeverityValue` log field value contain one of the following values: `1` `2` `3` then, the `security_result.severity` UDM field is set to `INFORMATIONAL`. Else, if `SeverityValue` log field value is equal to `4` then, the `security_result.severity` UDM field is set to `ERROR`. Else, if `SeverityValue` log field value is equal to `5` then, the `security_result.severity` UDM field is set to `CRITICAL`.
`Category`	`about.labels[Category ID]`	The `category_id` and `category_tag` fields are extracted from `Category` log field using the Grok pattern. `category_id` extracted field is mapped to the `about.labels.Category ID` UDM field.
`QueryStatus`	`security_result.summary`	If the `EventID` log field value is equal to `22` then, the `security_result.summary` UDM field is set to `QueryStatus: %{QueryStatus}`.
`ID`	`security_result.summary`	If the `EventID` log field value is equal to `255` then, `ID` log field is mapped to the `security_result.summary` UDM field.
`Category`	`security_result.summary`	The `category_id` and `category_tag` fields are extracted from `Category` log field using the Grok pattern. If the `category_id` log field value is not empty then, `category_tag` extracted field is mapped to the `security_result.summary` UDM field. Else `Category` log field is mapped to the `security_result.summary` UDM field.
`CurrentDirectory`	`additional.fields[current_directory]`	If the `EventID` log field value is equal to `1` then, `CurrentDirectory` log field is mapped to the `additional.fields.current_directory` UDM field.
`OriginalFileName`	`src.file.full_path`	If the `EventID` log field value is equal to `1` then, `OriginalFileName` log field is mapped to the `src.file.full_path` UDM field.
`TargetObject`	`src.registry.registry_key`	If the `EventID` log field value is equal to `14` then, `TargetObject` log field is mapped to the `src.registry.registry_key` UDM field.
`Name`	`target.application`	If the `EventID` log field value is equal to `19` then, `Name` log field is mapped to the `target.application` UDM field. If the `EventID` log field value is equal to `255` then, the `target.application` UDM field is set to `Microsoft Sysmon`.
`Description`	`target.asset.software.description`	If the `EventID` log field value contain one of the following values: `1` `7` and if the `Description` log field value is not equal to `-` then, `Description` log field is mapped to the `target.asset.software.description` UDM field.
`Product`	`target.asset.software.name`	If the `EventID` log field value contain one of the following values: `1` `7` and if the `Product` log field value is not equal to `-` then, `Product` log field is mapped to the `target.asset.software.name` UDM field.
`Company`	`target.asset.software.vendor_name`	If the `EventID` log field value contain one of the following values: `1` `7` and if the `Company` log field value is not equal to `-` then, `Company` log field is mapped to the `target.asset.software.vendor_name` UDM field.
`FileVersion`	`target.asset.software.version`	If the `EventID` log field value contain one of the following values: `1` `7` and if the `FileVersion` log field value is not equal to `-` then, `FileVersion` log field is mapped to the `target.asset.software.version` UDM field.
`EventNamespace`	`target.file.full_path`	If the `EventID` log field value is equal to `19` then, `EventNamespace` log field is mapped to the `target.file.full_path` UDM field.
`Device`	`target.file.full_path`	If the `EventID` log field value is equal to `9` then, `Device` log field is mapped to the `target.file.full_path` UDM field.
`TargetFilename`	`target.file.full_path`	If the `EventID` log field value contain one of the following values: `2` `11` `15` `23` `26` then, `TargetFilename` log field is mapped to the `target.file.full_path` UDM field.
`DestinationHostname`	`target.asset.hostname`	If the `EventID` log field value is equal to `3` then, `DestinationHostname` log field is mapped to the `target.asset.hostname` UDM field.
`ClientInfo`	`target.asset.hostname`	The `host` and `user_id` fields are extracted from `ClientInfo` log field using the Grok pattern. The `target_ip` and `host` fields are extracted from `ClientInfo` log field using the Grok pattern. If the `EventID` log field value is equal to `24` then, `host` extracted field is mapped to the `target.asset.hostname` UDM field.
`DestinationHostname`	`target.hostname`	If the `EventID` log field value is equal to `3` then, `DestinationHostname` log field is mapped to the `target.hostname` UDM field.
`ClientInfo`	`target.hostname`	The `host` and `user_id` fields are extracted from `ClientInfo` log field using the Grok pattern. The `target_ip` and `host` fields are extracted from `ClientInfo` log field using the Grok pattern. If the `EventID` log field value is equal to `24` then, `host` extracted field is mapped to the `target.hostname` UDM field.
