Collect Microsoft Windows Sysmon data
This document:
- describes the deployment architecture and installation steps, and any configuration required to generate logs that the Google Security Operations parser supports for Microsoft Windows Sysmon events. For an overview of Google Security Operations data ingestion, see Data ingestion to Google Security Operations.
- includes information about how the parser maps the original log fields to Google Security Operations Unified Data Model fields.
The information in this document applies to the parser with the WINDOWS_SYSMON ingestion label. The ingestion label identifies the parser that normalizes raw log data to the structured UDM format.
Before you begin
Review the recommended deployment architecture
This diagram shows the main components recommended in a deployment architecture for collecting and sending Microsoft Windows Sysmon data to Google Security Operations. Compare this with your environment to make sure these components are installed. Each customer deployment differs from this representation and may be more complex. The following are required:
- Systems in the deployment architecture are configured with the UTC time zone.
- Sysmon is installed on servers, endpoints and domain controllers.
- The Microsoft Windows collector server receives logs from servers, endpoints and domain controllers.
Microsoft Windows systems in the deployment architecture use:
- Source-initiated subscriptions to collect events across multiple devices.
- The WinRM service for remote system management.
NXLog is installed on the Windows collector server to forward logs to the Google Security Operations forwarder.
The Google Security Operations forwarder is installed on a central Microsoft Windows or Linux server.
Review supported devices and versions
The Google Security Operations parser supports logs generated by the following Microsoft Windows Server versions. Microsoft Windows Server is released in the following editions: Foundation, Essentials, Standard and Datacenter. The event schema of the logs generated by each edition does not differ.
- Microsoft Windows Server 2019
- Microsoft Windows Server 2016
- Microsoft Windows Server 2012
The Google Security Operations parser supports logs generated by:
- Microsoft Windows 7 or later client systems
- Sysmon version 13.24.
The Google Security Operations parser supports logs collected by NXLog Community or Enterprise Edition.
Review supported log types
The Google Security Operations parser supports the following log types generated by Microsoft Windows Sysmon. For more information about these log types, see the Microsoft Windows Sysmon documentation. The parser supports logs generated with English text and does not support logs generated in languages other than English.
Log type | Description |
---|---|
Sysmon logs | The Sysmon channel contains 27 event IDs (event IDs 1 to 26, and 255). For a description of this log type, see the Microsoft Windows Sysmon events documentation. |
Configure Microsoft Windows servers, endpoints and domain controllers
- Install and configure the servers, endpoints and domain controllers. For more information, see the Microsoft Windows Sysmon system configuration documentation.
- Configure a Microsoft Windows collector server to analyze the logs collected from multiple systems.
- Configure the central Microsoft Windows or Linux server.
- Configure all systems with the UTC time zone.
- Configure the devices to forward logs to the Microsoft Windows collector.
- Configure source-initiated subscriptions on the Microsoft Windows systems. For more information, see Setting up a source initiated subscription.
- Enable WinRM on the Microsoft Windows servers and clients. For more information, see Installation and configuration for Windows Remote Management.
Configure the BindPlane agent
Collect Windows Sysmon logs using the BindPlane agent.
After installation, the BindPlane agent service appears as the observIQ service in the list of Windows services.
- Install the BindPlane agent on the collector that runs on a Windows server. For more information about installing the BindPlane agent, see the BindPlane agent installation instructions.
- Create a configuration file for the BindPlane agent with the following content.

```yaml
receivers:
  windowseventlog/sysmon:
    channel: Microsoft-Windows-Sysmon/Operational
    raw: true
processors:
  batch:
exporters:
  chronicle/winsysmon:
    endpoint: https://malachiteingestion-pa.googleapis.com
    creds: '{
      "type": "service_account",
      "project_id": "malachite-projectname",
      "private_key_id": `PRIVATE_KEY_ID`,
      "private_key": `PRIVATE_KEY`,
      "client_email": "`SERVICE_ACCOUNT_NAME`@malachite-`PROJECT_ID`.iam.gserviceaccount.com",
      "client_id": `CLIENT_ID`,
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://oauth2.googleapis.com/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/`SERVICE_ACCOUNT_NAME`%40malachite-`PROJECT_ID`.iam.gserviceaccount.com",
      "universe_domain": "googleapis.com"
    }'
    log_type: 'WINDOWS_SYSMON'
    override_log_type: false
    raw_log_field: body
    customer_id: `CUSTOMER_ID`
service:
  pipelines:
    logs/winsysmon:
      receivers:
        - windowseventlog/sysmon
      processors: [batch]
      exporters: [chronicle/winsysmon]
```

Replace PRIVATE_KEY_ID, PRIVATE_KEY, SERVICE_ACCOUNT_NAME, PROJECT_ID, CLIENT_ID and CUSTOMER_ID with the respective values from the service account JSON file, which you can download from Google Cloud Platform. For more information about service account keys, see Creating and deleting service account keys.
- To start the observIQ agent service, select Services > Extended > observIQ service > Start.
Configure NXLog and the Google Security Operations forwarder
- Install NXLog on the collector that runs on a Windows server. Follow the NXLog documentation, including the information about configuring NXLog to collect Sysmon logs.
- Create a configuration file for NXLog. Use the im_msvistalog input module. The following is an example NXLog configuration. Replace the <hostname> and <port> values with the details of the destination central Microsoft Windows or Linux server. For more information, see the NXLog documentation for the om_tcp module.

```
define ROOT C:\Program Files (x86)\nxlog
define SYSMON_OUTPUT_DESTINATION_ADDRESS <hostname>
define SYSMON_OUTPUT_DESTINATION_PORT <port>
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _json>
    Module xm_json
</Extension>

<Input windows_sysmon_eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    ReadFromLast False
    SavePos False
</Input>

<Output out_chronicle_sysmon>
    Module om_tcp
    Host %SYSMON_OUTPUT_DESTINATION_ADDRESS%
    Port %SYSMON_OUTPUT_DESTINATION_PORT%
    Exec $EventTime = integer($EventTime) / 1000;
    Exec $EventReceivedTime = integer($EventReceivedTime) / 1000;
    Exec to_json();
</Output>

<Route r2>
    Path windows_sysmon_eventlog => out_chronicle_sysmon
</Route>
```

- Install the Google Security Operations forwarder on the central Microsoft Windows or Linux server. For more information about installing and configuring the forwarder, see Install and configure the forwarder on Linux or Install and configure the forwarder on Microsoft Windows.
- Configure the Google Security Operations forwarder to send logs to Google Security Operations. The following is an example forwarder configuration.

```yaml
- syslog:
    common:
      enabled: true
      data_type: WINDOWS_SYSMON
      data_hint:
      batch_n_seconds: 10
      batch_n_bytes: 1048576
    tcp_address: 0.0.0.0:10518
    connection_timeout_sec: 60
```

- Start the NXLog service.
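The following Python script is an added example, not part of the original documentation or of NXLog or the forwarder. It shows the shape of the records that reach the forwarder's TCP listener once the NXLog output module above has run its Exec statements: NXLog stores datetimes as microseconds since the Unix epoch, so dividing by 1000 leaves EventTime and EventReceivedTime as millisecond integers, and to_json() then emits one JSON object per line. The sample lines, host name and field values are constructed; the script parses each line, converts the millisecond timestamp back to UTC, and reports which records belong to the Sysmon channel and carry one of the event IDs this parser documents (1 to 26 and 255).

```python
import json
from datetime import datetime, timedelta, timezone

SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"
# Event IDs the parser documents for the Sysmon channel: 1 to 26 and 255.
SUPPORTED_EVENT_IDS = set(range(1, 27)) | {255}

# Constructed sample lines (not real telemetry), shaped like NXLog's to_json()
# output after the two Exec statements: EventTime and EventReceivedTime are
# integers in milliseconds since the Unix epoch.
SAMPLE_LINES = [
    '{"EventTime":1700000000123,"EventReceivedTime":1700000000456,'
    '"Hostname":"WS01","Channel":"Microsoft-Windows-Sysmon/Operational",'
    '"EventID":1,"ProcessId":4242,"Image":"C:\\\\Windows\\\\System32\\\\cmd.exe",'
    '"UtcTime":"2023-11-14 22:13:20.123"}',
    '{"EventTime":1700000001000,"EventReceivedTime":1700000001200,'
    '"Hostname":"WS01","Channel":"Microsoft-Windows-Sysmon/Operational",'
    '"EventID":3,"ProcessId":4242,"DestinationIp":"192.0.2.10","DestinationPort":443}',
    '{"EventTime":1700000002000,"EventReceivedTime":1700000002100,'
    '"Hostname":"WS01","Channel":"Microsoft-Windows-Sysmon/Operational",'
    '"EventID":30,"Message":"event ID not documented for this parser"}',
    '{"EventTime":1700000003000,"EventReceivedTime":1700000003100,'
    '"Hostname":"WS01","Channel":"Security","EventID":4624}',
    "this line is not JSON",
]


def ms_to_utc(ms):
    """Convert a millisecond epoch value (EventTime after the '/ 1000' Exec) to an aware UTC datetime.
    Integer arithmetic keeps the millisecond exact instead of going through a float."""
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc) + timedelta(milliseconds=ms % 1000)


def parse_nxlog_line(line):
    """Parse one JSON line; return None when it is not a usable NXLog record."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(record, dict) or not isinstance(record.get("EventTime"), int):
        return None
    record["event_time_utc"] = ms_to_utc(record["EventTime"])
    return record


def is_supported_sysmon_event(record):
    """True for records from the Sysmon channel whose event ID the parser documents."""
    return record.get("Channel") == SYSMON_CHANNEL and record.get("EventID") in SUPPORTED_EVENT_IDS


def summarize(lines):
    """Count usable records per Sysmon event ID and record why the others were set aside."""
    summary = {"by_event_id": {},
               "dropped": {"unparsable": 0, "other_channel": 0, "unsupported_id": 0}}
    for line in lines:
        record = parse_nxlog_line(line)
        if record is None:
            summary["dropped"]["unparsable"] += 1
        elif record.get("Channel") != SYSMON_CHANNEL:
            summary["dropped"]["other_channel"] += 1
        elif not is_supported_sysmon_event(record):
            summary["dropped"]["unsupported_id"] += 1
        else:
            eid = record["EventID"]
            summary["by_event_id"][eid] = summary["by_event_id"].get(eid, 0) + 1
    return summary


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_nxlog_line(line)
        if rec:
            print(rec["EventID"], rec["event_time_utc"].isoformat(), is_supported_sysmon_event(rec))
    print(summarize(SAMPLE_LINES))
```

Running the script against a short capture of the forwarder's listener (for example a few lines saved from port 10518) is a quick way to confirm that the Exec statements are in place: if EventTime still arrives as a 16-digit microsecond value, ms_to_utc produces dates far in the future, which is the symptom of a missing `/ 1000`.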
Field mapping reference: device event fields to UDM fields
This section explains how the parser maps the original device log fields to Unified Data Model (UDM) fields. The field mapping may differ depending on the event ID.
Common fields
NXLog field | UDM field |
---|---|
UtcTime | metadata.event_timestamp |
Category | security_result.summary and metadata.product_event_type |
AccountName | principal.user.userid |
Domain | principal.administrative_domain |
RecordNumber | metadata.product_log_id |
HostName | principal.hostname |
UserID | principal.user.windows_sid |
SeverityValue | security_result.severity |
ProcessID | observer.process.pid |
ProviderGuid | observer.asset_id |
LogonId | principal.network.session_id |
ThreadID | additional.fields.key set to thread_id and the value stored in additional.fields.value.string_value |
Channel | additional.fields.key set to channel and the value stored in additional.fields.value.string_value |
EventID | security_result.rule_name set to EventID: <EventID>; metadata.product_event_type set to <Category> [<EventID>] |
Event ID: 1
NXLog field | UDM field |
---|---|
| metadata.event_type set to PROCESS_LAUNCH |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | target.process.product_specific_process_id set to SYSMON:<ProcessGuid> |
ProcessId | target.process.pid |
IntegrityLevel | The value of the field target.process.integrity_level_rid is determined by the value of the IntegrityLevel field as follows: |
Image | target.process.file.full_path |
FileVersion | target.asset.software.version |
Description | target.asset.software.description |
Product | target.asset.software.name |
Company | target.asset.software.vendor_name |
CommandLine | target.process.command_line |
CurrentDirectory | additional.fields.key set to current_directory and the value stored in additional.fields.value.string_value |
User | Domain stored in principal.administrative_domain; username stored in principal.user.userid |
Hashes | Based on the hash algorithm. |
ParentProcessGuid | principal.process.product_specific_process_id set to SYSMON:<ParentProcessGuid> |
ParentProcessId | principal.process.pid |
ParentImage | principal.process.file.full_path |
ParentCommandLine | principal.process.command_line |
Event ID: 2
NXLog field | UDM field |
---|---|
| metadata.event_type set to FILE_MODIFICATION |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value of the field principal.process.integrity_level_rid is determined by the value of the IntegrityLevel field as follows: |
Image | principal.process.file.full_path |
TargetFilename | target.file.full_path |
CreationUtcTime | target.resource.attribute.labels.key set to CreationUtcTime and the value stored in target.resource.attribute.labels.value |
PreviousCreationUtcTime | target.resource.attribute.labels.key set to PreviousCreationUtcTime and the value stored in target.resource.attribute.labels.value |
Event ID: 3
NXLog field | UDM field |
---|---|
| metadata.event_type set to NETWORK_CONNECTION; security_result.action set to ALLOW; network.direction set to OUTBOUND |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value of the field principal.process.integrity_level_rid is determined by the value of the IntegrityLevel field as follows: |
Image | principal.process.file.full_path |
User | Domain stored in principal.administrative_domain; username stored in principal.user.userid |
Protocol | network.ip_protocol |
SourceIp | principal.ip |
SourcePort | principal.port |
DestinationIp | target.ip |
DestinationHostname | target.hostname |
DestinationPort | target.port |
Event ID: 4
NXLog field | UDM field |
---|---|
| metadata.event_type set to SETTING_MODIFICATION; target.resource.resource_type set to SETTING; target.resource.resource_subtype set to State |
UtcTime | metadata.event_timestamp |
State | target.resource.name |
Version | metadata.product_version |
Event ID: 5
NXLog field | UDM field |
---|---|
| metadata.event_type set to PROCESS_TERMINATION |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to SYSMON:<ProcessGuid> |
ProcessId | target.process.pid |
IntegrityLevel | The value of the field target.process.integrity_level_rid is determined by the value of the IntegrityLevel field as follows: |
Image | target.process.file.full_path |
Event ID: 6
NXLog field | UDM field |
---|---|
| metadata.event_type set to PROCESS_MODULE_LOAD |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ImageLoaded | principal.process.file.full_path |
Hashes | The field populated is determined by the hash algorithm. |
Signed | target.resource.attribute.labels.key set to Signed and the value stored in target.resource.attribute.labels.value |
Signature | target.resource.attribute.labels.key set to Signature and the value stored in target.resource.attribute.labels.value |
SignatureStatus | target.resource.attribute.labels.key set to SignatureStatus and the value stored in target.resource.attribute.labels.value |
Event ID: 7
NXLog field | UDM field |
---|---|
| metadata.event_type set to PROCESS_MODULE_LOAD |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value of the field principal.process.integrity_level_rid is determined by the value of the IntegrityLevel field as follows: |
Image | principal.process.file.full_path |
ImageLoaded | target.process.file.full_path |
FileVersion | target.asset.software.version |
Description | target.asset.software.description |
Product | target.asset.software.name |
Company | target.asset.software.vendor_name |
Hashes | The field populated is determined by the hash algorithm. |
Signed | target.resource.attribute.labels.key set to Signed and the value stored in target.resource.attribute.labels.value |
Signature | target.resource.attribute.labels.key set to Signature and the value stored in target.resource.attribute.labels.value |
SignatureStatus | target.resource.attribute.labels.key set to SignatureStatus and the value stored in target.resource.attribute.labels.value |
Event ID: 8
NXLog field | UDM field |
---|---|
| metadata.event_type set to PROCESS_MODULE_LOAD |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
SourceProcessGuid | principal.process.product_specific_process_id set to SYSMON:<SourceProcessGuid> |
SourceProcessId | principal.process.pid |
SourceImage | principal.process.file.full_path |
TargetProcessGuid | target.process.product_specific_process_id set to SYSMON:<TargetProcessGuid> |
TargetProcessId | target.process.pid |
TargetImage | target.process.file.full_path |
Event ID: 9
NXLog field | UDM field |
---|---|
| metadata.event_type set to FILE_READ. If the |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value of the field principal.process.integrity_level_rid is determined by the value of the IntegrityLevel field as follows: |
Image | principal.process.file.full_path |
Device | target.file.full_path |
Event ID: 10
NXLog field | UDM field |
---|---|
| metadata.event_type set to PROCESS_OPEN; target.resource.resource_subtype set to GrantedAccess |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
SourceProcessGUID | principal.process.product_specific_process_id set to SYSMON:<SourceProcessGUID> |
SourceProcessId | principal.process.pid |
SourceImage | principal.process.file.full_path |
TargetProcessGUID | target.process.product_specific_process_id set to SYSMON:<TargetProcessGUID> |
TargetProcessId | target.process.pid |
TargetImage | target.process.file.full_path |
GrantedAccess | target.resource.name |
Event ID: 11
NXLog field | UDM field |
---|---|
| metadata.event_type set to FILE_CREATION; target.resource.resource_subtype set to CreationUtcTime |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value of the field principal.process.integrity_level_rid is determined by the value of the IntegrityLevel field as follows: |
Image | principal.process.file.full_path |
TargetFilename | target.file.full_path |
CreationUtcTime | target.resource.name |
Event ID: 12
NXLog field | UDM field |
---|---|
| If the Message field contains CreateKey or CreateValue, metadata.event_type is set to REGISTRY_CREATION. If the Message field contains DeleteKey or DeleteValue, metadata.event_type is set to REGISTRY_DELETION. Otherwise, metadata.event_type is set to REGISTRY_MODIFICATION. |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value of the field principal.process.integrity_level_rid is determined by the value of the IntegrityLevel field as follows: |
Image | principal.process.file.full_path |
TargetObject | target.registry.registry_key |
Event ID: 13
NXLog field | UDM field |
---|---|
| metadata.event_type set to REGISTRY_MODIFICATION |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value of the field principal.process.integrity_level_rid is determined by the value of the IntegrityLevel field as follows: |
Image | principal.process.file.full_path |
TargetObject | target.registry.registry_key |
Details | target.registry.registry_value_data |
Event ID: 14
NXLog field | UDM field |
---|---|
| metadata.event_type set to REGISTRY_MODIFICATION |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value of the field principal.process.integrity_level_rid is determined by the value of the IntegrityLevel field as follows: |
Image | principal.process.file.full_path |
TargetObject | src.registry.registry_key |
NewName | target.registry.registry_key |
Event ID: 15
NXLog field | UDM field |
---|---|
| metadata.event_type set to FILE_CREATION |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value of the field principal.process.integrity_level_rid is determined by the value of the IntegrityLevel field as follows: |
Image | principal.process.file.full_path |
TargetFilename | target.file.full_path |
CreationUtcTime | target.resource.attribute.labels.key set to CreationUtcTime and the value stored in target.resource.attribute.labels.value |
Hash | The field populated is determined by the hash algorithm. |
Event ID: 16
NXLog field | UDM field |
---|---|
| metadata.event_type set to SETTING_MODIFICATION |
UtcTime | metadata.event_timestamp |
ProcessID | target.process.pid |
Configuration | The value is stored in target.process.command_line when this field contains a command line or process. The value is stored in target.process.file.full_path when this field contains the configuration file path. |
ConfigurationFileHash | The field populated is determined by the hash algorithm. |
Event ID: 17
NXLog field | UDM field |
---|---|
| metadata.event_type set to PROCESS_UNCATEGORIZED; target.resource.resource_type set to PIPE |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | target.process.product_specific_process_id set to SYSMON:<ProcessGuid> |
ProcessId | target.process.pid |
IntegrityLevel | The value of the field target.process.integrity_level_rid is determined by the value of the IntegrityLevel field as follows: |
PipeName | target.resource.name |
Image | target.process.file.full_path |
Event ID: 18
NXLog field | UDM field |
---|---|
| metadata.event_type set to PROCESS_UNCATEGORIZED; target.resource.resource_type set to PIPE |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | target.process.product_specific_process_id set to SYSMON:<ProcessGuid> |
ProcessId | target.process.pid |
IntegrityLevel | The value of the field target.process.integrity_level_rid is determined by the value of the IntegrityLevel field as follows: |
PipeName | target.resource.name |
Image | target.process.file.full_path |
Event ID: 19
NXLog field | UDM field |
---|---|
| metadata.event_type set to USER_RESOURCE_ACCESS |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
Operation | |
User | Domain stored in principal.administrative_domain; username stored in principal.user.userid |
EventNamespace | target.file.full_path |
Name | target.application |
Query | target.resource.name |
Event ID: 20
NXLog field | UDM field |
---|---|
| metadata.event_type set to USER_RESOURCE_ACCESS |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
Operation | target.resource.attribute.labels.key set to Operation and the value stored in target.resource.attribute.labels.value |
User | Domain stored in principal.administrative_domain; username stored in principal.user.userid |
Name | target.resource.attribute.labels.key set to Name and the value stored in target.resource.attribute.labels.value |
Type | target.resource.attribute.labels.key set to Type and the value stored in target.resource.attribute.labels.value |
Destination | target.resource.name |
Event ID: 21
NXLog field | UDM field |
---|---|
| metadata.event_type set to USER_RESOURCE_ACCESS |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
Operation | target.resource.attribute.labels.key set to Operation and the value stored in target.resource.attribute.labels.value |
User | Domain stored in principal.administrative_domain; username stored in principal.user.userid |
Consumer | target.resource.attribute.labels.key set to Consumer and the value stored in target.resource.attribute.labels.value |
Filter | target.resource.name |
Event ID: 22
NXLog field | UDM field |
---|---|
| metadata.event_type set to NETWORK_DNS; network.application_protocol set to DNS |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value of the field principal.process.integrity_level_rid is determined by the value of the IntegrityLevel field as follows: |
QueryName | network.dns.questions |
QueryStatus | Stored in security_result.summary as Query Status: <QueryStatus> |
QueryResults | The type is saved to network.dns.answers.type, with values separated by a semicolon (;). The data is saved to network.dns.answers.data. Values that do not have a type are mapped to network.dns.answers.data. |
Image | principal.process.file.full_path |
Event ID: 23
NXLog field | UDM field |
---|---|
| metadata.event_type set to FILE_DELETION |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value of the field principal.process.integrity_level_rid is determined by the value of the IntegrityLevel field as follows: |
User | Domain stored in principal.administrative_domain; username stored in principal.user.userid |
Image | principal.process.file.full_path |
TargetFilename | target.file.full_path |
Hashes | The field populated is determined by the hash algorithm. |
IsExecutable | target.resource.attribute.labels.key set to IsExecutable and the value stored in target.resource.attribute.labels.value |
Archived | target.resource.attribute.labels.key set to Archived and the value stored in target.resource.attribute.labels.value |
Event ID: 24
NXLog field | UDM field |
---|---|
| metadata.event_type set to RESOURCE_READ |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | target.process.product_specific_process_id set to SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value of the field principal.process.integrity_level_rid is determined by the value of the IntegrityLevel field as follows: |
Image | target.process.file.full_path and target.resource.name |
ClientInfo | IP stored in target.ip; hostname stored in target.hostname; user stored in principal.user.userid |
Hashes | The field populated is determined by the hash algorithm. |
Archived | target.resource.attribute.labels.key set to Archived and the value stored in target.resource.attribute.labels.value |
Event ID: 25
NXLog field | UDM field |
---|---|
| metadata.event_type set to PROCESS_LAUNCH |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | target.process.product_specific_process_id stored as SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value of the field principal.process.integrity_level_rid is determined by the value of the IntegrityLevel field as follows: |
Image | target.process.file.full_path |
Event ID: 26
NXLog field | UDM field |
---|---|
| metadata.event_type set to FILE_DELETION |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value of the field principal.process.integrity_level_rid is determined by the value of the IntegrityLevel field as follows: |
User | Domain set to principal.administrative_domain; username set to principal.user.userid |
Image | principal.process.file.full_path |
TargetFilename | target.file.full_path |
Hashes | Based on the hash algorithm: MD5 set to target.process.file.md5, SHA256 set to target.process.file.sha256, SHA1 set to target.process.file.sha1 |
IsExecutable | target.resource.attribute.labels.key set to IsExecutable and the value stored in target.resource.attribute.labels.value |
Event ID: 29
NXLog field | UDM field |
---|---|
| metadata.event_type set to FILE_CREATION |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to SYSMON:<PROCESS_GUID>, where PROCESS_GUID is the ProcessGuid. The ProcessGuid field is a unique value for this process across a domain, which makes event correlation easier. |
ProcessId | principal.process.pid |
IntegrityLevel | The value of the field principal.process.integrity_level_rid is determined by the value of the IntegrityLevel field as follows: |
User | Domain set to principal.administrative_domain; username set to principal.user.userid |
Image | principal.process.file.full_path |
TargetFilename | target.file.full_path |
Hashes | Based on the hash algorithm, the following values are set: |
Event ID: 255
NXLog field | UDM field |
---|---|
| metadata.event_type set to SERVICE_UNSPECIFIED; metadata.product_event_type set to Error - [255]; target.application set to Microsoft Sysmon |
UtcTime | metadata.event_timestamp |
ID | security_result.summary |
Description | security_result.description |
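The following Python script is an added example, not the Google Security Operations parser itself, that applies the mapping rules in the tables above (common fields plus event IDs 1, 12 and 22) to constructed NXLog-style Sysmon records and produces a flat dictionary keyed by UDM field path. It is useful for checking what a detection rule written against UDM fields can expect from a given Sysmon event, for example that a registry event whose Message contains CreateKey lands as REGISTRY_CREATION rather than REGISTRY_MODIFICATION. The records, GUIDs, hashes and host names are placeholders. Two points go beyond what the page states and are assumptions: the Sysmon Hashes string (MD5=...,SHA256=...) is split per algorithm into target.process.file.* for event ID 1 the way the page spells out only for event ID 26, and QueryResults is parsed as semicolon-separated entries where an entry of the form "type: N data" carries an answer type.

```python
import re

# Constructed NXLog-style Sysmon records (placeholder values, not real telemetry);
# field names follow the mapping tables above.
SAMPLE_EVENTS = [
    {"EventID": 1, "Category": "Process Create (rule: ProcessCreate)", "RecordNumber": 101,
     "UtcTime": "2023-11-14 22:13:20.123", "Hostname": "WS01", "RuleName": "-",
     "ProcessGuid": "{00000000-0000-0000-0000-000000000001}", "ProcessId": 4242,
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami",
     "User": "CORP\\alice", "Hashes": "MD5=00112233445566778899AABBCCDDEEFF,SHA256=" + "AB" * 32,
     "ParentProcessGuid": "{00000000-0000-0000-0000-000000000002}", "ParentProcessId": 1000,
     "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "explorer.exe"},
    {"EventID": 12, "Category": "Registry object added or deleted (rule: RegistryEvent)",
     "RecordNumber": 103, "UtcTime": "2023-11-14 22:13:22.000", "Hostname": "WS01", "RuleName": "-",
     "Message": "Registry object added or deleted:\r\nRuleName: -\r\nEventType: CreateKey\r\n",
     "ProcessGuid": "{00000000-0000-0000-0000-000000000001}", "ProcessId": 4242,
     "Image": "C:\\Windows\\regedit.exe", "TargetObject": "HKLM\\SOFTWARE\\Example\\NewKey"},
    {"EventID": 22, "Category": "Dns query (rule: DnsQuery)", "RecordNumber": 104,
     "UtcTime": "2023-11-14 22:13:23.000", "Hostname": "WS01", "RuleName": "-",
     "ProcessGuid": "{00000000-0000-0000-0000-000000000001}", "ProcessId": 4242,
     "Image": "C:\\Windows\\System32\\cmd.exe", "QueryName": "www.example.net",
     "QueryStatus": "0", "QueryResults": "type:  5 cdn.example.net;::ffff:192.0.2.1;"},
]


def split_user(user):
    """'CORP\\alice' -> ('CORP', 'alice'); a bare user name has an empty domain."""
    domain, sep, name = user.rpartition("\\")
    return (domain if sep else "", name)


def parse_hashes(hashes):
    """Sysmon 'MD5=..,SHA256=..' -> {'md5': '..', 'sha256': '..'}."""
    pairs = (item.partition("=") for item in hashes.split(","))
    return {algo.strip().lower(): value.strip() for algo, sep, value in pairs if sep}


def parse_query_results(results):
    """Assumed QueryResults layout: entries separated by ';'. 'type: N <data>' entries yield
    an answer type plus data; entries without a type contribute data only."""
    types, data = [], []
    for entry in (e.strip() for e in results.split(";") if e.strip()):
        match = re.match(r"type:\s*(\d+)\s+(.*)", entry)
        if match:
            types.append(match.group(1))
            data.append(match.group(2))
        else:
            data.append(entry)
    return types, data


def to_udm(ev):
    """Map one record to {UDM field path: value} per the common-field table and the
    tables for event IDs 1, 12 and 22."""
    eid = ev["EventID"]
    guid = f"SYSMON:{ev.get('ProcessGuid')}"
    udm = {"metadata.event_timestamp": ev["UtcTime"],
           "metadata.product_event_type": f"{ev['Category']} [{eid}]",
           "metadata.product_log_id": str(ev["RecordNumber"]),
           "principal.hostname": ev["Hostname"],
           "security_result.summary": ev["Category"],
           # security_result is repeated in UDM, so both rule names the tables mention are kept
           "security_result.rule_name": [f"EventID: {eid}", ev.get("RuleName", "")]}
    if "User" in ev:
        udm["principal.administrative_domain"], udm["principal.user.userid"] = split_user(ev["User"])
    if eid == 1:
        udm.update({"metadata.event_type": "PROCESS_LAUNCH",
                    "target.process.product_specific_process_id": guid,
                    "target.process.pid": ev["ProcessId"],
                    "target.process.file.full_path": ev["Image"],
                    "target.process.command_line": ev["CommandLine"],
                    "principal.process.product_specific_process_id": f"SYSMON:{ev['ParentProcessGuid']}",
                    "principal.process.pid": ev["ParentProcessId"],
                    "principal.process.file.full_path": ev["ParentImage"],
                    "principal.process.command_line": ev["ParentCommandLine"]})
        # Assumption: the per-algorithm split the page gives for event ID 26 applies here too.
        for algo, value in parse_hashes(ev.get("Hashes", "")).items():
            udm[f"target.process.file.{algo}"] = value
    elif eid == 12:
        msg = ev.get("Message", "")
        if re.search(r"CreateKey|CreateValue", msg):
            event_type = "REGISTRY_CREATION"
        elif re.search(r"DeleteKey|DeleteValue", msg):
            event_type = "REGISTRY_DELETION"
        else:
            event_type = "REGISTRY_MODIFICATION"
        udm.update({"metadata.event_type": event_type,
                    "principal.process.product_specific_process_id": guid,
                    "principal.process.pid": ev["ProcessId"],
                    "principal.process.file.full_path": ev["Image"],
                    "target.registry.registry_key": ev["TargetObject"]})
    elif eid == 22:
        types, data = parse_query_results(ev.get("QueryResults", ""))
        udm.update({"metadata.event_type": "NETWORK_DNS", "network.application_protocol": "DNS",
                    "principal.process.product_specific_process_id": guid,
                    "principal.process.pid": ev["ProcessId"],
                    "principal.process.file.full_path": ev["Image"],
                    "network.dns.questions": [{"name": ev["QueryName"]}],
                    "network.dns.answers.type": types, "network.dns.answers.data": data,
                    "security_result.summary": f"Query Status: {ev['QueryStatus']}"})
    else:
        raise ValueError(f"event ID {eid} is not covered by this example")
    return udm


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(to_udm(event))
```

The script raises on event IDs it does not model rather than guessing, so extending it to another event ID means adding a branch that copies the corresponding table; the common-field block at the top of to_udm does not change. Note that the IntegrityLevel to integrity_level_rid conversion is left out because the page does not list the value mapping.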