Microsoft Windows Sysmon データを収集する

このドキュメント:

  • デプロイ アーキテクチャとインストール手順に加えて、Microsoft Windows Sysmon イベントに対して Google Security Operations パーサーがサポートするログを生成するために必要な構成について説明します。Google Security Operations へのデータの取り込みの概要については、Google Security Operations へのデータの取り込みをご覧ください。
  • パーサーが元のログのフィールドを Google Security Operations Unified Data Model フィールドにマッピングする方法に関する情報を含みます。

このドキュメントの情報は、WINDOWS_SYSMON 取り込みラベルを持つパーサーに適用されます。取り込みラベルによって、未加工のログデータを構造化 UDM 形式に正規化するパーサーが識別されます。

準備

この図は、Microsoft Windows Sysmon データを収集して Google Security Operations に送信するデプロイ アーキテクチャで推奨されるコア コンポーネントを示しています。 この情報とお客様の環境を比較して、これらのコンポーネントがインストールされていることを確認してください。それぞれのお客様のデプロイはこの表現とは異なるため、より複雑になる可能性があります。以下が必須です。

  • デプロイ アーキテクチャ内のシステムは、UTC タイムゾーンで構成されています。
  • Sysmon はサーバー、エンドポイント、ドメイン コントローラにインストールされます。
  • コレクタ Microsoft Windows サーバーは、サーバー、エンドポイント、ドメイン コントローラからログを受信します。

  • デプロイ アーキテクチャ内の Microsoft Windows システムでは、以下を使用します。

    • 複数のデバイスでイベントを収集するソース開始サブスクリプション。
    • リモート システム管理用の WinRM サービス。

  • コレクタ Windows サーバーに NXLog がインストールされ、ログを Google Security Operations フォワーダーに転送します。

  • Google Security Operations フォワーダーは、中央の Microsoft Windows サーバーまたは Linux サーバーにインストールされます。

    Deployment のアーキテクチャ

サポートされているデバイスとバージョンを確認する

Google Security Operations パーサーは、次の Microsoft Windows サーバー バージョンによって生成されたログをサポートしています。Microsoft Windows Server は、Foundation、Essentials、Standard、Datacenter でリリースされています。各エディションによって生成されたログのイベント スキーマに違いはありません。

  • Microsoft Windows Server 2019
  • Microsoft Windows Server 2016
  • Microsoft Windows Server 2012

Google Security Operations パーサーは、以下によって生成されたログをサポートしています。

  • Microsoft Windows 7 以降のクライアント システム
  • Sysmon バージョン 13.24。

Google Security Operations パーサーは、NXLog Community または Enterprise エディションによって収集されたログをサポートします。

サポートされているログタイプを確認する

Google Security Operations パーサーは、Microsoft Windows Sysmon によって生成された次のログタイプをサポートします。これらのログタイプの詳細については、Microsoft Windows Sysmon のドキュメントをご覧ください。 英語のテキストで生成されたログはサポートされますが、英語以外の言語で生成されたログはサポートされません。

ログタイプ Description
Sysmon ログ Sysmon チャネルには 27 のイベント ID が含まれます。(イベント ID: 1 ~ 26、255)。
このログタイプの詳細については、Microsoft Windows Sysmon イベントのドキュメントをご覧ください。

Microsoft Windows サーバー、エンドポイント、ドメイン コントローラを構成する

  1. サーバー、エンドポイント、ドメイン コントローラをインストールして構成します。 詳細については、Microsoft Windows Sysmon の構成のドキュメントをご覧ください。
  2. コレクタ Microsoft Windows サーバーを設定して、複数のシステムから収集したログを解析します。
  3. 中央の Microsoft Windows サーバーまたは Linux サーバーを設定します。
  4. すべてのシステムを UTC タイムゾーンで構成します。
  5. コレクタ Microsoft Windows サーバーにログを転送するようにデバイスを構成します。

BindPlane Agent を構成する

BindPlane Agent を使用して Windows Sysmon ログを収集します。インストール後、BindPlane Agent サービスが Windows サービスのリストに observerIQ サービスとして表示されます。

  1. Windows サーバーで実行されているコレクタに BindPlane Agent をインストールします。BindPlane Agent のインストールの詳細については、BindPlane Agent のインストール手順をご覧ください。

