Mengumpulkan data Sysmon Microsoft Windows

Dokumen ini:

menjelaskan arsitektur deployment dan langkah-langkah penginstalan, serta konfigurasi yang diperlukan yang menghasilkan log yang didukung oleh peristiwa Chronicle Parser for Microsoft Windows Sysmon. Untuk mengetahui ringkasan penyerapan data Chronicle, lihat Penyerapan data ke Chronicle.
menyertakan informasi tentang cara parser memetakan kolom dalam log asli ke kolom Chronicle Unified Data Model.

Informasi dalam dokumen ini berlaku untuk parser dengan label penyerapan WINDOWS_SYSMON. Label penyerapan mengidentifikasi parser mana yang menormalisasi data log mentah ke format UDM terstruktur.

Sebelum memulai

Meninjau arsitektur deployment yang direkomendasikan

Diagram ini merepresentasikan komponen inti yang direkomendasikan dalam arsitektur deployment untuk mengumpulkan dan mengirimkan data Sysmon Microsoft Windows ke Chronicle. Bandingkan informasi ini dengan lingkungan Anda untuk memastikan komponen tersebut diinstal. Setiap deployment pelanggan akan berbeda dari representasi ini dan mungkin lebih kompleks. Hal berikut diperlukan:

Sistem dalam arsitektur deployment dikonfigurasi dengan zona waktu UTC.
Sysmon diinstal di server, endpoint, dan pengontrol domain.
Server Microsoft Windows kolektor menerima log dari server, endpoint, dan pengontrol domain.
Sistem Microsoft Windows dalam arsitektur deployment menggunakan:
- Langganan yang Dimulai Sumber untuk mengumpulkan peristiwa di beberapa perangkat.
- Layanan WinRM untuk manajemen sistem jarak jauh.
NXLog diinstal di server Window kolektor untuk meneruskan log ke Forwarder Chronicer.
Forwarder Chronicle diinstal di server Microsoft Windows pusat atau server Linux.

Catatan: Jika Anda memilih untuk men-deploy forwarder Chronicle Linux, server Linux pusat dan server kolektor Microsoft Windows akan berbeda sistem. Jika Anda memilih untuk men-deploy forwarder Chronicle untuk Microsoft Windows, server Microsoft Windows pusat dan server Microsoft Windows kolektor dapat menjadi sistem yang sama.

Meninjau perangkat dan versi yang didukung

Parser Chronicle mendukung log yang dibuat oleh versi server Microsoft Windows berikut. Microsoft Windows Server dirilis dengan edisi berikut: Foundation, Essentials, Standard, dan Datacenter. Skema log peristiwa yang dihasilkan oleh setiap edisi tidak berbeda.

Microsoft Windows Server 2019
Microsoft Windows Server 2016
Microsoft Windows Server 2012

Parser Chronicle mendukung log yang dihasilkan oleh:

Microsoft Windows 7 dan sistem klien yang lebih tinggi
Sysmon versi 13.24.

Parser Chronicle mendukung log yang dikumpulkan oleh Community atau Enterprise Edition NXLog.

Meninjau jenis log yang didukung

Parser Chronicle mendukung jenis log berikut yang dihasilkan oleh Microsoft Windows Sysmon. Untuk mengetahui informasi selengkapnya tentang jenis log ini, lihat dokumentasi Sysmon Microsoft Windows. Alat ini mendukung log yang dibuat dengan teks bahasa Inggris dan tidak didukung dengan log yang dibuat dalam bahasa selain bahasa Inggris.

Jenis Log	Deskripsi
Log Sistem	Saluran Sysmon berisi 27 ID Peristiwa. (ID Peristiwa: 1 hingga 26, dan 255). Untuk mengetahui deskripsi jenis log ini, lihat dokumentasi Peristiwa Sysmon Microsoft Windows

Mengonfigurasi server, endpoint, dan pengontrol domain Microsoft Windows

Menginstal dan mengonfigurasi server, endpoint, dan pengontrol domain. Untuk mengetahui informasinya, lihat dokumentasi Konfigurasi Sysmon Microsoft Windows.
Siapkan server Microsoft Windows kolektor untuk mengurai log yang dikumpulkan dari beberapa sistem.
Siapkan server Microsoft Windows atau Linux pusat
Konfigurasikan semua sistem dengan zona waktu UTC.
Konfigurasi perangkat untuk meneruskan log ke server Microsoft Windows kolektor.
- Mengonfigurasi Langganan yang Dimulai Sumber di sistem Microsoft Windows. Untuk mengetahui informasi selengkapnya, lihat Menyiapkan Langganan yang Dimulai Sumber.
- Aktifkan WinRM pada server dan klien Microsoft Windows. Untuk mengetahui informasinya, lihat Penginstalan dan konfigurasi untuk Microsoft Windows Remote Management.

