Raccogliere dati Microsoft Windows Sysmon
Questo documento:
- descrive l'architettura di deployment e i passaggi di installazione, oltre a qualsiasi configurazione richiesta che produce log supportati da Chronicle Parser per gli eventi Microsoft Windows Sysmon. Per una panoramica dell'importazione dei dati di Chronicle, consulta Importazione dei dati in Chronicle.
- include informazioni su come il parser mappa i campi nel log originale ai campi Chronicle Unified Data Model.
Le informazioni contenute in questo documento si applicano al parser con l'etichetta di importazione WINDOWS_SYSMON. L'etichetta di importazione identifica il parser normalizza i dati di log non elaborati nel formato UDM strutturato.
Prima di iniziare
Esamina l'architettura di deployment consigliata
Questo diagramma rappresenta i componenti principali consigliati in un'architettura di deployment per raccogliere e inviare dati di Microsoft Windows Sysmon a Chronicle. Confronta queste informazioni con il tuo ambiente per assicurarti che questi componenti siano installati. Ogni deployment del cliente è diverso da questa rappresentazione e può essere più complesso. È obbligatorio specificare quanto segue:
- I sistemi nell'architettura di deployment sono configurati con il fuso orario UTC.
- Sysmon è installato su server, endpoint e controller di dominio.
- Il raccoglitore Microsoft Windows Server riceve i log da server, endpoint e controller di dominio.
I sistemi Microsoft Windows nell'architettura di deployment utilizzano:
- Origini degli abbonamenti avviati per raccogliere eventi su più dispositivi.
- Servizio WinRM per la gestione remota del sistema.
NXLog è installato sul server Windows del raccoglitore per inoltrare i log al forwarding Chronicle.
Il forwarding Chronicle è installato su un server Microsoft Windows centrale o un server Linux.
Esamina i dispositivi e le versioni supportati
Il parser Chronicle supporta i log generati dalle seguenti versioni dei server Microsoft Windows. Microsoft Windows Server è disponibile nelle seguenti versioni: Foundation, Essentials, Standard e Datacenter. Lo schema di eventi dei log generati da ogni versione non è diverso.
- Microsoft Windows Server 2019
- Microsoft Windows Server 2016
- Microsoft Windows Server 2012
Il parser Chronicle supporta i log generati da:
- Microsoft Windows 7 e sistemi client successivi
- Sysmon versione 13.24.
L'analizzatore sintattico Chronicle supporta i log raccolti dalla community NXLog o Enterprise Edition.
Esamina i tipi di log supportati
Il parser Chronicle supporta i seguenti tipi di log generati da Microsoft Windows Sysmon. Per ulteriori informazioni su questi tipi di log, consulta la documentazione di Microsoft Windows Sysmon. Supporta i log generati in lingua inglese e non è supportato con i log generati in lingue diverse dall'inglese.
Tipo di log | Description |
---|---|
Log Sysmon | Il canale Sysmon contiene 27 ID evento. (ID evento: da 1 a 26 e 255). Per una descrizione di questo tipo di log, consulta la documentazione di Microsoft Windows Sysmon Eventi |
Configurare server, endpoint e controller di dominio Microsoft Windows
- Installare e configurare server, endpoint e controller di dominio. Per informazioni, consulta la documentazione relativa alla configurazione di Microsoft Windows Sysmon.
- Configura un server Microsoft Windows raccoglitore per analizzare i log raccolti da più sistemi.
- Configurare il server Microsoft Windows o Linux centrale
- Configura tutti i sistemi con il fuso orario UTC.
- Configura i dispositivi per inoltrare i log al server Microsoft Windows del raccoglitore.
- Configura gli abbonamenti avviati dall'origine sui sistemi Microsoft Windows. Per informazioni, consulta la sezione Configurare un abbonamento avviato dall'origine.
- Attiva WinRM su server e client Microsoft Windows. Per informazioni, vedi Installazione e configurazione per Gestione remota Microsoft Windows.
