Microsoft Windows Sysmon-Daten erfassen

In diesem Dokument wird Folgendes beschrieben:

beschreibt die Bereitstellungsarchitektur und Installationsschritte sowie alle erforderlichen Konfigurationen, die Logs generieren, die vom Chronicle Parser für Microsoft Windows Sysmon-Ereignisse unterstützt werden. Eine Übersicht über die Datenaufnahme in Chronicle finden Sie unter Datenaufnahme in Chronicle.
enthält Informationen dazu, wie der Parser Felder im ursprünglichen Log den Chronicle Unified Data Model-Feldern zuordnet.

Die Informationen in diesem Dokument gelten für den Parser mit dem Aufnahmelabel WINDOWS_SYSMON. Das Aufnahmelabel gibt an, welcher Parser Log-Rohdaten in das strukturierte UDM-Format normalisiert.

Hinweise

Empfohlene Bereitstellungsarchitektur überprüfen

Dieses Diagramm zeigt die empfohlenen Kernkomponenten in einer Bereitstellungsarchitektur zum Erfassen und Senden von Microsoft Windows Sysmon-Daten an Chronicle. Vergleichen Sie diese Informationen mit Ihrer Umgebung, damit die Komponenten installiert sind. Jede Kundenbereitstellung unterscheidet sich von dieser Darstellung und kann komplexer sein. Folgendes ist erforderlich:

Systeme in der Bereitstellungsarchitektur werden mit der UTC-Zeitzone konfiguriert.
Sysmon wird auf Servern, Endpunkten und Domaincontrollern installiert.
Der Microsoft Windows-Collector-Server empfängt Protokolle von Servern, Endpunkten und Domaincontrollern.
Microsoft Windows-Systeme in der Bereitstellungsarchitektur verwenden Folgendes:
- Von der Quelle initiierte Abos, um Ereignisse auf mehreren Geräten zu erfassen.
- WinRM-Dienst für die Remote-Systemverwaltung
NXLog wird auf dem Collector-Fensterserver installiert, um Logs an den Chronicle-Forwarder weiterzuleiten.
Der Chronicle-Forwarder wird auf einem zentralen Microsoft Windows- oder Linux-Server installiert.

Hinweis: Wenn Sie den Chronicle Linux-Forwarder bereitstellen, sind der zentrale Linux-Server und der Collector Microsoft Windows-Server unterschiedliche Systeme. Wenn Sie den Chronicle-Forwarder für Microsoft Windows bereitstellen, können der zentrale Microsoft Windows-Server und der Collector Microsoft Windows Server dasselbe System sein.

Unterstützte Geräte und Versionen ansehen

Der Chronicle-Parser unterstützt Logs, die von den folgenden Microsoft Windows-Serverversionen generiert wurden. Microsoft Windows Server wird in den folgenden Versionen veröffentlicht: Foundation, Essentials, Standard und Datacenter. Das Ereignisschema von Logs, die von den einzelnen Versionen generiert werden, unterscheidet sich nicht.

Microsoft Windows Server 2019
Microsoft Windows Server 2016
Microsoft Windows Server 2012

Der Chronicle-Parser unterstützt Logs, die generiert werden von:

Clientsysteme mit Microsoft Windows 7 und höher
Sysmon Version 13.24.

Der Chronicle-Parser unterstützt Logs, die von der NXLog Community oder Enterprise Edition erfasst wurden.

Unterstützte Logtypen prüfen

Der Chronicle-Parser unterstützt die folgenden Logtypen, die von Microsoft Windows Sysmon generiert werden. Weitere Informationen zu diesen Logtypen finden Sie in der Microsoft Windows Sysmon-Dokumentation. Es unterstützt Logs, die mit englischsprachigem Text generiert wurden. Logs, die in einer anderen Sprache als Englisch generiert wurden, werden nicht unterstützt.

Protokolltyp	Beschreibung
Sysmon-Protokolle	Der Sysmon-Kanal enthält 27 Ereignis-IDs. (Ereignis-ID: 1 bis 26 und 255). Eine Beschreibung dieses Logtyps finden Sie in der Dokumentation zu Microsoft Windows Sysmon-Ereignissen.