  2. 次の内容で BindPlane Agent の構成ファイルを作成します。

    receivers:
  windowseventlog/sysmon:
    channel: Microsoft-Windows-Sysmon/Operational
    raw: true
processors:
  batch:

exporters:
  chronicle/winsysmon:
    endpoint: https://malachiteingestion-pa.googleapis.com
    creds: '{
    "type": "service_account",
    "project_id": "malachite-projectname",
    "private_key_id": `PRIVATE_KEY_ID`,
    "private_key": `PRIVATE_KEY`,
    "client_email":"`SERVICE_ACCOUNT_NAME`@malachite-`PROJECT_ID`.iam.gserviceaccount.com",
    "client_id": `CLIENT_ID`,
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/`SERVICSERVICE_ACCOUNT_NAME`%40malachite-`PROJECT_ID`.iam.gserviceaccount.com",
    "universe_domain": "googleapis.com"
    }'
  log_type: 'WINDOWS_SYSMON'
  override_log_type: false
  raw_log_field: body
  customer_id: `CUSTOMER_ID`

service:
  pipelines:
    logs/winsysmon:
      receivers:
        - windowseventlog/sysmon
      processors: [batch]
      exporters: [chronicle/winsysmon]

  3. PRIVATE_KEY_IDPRIVATE_KEYSERVICSERVICE_ACCOUNT_NAMEPROJECT_IDCLIENT_IDCUSTOMER_ID を、Google Cloud Platform からダウンロードできるサービス アカウント JSON ファイルのそれぞれの値に置き換えます。サービス アカウント キーの詳細については、サービス アカウント キーの作成と削除に関するドキュメントをご覧ください。

  4. observerIQ エージェント サービスを開始するには、サービス > 拡張 > observerIQ サービス > 開始 の順に選択します。

NXLog と Google Security Operations フォワーダーを構成する

  1. Windows サーバー上で実行されているコレクターに NXLog をインストールします。Sysmon からログを収集するように NXLog を構成する方法に関する情報などは、NXLog のドキュメントをご確認ください。

  2. NXLog の構成ファイルを作成します。im_msvistalog 入力モジュールを使用します。NXLog の構成例を以下に示します。<hostname><port> の値は、転送先の中央の Microsoft Windows または Linux サーバーに関する情報に置き換えます。詳細については、om_tcp モジュールに関する NXLog のドキュメントを参照してください。

    define ROOT     C:\Program Files (x86)\nxlog
define SYSMON_OUTPUT_DESTINATION_ADDRESS <hostname>
define SYSMON_OUTPUT_DESTINATION_PORT <port>
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _json>
    Module      xm_json
</Extension>

<Input windows_sysmon_eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    ReadFromLast  False 
    SavePos  False
</Input>

<Output out_chronicle_sysmon>
    Module      om_tcp
    Host        %SYSMON_OUTPUT_DESTINATION_ADDRESS%
    Port        %SYSMON_OUTPUT_DESTINATION_PORT%
    Exec        $EventTime = integer($EventTime) / 1000;
    Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000;
    Exec        to_json();
</Output>

<Route r2>
    Path    windows_sysmon_eventlog => out_chronicle_sysmon
</Route>

  3. 中央の Microsoft Windows または Linux サーバーに Google Security Operations フォワーダーをインストールします。フォワーダーのインストールと構成については、Linux でのフォワーダーのインストールと構成または Microsoft Windows でのフォワーダーのインストールと構成をご覧ください。

  4. Google Security Operations にログを送信するように Google Security Operations フォワーダーを構成します。フォワーダー構成の例を次に示します。

      - syslog:
      common:
        enabled: true
        data_type: WINDOWS_SYSMON
        Data_hint:
        batch_n_seconds: 10
        batch_n_bytes: 1048576
      tcp_address: 0.0.0.0:10518
      connection_timeout_sec: 60

  5. NXLog サービスを起動します。

フィールド マッピング リファレンス: デバイスイベント フィールドから UDM フィールド

このセクションでは、パーサーが元のデバイスログ フィールドを統合データモデル(UDM)フィールドにマッピングする方法について説明します。フィールド マッピングは、イベント ID によって異なる場合があります。