Configura NXLog e inoltro Chronicle
- Installare NXLog sul server Microsoft Windows del raccoglitore. Segui la documentazione di NXLog, che include informazioni sulla configurazione di NXLog per la raccolta dei log da Sysmon.
Creare un file di configurazione per NXLog. Utilizza il modulo di input im_msvistalog. Ecco un esempio di configurazione NXLog. Sostituisci i valori
<hostname>
e<port>
con informazioni sul server Microsoft Windows o Linux centrale di destinazione. Per ulteriori informazioni, consulta la documentazione di NXLog sul modulo om_tcp.define ROOT C:\Program Files (x86)\nxlog define SYSMON_OUTPUT_DESTINATION_ADDRESS <hostname> define SYSMON_OUTPUT_DESTINATION_PORT <port> define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data <Extension _json> Module xm_json </Extension> <Input windows_sysmon_eventlog> Module im_msvistalog <QueryXML> <QueryList> <Query Id="0"> <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select> </Query> </QueryList> </QueryXML> ReadFromLast False SavePos False </Input> <Output out_chronicle_sysmon> Module om_tcp Host %SYSMON_OUTPUT_DESTINATION_ADDRESS% Port %SYSMON_OUTPUT_DESTINATION_PORT% Exec $EventTime = integer($EventTime) / 1000; Exec $EventReceivedTime = integer($EventReceivedTime) / 1000; Exec to_json(); </Output> <Route r2> Path windows_sysmon_eventlog => out_chronicle_sysmon </Route>
Installa il server di inoltro Chronicle sul server Microsoft Windows o Linux centrale. Per informazioni sull'installazione e sulla configurazione del server di inoltro, vedi gli articoli Installazione e configurazione del forwarding su Linux o Installazione e configurazione del forwarding su Microsoft Windows.
Configura il forwarding di Chronicle per l'invio dei log a Chronicle. Ecco un esempio di configurazione del forwarding.
- syslog: common: enabled: true data_type: WINDOWS_SYSMON Data_hint: batch_n_seconds: 10 batch_n_bytes: 1048576 tcp_address: 0.0.0.0:10518 connection_timeout_sec: 60
Avviare il servizio NXLog.
Riferimento per la mappatura dei campi: dai campi degli eventi del dispositivo ai campi UDM
Questa sezione descrive in che modo il parser mappa i campi dei log del dispositivo originali ai campi UDM (Unified Data Model). La mappatura dei campi può variare in base all'ID evento.
Campi comuni
Campo NXLog | Campo UDM |
---|---|
UtcTime | metadata.event_timestamp |
Categoria | security_result.summary e metadata.product_event_type |
AccountName | principal.user.userid |
Dominio | principal.administrative_domain |
RecordNumber | metadata.product_log_id |
HostName | principal.hostname |
UserID | principal.user.windows_sid |
SeverityValue | security_result.severity |
ProcessID | observer.process.pid |
ProviderGuid | observer.asset_id |
LogonId | principal.network.session_id |
ThreadID | additional.fields.key impostato su thread_id e
valore archiviato in additional.fields.value.string_value |
Canale | additional.fields.key impostato su channel e
valore archiviato in additional.fields.value.string_value |
EventID | Valore security_result.rule_name impostato su EventID: <EventID> metadata.product_event_type impostato su <Category> [<EventID>] |
ID evento: 1
Campo NXLog | Campo UDM |
---|---|
metadata.event_type set to PROCESS_LAUNCH |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | target.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
ProcessId | target.process.pid |
IntegrityLevel | The value for the field target.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
Image | target.process.file.full_path |
Description | metadata.description |
CommandLine | target.process.command_line |
CurrentDirectory | additional.fields.key set to current_directory and
value stored in additional.fields.value.string_value |
User | Domain stored in principal.administrative_domain Username stored in principal.user.userid |
Hashes | Based on Hash algorithm.