`ClientInfo`	`target.ip`	The `target_ip` and `host` fields are extracted from `ClientInfo` log field using the Grok pattern. If the `EventID` log field value is equal to `24` then, `target_ip` extracted field is mapped to the `target.ip` UDM field.
`DestinationIp`	`target.ip`	If the `EventID` log field value is equal to `3` then, `DestinationIp` log field is mapped to the `target.ip` UDM field.
`DestinationPort`	`target.port`	If the `EventID` log field value is equal to `3` then, `DestinationPort` log field is mapped to the `target.port` UDM field.
`CommandLine`	`target.process.command_line`	If the `EventID` log field value is equal to `1` then, `CommandLine` log field is mapped to the `target.process.command_line` UDM field.
`Configuration`	`target.process.command_line`	If the `EventID` log field value is equal to `16` and if the `ConfigurationFileHash` log field value contain one of the following values: `Empty` `-` then, `Configuration` log field is mapped to the `target.process.command_line` UDM field.
`ImageLoaded`	`target.process.file.full_path`	If the `EventID` log field value is equal to `7` then, `ImageLoaded` log field is mapped to the `target.process.file.full_path` UDM field.
`TargetImage`	`target.process.file.full_path`	If the `EventID` log field value contain one of the following values: `8` `10` then, `TargetImage` log field is mapped to the `target.process.file.full_path` UDM field.
`Image`	`target.process.file.full_path`	If the `EventID` log field value contain one of the following values: `1` `5` `17` `18` `24` `25` then, `Image` log field is mapped to the `target.process.file.full_path` UDM field.
`Configuration`	`target.process.file.full_path`	If the `EventID` log field value is equal to `16` and if the `ConfigurationFileHash` log field value does not contain one of the following values: `Empty` `-` then, `Configuration` log field is mapped to the `target.process.file.full_path` UDM field.
`Hashes`	`target.process.file.md5`	The KV filter is used to extract the `MD5` from the `Hashes` log field. If the `EventID` log field value contain one of the following values: `1` `6` `7` `15` `16` `23` `24` `26` then, `MD5` extracted field is mapped to the `target.process.file.md5` UDM field.
`Hash`	`target.process.file.md5`	The KV filter is used to extract the `MD5` from the `Hashe` log field. If the `EventID` log field value contain one of the following values: `1` `6` `7` `15` `16` `23` `24` `26` then, `MD5` extracted field is mapped to the `target.process.file.md5` UDM field.
`ConfigurationFileHash`	`target.process.file.md5`	The KV filter is used to extract the `MD5` from the `ConfigurationFileHash` log field. If the `EventID` log field value contain one of the following values: `1` `6` `7` `15` `16` `23` `24` `26` then, `MD5` extracted field is mapped to the `target.process.file.md5` UDM field.
`Hashes`	`target.process.file.sha1`	The KV filter is used to extract the `SHA1` from the `Hashes` log field. If the `EventID` log field value contain one of the following values: `1` `6` `7` `15` `16` `23` `24` `26` then, `SHA1` extracted field is mapped to the `target.process.file.sha1` UDM field.
`Hash`	`target.process.file.sha1`	The KV filter is used to extract the `SHA1` from the `Hash` log field. If the `EventID` log field value contain one of the following values: `1` `6` `7` `15` `16` `23` `24` `26` then, `SHA1` extracted field is mapped to the `target.process.file.sha1` UDM field.
`ConfigurationFileHash`	`target.process.file.sha1`	The KV filter is used to extract the `SHA1` from the `ConfigurationFileHash` log field. If the `EventID` log field value contain one of the following values: `1` `6` `7` `15` `16` `23` `24` `26` then, `SHA1` extracted field is mapped to the `target.process.file.sha1` UDM field.
`Hashes`	`target.process.file.sha256`	The KV filter is used to extract the `SHA256` from the `Hashes` log field. If the `EventID` log field value contain one of the following values: `1` `6` `7` `15` `16` `23` `24` `26` then, `SHA256` extracted field is mapped to the `target.process.file.sha256` UDM field.
`Hash`	`target.process.file.sha256`	The KV filter is used to extract the `SHA256` from the `Hash` log field. If the `EventID` log field value contain one of the following values: `1` `6` `7` `15` `16` `23` `24` `26` then, `SHA256` extracted field is mapped to the `target.process.file.sha256` UDM field.
`ConfigurationFileHash`	`target.process.file.sha256`	The KV filter is used to extract the `SHA256` from the `ConfigurationFileHash` log field. If the `EventID` log field value contain one of the following values: `1` `6` `7` `15` `16` `23` `24` `26` then, `SHA256` extracted field is mapped to the `target.process.file.sha256` UDM field.