共通フィールド

NXLog フィールド UDM フィールド
UtcTime metadata.event_timestamp
カテゴリ security_result.summarymetadata.product_event_type
AccountName principal.user.userid
ドメイン principal.administrative_domain
RecordNumber metadata.product_log_id
HostName principal.hostname
UserID principal.user.windows_sid
SeverityValue security_result.severity
ProcessID observer.process.pid
ProviderGuid observer.asset_id
LogonId principal.network.session_id
ThreadID thread_id に設定されたadditional.fields.keyadditional.fields.value.string_value に保存された値
Channel channel に設定されたadditional.fields.keyadditional.fields.value.string_value に保存された値
EventID EventID: <EventID> に設定された security_result.rule_name

<Category> [<EventID>] に設定された metadata.product_event_type

イベント ID:1

NXLog フィールド UDM フィールド
metadata.event_type set to PROCESS_LAUNCH
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid target.process.product_specific_process_id set to SYSMON:<ProcessGuid>
ProcessId target.process.pid
IntegrityLevel The value for the field target.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the target.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the target.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the target.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the target.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the target.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the target.process.integrity_level_rid UDM field is set to 20480
Image target.process.file.full_path
FileVersion target.asset.software.version
Description target.asset.software.description
Product target.asset.software.name
Company target.asset.software.vendor_name
CommandLine target.process.command_line
CurrentDirectory additional.fields.key set to current_directory and value stored in additional.fields.value.string_value
User Domain stored in principal.administrative_domain

Username stored in principal.user.userid
Hashes Based on Hash algorithm.
  • MD5 stored in target.process.file.md5
  • SHA256 stored in target.process.file.sha256
  • SHA1 stored in target.process.file.sha1
ParentProcessGuid principal.process.product_specific_process_id set to SYSMON:<ParentProcessGuid>
ParentProcessId principal.process.pid
ParentImage principal.process.file.full_path
ParentCommandLine principal.process.command_line

イベント ID:2

NXLog フィールド UDM フィールド
metadata.event_type set to FILE_MODIFICATION
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to SYSMON:<ProcessGuid>
ProcessId principal.process.pid
IntegrityLevel The value for the field principal.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the principal.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the principal.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the principal.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the principal.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the principal.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the principal.process.integrity_level_rid UDM field is set to 20480
Image principal.process.file.full_path
TargetFilename target.file.full_path
CreationUtcTime target.resource.attribute.labels.key set to CreationUtcTime and value stored in target.resource.attribute.labels.value
PreviousCreationUtcTime target.resource.attribute.labels.key set to PreviousCreationUtcTime and value stored in target.resource.attribute.labels.value

イベント ID:3

NXLog フィールド UDM フィールド
metadata.event_type set to NETWORK_CONNECTION

security_result.action set to ALLOW

network.direction set to OUTBOUND
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to SYSMON:<ProcessGuid>
ProcessId principal.process.pid
IntegrityLevel The value for the field principal.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the principal.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the principal.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the principal.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the principal.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the principal.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the principal.process.integrity_level_rid UDM field is set to 20480
Image principal.process.file.full_path
User Domain stored in principal.administrative_domain

Username stored in principal.user.userid
Protocol network.ip_protocol
SourceIp principal.ip
SourcePort principal.port
DestinationIp target.ip
DestinationHostname target.hostname
DestinationPort target.port

イベント ID:4

NXLog フィールド UDM フィールド
metadata.event_type set to SETTING_MODIFICATION

target.resource.resource_type set to SETTING

target.resource.resource_subtype set to State
UtcTime metadata.event_timestamp
State target.resource.name
Version metadata.product_version

イベント ID:5

NXLog フィールド UDM フィールド
metadata.event_type set to PROCESS_TERMINATION
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to SYSMON:<ProcessGuid>
ProcessId target.process.pid
IntegrityLevel The value for the field target.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the target.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the target.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the target.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the target.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the target.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the target.process.integrity_level_rid UDM field is set to 20480
Image target.process.file.full_path

イベント ID:6

NXLog フィールド UDM フィールド
metadata.event_type set to PROCESS_MODULE_LOAD
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ImageLoaded principal.process.file.full_path
Hashes The field populated is determined by the Hash algorithm.
  • MD5 stored in target.process.file.md5
  • SHA256 stored in target.process.file.sha256
  • SHA1 stored in target.process.file.sha1
Signed target.resource.attribute.labels.key set to Signed and value set to target.resource.attribute.labels.value
Signature target.resource.attribute.labels.key set to Signature and value stored in target.resource.attribute.labels.value
SignatureStatus target.resource.attribute.labels.key set to SignatureStatus and value stored in target.resource.attribute.labels.value