|
ParentProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ParentProcessGuid> |
ParentProcessId | principal.process.pid |
ParentImage | principal.process.file.full_path |
ParentCommandLine | principal.process.command_line |
ID evento: 2
Campo NXLog | Campo UDM |
---|---|
metadata.event_type set to FILE_MODIFICATION |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
Image | principal.process.file.full_path |
TargetFilename | target.file.full_path |
CreationUtcTime | target.resource.attribute.labels.key set to CreationUtcTime and value
stored in target.resource.attribute.labels.value |
PreviousCreationUtcTime | target.resource.attribute.labels.key set to PreviousCreationUtcTime and
value stored in target.resource.attribute.labels.value |
ID evento: 3
Campo NXLog | Campo UDM |
---|---|
metadata.event_type set to NETWORK_CONNECTION security_result.action set to ALLOW network.direction set to OUTBOUND |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
Image | principal.process.file.full_path |
User | Domain stored in principal.administrative_domain Username stored in principal.user.userid |
Protocol | network.ip_protocol |
SourceIp | principal.ip |
SourcePort | principal.port |
DestinationIp | target.ip |
DestinationHostname | target.hostname |
DestinationPort | target.port |
ID evento: 4
Campo NXLog | Campo UDM |
---|---|
metadata.event_type set to SETTING_MODIFICATION target.resource.resource_type set to SETTING target.resource.resource_subtype set to State |
|
UtcTime | metadata.event_timestamp |
State | target.resource.name |
Version | metadata.product_version |
ID evento: 5
Campo NXLog | Campo UDM |
---|---|
metadata.event_type set to PROCESS_TERMINATION |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
ProcessId | target.process.pid |
IntegrityLevel | The value for the field target.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
Image | target.process.file.full_path |
ID evento: 6
Campo NXLog | Campo UDM |
---|---|
metadata.event_type set to PROCESS_MODULE_LOAD |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ImageLoaded | principal.process.file.full_path |
Hashes | The field populated is determined by the Hash algorithm.
|
Signed | target.resource.attribute.labels.key set to Signed and value set to
target.resource.attribute.labels.value |
Signature | target.resource.attribute.labels.key set to Signature and value stored in
target.resource.attribute.labels.value |
SignatureStatus | target.resource.attribute.labels.key set to SignatureStatus and value
stored in target.resource.attribute.labels.value |
ID evento: 7
Campo NXLog | Campo UDM |
---|---|
metadata.event_type set to PROCESS_MODULE_LOAD |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
Image | principal.process.file.full_path |
ImageLoaded | target.process.file.full_path |
Description | metadata.description |
Hashes | The field populated is determined by the Hash algorithm.
|
Signed | target.resource.attribute.labels.key set to Signed and value stored in
target.resource.attribute.labels.value |
Signature | target.resource.attribute.labels.key set to Signature Signature value in target.resource.attribute.labels.value |
SignatureStatus | target.resource.attribute.labels.key set to SignatureStatus and value
stored in target.resource.attribute.labels.value |
ID evento: 8
Campo NXLog | Campo UDM |
---|---|
metadata.event_type set to PROCESS_MODULE_LOAD |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
SourceProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<SourceProcessGuid> |
SourceProcessId | principal.process.pid |
SourceImage | principal.process.file.full_path |
TargetProcessGuid | target.process.product_specific_process_id set to
SYSMON:<TargetProcessGuid> |
TargetProcessId | target.process.pid |
TargetImage | target.process.file.full_path |
ID evento: 9
Campo NXLog | Campo UDM |
---|---|
metadata.event_type set to FILE_READ
If the |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
Image | principal.process.file.full_path |
Device | target.file.full_path |
ID evento: 10
Campo NXLog | Campo UDM |
---|---|
metadata.event_type set to PROCESS_OPEN target.resource.resource_subtype set to GrantedAccess |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
SourceProcessGUID | principal.process.product_specific_process_id set to
SYSMON:<SourceProcessGUID> |
SourceProcessId | principal.process.pid |
SourceImage | principal.process.file.full_path |
