Cette page a été traduite par l'API Cloud Translation.

Collecter les données Microsoft Windows Sysmon

Ce document:

décrit l'architecture de déploiement et les étapes d'installation, ainsi que toute configuration requise qui génère des journaux compatibles avec l'analyseur Google Security Operations pour les événements Sysmon Microsoft Windows. Pour en savoir plus sur l'ingestion de données Google Security Operations, consultez Ingestion de données dans Google Security Operations.
inclut des informations sur la manière dont l'analyseur mappe les champs du journal d'origine avec les champs du modèle de données unifié Google Security Operations.

Les informations de ce document s'appliquent à l'analyseur doté de l'étiquette d'ingestion WINDOWS_SYSMON. L'étiquette d'ingestion identifie l'analyseur qui normalise les données des journaux brutes au format UDM structuré.

Avant de commencer

Examiner l'architecture de déploiement recommandée

Ce schéma représente les composants principaux recommandés dans une architecture de déploiement pour collecter et envoyer des données Microsoft Windows Sysmon à Google Security Operations. Comparez ces informations avec celles de votre environnement pour vous assurer que ces composants sont installés. Chaque déploiement client diffère de cette représentation et peut être plus complexe. Les éléments suivants sont obligatoires:

Les systèmes de l'architecture de déploiement sont configurés avec le fuseau horaire UTC.
Sysmon est installé sur les serveurs, les points de terminaison et les contrôleurs de domaine.
Le serveur Microsoft Windows du collecteur reçoit les journaux des serveurs, des points de terminaison et des contrôleurs de domaine.
Les systèmes Microsoft Windows de l'architecture de déploiement utilisent:
- Source des abonnements initiés pour collecter des événements sur plusieurs appareils.
- Service WinRM pour la gestion de système à distance
NXLog est installé sur le serveur Window du collecteur pour transférer les journaux vers le redirecteur Google Security Operations.
Le redirecteur Google Security Operations est installé sur un serveur central Microsoft Windows ou Linux.

Remarque :Si vous choisissez de déployer le redirecteur Linux de Google Security Operations, le serveur Linux central et le serveur Microsoft Windows du collecteur seront des systèmes différents. Si vous choisissez de déployer le redirecteur Google Security Operations pour Microsoft Windows, le serveur central Microsoft Windows et le serveur Microsoft Windows de collecteur peuvent être le même système.

Examiner les appareils et les versions compatibles

L'analyseur Google Security Operations accepte les journaux générés par les versions suivantes de Microsoft Windows Server. Publication de Microsoft Windows Server avec les éditions suivantes : Foundation, Essentials, Standard et Datacenter Le schéma d'événement des journaux générés par chaque édition ne diffère pas.

Microsoft Windows Server 2019
Microsoft Windows Server 2016
Microsoft Windows Server 2012

L'analyseur Google Security Operations accepte les journaux générés par:

Systèmes clients Microsoft Windows 7 ou version ultérieure
Sysmon version 13.24.

L'analyseur Google Security Operations accepte les journaux collectés par NXLog Community ou Enterprise Edition.

Examiner les types de journaux compatibles

L'analyseur Google Security Operations accepte les types de journaux suivants, générés par Microsoft Windows Sysmon. Pour en savoir plus sur ces types de journaux, consultez la documentation de Microsoft Windows sur Sysmon. Il est compatible avec les journaux générés avec du texte en anglais et n'est pas compatible avec les journaux générés dans des langues autres que l'anglais.

Type de journal	Description
Journaux sysmon	Le canal Sysmon contient 27 ID d'événements. (ID d'événement: 1 à 26, et 255). Pour obtenir une description de ce type de journal, consultez la documentation relative aux événements Sysmon de Microsoft Windows

Configurer les serveurs, points de terminaison et contrôleurs de domaine Microsoft Windows

Installer et configurer les serveurs, les points de terminaison et les contrôleurs de domaine Pour en savoir plus, consultez la documentation sur la configuration du système Sysmon Microsoft Windows.
Configurez un serveur Microsoft Windows de collecteur pour analyser les journaux collectés à partir de plusieurs systèmes.
Configurer le serveur central Microsoft Windows ou Linux
Configurez tous les systèmes avec le fuseau horaire UTC.
Configurez les appareils pour qu'ils transfèrent les journaux au collecteur Microsoft Windows.
- Configurer les abonnements initiés par la source sur les systèmes Microsoft Windows. Pour en savoir plus, consultez la page Configurer un abonnement initié par la source.
- Activez WinRM sur les serveurs et les clients Microsoft Windows. Pour plus d'informations, consultez la page Installation et configuration de Microsoft Windows Remote Management.

