Diese Seite wurde von der Cloud Translation API übersetzt.

Microsoft Windows Sysmon-Daten erfassen

Unterstützt in:

Google SecOps SIEM

In diesem Dokument wird Folgendes beschrieben:

beschreibt die Bereitstellungsarchitektur und die Installationsschritte sowie alle erforderlichen Konfigurationen, die von Google Security Operations unterstützte Logs generieren Parser für Microsoft Windows Sysmon-Ereignisse. Überblick über Google Security Operations-Daten Datenaufnahme in Google Security Operations
enthält Informationen dazu, wie der Parser Felder im ursprünglichen Log den Feldern des einheitlichen Datenmodells von Google Security Operations zuordnet.

Die Informationen in diesem Dokument gelten für den Parser mit dem Aufnahmelabel WINDOWS_SYSMON. Das Aufnahmelabel gibt an, welcher Parser die Logrohdaten in das strukturierte UDM-Format normalisiert.

Hinweise

Empfohlene Bereitstellungsarchitektur ansehen

Dieses Diagramm stellt die empfohlenen Kernkomponenten in einer Bereitstellung dar. Architektur zum Erfassen und Senden von Microsoft Windows Sysmon-Daten an Google Security Operations Vergleichen Sie diese Informationen mit Ihrer Umgebung, um sicherzustellen, dass diese Komponenten installiert haben. Jede Kundenbereitstellung unterscheidet sich von dieser Darstellung und kann komplexer sind. Folgendes ist erforderlich:

Die Systeme in der Bereitstellungsarchitektur sind mit der Zeitzone UTC konfiguriert.
Sysmon ist auf Servern, Endpunkten und Domaincontrollern installiert.
Der Collector Microsoft Windows Server empfängt Protokolle von Servern, Endpunkten, und Domaincontrollern.
Microsoft Windows-Systeme in der Bereitstellungsarchitektur verwenden Folgendes:
- Von Quelle initiierte Abos, um Ereignisse in auf mehreren Geräten.
- WinRM-Dienst für die Remote-Systemverwaltung.
NXLog ist auf dem Collector-Window-Server installiert, um Protokolle an Google Security Operations-Weiterleitung
Der Google Security Operations-Forwarder ist auf einem zentralen Microsoft Windows-Server oder Linux-Server installiert.

Hinweis: Wenn Sie den Linux-Forwarder von Google Security Operations bereitstellen, ist der zentrale Linux-Server und Collector-Microsoft Windows-Server sind unterschiedliche Systeme. Wenn Sie den Google Security Operations-Weiterleiter für Microsoft Windows bereitstellen, können der zentrale Microsoft Windows-Server und der Microsoft Windows-Server des Collectors dasselbe System sein.

Unterstützte Geräte und Versionen ansehen

Der Google Security Operations-Parser unterstützt Protokolle, die von den folgenden Microsoft Windows-Serverversionen generiert wurden. Microsoft Windows Server wird mit den folgenden Versionen veröffentlicht: „Foundation“, „Essentials“, „Standard“ und „Datacenter“. Das Ereignisschema von Logs die von den einzelnen Versionen erstellt wurden.

Microsoft Windows Server 2019
Microsoft Windows Server 2016
Microsoft Windows Server 2012

Der Google Security Operations-Parser unterstützt Logs, die generiert wurden durch:

Clientsysteme von Microsoft Windows 7 und höher
Sysmon-Version 13.24.

Der Google Security Operations-Parser unterstützt Logs, die von der NXLog Community oder Enterprise erfasst wurden Version.

Unterstützte Logtypen prüfen

Der Google Security Operations-Parser unterstützt die folgenden Protokolltypen, die von Microsoft Windows Sysmon generiert werden. Weitere Informationen zu diesen Logtypen finden Sie in der Microsoft Windows Sysmon-Dokumentation Sie unterstützt Protokolle, die mit englischsprachigem Text generiert wurden, und wird nicht unterstützt mit nicht englischsprachige Protokolle erstellt wurden.