TargetProcessGUID | target.process.product_specific_process_id set to
SYSMON:<TargetProcessGUID> |
TargetProcessId | target.process.pid |
TargetImage | target.process.file.full_path |
GrantedAccess | target.resource.name |
ID evento: 11
Campo NXLog | Campo UDM |
---|---|
metadata.event_type set to FILE_CREATION target.resource.resource_subtype set to CreationUtcTime |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
Image | principal.process.file.full_path |
TargetFilename | target.file.full_path |
CreationUtcTime | target.resource.name |
ID evento: 12
Campo NXLog | Campo UDM |
---|---|
If the Message the field contains CreateKey|CreateValue , then
metadata.event_type set to REGISTRY_CREATION If the Message field contains DeleteKey|DeleteValue , thenmetadata.event_type set to REGISTRY_DELETION Otherwise, metadata.event_type set to REGISTRY_MODIFICATION |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
Image | principal.process.file.full_path |
TargetObject | target.registry.registry_key |
ID evento: 13
Campo NXLog | Campo UDM |
---|---|
metadata.event_type set to REGISTRY_MODIFICATION |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
Image | principal.process.file.full_path |
TargetObject | target.registry.registry_key |
Details | target.registry.registry_value_data |
ID evento: 14
Campo NXLog | Campo UDM |
---|---|
metadata.event_type set to REGISTRY_MODIFICATION |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
Image | principal.process.file.full_path |
TargetObject | src.registry.registry_key |
NewName | target.registry.registry_key |
ID evento: 15
Campo NXLog | Campo UDM |
---|---|
metadata.event_type set to FILE_CREATION |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
Image | principal.process.file.full_path |
TargetFilename | target.file.full_path |
CreationUtcTime | target.resource.attribute.labels.key set to CreationUtcTime and value
stored in target.resource.attribute.labels.value |
Hash | The field populated is determined by the Hash algorithm.
|
ID evento: 16
Campo NXLog | Campo UDM |
---|---|
metadata.event_type set to SETTING_MODIFICATION |
|
UtcTime | metadata.event_timestamp |
ProcessID | target.process.pid |
Configuration | The value is stored in target.process.command_line when this field value
contains any command line or processThe value is stored in target.process.file.full_path when this field value
contains the configuration file path. |
ConfigurationFileHash | The field populated is determined by the Hash algorithm.
|
ID evento: 17
Campo NXLog | Campo UDM |
---|---|
metadata.event_type set to PROCESS_UNCATEGORIZED target.resource.resource_type set to PIPE |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | target.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
ProcessId | target.process.pid |
IntegrityLevel | The value for the field target.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
PipeName | target.resource.name |
Image | target.process.file.full_path |
ID evento: 18
Campo NXLog | Campo UDM |
---|---|
metadata.event_type set to PROCESS_UNCATEGORIZED target.resource.resource_type set to PIPE |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | target.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
ProcessId | target.process.pid |
IntegrityLevel | The value for the field target.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
PipeName | target.resource.name |
Image | target.process.file.full_path |
ID evento: 19
Campo NXLog | Campo UDM |
---|---|
metadata.event_type set to USER_RESOURCE_ACCESS |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
Operation | |
User | The Domain is stored in principal.administrative_domain The Username is stored in principal.user.userid |
EventNamespace | target.file.full_path |
Name | target.application |
Query | target.resource.name |
ID evento: 20
Campo NXLog | Campo UDM |
---|---|
metadata.event_type set to USER_RESOURCE_ACCESS |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
Operation | target.resource.attribute.labels.key set to Operation and the value is
stored in target.resource.attribute.labels.value |
User | The domain is stored in principal.administrative_domain The Username is stored in principal.user.userid |
Name | target.resource.attribute.labels.key set to Name Name value in target.resource.attribute.labels.value |
Type | target.resource.attribute.labels.key set to Type and the value is stored