Configurer l'agent BindPlane

Collectez les journaux Sysmon Windows à l'aide de l'agent BindPlane. Après l'installation, le service de l'agent BindPlane apparaît en tant que service observerIQ dans la liste des services Windows.

Installez l'agent BindPlane sur le collecteur qui s'exécute sur un serveur Windows. Pour en savoir plus sur l'installation de l'agent BindPlane, consultez les instructions d'installation de l'agent BindPlane.

Créez un fichier de configuration pour l'agent BindPlane avec le contenu suivant.

receivers:
  windowseventlog/sysmon:
    channel: Microsoft-Windows-Sysmon/Operational
    raw: true
processors:
  batch:

exporters:
  chronicle/winsysmon:
    endpoint: https://malachiteingestion-pa.googleapis.com
    creds: '{
    "type": "service_account",
    "project_id": "malachite-projectname",
    "private_key_id": `PRIVATE_KEY_ID`,
    "private_key": `PRIVATE_KEY`,
    "client_email":"`SERVICE_ACCOUNT_NAME`@malachite-`PROJECT_ID`.iam.gserviceaccount.com",
    "client_id": `CLIENT_ID`,
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/`SERVICSERVICE_ACCOUNT_NAME`%40malachite-`PROJECT_ID`.iam.gserviceaccount.com",
    "universe_domain": "googleapis.com"
    }'
  log_type: 'WINDOWS_SYSMON'
  override_log_type: false
  raw_log_field: body
  customer_id: `CUSTOMER_ID`

service:
  pipelines:
    logs/winsysmon:
      receivers:
        - windowseventlog/sysmon
      processors: [batch]
      exporters: [chronicle/winsysmon]

Remplacez PRIVATE_KEY_ID, PRIVATE_KEY SERVICSERVICE_ACCOUNT_NAME,PROJECT_ID, CLIENT_ID et CUSTOMER_ID par les valeurs respectives du fichier JSON du compte de service que vous pouvez télécharger depuis Google Cloud Platform. Pour en savoir plus sur les clés de compte de service, consultez la documentation Créer et supprimer des clés de compte de service.
Pour démarrer le service de l'agent observerIQ, sélectionnez Services > Étendu > Service observerIQ > Démarrer.

Configurer NXLog et le redirecteur Google Security Operations

Installez NXLog sur le collecteur qui s'exécute sur un serveur Windows. Suivez la documentation NXLog, y compris les informations sur la configuration de NXLog pour collecter les journaux de Sysmon.

Créez un fichier de configuration pour NXLog. Utilisez le module d'entrée im_msvistalog. Voici un exemple de configuration NXLog. Remplacez les valeurs <hostname> et <port> par des informations sur le serveur central de destination Microsoft Windows ou Linux. Pour en savoir plus, consultez la documentation NXLog sur le module om_tcp.

define ROOT     C:\Program Files (x86)\nxlog
define SYSMON_OUTPUT_DESTINATION_ADDRESS <hostname>
define SYSMON_OUTPUT_DESTINATION_PORT <port>
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _json>
    Module      xm_json
</Extension>

<Input windows_sysmon_eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    ReadFromLast  False 
    SavePos  False
</Input>

<Output out_chronicle_sysmon>
    Module      om_tcp
    Host        %SYSMON_OUTPUT_DESTINATION_ADDRESS%
    Port        %SYSMON_OUTPUT_DESTINATION_PORT%
    Exec        $EventTime = integer($EventTime) / 1000;
    Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000;
    Exec        to_json();
</Output>

<Route r2>
    Path    windows_sysmon_eventlog => out_chronicle_sysmon
</Route>

Installez le redirecteur Google Security Operations sur le serveur central Microsoft Windows ou Linux. Pour en savoir plus sur l'installation et la configuration du redirecteur, consultez les pages Installer et configurer le redirecteur sous Linux ou Installer et configurer le redirecteur sous Microsoft Windows.