イベント ID:7

NXLog フィールド UDM フィールド
metadata.event_type set to PROCESS_MODULE_LOAD
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to SYSMON:<ProcessGuid>
ProcessId principal.process.pid
IntegrityLevel The value for the field principal.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the principal.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the principal.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the principal.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the principal.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the principal.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the principal.process.integrity_level_rid UDM field is set to 20480
Image principal.process.file.full_path
ImageLoaded target.process.file.full_path
FileVersion target.asset.software.version
Description target.asset.software.description
Product target.asset.software.name
Company target.asset.software.vendor_name
Hashes The field populated is determined by the Hash algorithm.
  • MD5 stored in target.process.file.md5
  • SHA256 stored in target.process.file.sha256
  • SHA1 stored in target.process.file.sha1
Signed target.resource.attribute.labels.key set to Signed and value stored in target.resource.attribute.labels.value
Signature target.resource.attribute.labels.key set to Signature
Signature value in target.resource.attribute.labels.value
SignatureStatus target.resource.attribute.labels.key set to SignatureStatus and value stored in target.resource.attribute.labels.value

イベント ID:8

NXLog フィールド UDM フィールド
metadata.event_type set to PROCESS_MODULE_LOAD
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
SourceProcessGuid principal.process.product_specific_process_id set to SYSMON:<SourceProcessGuid>
SourceProcessId principal.process.pid
SourceImage principal.process.file.full_path
TargetProcessGuid target.process.product_specific_process_id set to SYSMON:<TargetProcessGuid>
TargetProcessId target.process.pid
TargetImage target.process.file.full_path

イベント ID:9

NXLog フィールド UDM フィールド
metadata.event_type set to FILE_READ

If the Device log field, which is required to validate the FILE_READ UDM event type, is not available, then metadata.event_type is set to GENERIC_EVENT.

RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to SYSMON:<ProcessGuid>
ProcessId principal.process.pid
IntegrityLevel The value for the field principal.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the principal.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the principal.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the principal.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the principal.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the principal.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the principal.process.integrity_level_rid UDM field is set to 20480
Image principal.process.file.full_path
Device target.file.full_path

イベント ID:10

NXLog フィールド UDM フィールド
metadata.event_type set to PROCESS_OPEN

target.resource.resource_subtype set to GrantedAccess
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
SourceProcessGUID principal.process.product_specific_process_id set to SYSMON:<SourceProcessGUID>
SourceProcessId principal.process.pid
SourceImage principal.process.file.full_path
TargetProcessGUID target.process.product_specific_process_id set to SYSMON:<TargetProcessGUID>
TargetProcessId target.process.pid
TargetImage target.process.file.full_path
GrantedAccess target.resource.name

イベント ID:11

NXLog フィールド UDM フィールド
metadata.event_type set to FILE_CREATION

target.resource.resource_subtype set to CreationUtcTime
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to SYSMON:<ProcessGuid>
ProcessId principal.process.pid
IntegrityLevel The value for the field principal.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the principal.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the principal.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the principal.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the principal.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the principal.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the principal.process.integrity_level_rid UDM field is set to 20480
Image principal.process.file.full_path
TargetFilename target.file.full_path
CreationUtcTime target.resource.name

イベント ID:12

NXLog フィールド UDM フィールド
If the Message the field contains CreateKey|CreateValue, then metadata.event_type set to REGISTRY_CREATION

If the Message field contains DeleteKey|DeleteValue, then
metadata.event_type set to REGISTRY_DELETION

Otherwise, metadata.event_type set to REGISTRY_MODIFICATION
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to SYSMON:<ProcessGuid>
ProcessId principal.process.pid
IntegrityLevel The value for the field principal.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the principal.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the principal.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the principal.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the principal.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the principal.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the principal.process.integrity_level_rid UDM field is set to 20480
Image principal.process.file.full_path
TargetObject target.registry.registry_key