in target.resource.attribute.labels.value |
Destination | target.resource.name |
ID evento: 21
Campo NXLog | Campo UDM |
---|---|
metadata.event_type set to USER_RESOURCE_ACCESS |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
Operation | target.resource.attribute.labels.key set to Operation and the value is
stored in target.resource.attribute.labels.value |
User | The domain is stored in principal.administrative_domain The username is stored in principal.user.userid |
Consumer | target.resource.attribute.labels.key set to Consumer and the value is
stored in target.resource.attribute.labels.value |
Filter | target.resource.name |
ID evento: 22
Campo NXLog | Campo UDM |
---|---|
metadata.event_type set to NETWORK_DNS network.application_protocol set to DNS |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
QueryName | network.dns.questions |
QueryStatus | Stored in security_result.summary as Query Status: <QueryStatus> |
QueryResults | Type is saved to network.dns.answers.type with values separated by a
semicolon (;)Data is saved to network.dns.answers.data Values that do not have type are mapped to network.dns.answers.data . |
Image | principal.process.file.full_path |
ID evento: 23
Campo NXLog | Campo UDM |
---|---|
metadata.event_type set to FILE_DELETION |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
User | Domain stored into principal.administrative_domain Username stored in principal.user.userid |
Image | principal.process.file.full_path |
TargetFilename | target.file.full_path |
Hashes | The field populated is determined by the Hash algorithm.
|
IsExecutable | Field target.resource.attribute.labels.key set to IsExecutable and the
value is stored in target.resource.attribute.labels.value |
Archived | target.resource.attribute.labels.key set to Archived and the value is
stored in target.resource.attribute.labels.value |
ID evento: 24
Campo NXLog | Campo UDM |
---|---|
metadata.event_type set to RESOURCE_READ |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | target.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
Image | target.process.file.full_path target.resource.name |
ClientInfo | ip stored in target.ip hostname stored in target.hostname user stored in principal.user.userid |
Hashes | The field populated is determined by the Hash algorithm.
|
Archived | target.resource.attribute.labels.key set to Archived and value stored in
target.resource.attribute.labels.value |
ID evento: 25
Campo NXLog | Campo UDM |
---|---|
metadata.event_type set to PROCESS_LAUNCH |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | target.process.product_specific_process_id stored as
SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
Image | target.process.file.full_path |
ID evento: 26
Campo NXLog | Campo UDM |
---|---|
metadata.event_type set to FILE_DELETION |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<%{ProcessGuid}> |
ProcessId | principal.process.pid |
IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
User | Domain set to principal.administrative_domain Username set to principal.user.userid |
Image | principal.process.file.full_path |
TargetFilename | target.file.full_path |
Hashes | Based on Hash algorithm. MD5 set to target.process.file.md5 SHA256 set to target.process.file.sha256 SHA1 set to target.process.file.sha1 |
IsExecutable | target.resource.attribute.labels.key set to IsExecutable & value in
target.resource.attribute.labels.value |
ID evento: 29
Campo NXLog | Campo UDM |
---|---|
metadata.event_type set to FILE_CREATION |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id is set to
SYSMON:<PROCESS_GUID>
PROCESS_GUID is the ProcessGuid . The ProcessGuid field is a unique value for this process across a domain to make event correlation easier.
|
ProcessId | principal.process.pid |
IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
User | Domain is set to principal.administrative_domain Username is set to principal.user.userid |
Image | principal.process.file.full_path |
TargetFilename | target.file.full_path |
Hashes | Based on the hash algorithm, the following values are set:
|
ID evento: 255
Campo NXLog | Campo UDM |
---|---|
metadata.event_type set to SERVICE_UNSPECIFIED metadata.product_event_type set to Error - [255] target.application set to Microsoft Sysmon |
|
UtcTime | metadata.event_timestamp |
ID | security_result.summary |
Description | security_result.description |