Configurez le redirecteur Google Security Operations pour qu'il envoie les journaux à Google Security Operations. Voici un exemple de configuration du redirecteur.

  - syslog:
      common:
        enabled: true
        data_type: WINDOWS_SYSMON
        Data_hint:
        batch_n_seconds: 10
        batch_n_bytes: 1048576
      tcp_address: 0.0.0.0:10518
      connection_timeout_sec: 60

Démarrez le service NXLog.

Documentation de référence sur le mappage de champs: champs d'événement d'appareil et champs UDM

Cette section explique comment l'analyseur mappe les champs de journal d'origine de l'appareil avec les champs de modèle de données unifié (UDM, Unified Data Model). Le mappage de champs peut différer selon l'ID d'événement.

Champs communs

Champ NXLog	Champ de l'UDM
UtcTime	metadata.event_timestamp
Catégorie	`security_result.summary` et `metadata.product_event_type`
AccountName	principal.user.userid
Domaine	principal.administrative_domain
RecordNumber	metadata.product_log_id
HostName	principal.hostname
UserID	principal.user.windows_sid
SeverityValue	security_result.severity
ProcessID	observer.process.pid
ProviderGuid	observer.asset_id
LogonId	principal.network.session_id
ThreadID	`additional.fields.key` définie sur `thread_id` et la valeur stockée dans `additional.fields.value.string_value`
Canal	`additional.fields.key` définie sur `channel` et la valeur stockée dans `additional.fields.value.string_value`
EventID	`security_result.rule_name` définie sur `EventID: <EventID>` `metadata.product_event_type` définie sur `<Category> [<EventID>]`

ID de l'événement: 1

Champ NXLog	Champ de l'UDM
	`metadata.event_type` set to `PROCESS_LAUNCH`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`target.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	target.process.pid
IntegrityLevel	The value for the field `target.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `target.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `target.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `target.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `target.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `target.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `target.process.integrity_level_rid` UDM field is set to `20480`
Image	target.process.file.full_path
FileVersion	target.asset.software.version
Description	target.asset.software.description
Product	target.asset.software.name
Company	target.asset.software.vendor_name
CommandLine	target.process.command_line
CurrentDirectory	`additional.fields.key` set to `current_directory` and value stored in `additional.fields.value.string_value`
User	Domain stored in `principal.administrative_domain` Username stored in `principal.user.userid`
Hashes	Based on Hash algorithm. MD5 stored in `target.process.file.md5` SHA256 stored in `target.process.file.sha256` SHA1 stored in `target.process.file.sha1`
ParentProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ParentProcessGuid>`
ParentProcessId	principal.process.pid
ParentImage	principal.process.file.full_path
ParentCommandLine	principal.process.command_line

ID d'événement: 2

Champ NXLog	Champ de l'UDM
	`metadata.event_type` set to `FILE_MODIFICATION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
TargetFilename	target.file.full_path
CreationUtcTime	`target.resource.attribute.labels.key` set to `CreationUtcTime` and value stored in `target.resource.attribute.labels.value`
PreviousCreationUtcTime	`target.resource.attribute.labels.key` set to `PreviousCreationUtcTime` and value stored in `target.resource.attribute.labels.value`

ID d'événement: 3

Champ NXLog	Champ de l'UDM
	`metadata.event_type` set to `NETWORK_CONNECTION` `security_result.action` set to `ALLOW` `network.direction` set to `OUTBOUND`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
User	Domain stored in `principal.administrative_domain` Username stored in `principal.user.userid`
Protocol	network.ip_protocol
SourceIp	principal.ip
SourcePort	principal.port
DestinationIp	target.ip
DestinationHostname	target.hostname
DestinationPort	target.port