Logtyp	Beschreibung
Sysmon-Protokolle	Der Sysmon-Kanal enthält 27 Ereignis-IDs. (Ereignis-ID: 1 bis 26 und 255). Eine Beschreibung dieses Protokolltyps finden Sie in der Microsoft Windows Sysmon Events-Dokumentation

Microsoft Windows-Server, ‑Endpunkte und ‑Domaincontroller konfigurieren

Server, Endpunkte und Domaincontroller installieren und konfigurieren Weitere Informationen finden Sie unter Microsoft Windows Sysmon Configuration-Dokumentation
Collector für Microsoft Windows Server einrichten, um die gesammelten Logs von mehrere Systeme.
Zentralen Microsoft Windows- oder Linux-Server einrichten
Konfigurieren Sie alle Systeme mit der koordinierten Weltzeit UTC.
Konfigurieren Sie die Geräte so, dass Logs an den Microsoft Windows-Server des Collectors weitergeleitet werden.
- Von Quelle initiierte Abos auf Microsoft Windows-Systemen konfigurieren. Für finden Sie unter Von der Quelle initiiertes Abo einrichten
- WinRM auf Microsoft Windows-Servern und -Clients aktivieren Weitere Informationen finden Sie unter Installation und Konfiguration für die Microsoft Windows-Remoteverwaltung

BindPlane-Agent konfigurieren

Erfassen Sie die Windows-Sysmon-Protokolle mit dem BindPlane-Agent. Nach der Installation wird der BindPlane Agent-Dienst als observerIQ-Dienst in der Liste der Windows-Dienste angezeigt.

Installieren Sie den BindPlane-Agent auf dem Collector, der auf einem Windows-Server ausgeführt wird. Weitere Informationen zum Installieren des BindPlane-Agents Weitere Informationen finden Sie in der Installationsanleitung für den BindPlane-Agent.

Erstellen Sie eine Konfigurationsdatei für den BindPlane-Agenten mit folgendem Inhalt:

receivers:
  windowseventlog/sysmon:
    channel: Microsoft-Windows-Sysmon/Operational
    raw: true
processors:
  batch:

exporters:
  chronicle/winsysmon:
    endpoint: https://malachiteingestion-pa.googleapis.com
    creds: '{
    "type": "service_account",
    "project_id": "malachite-projectname",
    "private_key_id": `PRIVATE_KEY_ID`,
    "private_key": `PRIVATE_KEY`,
    "client_email":"`SERVICE_ACCOUNT_NAME`@malachite-`PROJECT_ID`.iam.gserviceaccount.com",
    "client_id": `CLIENT_ID`,
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/`SERVICSERVICE_ACCOUNT_NAME`%40malachite-`PROJECT_ID`.iam.gserviceaccount.com",
    "universe_domain": "googleapis.com"
    }'
  log_type: 'WINDOWS_SYSMON'
  override_log_type: false
  raw_log_field: body
  customer_id: `CUSTOMER_ID`

service:
  pipelines:
    logs/winsysmon:
      receivers:
        - windowseventlog/sysmon
      processors: [batch]
      exporters: [chronicle/winsysmon]

Ersetzen Sie PRIVATE_KEY_ID, PRIVATE_KEY SERVICSERVICE_ACCOUNT_NAME, PROJECT_ID, CLIENT_ID und CUSTOMER_ID durch die entsprechenden Werte aus der JSON-Datei des Dienstkontos, die Sie von der Google Cloud Platform herunterladen können. Weitere Informationen zu Dienstkontoschlüsseln finden Sie in der Dokumentation zum Erstellen und Löschen von Dienstkontoschlüsseln.
Wählen Sie zum Starten des observerIQ-Agent-Dienstes Dienste > Erweitert > den observerIQ-Dienst > aus. start (Starten).

NXLog und Google Security Operations-Forwarder konfigurieren

Installieren Sie NXLog auf dem Collector, der auf einem Windows-Server ausgeführt wird. Folgen Sie der NXLog-Dokumentation, einschließlich Informationen zum Konfigurieren von NXLog zum Erfassen von Logs von Sysmon.