Microsoft Windows-Server, -Endpunkte und -Domaincontroller konfigurieren

Server, Endpunkte und Domaincontroller installieren und konfigurieren Weitere Informationen finden Sie in der Dokumentation zur Microsoft Windows Sysmon-Konfiguration.
Richten Sie einen Collector Microsoft Windows Server ein, um die erfassten Logs aus mehreren Systemen zu parsen.
Zentralen Microsoft Windows- oder Linux-Server einrichten
Konfigurieren Sie alle Systeme mit der UTC-Zeitzone.
Konfigurieren Sie die Geräte so, dass Protokolle an den Collector Microsoft Windows-Server weitergeleitet werden.
- Über die Quelle initiierte Abos auf Microsoft Windows-Systemen konfigurieren. Weitere Informationen finden Sie unter Von der Quelle initiierte Abos einrichten.
- WinRM auf Microsoft Windows-Servern und -Clients aktivieren Weitere Informationen finden Sie unter Installation und Konfiguration der Microsoft Windows-Remoteverwaltung.

NXLog- und Chronicle-Forwarder konfigurieren

Installieren Sie NXLog auf dem Collector Microsoft Windows-Server. Folgen Sie der NXLog-Dokumentation, einschließlich Informationen zum Konfigurieren von NXLog zum Erfassen von Logs von Sysmon.

Erstellen Sie eine Konfigurationsdatei für NXLog. Verwenden Sie das Eingabemodul im_msvistalog. Hier ist ein Beispiel für eine NXLog-Konfiguration. Ersetzen Sie die Werte <hostname> und <port> durch Informationen zum zentralen Microsoft Windows- oder Linux-Zielserver. Weitere Informationen finden Sie in der NXLog-Dokumentation zum Modul om_tcp.

define ROOT     C:\Program Files (x86)\nxlog
define SYSMON_OUTPUT_DESTINATION_ADDRESS <hostname>
define SYSMON_OUTPUT_DESTINATION_PORT <port>
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _json>
    Module      xm_json
</Extension>

<Input windows_sysmon_eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    ReadFromLast  False
    SavePos  False
</Input>

<Output out_chronicle_sysmon>
    Module      om_tcp
    Host        %SYSMON_OUTPUT_DESTINATION_ADDRESS%
    Port        %SYSMON_OUTPUT_DESTINATION_PORT%
    Exec        $EventTime = integer($EventTime) / 1000;
    Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000;
    Exec        to_json();
</Output>

<Route r2>
    Path    windows_sysmon_eventlog => out_chronicle_sysmon
</Route>

Installieren Sie den Chronicle-Forwarder auf dem zentralen Microsoft Windows- oder Linux-Server. Informationen zum Installieren und Konfigurieren des Forwarders unter Linuxfinden Sie unter Linux installieren und konfigurieren oder unter Installation und Konfiguration des Forwarders unter Microsoft Windows.

Konfigurieren Sie den Chronicle-Forwarder so, dass Logs an Chronicle gesendet werden. Hier ist ein Beispiel für eine Forwarder-Konfiguration.

  - syslog:
      common:
        enabled: true
        data_type: WINDOWS_SYSMON
        Data_hint:
        batch_n_seconds: 10
        batch_n_bytes: 1048576
      tcp_address: 0.0.0.0:10518
      connection_timeout_sec: 60

Starten Sie den NXLog-Dienst.

Referenz zur Feldzuordnung: Geräteereignisfelder zu UDM-Feldern zuordnen

In diesem Abschnitt wird beschrieben, wie der Parser ursprüngliche Gerätelogfelder den Feldern des Unified Data Model (UDM) zuordnet. Die Feldzuordnung kann sich je nach Ereignis-ID unterscheiden.