ID d'événement: 4

Champ NXLog	Champ de l'UDM
	`metadata.event_type` set to `SETTING_MODIFICATION` `target.resource.resource_type` set to `SETTING` `target.resource.resource_subtype` set to `State`
UtcTime	metadata.event_timestamp
State	target.resource.name
Version	metadata.product_version

ID de l'événement: 5

Champ NXLog	Champ de l'UDM
	`metadata.event_type` set to `PROCESS_TERMINATION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	target.process.pid
IntegrityLevel	The value for the field `target.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `target.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `target.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `target.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `target.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `target.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `target.process.integrity_level_rid` UDM field is set to `20480`
Image	target.process.file.full_path

ID de l'événement: 6

Champ NXLog	Champ de l'UDM
	`metadata.event_type` set to `PROCESS_MODULE_LOAD`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ImageLoaded	principal.process.file.full_path
Hashes	The field populated is determined by the Hash algorithm. MD5 stored in `target.process.file.md5` SHA256 stored in `target.process.file.sha256` SHA1 stored in `target.process.file.sha1`
Signed	`target.resource.attribute.labels.key` set to `Signed` and value set to `target.resource.attribute.labels.value`
Signature	`target.resource.attribute.labels.key` set to `Signature` and value stored in `target.resource.attribute.labels.value`
SignatureStatus	`target.resource.attribute.labels.key` set to `SignatureStatus` and value stored in `target.resource.attribute.labels.value`

ID de l'événement: 7

Champ NXLog	Champ de l'UDM
	`metadata.event_type` set to `PROCESS_MODULE_LOAD`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
ImageLoaded	target.process.file.full_path
FileVersion	target.asset.software.version
Description	target.asset.software.description
Product	target.asset.software.name
Company	target.asset.software.vendor_name
Hashes	The field populated is determined by the Hash algorithm. MD5 stored in `target.process.file.md5` SHA256 stored in `target.process.file.sha256` SHA1 stored in `target.process.file.sha1`
Signed	`target.resource.attribute.labels.key` set to `Signed` and value stored in `target.resource.attribute.labels.value`
Signature	`target.resource.attribute.labels.key` set to `Signature` Signature value in `target.resource.attribute.labels.value`
SignatureStatus	`target.resource.attribute.labels.key` set to `SignatureStatus` and value stored in `target.resource.attribute.labels.value`

ID de l'événement: 8

Champ NXLog	Champ de l'UDM
	`metadata.event_type` set to `PROCESS_MODULE_LOAD`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
SourceProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<SourceProcessGuid>`
SourceProcessId	principal.process.pid
SourceImage	principal.process.file.full_path
TargetProcessGuid	`target.process.product_specific_process_id` set to `SYSMON:<TargetProcessGuid>`
TargetProcessId	target.process.pid
TargetImage	target.process.file.full_path

ID de l'événement: 9

Champ NXLog	Champ de l'UDM
	`metadata.event_type` set to `FILE_READ` If the `Device` log field, which is required to validate the `FILE_READ` UDM event type, is not available, then `metadata.event_type` is set to `GENERIC_EVENT`.
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
Device	target.file.full_path

ID de l'événement: 10

Champ NXLog	Champ de l'UDM
	`metadata.event_type` set to `PROCESS_OPEN` `target.resource.resource_subtype` set to `GrantedAccess`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
SourceProcessGUID	`principal.process.product_specific_process_id` set to `SYSMON:<SourceProcessGUID>`
SourceProcessId	principal.process.pid
SourceImage	principal.process.file.full_path
TargetProcessGUID	`target.process.product_specific_process_id` set to `SYSMON:<TargetProcessGUID>`
TargetProcessId	target.process.pid
TargetImage	target.process.file.full_path
GrantedAccess	target.resource.name

ID de l'événement: 11

Champ NXLog	Champ de l'UDM
	`metadata.event_type` set to `FILE_CREATION` `target.resource.resource_subtype` set to `CreationUtcTime`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
TargetFilename	target.file.full_path
CreationUtcTime	target.resource.name