Erstellen Sie eine Konfigurationsdatei für NXLog. Verwenden Sie die Methode im_msvistalog-Eingabemodul. Hier ist ein Beispiel für eine NXLog-Konfiguration. Ersetzen Sie die Werte <hostname> und <port> durch Informationen zum als Zielserver für Microsoft Windows oder Linux. Weitere Informationen finden Sie in der NXLog-Dokumentation om_tcp-Modul.

define ROOT     C:\Program Files (x86)\nxlog
define SYSMON_OUTPUT_DESTINATION_ADDRESS <hostname>
define SYSMON_OUTPUT_DESTINATION_PORT <port>
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _json>
    Module      xm_json
</Extension>

<Input windows_sysmon_eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    ReadFromLast  False
    SavePos  False
</Input>

<Output out_chronicle_sysmon>
    Module      om_tcp
    Host        %SYSMON_OUTPUT_DESTINATION_ADDRESS%
    Port        %SYSMON_OUTPUT_DESTINATION_PORT%
    Exec        $EventTime = integer($EventTime) / 1000;
    Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000;
    Exec        to_json();
</Output>

<Route r2>
    Path    windows_sysmon_eventlog => out_chronicle_sysmon
</Route>

Installieren Sie die Google Security Operations-Weiterleitung auf dem zentralen Microsoft Windows- oder Linux-Server. Informationen zum Installieren und Konfigurieren des Brokers finden Sie unter Weiterleitungsserver unter Linux installieren und konfigurieren oder Weiterleitungsserver unter Microsoft Windows installieren und konfigurieren.

Konfigurieren Sie den Google Security Operations-Forwarder so, dass Protokolle an Google Security Operations gesendet werden. Hier ist ein Beispiel für eine Forwarder-Konfiguration.

  - syslog:
      common:
        enabled: true
        data_type: WINDOWS_SYSMON
        Data_hint:
        batch_n_seconds: 10
        batch_n_bytes: 1048576
      tcp_address: 0.0.0.0:10518
      connection_timeout_sec: 60

Starten Sie den NXLog-Dienst.

Referenz für die Feldzuordnung: Felder für Geräteereignisse zu UDM-Feldern

In diesem Abschnitt wird beschrieben, wie der Parser die ursprünglichen Geräteprotokollfelder den Felder des einheitlichen Datenmodells (UDM) Die Feldzuordnung kann je nach Ereignis-ID variieren.

Allgemeine Felder

NXLog-Feld	UDM-Feld
UtcTime	metadata.event_timestamp
Kategorie	`security_result.summary` und `metadata.product_event_type`
AccountName	principal.user.userid
Domain	principal.administrative_domain
RecordNumber	metadata.product_log_id
HostName	principal.hostname
UserID	principal.user.windows_sid
SeverityValue	security_result.severity
ProcessID	observer.process.pid
ProviderGuid	observer.asset_id
LogonId	principal.network.session_id
ThreadID	`additional.fields.key` auf `thread_id` und Wert in `additional.fields.value.string_value` gespeichert
Kanal	`additional.fields.key` auf `channel` und Wert in `additional.fields.value.string_value` gespeichert
EventID	`security_result.rule_name` auf `EventID: <EventID>` gesetzt `metadata.product_event_type` auf `<Category> [<EventID>]` gesetzt

Ereignis-ID: 1

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `PROCESS_LAUNCH`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`target.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	target.process.pid
IntegrityLevel	The value for the field `target.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `target.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `target.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `target.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `target.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `target.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `target.process.integrity_level_rid` UDM field is set to `20480`
Image	target.process.file.full_path
FileVersion	target.asset.software.version
Description	target.asset.software.description
Product	target.asset.software.name
Company	target.asset.software.vendor_name
CommandLine	target.process.command_line
CurrentDirectory	`additional.fields.key` set to `current_directory` and value stored in `additional.fields.value.string_value`
User	Domain stored in `principal.administrative_domain` Username stored in `principal.user.userid`
Hashes	Based on Hash algorithm. MD5 stored in `target.process.file.md5` SHA256 stored in `target.process.file.sha256` SHA1 stored in `target.process.file.sha1`
ParentProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ParentProcessGuid>`
ParentProcessId	principal.process.pid
ParentImage	principal.process.file.full_path
ParentCommandLine	principal.process.command_line