`Hashes`	`target.process.file.file_metadata.pe.import_hash`	The KV filter is used to extract the `IMPHASH` from the `Hashes` log field. `IMPHASH` extracted field is mapped to the `target.process.file.file_metadata.pe.import_hash` UDM field.
`Hash`	`target.process.file.file_metadata.pe.import_hash`	The KV filter is used to extract the `IMPHASH` from the `Hash` log field. `IMPHASH` extracted field is mapped to the `target.process.file.file_metadata.pe.import_hash` UDM field.
`ConfigurationFileHash`	`target.process.file.file_metadata.pe.import_hash`	The KV filter is used to extract the `IMPHASH` from the `ConfigurationFileHash` log field. `IMPHASH` extracted field is mapped to the `target.process.file.file_metadata.pe.import_hash` UDM field.
`TargetProcessId`	`target.process.pid`	If the `EventID` log field value contain one of the following values: `8` `10` then, `TargetProcessId` log field is mapped to the `target.process.pid` UDM field.
`ProcessId`	`target.process.pid`	If the `EventID` log field value contain one of the following values: `1` `5` `16` `17` `18` and if the `ExecutionProcessID` log field value is not empty then, `ExecutionProcessID` log field is mapped to the `target.process.pid` UDM field. Else `ProcessId` log field is mapped to the `target.process.pid` UDM field.
`ProcessID`	`target.process.pid`	If the `EventID` log field value contain one of the following values: `1` `5` `16` `17` `18` and if the `ExecutionProcessID` log field value is not empty then, `ExecutionProcessID` log field is mapped to the `target.process.pid` UDM field. Else `ProcessID` log field is mapped to the `target.process.pid` UDM field.
`TargetProcessGuid`	`target.process.product_specific_process_id`	If the `EventID` log field value is equal to `8` then, the `target.process.product_specific_process_id` UDM field is set to `SYSMON:%{TargetProcessGuid}`.
`TargetProcessGUID`	`target.process.product_specific_process_id`	If the `EventID` log field value is equal to `10` then, the `target.process.product_specific_process_id` UDM field is set to `SYSMON:%{TargetProcessGUID}`.
`ProcessGuid`	`target.process.product_specific_process_id`	If the `EventID` log field value contain one of the following values: `1` `17` `18` `24` `25` then, the `target.process.product_specific_process_id` UDM field is set to `SYSMON:%{ProcessGuid}`.
`NewName`	`target.registry.registry_key`	If the `EventID` log field value is equal to `14` then, `NewName` log field is mapped to the `target.registry.registry_key` UDM field.
`TargetObject`	`target.registry.registry_key`	If the `EventID` log field value contain one of the following values: `12` `13` then, `TargetObject` log field is mapped to the `target.registry.registry_key` UDM field.
`Details`	`target.registry.registry_value_data`	If the `EventID` log field value is equal to `13` then, `Details` log field is mapped to the `target.registry.registry_value_data` UDM field.
`PreviousCreationUtcTime`	`target.resource.attribute.labels.key[PreviousCreationUtcTime]`	If the `EventID` log field value is equal to `2` then, `PreviousCreationUtcTime` log field is mapped to the `target.resource.attribute.labels` UDM field.
`Archived`	`target.resource.attribute.labels[Archived]`	If the `EventID` log field value contain one of the following values: `23` `24` then, `Archived` log field is mapped to the `target.resource.attribute.labels` UDM field.
`Consumer`	`target.resource.attribute.labels[Consumer]`	If the `EventID` log field value is equal to `21` then, `Consumer` log field is mapped to the `target.resource.attribute.labels` UDM field.
`CreationUtcTime`	`target.resource.attribute.labels[CreationUtcTime]`	If the `EventID` log field value contain one of the following values: `2` `15` then, `CreationUtcTime` log field is mapped to the `target.resource.attribute.labels` UDM field.
`IsExecutable`	`target.resource.attribute.labels[IsExecutable]`	If the `EventID` log field value contain one of the following values: `23` `26` then, `IsExecutable` log field is mapped to the `target.resource.attribute.labels` UDM field.
`Name`	`target.resource.attribute.labels[Name]`	If the `EventID` log field value is equal to `20` then, `Name` log field is mapped to the `target.resource.attribute.labels` UDM field.
`Operation`	`target.resource.attribute.labels[Operation]`	If the `EventID` log field value contain one of the following values: `19` `20` `21` then, `Operation` log field is mapped to the `target.resource.attribute.labels` UDM field.