Allgemeine Felder

NXLog-Feld	UDM-Feld
UtcTime	metadata.event_timestamp
Kategorie	`security_result.summary` und `metadata.product_event_type`
AccountName	principal.user.userid
Domain	principal.administrative_domain
RecordNumber	metadata.product_log_id
HostName	principal.hostname
UserID	principal.user.windows_sid
SeverityValue	security_result.severity
ProcessID	observer.process.pid
ProviderGuid	observer.asset_id
LogonId	principal.network.session_id
ThreadID	`additional.fields.key` auf `thread_id` gesetzt und in `additional.fields.value.string_value` gespeicherter Wert
Version	`additional.fields.key` auf `channel` gesetzt und in `additional.fields.value.string_value` gespeicherter Wert
EventID	`security_result.rule_name` auf `EventID: <EventID>` gesetzt `metadata.product_event_type` auf `<Category> [<EventID>]` festgelegt

Ereignis-ID: 1

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `PROCESS_LAUNCH`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`target.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	target.process.pid
IntegrityLevel	The value for the field `target.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `target.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `target.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `target.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `target.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `target.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `target.process.integrity_level_rid` UDM field is set to `20480`
Image	target.process.file.full_path
Description	metadata.description
CommandLine	target.process.command_line
CurrentDirectory	`additional.fields.key` set to `current_directory` and value stored in `additional.fields.value.string_value`
User	Domain stored in `principal.administrative_domain` Username stored in `principal.user.userid`
Hashes	Based on Hash algorithm. MD5 stored in `target.process.file.md5` SHA256 stored in `target.process.file.sha256` SHA1 stored in `target.process.file.sha1`
ParentProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ParentProcessGuid>`
ParentProcessId	principal.process.pid
ParentImage	principal.process.file.full_path
ParentCommandLine	principal.process.command_line

Ereignis-ID: 2

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `FILE_MODIFICATION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
TargetFilename	target.file.full_path
CreationUtcTime	`target.resource.attribute.labels.key` set to `CreationUtcTime` and value stored in `target.resource.attribute.labels.value`
PreviousCreationUtcTime	`target.resource.attribute.labels.key` set to `PreviousCreationUtcTime` and value stored in `target.resource.attribute.labels.value`

Ereignis-ID: 3

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `NETWORK_CONNECTION` `security_result.action` set to `ALLOW` `network.direction` set to `OUTBOUND`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
User	Domain stored in `principal.administrative_domain` Username stored in `principal.user.userid`
Protocol	network.ip_protocol
SourceIp	principal.ip
SourcePort	principal.port
DestinationIp	target.ip
DestinationHostname	target.hostname
DestinationPort	target.port

Ereignis-ID: 4

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `SETTING_MODIFICATION` `target.resource.resource_type` set to `SETTING` `target.resource.resource_subtype` set to `State`
UtcTime	metadata.event_timestamp
State	target.resource.name
Version	metadata.product_version

Ereignis-ID: 5

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `PROCESS_TERMINATION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	target.process.pid
IntegrityLevel	The value for the field `target.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `target.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `target.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `target.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `target.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `target.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `target.process.integrity_level_rid` UDM field is set to `20480`
Image	target.process.file.full_path

Ereignis-ID: 6

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `PROCESS_MODULE_LOAD`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ImageLoaded	principal.process.file.full_path
Hashes	The field populated is determined by the Hash algorithm. MD5 stored in `target.process.file.md5` SHA256 stored in `target.process.file.sha256` SHA1 stored in `target.process.file.sha1`
Signed	`target.resource.attribute.labels.key` set to `Signed` and value set to `target.resource.attribute.labels.value`
Signature	`target.resource.attribute.labels.key` set to `Signature` and value stored in `target.resource.attribute.labels.value`
SignatureStatus	`target.resource.attribute.labels.key` set to `SignatureStatus` and value stored in `target.resource.attribute.labels.value`

Ereignis-ID: 7

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `PROCESS_MODULE_LOAD`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
ImageLoaded	target.process.file.full_path
Description	metadata.description
Hashes	The field populated is determined by the Hash algorithm. MD5 stored in `target.process.file.md5` SHA256 stored in `target.process.file.sha256` SHA1 stored in `target.process.file.sha1`
Signed	`target.resource.attribute.labels.key` set to `Signed` and value stored in `target.resource.attribute.labels.value`
Signature	`target.resource.attribute.labels.key` set to `Signature` Signature value in `target.resource.attribute.labels.value`
SignatureStatus	`target.resource.attribute.labels.key` set to `SignatureStatus` and value stored in `target.resource.attribute.labels.value`