Ereignis-ID: 2

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `FILE_MODIFICATION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
TargetFilename	target.file.full_path
CreationUtcTime	`target.resource.attribute.labels.key` set to `CreationUtcTime` and value stored in `target.resource.attribute.labels.value`
PreviousCreationUtcTime	`target.resource.attribute.labels.key` set to `PreviousCreationUtcTime` and value stored in `target.resource.attribute.labels.value`

Ereignis-ID: 3

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `NETWORK_CONNECTION` `security_result.action` set to `ALLOW` `network.direction` set to `OUTBOUND`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
User	Domain stored in `principal.administrative_domain` Username stored in `principal.user.userid`
Protocol	network.ip_protocol
SourceIp	principal.ip
SourcePort	principal.port
DestinationIp	target.ip
DestinationHostname	target.hostname
DestinationPort	target.port

Ereignis-ID: 4

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `SETTING_MODIFICATION` `target.resource.resource_type` set to `SETTING` `target.resource.resource_subtype` set to `State`
UtcTime	metadata.event_timestamp
State	target.resource.name
Version	metadata.product_version

Ereignis-ID: 5

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `PROCESS_TERMINATION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	target.process.pid
IntegrityLevel	The value for the field `target.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `target.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `target.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `target.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `target.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `target.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `target.process.integrity_level_rid` UDM field is set to `20480`
Image	target.process.file.full_path

Ereignis-ID: 6

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `PROCESS_MODULE_LOAD`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ImageLoaded	principal.process.file.full_path
Hashes	The field populated is determined by the Hash algorithm. MD5 stored in `target.process.file.md5` SHA256 stored in `target.process.file.sha256` SHA1 stored in `target.process.file.sha1`
Signed	`target.resource.attribute.labels.key` set to `Signed` and value set to `target.resource.attribute.labels.value`
Signature	`target.resource.attribute.labels.key` set to `Signature` and value stored in `target.resource.attribute.labels.value`
SignatureStatus	`target.resource.attribute.labels.key` set to `SignatureStatus` and value stored in `target.resource.attribute.labels.value`

Ereignis-ID: 7

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `PROCESS_MODULE_LOAD`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
ImageLoaded	target.process.file.full_path
FileVersion	target.asset.software.version
Description	target.asset.software.description
Product	target.asset.software.name
Company	target.asset.software.vendor_name
Hashes	The field populated is determined by the Hash algorithm. MD5 stored in `target.process.file.md5` SHA256 stored in `target.process.file.sha256` SHA1 stored in `target.process.file.sha1`
Signed	`target.resource.attribute.labels.key` set to `Signed` and value stored in `target.resource.attribute.labels.value`
Signature	`target.resource.attribute.labels.key` set to `Signature` Signature value in `target.resource.attribute.labels.value`
SignatureStatus	`target.resource.attribute.labels.key` set to `SignatureStatus` and value stored in `target.resource.attribute.labels.value`

Ereignis-ID: 8

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `PROCESS_MODULE_LOAD`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
SourceProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<SourceProcessGuid>`
SourceProcessId	principal.process.pid
SourceImage	principal.process.file.full_path
TargetProcessGuid	`target.process.product_specific_process_id` set to `SYSMON:<TargetProcessGuid>`
TargetProcessId	target.process.pid
TargetImage	target.process.file.full_path

Ereignis-ID: 9

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `FILE_READ` If the `Device` log field, which is required to validate the `FILE_READ` UDM event type, is not available, then `metadata.event_type` is set to `GENERIC_EVENT`.
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
Device	target.file.full_path