`Signature`	`target.resource.attribute.labels[Signature]`	If the `EventID` log field value contain one of the following values: `6` `7` then, `Signature` log field is mapped to the `target.resource.attribute.labels` UDM field.
`SignatureStatus`	`target.resource.attribute.labels[SignatureStatus]`	If the `EventID` log field value contain one of the following values: `6` `7` then, `SignatureStatus` log field is mapped to the `target.resource.attribute.labels` UDM field.
`Signed`	`target.resource.attribute.labels[Signed]`	If the `EventID` log field value contain one of the following values: `6` `7` then, `Signed` log field is mapped to the `target.resource.attribute.labels` UDM field.
`Type`	`target.resource.attribute.labels[Type]`	If the `EventID` log field value is equal to `20` then, `Type` log field is mapped to the `target.resource.attribute.labels` UDM field.
`Type`	`additional.fields[Type]`	If the `EventID` log field value is equal to `25` then, `Type` log field is mapped to the `additional.fields` UDM field.
`State`	`target.resource.name`	If the `EventID` log field value is equal to `4` then, `State` log field is mapped to the `target.resource.name` UDM field.
`CreationUtcTime`	`target.resource.name`	If the `EventID` log field value is equal to `11` then, `CreationUtcTime` log field is mapped to the `target.resource.name` UDM field.
`PipeName`	`target.resource.name`	If the `EventID` log field value contain one of the following values: `17` `18` then, `PipeName` log field is mapped to the `target.resource.name` UDM field.
`Filter`	`target.resource.name`	If the `EventID` log field value is equal to `21` then, `Filter` log field is mapped to the `target.resource.name` UDM field.
`Destination`	`target.resource.name`	If the `EventID` log field value is equal to `20` then, `Destination` log field is mapped to the `target.resource.name` UDM field.
`Query`	`target.resource.name`	If the `EventID` log field value is equal to `19` then, `Query` log field is mapped to the `target.resource.name` UDM field.
`GrantedAccess`	`target.resource.name`	If the `EventID` log field value is equal to `10` and if the `GrantedAccess` log field value matches the regular expression pattern `^0x0080$` then, the `target.resource.name` UDM field is set to `PROCESS_CREATE_PROCESS`. Else, If the `GrantedAccess` log field value matches the regular expression pattern `^0x0002$` then, the `target.resource.name` UDM field is set to `PROCESS_CREATE_THREAD`. Else, If the `GrantedAccess` log field value matches the regular expression pattern `^0x0040$` then, the `target.resource.name` UDM field is set to `PROCESS_DUP_HANDLE`. Else, If the `GrantedAccess` log field value matches the regular expression pattern `^0x0400$` then, the `target.resource.name` UDM field is set to `PROCESS_QUERY_INFORMATION`. Else, If the `GrantedAccess` log field value matches the regular expression pattern `^0x1000$` then, the `target.resource.name` UDM field is set to `PROCESS_QUERY_LIMITED_INFORMATION`. Else, If the `GrantedAccess` log field value matches the regular expression pattern `^0x0200$` then, the `target.resource.name` UDM field is set to `PROCESS_SET_INFORMATION`. Else, If the `GrantedAccess` log field value matches the regular expression pattern `^0x0100$` then, the `target.resource.name` UDM field is set to `PROCESS_SET_QUOTA`. Else, If the `GrantedAccess` log field value matches the regular expression pattern `^0x0800$` and if the `GrantedAccess` log field value matches the regular expression pattern `^0x0001$` then, the `target.resource.name` UDM field is set to `PROCESS_TERMINATE`. Else, If the `GrantedAccess` log field value matches the regular expression pattern `^0x0008$` then, the `target.resource.name` UDM field is set to `PROCESS_VM_OPERATION`. Else, If the `GrantedAccess` log field value matches the regular expression pattern `^0x0010$` then, the `target.resource.name` UDM field is set to `PROCESS_VM_READ`. Else, If the `GrantedAccess` log field value matches the regular expression pattern `^0x0020$` then, the `target.resource.name` UDM field is set to `PROCESS_VM_WRITE`. Else, If the `GrantedAccess` log field value matches the regular expression pattern `^0x00100000L$` then, the `target.resource.name` UDM field is set to `SYNCHRONIZE`.
	`target.resource.resource_type`	If the `EventID` log field value contain one of the following values: `4` `16` then, the `target.resource.resource_type` UDM field is set to `SETTING`. Else, If `EventID` log field value contain one of the following values: `17` `18` then, the `target.resource.resource_type` UDM field is set to `PIPE`.