ID d'événement: 12

Champ NXLog	Champ de l'UDM
	If the Message the field contains `CreateKey\|CreateValue`, then `metadata.event_type` set to `REGISTRY_CREATION` If the Message field contains `DeleteKey\|DeleteValue`, then `metadata.event_type` set to `REGISTRY_DELETION` Otherwise, `metadata.event_type` set to `REGISTRY_MODIFICATION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
TargetObject	target.registry.registry_key

ID de l'événement: 13

Champ NXLog	Champ de l'UDM
	`metadata.event_type` set to `REGISTRY_MODIFICATION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
TargetObject	target.registry.registry_key
Details	target.registry.registry_value_data

ID de l'événement: 14

Champ NXLog	Champ de l'UDM
	`metadata.event_type` set to `REGISTRY_MODIFICATION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
TargetObject	src.registry.registry_key
NewName	target.registry.registry_key

ID de l'événement: 15

Champ NXLog	Champ de l'UDM
	`metadata.event_type` set to `FILE_CREATION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
TargetFilename	target.file.full_path
CreationUtcTime	`target.resource.attribute.labels.key` set to `CreationUtcTime` and value stored in `target.resource.attribute.labels.value`
Hash	The field populated is determined by the Hash algorithm. If MD5, the value is stored in `target.process.file.md5` If SHA256 set to the value is stored in `target.process.file.sha256` If SHA1, the value is stored in `target.process.file.sha1`

ID de l'événement: 16

Champ NXLog	Champ de l'UDM
	`metadata.event_type` set to `SETTING_MODIFICATION`
UtcTime	metadata.event_timestamp
ProcessID	target.process.pid
Configuration	The value is stored in `target.process.command_line` when this field value contains any command line or process The value is stored in `target.process.file.full_path` when this field value contains the configuration file path.
ConfigurationFileHash	The field populated is determined by the Hash algorithm. If MD5, the value is stored in `target.process.file.md5` If SHA256 set to the value is stored in `target.process.file.sha256` If SHA1, the value is stored in `target.process.file.sha1`

ID de l'événement: 17

Champ NXLog	Champ de l'UDM
	`metadata.event_type` set to `PROCESS_UNCATEGORIZED` `target.resource.resource_type` set to `PIPE`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`target.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	target.process.pid
IntegrityLevel	The value for the field `target.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `target.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `target.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `target.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `target.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `target.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `target.process.integrity_level_rid` UDM field is set to `20480`
PipeName	target.resource.name
Image	target.process.file.full_path

ID de l'événement: 18

Champ NXLog	Champ de l'UDM
	`metadata.event_type` set to `PROCESS_UNCATEGORIZED` `target.resource.resource_type` set to `PIPE`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`target.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	target.process.pid
IntegrityLevel	The value for the field `target.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `target.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `target.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `target.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `target.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `target.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `target.process.integrity_level_rid` UDM field is set to `20480`
PipeName	target.resource.name
Image	target.process.file.full_path

ID de l'événement: 19

Champ NXLog	Champ de l'UDM
	`metadata.event_type` set to `USER_RESOURCE_ACCESS`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
Operation
User	The Domain is stored in `principal.administrative_domain` The Username is stored in `principal.user.userid`
EventNamespace	target.file.full_path
Name	target.application
Query	target.resource.name

ID d'événement: 20

Champ NXLog	Champ de l'UDM
	`metadata.event_type` set to `USER_RESOURCE_ACCESS`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
Operation	`target.resource.attribute.labels.key` set to `Operation` and the value is stored in `target.resource.attribute.labels.value`
User	The domain is stored in `principal.administrative_domain` The Username is stored in `principal.user.userid`
Name	`target.resource.attribute.labels.key` set to `Name` Name value in `target.resource.attribute.labels.value`
Type	`target.resource.attribute.labels.key` set to `Type` and the value is stored in `target.resource.attribute.labels.value`
Destination	target.resource.name