Mengonfigurasi Forwarder NXLog dan Chronicle

Instal NXLog pada server Microsoft Windows kolektor. Ikuti dokumentasi NXLog, termasuk informasi tentang cara mengonfigurasi NXLog untuk mengumpulkan log dari Sysmon.

Buat file konfigurasi untuk NXLog. Gunakan modul input im_msvistalog. Berikut adalah contoh konfigurasi NXLog. Ganti nilai <hostname> dan <port> dengan informasi tentang server pusat Microsoft Windows atau Linux tujuan. Untuk informasi selengkapnya, lihat dokumentasi NXLog tentang modul om_tcp.

define ROOT     C:\Program Files (x86)\nxlog
define SYSMON_OUTPUT_DESTINATION_ADDRESS <hostname>
define SYSMON_OUTPUT_DESTINATION_PORT <port>
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _json>
    Module      xm_json
</Extension>

<Input windows_sysmon_eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    ReadFromLast  False
    SavePos  False
</Input>

<Output out_chronicle_sysmon>
    Module      om_tcp
    Host        %SYSMON_OUTPUT_DESTINATION_ADDRESS%
    Port        %SYSMON_OUTPUT_DESTINATION_PORT%
    Exec        $EventTime = integer($EventTime) / 1000;
    Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000;
    Exec        to_json();
</Output>

<Route r2>
    Path    windows_sysmon_eventlog => out_chronicle_sysmon
</Route>

Instal forwarder Chronicle di server Microsoft Windows atau Linux pusat. Lihat artikel Menginstal dan mengonfigurasi forwarder di Linux atau Menginstal dan mengonfigurasi forwarder di Microsoft Windows untuk mengetahui informasi cara menginstal dan mengonfigurasi forwarder.

Konfigurasi penerusan Chronicle untuk mengirim log ke Chronicle. Berikut adalah contoh konfigurasi forwarder.

  - syslog:
      common:
        enabled: true
        data_type: WINDOWS_SYSMON
        Data_hint:
        batch_n_seconds: 10
        batch_n_bytes: 1048576
      tcp_address: 0.0.0.0:10518
      connection_timeout_sec: 60

Mulai layanan NXLog.

Referensi pemetaan kolom: kolom peristiwa perangkat ke kolom UDM

Bagian ini menjelaskan cara parser memetakan kolom log perangkat asli ke kolom Model Data Terpadu (UDM). Pemetaan kolom mungkin berbeda berdasarkan ID Peristiwa.

Kolom umum

Kolom NXLog	Kolom UDM
UtcTime	metadata.event_timestamp
Kategori	`security_result.summary` dan `metadata.product_event_type`
AccountName	principal.user.userid
Domain	principal.administrative_domain
RecordNumber	metadata.product_log_id
HostName	principal.hostname
UserID	principal.user.windows_sid
SeverityValue	security_result.severity
ProcessID	observer.process.pid
ProviderGuid	observer.asset_id
LogonId	principal.network.session_id
ThreadID	`additional.fields.key` ditetapkan ke `thread_id` dan nilai disimpan di `additional.fields.value.string_value`
Saluran	`additional.fields.key` ditetapkan ke `channel` dan nilai disimpan di `additional.fields.value.string_value`
EventID	`security_result.rule_name` ditetapkan ke `EventID: <EventID>` `metadata.product_event_type` ditetapkan ke `<Category> [<EventID>]`

ID peristiwa: 1

Kolom NXLog	Kolom UDM
	`metadata.event_type` set to `PROCESS_LAUNCH`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`target.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	target.process.pid
IntegrityLevel	The value for the field `target.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `target.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `target.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `target.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `target.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `target.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `target.process.integrity_level_rid` UDM field is set to `20480`
Image	target.process.file.full_path
Description	metadata.description
CommandLine	target.process.command_line
CurrentDirectory	`additional.fields.key` set to `current_directory` and value stored in `additional.fields.value.string_value`
User	Domain stored in `principal.administrative_domain` Username stored in `principal.user.userid`
Hashes	Based on Hash algorithm. MD5 stored in `target.process.file.md5` SHA256 stored in `target.process.file.sha256` SHA1 stored in `target.process.file.sha1`
ParentProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ParentProcessGuid>`
ParentProcessId	principal.process.pid
ParentImage	principal.process.file.full_path
ParentCommandLine	principal.process.command_line