Ereignis-ID: 8

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `PROCESS_MODULE_LOAD`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
SourceProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<SourceProcessGuid>`
SourceProcessId	principal.process.pid
SourceImage	principal.process.file.full_path
TargetProcessGuid	`target.process.product_specific_process_id` set to `SYSMON:<TargetProcessGuid>`
TargetProcessId	target.process.pid
TargetImage	target.process.file.full_path

Ereignis-ID: 9

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `FILE_READ` If the `Device` log field, which is required to validate the `FILE_READ` UDM event type, is not available, then `metadata.event_type` is set to `GENERIC_EVENT`.
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
Device	target.file.full_path

Ereignis-ID: 10

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `PROCESS_OPEN` `target.resource.resource_subtype` set to `GrantedAccess`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
SourceProcessGUID	`principal.process.product_specific_process_id` set to `SYSMON:<SourceProcessGUID>`
SourceProcessId	principal.process.pid
SourceImage	principal.process.file.full_path
TargetProcessGUID	`target.process.product_specific_process_id` set to `SYSMON:<TargetProcessGUID>`
TargetProcessId	target.process.pid
TargetImage	target.process.file.full_path
GrantedAccess	target.resource.name

Ereignis-ID: 11

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `FILE_CREATION` `target.resource.resource_subtype` set to `CreationUtcTime`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
TargetFilename	target.file.full_path
CreationUtcTime	target.resource.name

Ereignis-ID: 12

NXLog-Feld	UDM-Feld
	If the Message the field contains `CreateKey\|CreateValue`, then `metadata.event_type` set to `REGISTRY_CREATION` If the Message field contains `DeleteKey\|DeleteValue`, then `metadata.event_type` set to `REGISTRY_DELETION` Otherwise, `metadata.event_type` set to `REGISTRY_MODIFICATION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
TargetObject	target.registry.registry_key

Ereignis-ID: 13

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `REGISTRY_MODIFICATION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
TargetObject	target.registry.registry_key
Details	target.registry.registry_value_data

Ereignis-ID: 14

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `REGISTRY_MODIFICATION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
TargetObject	src.registry.registry_key
NewName	target.registry.registry_key

Ereignis-ID: 15

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `FILE_CREATION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
TargetFilename	target.file.full_path
CreationUtcTime	`target.resource.attribute.labels.key` set to `CreationUtcTime` and value stored in `target.resource.attribute.labels.value`
Hash	The field populated is determined by the Hash algorithm. If MD5, the value is stored in `target.process.file.md5` If SHA256 set to the value is stored in `target.process.file.sha256` If SHA1, the value is stored in `target.process.file.sha1`

Ereignis-ID: 16

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `SETTING_MODIFICATION`
UtcTime	metadata.event_timestamp
ProcessID	target.process.pid
Configuration	The value is stored in `target.process.command_line` when this field value contains any command line or process The value is stored in `target.process.file.full_path` when this field value contains the configuration file path.
ConfigurationFileHash	The field populated is determined by the Hash algorithm. If MD5, the value is stored in `target.process.file.md5` If SHA256 set to the value is stored in `target.process.file.sha256` If SHA1, the value is stored in `target.process.file.sha1`

Ereignis-ID: 17

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `PROCESS_UNCATEGORIZED` `target.resource.resource_type` set to `PIPE`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`target.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	target.process.pid
IntegrityLevel	The value for the field `target.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `target.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `target.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `target.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `target.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `target.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `target.process.integrity_level_rid` UDM field is set to `20480`
PipeName	target.resource.name
Image	target.process.file.full_path

Ereignis-ID: 18

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `PROCESS_UNCATEGORIZED` `target.resource.resource_type` set to `PIPE`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`target.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	target.process.pid
IntegrityLevel	The value for the field `target.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `target.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `target.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `target.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `target.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `target.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `target.process.integrity_level_rid` UDM field is set to `20480`
PipeName	target.resource.name
Image	target.process.file.full_path

Ereignis-ID: 19

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `USER_RESOURCE_ACCESS`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
Operation
User	The Domain is stored in `principal.administrative_domain` The Username is stored in `principal.user.userid`
EventNamespace	target.file.full_path
Name	target.application
Query	target.resource.name