ID d'événement: 21

Champ NXLog	Champ de l'UDM
	`metadata.event_type` set to `USER_RESOURCE_ACCESS`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
Operation	`target.resource.attribute.labels.key` set to `Operation` and the value is stored in `target.resource.attribute.labels.value`
User	The domain is stored in `principal.administrative_domain` The username is stored in `principal.user.userid`
Consumer	`target.resource.attribute.labels.key` set to `Consumer` and the value is stored in `target.resource.attribute.labels.value`
Filter	target.resource.name

ID d'événement: 22

Champ NXLog	Champ de l'UDM
	`metadata.event_type` set to `NETWORK_DNS` `network.application_protocol` set to `DNS`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
QueryName	network.dns.questions
QueryStatus	Stored in `security_result.summary` as `Query Status: <QueryStatus>`
QueryResults	Type is saved to `network.dns.answers.type` with values separated by a semicolon (;) Data is saved to `network.dns.answers.data` Values that do not have type are mapped to `network.dns.answers.data`.
Image	principal.process.file.full_path

ID d'événement: 23

Champ NXLog	Champ de l'UDM
	`metadata.event_type` set to `FILE_DELETION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
User	Domain stored into `principal.administrative_domain` Username stored in `principal.user.userid`
Image	principal.process.file.full_path
TargetFilename	target.file.full_path
Hashes	The field populated is determined by the Hash algorithm. MD5 set to `target.process.file.md5` SHA256 set to `target.process.file.sha256` SHA1 set to `target.process.file.sha1`
IsExecutable	Field `target.resource.attribute.labels.key` set to `IsExecutable` and the value is stored in `target.resource.attribute.labels.value`
Archived	`target.resource.attribute.labels.key` set to `Archived` and the value is stored in `target.resource.attribute.labels.value`

ID d'événement: 24

Champ NXLog	Champ de l'UDM
	`metadata.event_type` set to `RESOURCE_READ`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`target.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	target.process.file.full_path target.resource.name
ClientInfo	ip stored in `target.ip` hostname stored in `target.hostname` user stored in `principal.user.userid`
Hashes	The field populated is determined by the Hash algorithm. If MD5, value stored in `target.process.file.md5` If SHA256, value stored in `target.process.file.sha256` If SHA1, value stored in `target.process.file.sha1`
Archived	`target.resource.attribute.labels.key` set to `Archived` and value stored in `target.resource.attribute.labels.value`

ID d'événement: 25

Champ NXLog	Champ de l'UDM
	`metadata.event_type` set to `PROCESS_LAUNCH`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`target.process.product_specific_process_id` stored as `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	target.process.file.full_path

ID d'événement: 26

Champ NXLog	Champ de l'UDM
	`metadata.event_type` set to `FILE_DELETION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<%{ProcessGuid}>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
User	Domain set to `principal.administrative_domain` Username set to `principal.user.userid`
Image	principal.process.file.full_path
TargetFilename	target.file.full_path
Hashes	Based on Hash algorithm. MD5 set to `target.process.file.md5` SHA256 set to `target.process.file.sha256` SHA1 set to `target.process.file.sha1`
IsExecutable	`target.resource.attribute.labels.key` set to `IsExecutable` & value in `target.resource.attribute.labels.value`

ID d'événement: 29

Champ NXLog	Champ de l'UDM
	`metadata.event_type` set to `FILE_CREATION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` is set to `SYSMON:<PROCESS_GUID>` `PROCESS_GUID` is the `ProcessGuid`. The `ProcessGuid` field is a unique value for this process across a domain to make event correlation easier.
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
User	Domain is set to `principal.administrative_domain` Username is set to `principal.user.userid`
Image	principal.process.file.full_path
TargetFilename	target.file.full_path
Hashes	Based on the hash algorithm, the following values are set: MD5 is set to `target.process.file.md5` SHA256 is set to `target.process.file.sha256` SHA1 is set to `target.process.file.sha1`

ID de l'événement: 255

Champ NXLog	Champ de l'UDM
	`metadata.event_type` set to `SERVICE_UNSPECIFIED` `metadata.product_event_type` set to `Error - [255]` `target.application` set to `Microsoft Sysmon`
UtcTime	metadata.event_timestamp
ID	security_result.summary
Description	security_result.description