	`target.resource.resource_subtype`	If the `EventID` log field value is equal to `11` then, the `target.resource.resource_subtype` UDM field is set to `CreationUtcTime`. Else, If `EventID` log field value is equal to `10` then, the `target.resource.resource_subtype` UDM field is set to `GrantedAccess`. Else, If `EventID` log field value is equal to `4` then, the `target.resource.resource_subtype` UDM field is set to `State`.
`TargetUser`	`target.user.userid`
	`network.direction`	If the `EventID` log field value is equal to `3` then, the `network.direction` UDM field is set to `OUTBOUND`.
	`security_result.action`	If the `EventID` log field value is equal to `3` then, the `security_result.action` UDM field is set to `ALLOW`.
`ProviderGuid`	`observer.asset_id`	`ProviderGuid` log field is mapped to the `observer.asset_id` UDM field.
`Keywords`	`additional.fields[Keywords]`
`ThreadID`	`additional.fields[thread_id]`
`ThreadID`	`additional.fields[ThreadID]`
`Channel`	`additional.fields[channel]`
`Opcode`	`additional.fields[Opcode]`
`LogonId`	`principal.network.session_id`
`LogonGuid`	`additional.fields[LogonGuid]`
`TerminalSessionId`	`additional.fields[TerminalSessionId]`
`SourcePortName`	`additional.fields[SourcePortName]`
`SourceIsIpv6`	`additional.fields[SourceIsIpv6]`
`DestinationPortName`	`additional.fields[DestinationPortName]`
`DestinationIsIpv6`	`additional.fields[DestinationIsIpv6]`
`Initiated`	`additional.fields[Initiated]`
`SchemaVersion`	`additional.fields[SchemaVersion]`
`CallTrace`	`additional.fields[CallTrace]`
	`network.application_protocol`	If the `EventID` log field value is equal to `22` then, the `network.application_protocol` UDM field is set to `DNS`.
`NewThreadId`	`additional.fields[NewThreadId]`
`StartAddress`	`additional.fields[StartAddress]`
`StartFunction`	`additional.fields[StartFunction]`
`StartModule`	`additional.fields[StartModule]`
`ParentUser`	`additional.fields[ParentUser]`
`IntegrityLevel`	`target.process.integrity_level_rid`	If the `EventID` log field value contain one of the following values: `18` `17` `16` `5` `4` `1` and if the `IntegrityLevel` log field value matches the regular expression pattern `(?i)(Untrusted)` then, the `target.process.integrity_level_rid` UDM field is set to `0`. Else, if `IntegrityLevel` log field value matches the regular expression pattern `(?i)(Low)` then, the `target.process.integrity_level_rid` UDM field is set to `4096`. Else, if `IntegrityLevel` log field value matches the regular expression pattern `(?i)(Medium)` then, the `target.process.integrity_level_rid` UDM field is set to `8192`. Else, if `IntegrityLevel` log field value matches the regular expression pattern `(?i)(High)` then, the `target.process.integrity_level_rid` UDM field is set to `12288`. Else, if `IntegrityLevel` log field value matches the regular expression pattern `(?i)(System)` then, the `target.process.integrity_level_rid` UDM field is set to `16384`. Else, if `IntegrityLevel` log field value matches the regular expression pattern `(?i)(Protected)` then, the `target.process.integrity_level_rid` UDM field is set to `20480`.
`IntegrityLevel`	`principal.process.integrity_level_rid`	If the `EventID` log field value does not contain one of the following values: `18` `17` `16` `5` `4` `1` and if the `IntegrityLevel` log field value matches the regular expression pattern `(?i)(Untrusted)` then, the `principal.process.integrity_level_rid` UDM field is set to `0`. Else, if `IntegrityLevel` log field value matches the regular expression pattern `(?i)(Low)` then, the `principal.process.integrity_level_rid` UDM field is set to `4096`. Else, if `IntegrityLevel` log field value matches the regular expression pattern `(?i)(Medium)` then, the `principal.process.integrity_level_rid` UDM field is set to `8192`. Else, if `IntegrityLevel` log field value matches the regular expression pattern `(?i)(High)` then, the `principal.process.integrity_level_rid` UDM field is set to `12288`. Else, if `IntegrityLevel` log field value matches the regular expression pattern `(?i)(System)` then, the `principal.process.integrity_level_rid` UDM field is set to `16384`. Else, if `IntegrityLevel` log field value matches the regular expression pattern `(?i)(Protected)` then, the `principal.process.integrity_level_rid` UDM field is set to `20480`.
`Computer`	`additional.fields[Computer]`	If the `HostName` log field value is not empty or the `Hostname` log field value is not empty then, `Computer` log field is mapped to the `additional.fields.Computer` UDM field.
`Task`	`security_result.summary`