Ereignis-ID: 20

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `USER_RESOURCE_ACCESS`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
Operation	`target.resource.attribute.labels.key` set to `Operation` and the value is stored in `target.resource.attribute.labels.value`
User	The domain is stored in `principal.administrative_domain` The Username is stored in `principal.user.userid`
Name	`target.resource.attribute.labels.key` set to `Name` Name value in `target.resource.attribute.labels.value`
Type	`target.resource.attribute.labels.key` set to `Type` and the value is stored in `target.resource.attribute.labels.value`
Destination	target.resource.name

Ereignis-ID: 21

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `USER_RESOURCE_ACCESS`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
Operation	`target.resource.attribute.labels.key` set to `Operation` and the value is stored in `target.resource.attribute.labels.value`
User	The domain is stored in `principal.administrative_domain` The username is stored in `principal.user.userid`
Consumer	`target.resource.attribute.labels.key` set to `Consumer` and the value is stored in `target.resource.attribute.labels.value`
Filter	target.resource.name

Ereignis-ID: 22

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `NETWORK_DNS` `network.application_protocol` set to `DNS`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
QueryName	network.dns.questions
QueryStatus	Stored in `security_result.summary` as `Query Status: <QueryStatus>`
QueryResults	Type is saved to `network.dns.answers.type` with values separated by a semicolon (;) Data is saved to `network.dns.answers.data` Values that do not have type are mapped to `network.dns.answers.data`.
Image	principal.process.file.full_path

Ereignis-ID: 23

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `FILE_DELETION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
User	Domain stored into `principal.administrative_domain` Username stored in `principal.user.userid`
Image	principal.process.file.full_path
TargetFilename	target.file.full_path
Hashes	The field populated is determined by the Hash algorithm. MD5 set to `target.process.file.md5` SHA256 set to `target.process.file.sha256` SHA1 set to `target.process.file.sha1`
IsExecutable	Field `target.resource.attribute.labels.key` set to `IsExecutable` and the value is stored in `target.resource.attribute.labels.value`
Archived	`target.resource.attribute.labels.key` set to `Archived` and the value is stored in `target.resource.attribute.labels.value`

Ereignis-ID: 24

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `RESOURCE_READ`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`target.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	target.process.file.full_path target.resource.name
ClientInfo	ip stored in `target.ip` hostname stored in `target.hostname` user stored in `principal.user.userid`
Hashes	The field populated is determined by the Hash algorithm. If MD5, value stored in `target.process.file.md5` If SHA256, value stored in `target.process.file.sha256` If SHA1, value stored in `target.process.file.sha1`
Archived	`target.resource.attribute.labels.key` set to `Archived` and value stored in `target.resource.attribute.labels.value`

Ereignis-ID: 25

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `PROCESS_LAUNCH`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`target.process.product_specific_process_id` stored as `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	target.process.file.full_path

Ereignis-ID: 26

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `FILE_DELETION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<%{ProcessGuid}>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
User	Domain set to `principal.administrative_domain` Username set to `principal.user.userid`
Image	principal.process.file.full_path
TargetFilename	target.file.full_path
Hashes	Based on Hash algorithm. MD5 set to `target.process.file.md5` SHA256 set to `target.process.file.sha256` SHA1 set to `target.process.file.sha1`
IsExecutable	`target.resource.attribute.labels.key` set to `IsExecutable` & value in `target.resource.attribute.labels.value`

Ereignis-ID: 29

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `FILE_CREATION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` is set to `SYSMON:<PROCESS_GUID>` `PROCESS_GUID` is the `ProcessGuid`. The `ProcessGuid` field is a unique value for this process across a domain to make event correlation easier.
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
User	Domain is set to `principal.administrative_domain` Username is set to `principal.user.userid`
Image	principal.process.file.full_path
TargetFilename	target.file.full_path
Hashes	Based on the hash algorithm, the following values are set: MD5 is set to `target.process.file.md5` SHA256 is set to `target.process.file.sha256` SHA1 is set to `target.process.file.sha1`

Ereignis-ID: 255

NXLog-Feld	UDM-Feld
	`metadata.event_type` set to `SERVICE_UNSPECIFIED` `metadata.product_event_type` set to `Error - [255]` `target.application` set to `Microsoft Sysmon`
UtcTime	metadata.event_timestamp
ID	security_result.summary
Description	security_result.description