ID peristiwa: 2

Kolom NXLog	Kolom UDM
	`metadata.event_type` set to `FILE_MODIFICATION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
TargetFilename	target.file.full_path
CreationUtcTime	`target.resource.attribute.labels.key` set to `CreationUtcTime` and value stored in `target.resource.attribute.labels.value`
PreviousCreationUtcTime	`target.resource.attribute.labels.key` set to `PreviousCreationUtcTime` and value stored in `target.resource.attribute.labels.value`

ID peristiwa: 3

Kolom NXLog	Kolom UDM
	`metadata.event_type` set to `NETWORK_CONNECTION` `security_result.action` set to `ALLOW` `network.direction` set to `OUTBOUND`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
User	Domain stored in `principal.administrative_domain` Username stored in `principal.user.userid`
Protocol	network.ip_protocol
SourceIp	principal.ip
SourcePort	principal.port
DestinationIp	target.ip
DestinationHostname	target.hostname
DestinationPort	target.port

ID peristiwa: 4

Kolom NXLog	Kolom UDM
	`metadata.event_type` set to `SETTING_MODIFICATION` `target.resource.resource_type` set to `SETTING` `target.resource.resource_subtype` set to `State`
UtcTime	metadata.event_timestamp
State	target.resource.name
Version	metadata.product_version

ID peristiwa: 5

Kolom NXLog	Kolom UDM
	`metadata.event_type` set to `PROCESS_TERMINATION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	target.process.pid
IntegrityLevel	The value for the field `target.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `target.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `target.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `target.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `target.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `target.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `target.process.integrity_level_rid` UDM field is set to `20480`
Image	target.process.file.full_path

ID peristiwa: 6

Kolom NXLog	Kolom UDM
	`metadata.event_type` set to `PROCESS_MODULE_LOAD`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ImageLoaded	principal.process.file.full_path
Hashes	The field populated is determined by the Hash algorithm. MD5 stored in `target.process.file.md5` SHA256 stored in `target.process.file.sha256` SHA1 stored in `target.process.file.sha1`
Signed	`target.resource.attribute.labels.key` set to `Signed` and value set to `target.resource.attribute.labels.value`
Signature	`target.resource.attribute.labels.key` set to `Signature` and value stored in `target.resource.attribute.labels.value`
SignatureStatus	`target.resource.attribute.labels.key` set to `SignatureStatus` and value stored in `target.resource.attribute.labels.value`

ID peristiwa: 7

Kolom NXLog	Kolom UDM
	`metadata.event_type` set to `PROCESS_MODULE_LOAD`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
ImageLoaded	target.process.file.full_path
Description	metadata.description
Hashes	The field populated is determined by the Hash algorithm. MD5 stored in `target.process.file.md5` SHA256 stored in `target.process.file.sha256` SHA1 stored in `target.process.file.sha1`
Signed	`target.resource.attribute.labels.key` set to `Signed` and value stored in `target.resource.attribute.labels.value`
Signature	`target.resource.attribute.labels.key` set to `Signature` Signature value in `target.resource.attribute.labels.value`
SignatureStatus	`target.resource.attribute.labels.key` set to `SignatureStatus` and value stored in `target.resource.attribute.labels.value`

ID peristiwa: 8

Kolom NXLog	Kolom UDM
	`metadata.event_type` set to `PROCESS_MODULE_LOAD`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
SourceProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<SourceProcessGuid>`
SourceProcessId	principal.process.pid
SourceImage	principal.process.file.full_path
TargetProcessGuid	`target.process.product_specific_process_id` set to `SYSMON:<TargetProcessGuid>`
TargetProcessId	target.process.pid
TargetImage	target.process.file.full_path

ID peristiwa: 9

Kolom NXLog	Kolom UDM
	`metadata.event_type` set to `FILE_READ` If the `Device` log field, which is required to validate the `FILE_READ` UDM event type, is not available, then `metadata.event_type` is set to `GENERIC_EVENT`.
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
Device	target.file.full_path