Ereignis-ID: 10

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `PROCESS_OPEN` `target.resource.resource_subtype` set to `GrantedAccess`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
SourceProcessGUID	`principal.process.product_specific_process_id` set to `SYSMON:<SourceProcessGUID>`
SourceProcessId	principal.process.pid
SourceImage	principal.process.file.full_path
TargetProcessGUID	`target.process.product_specific_process_id` set to `SYSMON:<TargetProcessGUID>`
TargetProcessId	target.process.pid
TargetImage	target.process.file.full_path
GrantedAccess	target.resource.name

Ereignis-ID: 11

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `FILE_CREATION` `target.resource.resource_subtype` set to `CreationUtcTime`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
TargetFilename	target.file.full_path
CreationUtcTime	target.resource.name

Ereignis-ID: 12

NXLog-Feld	UDM-Feld
	If the Message the field contains `CreateKey\|CreateValue`, then `metadata.event_type` set to `REGISTRY_CREATION` If the Message field contains `DeleteKey\|DeleteValue`, then `metadata.event_type` set to `REGISTRY_DELETION` Otherwise, `metadata.event_type` set to `REGISTRY_MODIFICATION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
TargetObject	target.registry.registry_key

Ereignis-ID: 13

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `REGISTRY_MODIFICATION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
TargetObject	target.registry.registry_key
Details	target.registry.registry_value_data

Ereignis-ID: 14

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `REGISTRY_MODIFICATION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
TargetObject	src.registry.registry_key
NewName	target.registry.registry_key

Ereignis-ID: 15

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `FILE_CREATION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
TargetFilename	target.file.full_path
CreationUtcTime	`target.resource.attribute.labels.key` set to `CreationUtcTime` and value stored in `target.resource.attribute.labels.value`
Hash	The field populated is determined by the Hash algorithm. If MD5, the value is stored in `target.process.file.md5` If SHA256 set to the value is stored in `target.process.file.sha256` If SHA1, the value is stored in `target.process.file.sha1`

Ereignis-ID: 16

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `SETTING_MODIFICATION`
UtcTime	metadata.event_timestamp
ProcessID	target.process.pid
Configuration	The value is stored in `target.process.command_line` when this field value contains any command line or process The value is stored in `target.process.file.full_path` when this field value contains the configuration file path.
ConfigurationFileHash	The field populated is determined by the Hash algorithm. If MD5, the value is stored in `target.process.file.md5` If SHA256 set to the value is stored in `target.process.file.sha256` If SHA1, the value is stored in `target.process.file.sha1`

Ereignis-ID: 17

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `PROCESS_UNCATEGORIZED` `target.resource.resource_type` set to `PIPE`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`target.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	target.process.pid
IntegrityLevel	The value for the field `target.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `target.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `target.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `target.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `target.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `target.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `target.process.integrity_level_rid` UDM field is set to `20480`
PipeName	target.resource.name
Image	target.process.file.full_path

Ereignis-ID: 18

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `PROCESS_UNCATEGORIZED` `target.resource.resource_type` set to `PIPE`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`target.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	target.process.pid
IntegrityLevel	The value for the field `target.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `target.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `target.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `target.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `target.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `target.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `target.process.integrity_level_rid` UDM field is set to `20480`
PipeName	target.resource.name
Image	target.process.file.full_path

Ereignis-ID: 19

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `USER_RESOURCE_ACCESS`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
Operation
User	The Domain is stored in `principal.administrative_domain` The Username is stored in `principal.user.userid`
EventNamespace	target.file.full_path
Name	target.application
Query	target.resource.name

Ereignis-ID: 20

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `USER_RESOURCE_ACCESS`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
Operation	`target.resource.attribute.labels.key` set to `Operation` and the value is stored in `target.resource.attribute.labels.value`
User	The domain is stored in `principal.administrative_domain` The Username is stored in `principal.user.userid`
Name	`target.resource.attribute.labels.key` set to `Name` Name value in `target.resource.attribute.labels.value`
Type	`target.resource.attribute.labels.key` set to `Type` and the value is stored in `target.resource.attribute.labels.value`
Destination	target.resource.name

