Collect Microsoft Windows Sysmon data
This document:
- describes the deployment architecture, the installation steps, and all configuration required to generate logs that are supported by the Chronicle parser for Microsoft Windows Sysmon events. For an overview of data ingestion in Chronicle, see Data ingestion to Chronicle.
- provides information about how the parser maps fields in the original log to Chronicle Unified Data Model fields.
The information in this document applies to the parser with the ingestion label WINDOWS_SYSMON. The ingestion label identifies which parser normalizes raw log data into the structured UDM format.
Notes
Review the recommended deployment architecture
This diagram shows the recommended core components in a deployment architecture for collecting Microsoft Windows Sysmon data and sending it to Chronicle. Compare this information with your environment to ensure that the components are installed. Every customer deployment differs from this representation and may be more complex. The following is required:
- Systems in the deployment architecture are configured with the UTC time zone.
- Sysmon is installed on servers, endpoints, and domain controllers.
- The Microsoft Windows collector server receives logs from the servers, endpoints, and domain controllers.
Microsoft Windows systems in the deployment architecture use the following:
- Source-initiated subscriptions to collect events from multiple devices.
- The WinRM service for remote system management.
NXLog is installed on the collector Microsoft Windows server to forward logs to the Chronicle forwarder.
The Chronicle forwarder is installed on a central Microsoft Windows or Linux server.
Review supported devices and versions
The Chronicle parser supports logs generated by the following Microsoft Windows Server versions. Microsoft Windows Server is released in the following editions: Foundation, Essentials, Standard, and Datacenter. The event schema of the logs generated by each edition does not differ.
- Microsoft Windows Server 2019
- Microsoft Windows Server 2016
- Microsoft Windows Server 2012
The Chronicle parser supports logs generated by:
- Client systems running Microsoft Windows 7 and later
- Sysmon version 13.24
The Chronicle parser supports logs collected by NXLog Community Edition or Enterprise Edition.
Review supported log types
The Chronicle parser supports the following log types generated by Microsoft Windows Sysmon. For more information about these log types, see the Microsoft Windows Sysmon documentation. The parser supports logs generated with English-language text. Logs generated in a language other than English are not supported.

| Log type | Description |
|---|---|
| Sysmon logs | The Sysmon channel contains 27 event IDs (event IDs 1 through 26 and 255). For a description of this log type, see the Microsoft Windows Sysmon events documentation. |
Configure Microsoft Windows servers, endpoints, and domain controllers
- Install and configure the servers, endpoints, and domain controllers. For more information, see the Microsoft Windows Sysmon configuration documentation.
- Set up a collector Microsoft Windows server to parse the logs collected from multiple systems.
- Set up a central Microsoft Windows or Linux server.
- Configure all systems with the UTC time zone.
- Configure the devices to forward logs to the collector Microsoft Windows server.
- Configure source-initiated subscriptions on the Microsoft Windows systems. For more information, see Setting up a source-initiated subscription.
- Enable WinRM on the Microsoft Windows servers and clients. For more information, see Installation and configuration for Windows Remote Management.
Configure NXLog and the Chronicle forwarder
- Install NXLog on the collector Microsoft Windows server. Follow the NXLog documentation, including the information about configuring NXLog to collect logs from Sysmon.
- Create a configuration file for NXLog. Use the im_msvistalog input module. The following is an example NXLog configuration. Replace the <hostname> and <port> values with the details of the central Microsoft Windows or Linux destination server. For more information, see the NXLog documentation for the om_tcp module.

  ```
  define ROOT C:\Program Files (x86)\nxlog
  define SYSMON_OUTPUT_DESTINATION_ADDRESS <hostname>
  define SYSMON_OUTPUT_DESTINATION_PORT <port>
  define CERTDIR %ROOT%\cert
  define CONFDIR %ROOT%\conf
  define LOGDIR %ROOT%\data
  define LOGFILE %LOGDIR%\nxlog.log
  LogFile %LOGFILE%
  Moduledir %ROOT%\modules
  CacheDir %ROOT%\data
  Pidfile %ROOT%\data\nxlog.pid
  SpoolDir %ROOT%\data

  <Extension _json>
      Module xm_json
  </Extension>

  # Read the Sysmon operational channel; all event IDs are selected
  <Input windows_sysmon_eventlog>
      Module im_msvistalog
      <QueryXML>
          <QueryList>
              <Query Id="0">
                  <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
              </Query>
          </QueryList>
      </QueryXML>
      ReadFromLast False
      SavePos False
  </Input>

  # Send each event as one JSON record over TCP to the Chronicle forwarder
  <Output out_chronicle_sysmon>
      Module om_tcp
      Host %SYSMON_OUTPUT_DESTINATION_ADDRESS%
      Port %SYSMON_OUTPUT_DESTINATION_PORT%
      # Timestamps are converted from microseconds to milliseconds before serialization
      Exec $EventTime = integer($EventTime) / 1000;
      Exec $EventReceivedTime = integer($EventReceivedTime) / 1000;
      Exec to_json();
  </Output>

  <Route r2>
      Path windows_sysmon_eventlog => out_chronicle_sysmon
  </Route>
  ```

- Install the Chronicle forwarder on the central Microsoft Windows or Linux server. For information about installing and configuring the forwarder, see Install and configure the forwarder on Linux or Install and configure the forwarder on Microsoft Windows.
- Configure the Chronicle forwarder to send logs to Chronicle. The following is an example forwarder configuration.

  ```yaml
  - syslog:
      common:
        enabled: true
        data_type: WINDOWS_SYSMON
        data_hint:
        batch_n_seconds: 10
        batch_n_bytes: 1048576
      tcp_address: 0.0.0.0:10518
      connection_timeout_sec: 60
  ```

- Start the NXLog service.
Field mapping reference: map device event fields to UDM fields
This section describes how the parser maps original device log fields to Unified Data Model (UDM) fields. The field mapping can differ depending on the event ID.
Common fields

| NXLog field | UDM field |
|---|---|
| UtcTime | metadata.event_timestamp |
| Category | security_result.summary and metadata.product_event_type |
| AccountName | principal.user.userid |
| Domain | principal.administrative_domain |
| RecordNumber | metadata.product_log_id |
| HostName | principal.hostname |
| UserID | principal.user.windows_sid |
| SeverityValue | security_result.severity |
| ProcessID | observer.process.pid |
| ProviderGuid | observer.asset_id |
| LogonId | principal.network.session_id |
| ThreadID | additional.fields.key set to thread_id, value stored in additional.fields.value.string_value |
| Version | additional.fields.key set to channel, value stored in additional.fields.value.string_value |
| EventID | security_result.rule_name set to EventID: <EventID>; metadata.product_event_type set to <Category> [<EventID>] |
Event ID: 1

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to PROCESS_LAUNCH |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | target.process.product_specific_process_id set to SYSMON:<ProcessGuid> |
| ProcessId | target.process.pid |
| IntegrityLevel | The value of target.process.integrity_level_rid is determined from the value of IntegrityLevel as follows: |
| Image | target.process.file.full_path |
| Description | metadata.description |
| CommandLine | target.process.command_line |
| CurrentDirectory | additional.fields.key set to current_directory, value stored in additional.fields.value.string_value |
| User | Domain stored in principal.administrative_domain; username stored in principal.user.userid |
| Hashes | Depends on the hash algorithm. |
| ParentProcessGuid | principal.process.product_specific_process_id set to SYSMON:<ParentProcessGuid> |
| ParentProcessId | principal.process.pid |
| ParentImage | principal.process.file.full_path |
| ParentCommandLine | principal.process.command_line |

Event ID: 2

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to FILE_MODIFICATION |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to SYSMON:<ProcessGuid> |
| ProcessId | principal.process.pid |
| IntegrityLevel | The value of principal.process.integrity_level_rid is determined from the value of IntegrityLevel as follows: |
| Image | principal.process.file.full_path |
| TargetFilename | target.file.full_path |
| CreationUtcTime | target.resource.attribute.labels.key set to CreationUtcTime, value stored in target.resource.attribute.labels.value |
| PreviousCreationUtcTime | target.resource.attribute.labels.key set to PreviousCreationUtcTime, value stored in target.resource.attribute.labels.value |

Event ID: 3

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to NETWORK_CONNECTION; security_result.action set to ALLOW; network.direction set to OUTBOUND |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to SYSMON:<ProcessGuid> |
| ProcessId | principal.process.pid |
| IntegrityLevel | The value of principal.process.integrity_level_rid is determined from the value of IntegrityLevel as follows: |
| Image | principal.process.file.full_path |
| User | Domain stored in principal.administrative_domain; username stored in principal.user.userid |
| Protocol | network.ip_protocol |
| SourceIp | principal.ip |
| SourcePort | principal.port |
| DestinationIp | target.ip |
| DestinationHostname | target.hostname |
| DestinationPort | target.port |

Event ID: 4

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to SETTING_MODIFICATION; target.resource.resource_type set to SETTING; target.resource.resource_subtype set to State |
| UtcTime | metadata.event_timestamp |
| State | target.resource.name |
| Version | metadata.product_version |

Event ID: 5

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to PROCESS_TERMINATION |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to SYSMON:<ProcessGuid> |
| ProcessId | target.process.pid |
| IntegrityLevel | The value of target.process.integrity_level_rid is determined from the value of IntegrityLevel as follows: |
| Image | target.process.file.full_path |

Event ID: 6

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to PROCESS_MODULE_LOAD |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ImageLoaded | principal.process.file.full_path |
| Hashes | The field populated is determined by the hash algorithm. |
| Signed | target.resource.attribute.labels.key set to Signed, value stored in target.resource.attribute.labels.value |
| Signature | target.resource.attribute.labels.key set to Signature, value stored in target.resource.attribute.labels.value |
| SignatureStatus | target.resource.attribute.labels.key set to SignatureStatus, value stored in target.resource.attribute.labels.value |

Event ID: 7

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to PROCESS_MODULE_LOAD |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to SYSMON:<ProcessGuid> |
| ProcessId | principal.process.pid |
| IntegrityLevel | The value of principal.process.integrity_level_rid is determined from the value of IntegrityLevel as follows: |
| Image | principal.process.file.full_path |
| ImageLoaded | target.process.file.full_path |
| Description | metadata.description |
| Hashes | The field populated is determined by the hash algorithm. |
| Signed | target.resource.attribute.labels.key set to Signed, value stored in target.resource.attribute.labels.value |
| Signature | target.resource.attribute.labels.key set to Signature, value stored in target.resource.attribute.labels.value |
| SignatureStatus | target.resource.attribute.labels.key set to SignatureStatus, value stored in target.resource.attribute.labels.value |

Event ID: 8

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to PROCESS_MODULE_LOAD |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| SourceProcessGuid | principal.process.product_specific_process_id set to SYSMON:<SourceProcessGuid> |
| SourceProcessId | principal.process.pid |
| SourceImage | principal.process.file.full_path |
| TargetProcessGuid | target.process.product_specific_process_id set to SYSMON:<TargetProcessGuid> |
| TargetProcessId | target.process.pid |
| TargetImage | target.process.file.full_path |

Event ID: 9

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to FILE_READ If the |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to SYSMON:<ProcessGuid> |
| ProcessId | principal.process.pid |
| IntegrityLevel | The value of principal.process.integrity_level_rid is determined from the value of IntegrityLevel as follows: |
| Image | principal.process.file.full_path |
| Device | target.file.full_path |

Event ID: 10

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to PROCESS_OPEN; target.resource.resource_subtype set to GrantedAccess |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| SourceProcessGUID | principal.process.product_specific_process_id set to SYSMON:<SourceProcessGUID> |
| SourceProcessId | principal.process.pid |
| SourceImage | principal.process.file.full_path |
| TargetProcessGUID | target.process.product_specific_process_id set to SYSMON:<TargetProcessGUID> |
| TargetProcessId | target.process.pid |
| TargetImage | target.process.file.full_path |
| GrantedAccess | target.resource.name |

Event ID: 11

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to FILE_CREATION; target.resource.resource_subtype set to CreationUtcTime |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to SYSMON:<ProcessGuid> |
| ProcessId | principal.process.pid |
| IntegrityLevel | The value of principal.process.integrity_level_rid is determined from the value of IntegrityLevel as follows: |
| Image | principal.process.file.full_path |
| TargetFilename | target.file.full_path |
| CreationUtcTime | target.resource.name |

Event ID: 12

| NXLog field | UDM field |
|---|---|
| | If the Message field contains CreateKey or CreateValue, metadata.event_type is set to REGISTRY_CREATION. If the Message field contains DeleteKey or DeleteValue, metadata.event_type is set to REGISTRY_DELETION. Otherwise, metadata.event_type is set to REGISTRY_MODIFICATION. |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to SYSMON:<ProcessGuid> |
| ProcessId | principal.process.pid |
| IntegrityLevel | The value of principal.process.integrity_level_rid is determined from the value of IntegrityLevel as follows: |
| Image | principal.process.file.full_path |
| TargetObject | target.registry.registry_key |
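As an added example, not Chronicle's parser code, the following Python applies the mapping documented in the common fields, Event ID 1 and Event ID 12 tables above to constructed NXLog JSON records of the shape that to_json() emits. Record keys follow the NXLog field names as written in these tables; the per-algorithm hash targets (target.process.file.md5/sha1/sha256) are taken from the Event ID 26 row and assumed here to apply to Event ID 1 as well.

```python
import json
# Per-algorithm hash targets: the page states them for Event ID 26
# (target.process.file.md5/sha1/sha256); assumed here to apply to Event ID 1 as well.
HASH_FIELDS = {"MD5": "target.process.file.md5", "SHA1": "target.process.file.sha1",
               "SHA256": "target.process.file.sha256"}

def _split_user(user, udm):
    # "DOMAIN\name" -> principal.administrative_domain and principal.user.userid
    domain, _, name = user.rpartition("\\")
    if domain:
        udm["principal.administrative_domain"] = domain
    udm["principal.user.userid"] = name

def _map_hashes(hashes, udm):
    # Sysmon writes "MD5=...,SHA256=...,IMPHASH=..."; only documented algorithms are mapped
    for item in hashes.split(","):
        algo, _, value = item.partition("=")
        if algo in HASH_FIELDS:
            udm[HASH_FIELDS[algo]] = value.lower()

def map_common(rec, udm):
    # Common fields table; keys are the NXLog field names as written on this page
    udm["metadata.event_timestamp"] = rec["UtcTime"]
    udm["principal.hostname"] = rec["HostName"]
    udm["security_result.rule_name"] = f"EventID: {rec['EventID']}"
    udm["metadata.product_event_type"] = f"{rec['Category']} [{rec['EventID']}]"

def map_event_1(rec, udm):
    # Event ID 1: the created process is the target, its parent is the principal
    udm["metadata.event_type"] = "PROCESS_LAUNCH"
    udm["target.process.product_specific_process_id"] = f"SYSMON:{rec['ProcessGuid']}"
    udm["target.process.pid"] = int(rec["ProcessId"])
    udm["target.process.file.full_path"] = rec["Image"]
    udm["target.process.command_line"] = rec["CommandLine"]
    udm["principal.process.product_specific_process_id"] = f"SYSMON:{rec['ParentProcessGuid']}"
    udm["principal.process.pid"] = int(rec["ParentProcessId"])
    udm["principal.process.file.full_path"] = rec["ParentImage"]
    _split_user(rec["User"], udm)
    _map_hashes(rec["Hashes"], udm)

def map_event_12(rec, udm):
    # Event ID 12: event_type is chosen from the Message text, as the table documents
    msg = rec.get("Message", "")
    if "CreateKey" in msg or "CreateValue" in msg:
        udm["metadata.event_type"] = "REGISTRY_CREATION"
    elif "DeleteKey" in msg or "DeleteValue" in msg:
        udm["metadata.event_type"] = "REGISTRY_DELETION"
    else:
        udm["metadata.event_type"] = "REGISTRY_MODIFICATION"
    udm["principal.process.product_specific_process_id"] = f"SYSMON:{rec['ProcessGuid']}"
    udm["principal.process.pid"] = int(rec["ProcessId"])
    udm["principal.process.file.full_path"] = rec["Image"]
    udm["target.registry.registry_key"] = rec["TargetObject"]

HANDLERS = {1: map_event_1, 12: map_event_12}
def to_udm(line):
    # Map one NXLog JSON line (the to_json() output) to a flat dict of UDM field paths
    rec = json.loads(line)
    udm = {}
    map_common(rec, udm)
    HANDLERS[int(rec["EventID"])](rec, udm)  # KeyError for event IDs not covered here
    return udm

# Constructed sample records (not real telemetry), shaped like NXLog's to_json() output
SAMPLE_EVENT_1 = json.dumps({
    "EventID": 1, "Category": "Process Create (rule: ProcessCreate)",
    "UtcTime": "2024-01-15 10:22:31.123", "HostName": "ws01.example.test",
    "ProcessGuid": "{a1b2c3d4-0000-1111-2222-333344445555}", "ProcessId": "4120",
    "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami",
    "User": "EXAMPLE\\alice", "ParentProcessId": "812", "ParentImage": "C:\\Windows\\explorer.exe",
    "ParentProcessGuid": "{a1b2c3d4-0000-1111-2222-333344446666}",
    "Hashes": "MD5=" + "0F" * 16 + ",SHA256=" + "AB" * 32 + ",IMPHASH=" + "00" * 16})
SAMPLE_EVENT_12 = json.dumps({
    "EventID": 12, "Category": "Registry object added or deleted (rule: RegistryEvent)",
    "UtcTime": "2024-01-15 10:22:32.500", "HostName": "ws01.example.test",
    "Message": "Registry object added or deleted:\r\nEventType: CreateKey",
    "ProcessGuid": "{a1b2c3d4-0000-1111-2222-333344445555}", "ProcessId": "4120",
    "Image": "C:\\Windows\\System32\\cmd.exe",
    "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"})
```

Running to_udm(SAMPLE_EVENT_1) yields the Event ID 1 mapping with the IMPHASH value dropped, and to_udm(SAMPLE_EVENT_12) yields REGISTRY_CREATION because the Message contains CreateKey.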
Event ID: 13

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to REGISTRY_MODIFICATION |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to SYSMON:<ProcessGuid> |
| ProcessId | principal.process.pid |
| IntegrityLevel | The value of principal.process.integrity_level_rid is determined from the value of IntegrityLevel as follows: |
| Image | principal.process.file.full_path |
| TargetObject | target.registry.registry_key |
| Details | target.registry.registry_value_data |

Event ID: 14

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to REGISTRY_MODIFICATION |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to SYSMON:<ProcessGuid> |
| ProcessId | principal.process.pid |
| IntegrityLevel | The value of principal.process.integrity_level_rid is determined from the value of IntegrityLevel as follows: |
| Image | principal.process.file.full_path |
| TargetObject | src.registry.registry_key |
| NewName | target.registry.registry_key |

Event ID: 15

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to FILE_CREATION |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to SYSMON:<ProcessGuid> |
| ProcessId | principal.process.pid |
| IntegrityLevel | The value of principal.process.integrity_level_rid is determined from the value of IntegrityLevel as follows: |
| Image | principal.process.file.full_path |
| TargetFilename | target.file.full_path |
| CreationUtcTime | target.resource.attribute.labels.key set to CreationUtcTime, value stored in target.resource.attribute.labels.value |
| Hash | The field populated is determined by the hash algorithm. |

Event ID: 16

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to SETTING_MODIFICATION |
| UtcTime | metadata.event_timestamp |
| ProcessID | target.process.pid |
| Configuration | Stored in target.process.command_line when the field value contains a command line or process; stored in target.process.file.full_path when the field value contains the configuration file path. |
| ConfigurationFileHash | The field populated is determined by the hash algorithm. |

Event ID: 17

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to PROCESS_UNCATEGORIZED; target.resource.resource_type set to PIPE |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | target.process.product_specific_process_id set to SYSMON:<ProcessGuid> |
| ProcessId | target.process.pid |
| IntegrityLevel | The value of target.process.integrity_level_rid is determined from the value of IntegrityLevel as follows: |
| PipeName | target.resource.name |
| Image | target.process.file.full_path |

Event ID: 18

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to PROCESS_UNCATEGORIZED; target.resource.resource_type set to PIPE |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | target.process.product_specific_process_id set to SYSMON:<ProcessGuid> |
| ProcessId | target.process.pid |
| IntegrityLevel | The value of target.process.integrity_level_rid is determined from the value of IntegrityLevel as follows: |
| PipeName | target.resource.name |
| Image | target.process.file.full_path |

Event ID: 19

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to USER_RESOURCE_ACCESS |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| Operation | |
| User | Domain stored in principal.administrative_domain; username stored in principal.user.userid |
| EventNamespace | target.file.full_path |
| Name | target.application |
| Query | target.resource.name |

Event ID: 20

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to USER_RESOURCE_ACCESS |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| Operation | target.resource.attribute.labels.key set to Operation, value stored in target.resource.attribute.labels.value |
| User | Domain stored in principal.administrative_domain; username stored in principal.user.userid |
| Name | target.resource.attribute.labels.key set to Name, value stored in target.resource.attribute.labels.value |
| Type | target.resource.attribute.labels.key set to Type, value stored in target.resource.attribute.labels.value |
| Destination | target.resource.name |

Event ID: 21

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to USER_RESOURCE_ACCESS |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| Operation | target.resource.attribute.labels.key set to Operation, value stored in target.resource.attribute.labels.value |
| User | Domain stored in principal.administrative_domain; username stored in principal.user.userid |
| Consumer | target.resource.attribute.labels.key set to Consumer, value stored in target.resource.attribute.labels.value |
| Filter | target.resource.name |

Event ID: 22

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to NETWORK_DNS; network.application_protocol set to DNS |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to SYSMON:<ProcessGuid> |
| ProcessId | principal.process.pid |
| IntegrityLevel | The value of principal.process.integrity_level_rid is determined from the value of IntegrityLevel as follows: |
| QueryName | network.dns.questions |
| QueryStatus | Stored in security_result.summary as Query Status: <QueryStatus> |
| QueryResults | Type is saved to network.dns.answers.type, with values separated by a semicolon (;); Data is saved to network.dns.answers.data. Values that have no type are mapped to network.dns.answers.data. |
| Image | principal.process.file.full_path |

Event ID: 23

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to FILE_DELETION |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to SYSMON:<ProcessGuid> |
| ProcessId | principal.process.pid |
| IntegrityLevel | The value of principal.process.integrity_level_rid is determined from the value of IntegrityLevel as follows: |
| User | Domain stored in principal.administrative_domain; username stored in principal.user.userid |
| Image | principal.process.file.full_path |
| TargetFilename | target.file.full_path |
| Hashes | The field populated is determined by the hash algorithm. |
| IsExecutable | target.resource.attribute.labels.key set to IsExecutable, value stored in target.resource.attribute.labels.value |
| Archived | target.resource.attribute.labels.key set to Archived, value stored in target.resource.attribute.labels.value |

Event ID: 24

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to RESOURCE_READ |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | target.process.product_specific_process_id set to SYSMON:<ProcessGuid> |
| ProcessId | principal.process.pid |
| IntegrityLevel | The value of principal.process.integrity_level_rid is determined from the value of IntegrityLevel as follows: |
| Image | target.process.file.full_path and target.resource.name |
| ClientInfo | ip stored in target.ip; hostname stored in target.hostname; user stored in principal.user.userid |
| Hashes | The field populated is determined by the hash algorithm. |
| Archived | target.resource.attribute.labels.key set to Archived, value stored in target.resource.attribute.labels.value |

Event ID: 25

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to PROCESS_LAUNCH |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | target.process.product_specific_process_id set to SYSMON:<ProcessGuid> |
| ProcessId | principal.process.pid |
| IntegrityLevel | The value of principal.process.integrity_level_rid is determined from the value of IntegrityLevel as follows: |
| Image | target.process.file.full_path |

Event ID: 26

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to FILE_DELETION |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to SYSMON:<ProcessGuid> |
| ProcessId | principal.process.pid |
| IntegrityLevel | The value of principal.process.integrity_level_rid is determined from the value of IntegrityLevel as follows: |
| User | Domain stored in principal.administrative_domain; username stored in principal.user.userid |
| Image | principal.process.file.full_path |
| TargetFilename | target.file.full_path |
| Hashes | Depends on the hash algorithm: MD5 set to target.process.file.md5; SHA256 set to target.process.file.sha256; SHA1 set to target.process.file.sha1 |
| IsExecutable | target.resource.attribute.labels.key set to IsExecutable, value stored in target.resource.attribute.labels.value |

Event ID: 29

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to FILE_CREATION |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to SYSMON:<PROCESS_GUID>, where PROCESS_GUID is the ProcessGuid. The ProcessGuid field is a value unique to this process across a domain, which makes event correlation easier. |
| ProcessId | principal.process.pid |
| IntegrityLevel | The value of principal.process.integrity_level_rid is determined from the value of IntegrityLevel as follows: |
| User | Domain stored in principal.administrative_domain; username stored in principal.user.userid |
| Image | principal.process.file.full_path |
| TargetFilename | target.file.full_path |
| Hashes | Depending on the hash algorithm, the following values are set: |

Event ID: 255

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to SERVICE_UNSPECIFIED; metadata.product_event_type set to Error - [255]; target.application set to Microsoft Sysmon |
| UtcTime | metadata.event_timestamp |
| ID | security_result.summary |
| Description | security_result.description |