ID peristiwa: 10

Kolom NXLog	Kolom UDM
	`metadata.event_type` set to `PROCESS_OPEN` `target.resource.resource_subtype` set to `GrantedAccess`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
SourceProcessGUID	`principal.process.product_specific_process_id` set to `SYSMON:<SourceProcessGUID>`
SourceProcessId	principal.process.pid
SourceImage	principal.process.file.full_path
TargetProcessGUID	`target.process.product_specific_process_id` set to `SYSMON:<TargetProcessGUID>`
TargetProcessId	target.process.pid
TargetImage	target.process.file.full_path
GrantedAccess	target.resource.name

ID peristiwa: 11

Kolom NXLog	Kolom UDM
	`metadata.event_type` set to `FILE_CREATION` `target.resource.resource_subtype` set to `CreationUtcTime`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
TargetFilename	target.file.full_path
CreationUtcTime	target.resource.name

ID peristiwa: 12

Kolom NXLog	Kolom UDM
	If the Message the field contains `CreateKey\|CreateValue`, then `metadata.event_type` set to `REGISTRY_CREATION` If the Message field contains `DeleteKey\|DeleteValue`, then `metadata.event_type` set to `REGISTRY_DELETION` Otherwise, `metadata.event_type` set to `REGISTRY_MODIFICATION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
TargetObject	target.registry.registry_key

ID peristiwa: 13

Kolom NXLog	Kolom UDM
	`metadata.event_type` set to `REGISTRY_MODIFICATION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
TargetObject	target.registry.registry_key
Details	target.registry.registry_value_data

ID peristiwa: 14

Kolom NXLog	Kolom UDM
	`metadata.event_type` set to `REGISTRY_MODIFICATION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
TargetObject	src.registry.registry_key
NewName	target.registry.registry_key

ID peristiwa: 15

Kolom NXLog	Kolom UDM
	`metadata.event_type` set to `FILE_CREATION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
TargetFilename	target.file.full_path
CreationUtcTime	`target.resource.attribute.labels.key` set to `CreationUtcTime` and value stored in `target.resource.attribute.labels.value`
Hash	The field populated is determined by the Hash algorithm. If MD5, the value is stored in `target.process.file.md5` If SHA256 set to the value is stored in `target.process.file.sha256` If SHA1, the value is stored in `target.process.file.sha1`

ID peristiwa: 16

Kolom NXLog	Kolom UDM
	`metadata.event_type` set to `SETTING_MODIFICATION`
UtcTime	metadata.event_timestamp
ProcessID	target.process.pid
Configuration	The value is stored in `target.process.command_line` when this field value contains any command line or process The value is stored in `target.process.file.full_path` when this field value contains the configuration file path.
ConfigurationFileHash	The field populated is determined by the Hash algorithm. If MD5, the value is stored in `target.process.file.md5` If SHA256 set to the value is stored in `target.process.file.sha256` If SHA1, the value is stored in `target.process.file.sha1`

ID peristiwa: 17

Kolom NXLog	Kolom UDM
	`metadata.event_type` set to `PROCESS_UNCATEGORIZED` `target.resource.resource_type` set to `PIPE`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`target.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	target.process.pid
IntegrityLevel	The value for the field `target.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `target.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `target.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `target.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `target.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `target.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `target.process.integrity_level_rid` UDM field is set to `20480`
PipeName	target.resource.name
Image	target.process.file.full_path

ID peristiwa: 18

Kolom NXLog	Kolom UDM
	`metadata.event_type` set to `PROCESS_UNCATEGORIZED` `target.resource.resource_type` set to `PIPE`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`target.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	target.process.pid
IntegrityLevel	The value for the field `target.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `target.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `target.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `target.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `target.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `target.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `target.process.integrity_level_rid` UDM field is set to `20480`
PipeName	target.resource.name
Image	target.process.file.full_path

ID peristiwa: 19

Kolom NXLog	Kolom UDM
	`metadata.event_type` set to `USER_RESOURCE_ACCESS`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
Operation
User	The Domain is stored in `principal.administrative_domain` The Username is stored in `principal.user.userid`
EventNamespace	target.file.full_path
Name	target.application
Query	target.resource.name

ID peristiwa: 20

Kolom NXLog	Kolom UDM
	`metadata.event_type` set to `USER_RESOURCE_ACCESS`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
Operation	`target.resource.attribute.labels.key` set to `Operation` and the value is stored in `target.resource.attribute.labels.value`
User	The domain is stored in `principal.administrative_domain` The Username is stored in `principal.user.userid`
Name	`target.resource.attribute.labels.key` set to `Name` Name value in `target.resource.attribute.labels.value`
Type	`target.resource.attribute.labels.key` set to `Type` and the value is stored in `target.resource.attribute.labels.value`
Destination	target.resource.name