Ereignis-ID: 21

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `USER_RESOURCE_ACCESS`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
Operation	`target.resource.attribute.labels.key` set to `Operation` and the value is stored in `target.resource.attribute.labels.value`
User	The domain is stored in `principal.administrative_domain` The username is stored in `principal.user.userid`
Consumer	`target.resource.attribute.labels.key` set to `Consumer` and the value is stored in `target.resource.attribute.labels.value`
Filter	target.resource.name

Ereignis-ID: 22

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `NETWORK_DNS` `network.application_protocol` set to `DNS`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
QueryName	network.dns.questions
QueryStatus	Stored in `security_result.summary` as `Query Status: <QueryStatus>`
QueryResults	Type is saved to `network.dns.answers.type` with values separated by a semicolon (;) Data is saved to `network.dns.answers.data` Values that do not have type are mapped to `network.dns.answers.data`.
Image	principal.process.file.full_path

Ereignis-ID: 23

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `FILE_DELETION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
User	Domain stored into `principal.administrative_domain` Username stored in `principal.user.userid`
Image	principal.process.file.full_path
TargetFilename	target.file.full_path
Hashes	The field populated is determined by the Hash algorithm. MD5 set to `target.process.file.md5` SHA256 set to `target.process.file.sha256` SHA1 set to `target.process.file.sha1`
IsExecutable	Field `target.resource.attribute.labels.key` set to `IsExecutable` and the value is stored in `target.resource.attribute.labels.value`
Archived	`target.resource.attribute.labels.key` set to `Archived` and the value is stored in `target.resource.attribute.labels.value`

Ereignis-ID: 24

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `RESOURCE_READ`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`target.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	target.process.file.full_path target.resource.name
ClientInfo	ip stored in `target.ip` hostname stored in `target.hostname` user stored in `principal.user.userid`
Hashes	The field populated is determined by the Hash algorithm. If MD5, value stored in `target.process.file.md5` If SHA256, value stored in `target.process.file.sha256` If SHA1, value stored in `target.process.file.sha1`
Archived	`target.resource.attribute.labels.key` set to `Archived` and value stored in `target.resource.attribute.labels.value`

Ereignis-ID: 25

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `PROCESS_LAUNCH`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`target.process.product_specific_process_id` stored as `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	target.process.file.full_path

Ereignis-ID: 26

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `FILE_DELETION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<%{ProcessGuid}>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
User	Domain set to `principal.administrative_domain` Username set to `principal.user.userid`
Image	principal.process.file.full_path
TargetFilename	target.file.full_path
Hashes	Based on Hash algorithm. MD5 set to `target.process.file.md5` SHA256 set to `target.process.file.sha256` SHA1 set to `target.process.file.sha1`
IsExecutable	`target.resource.attribute.labels.key` set to `IsExecutable` & value in `target.resource.attribute.labels.value`

Ereignis-ID: 29

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `FILE_CREATION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` is set to `SYSMON:<PROCESS_GUID>` `PROCESS_GUID` is the `ProcessGuid`. The `ProcessGuid` field is a unique value for this process across a domain to make event correlation easier.
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
User	Domain is set to `principal.administrative_domain` Username is set to `principal.user.userid`
Image	principal.process.file.full_path
TargetFilename	target.file.full_path
Hashes	Based on the hash algorithm, the following values are set: MD5 is set to `target.process.file.md5` SHA256 is set to `target.process.file.sha256` SHA1 is set to `target.process.file.sha1`

Ereignis-ID: 255

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `SERVICE_UNSPECIFIED` `metadata.product_event_type` set to `Error - [255]` `target.application` set to `Microsoft Sysmon`
UtcTime	metadata.event_timestamp
ID	security_result.summary
Description	security_result.description