ID peristiwa: 21

Kolom NXLog	Kolom UDM
	`metadata.event_type` set to `USER_RESOURCE_ACCESS`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
Operation	`target.resource.attribute.labels.key` set to `Operation` and the value is stored in `target.resource.attribute.labels.value`
User	The domain is stored in `principal.administrative_domain` The username is stored in `principal.user.userid`
Consumer	`target.resource.attribute.labels.key` set to `Consumer` and the value is stored in `target.resource.attribute.labels.value`
Filter	target.resource.name

ID peristiwa: 22

Kolom NXLog	Kolom UDM
	`metadata.event_type` set to `NETWORK_DNS` `network.application_protocol` set to `DNS`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
QueryName	network.dns.questions
QueryStatus	Stored in `security_result.summary` as `Query Status: <QueryStatus>`
QueryResults	Type is saved to `network.dns.answers.type` with values separated by a semicolon (;) Data is saved to `network.dns.answers.data` Values that do not have type are mapped to `network.dns.answers.data`.
Image	principal.process.file.full_path

ID peristiwa: 23

Kolom NXLog	Kolom UDM
	`metadata.event_type` set to `FILE_DELETION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
User	Domain stored into `principal.administrative_domain` Username stored in `principal.user.userid`
Image	principal.process.file.full_path
TargetFilename	target.file.full_path
Hashes	The field populated is determined by the Hash algorithm. MD5 set to `target.process.file.md5` SHA256 set to `target.process.file.sha256` SHA1 set to `target.process.file.sha1`
IsExecutable	Field `target.resource.attribute.labels.key` set to `IsExecutable` and the value is stored in `target.resource.attribute.labels.value`
Archived	`target.resource.attribute.labels.key` set to `Archived` and the value is stored in `target.resource.attribute.labels.value`

ID peristiwa: 24

Kolom NXLog	Kolom UDM
	`metadata.event_type` set to `RESOURCE_READ`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`target.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	target.process.file.full_path target.resource.name
ClientInfo	ip stored in `target.ip` hostname stored in `target.hostname` user stored in `principal.user.userid`
Hashes	The field populated is determined by the Hash algorithm. If MD5, value stored in `target.process.file.md5` If SHA256, value stored in `target.process.file.sha256` If SHA1, value stored in `target.process.file.sha1`
Archived	`target.resource.attribute.labels.key` set to `Archived` and value stored in `target.resource.attribute.labels.value`

ID peristiwa: 25

Kolom NXLog	Kolom UDM
	`metadata.event_type` set to `PROCESS_LAUNCH`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`target.process.product_specific_process_id` stored as `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	target.process.file.full_path

ID peristiwa: 26

Kolom NXLog	Kolom UDM
	`metadata.event_type` set to `FILE_DELETION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<%{ProcessGuid}>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
User	Domain set to `principal.administrative_domain` Username set to `principal.user.userid`
Image	principal.process.file.full_path
TargetFilename	target.file.full_path
Hashes	Based on Hash algorithm. MD5 set to `target.process.file.md5` SHA256 set to `target.process.file.sha256` SHA1 set to `target.process.file.sha1`
IsExecutable	`target.resource.attribute.labels.key` set to `IsExecutable` & value in `target.resource.attribute.labels.value`

ID peristiwa: 29

Kolom NXLog	Kolom UDM
	`metadata.event_type` set to `FILE_CREATION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` is set to `SYSMON:<PROCESS_GUID>` `PROCESS_GUID` is the `ProcessGuid`. The `ProcessGuid` field is a unique value for this process across a domain to make event correlation easier.
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
User	Domain is set to `principal.administrative_domain` Username is set to `principal.user.userid`
Image	principal.process.file.full_path
TargetFilename	target.file.full_path
Hashes	Based on the hash algorithm, the following values are set: MD5 is set to `target.process.file.md5` SHA256 is set to `target.process.file.sha256` SHA1 is set to `target.process.file.sha1`

ID peristiwa: 255

Kolom NXLog	Kolom UDM
	`metadata.event_type` set to `SERVICE_UNSPECIFIED` `metadata.product_event_type` set to `Error - [255]` `target.application` set to `Microsoft Sysmon`
UtcTime	metadata.event_timestamp
ID	security_result.summary
Description	security_result.description