イベント ID:13

NXLog フィールド UDM フィールド
metadata.event_type set to REGISTRY_MODIFICATION
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to SYSMON:<ProcessGuid>
ProcessId principal.process.pid
IntegrityLevel The value for the field principal.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the principal.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the principal.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the principal.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the principal.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the principal.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the principal.process.integrity_level_rid UDM field is set to 20480
Image principal.process.file.full_path
TargetObject target.registry.registry_key
Details target.registry.registry_value_data

イベント ID:14

NXLog フィールド UDM フィールド
metadata.event_type set to REGISTRY_MODIFICATION
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to SYSMON:<ProcessGuid>
ProcessId principal.process.pid
IntegrityLevel The value for the field principal.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the principal.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the principal.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the principal.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the principal.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the principal.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the principal.process.integrity_level_rid UDM field is set to 20480
Image principal.process.file.full_path
TargetObject src.registry.registry_key
NewName target.registry.registry_key

イベント ID:15

NXLog フィールド UDM フィールド
metadata.event_type set to FILE_CREATION
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to SYSMON:<ProcessGuid>
ProcessId principal.process.pid
IntegrityLevel The value for the field principal.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the principal.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the principal.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the principal.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the principal.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the principal.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the principal.process.integrity_level_rid UDM field is set to 20480
Image principal.process.file.full_path
TargetFilename target.file.full_path
CreationUtcTime target.resource.attribute.labels.key set to CreationUtcTime and value stored in target.resource.attribute.labels.value
Hash The field populated is determined by the Hash algorithm.
  • If MD5, the value is stored in target.process.file.md5
  • If SHA256 set to the value is stored in target.process.file.sha256
  • If SHA1, the value is stored in target.process.file.sha1

イベント ID:16

NXLog フィールド UDM フィールド
metadata.event_type set to SETTING_MODIFICATION
UtcTime metadata.event_timestamp
ProcessID target.process.pid
Configuration The value is stored in target.process.command_line when this field value contains any command line or process

The value is stored in target.process.file.full_path when this field value contains the configuration file path.
ConfigurationFileHash The field populated is determined by the Hash algorithm.
  • If MD5, the value is stored in target.process.file.md5
  • If SHA256 set to the value is stored in target.process.file.sha256
  • If SHA1, the value is stored in target.process.file.sha1

イベント ID:17

NXLog フィールド UDM フィールド
metadata.event_type set to PROCESS_UNCATEGORIZED

target.resource.resource_type set to PIPE
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid target.process.product_specific_process_id set to SYSMON:<ProcessGuid>
ProcessId target.process.pid
IntegrityLevel The value for the field target.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the target.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the target.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the target.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the target.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the target.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the target.process.integrity_level_rid UDM field is set to 20480
PipeName target.resource.name
Image target.process.file.full_path

イベント ID:18

NXLog フィールド UDM フィールド
metadata.event_type set to PROCESS_UNCATEGORIZED

target.resource.resource_type set to PIPE
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid target.process.product_specific_process_id set to SYSMON:<ProcessGuid>
ProcessId target.process.pid
IntegrityLevel The value for the field target.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the target.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the target.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the target.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the target.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the target.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the target.process.integrity_level_rid UDM field is set to 20480
PipeName target.resource.name
Image target.process.file.full_path

イベント ID:19

NXLog フィールド UDM フィールド
metadata.event_type set to USER_RESOURCE_ACCESS
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
Operation
User The Domain is stored in principal.administrative_domain

The Username is stored in principal.user.userid
EventNamespace target.file.full_path
Name target.application
Query target.resource.name

イベント ID:20

NXLog フィールド UDM フィールド
metadata.event_type set to USER_RESOURCE_ACCESS
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
Operation target.resource.attribute.labels.key set to Operation and the value is stored in target.resource.attribute.labels.value
User The domain is stored in principal.administrative_domain

The Username is stored in principal.user.userid
Name target.resource.attribute.labels.key set to Name
Name value in target.resource.attribute.labels.value
Type target.resource.attribute.labels.key set to Type and the value is stored in target.resource.attribute.labels.value
Destination target.resource.name

イベント ID:21

NXLog フィールド UDM フィールド
metadata.event_type set to USER_RESOURCE_ACCESS
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
Operation target.resource.attribute.labels.key set to Operation and the value is stored in target.resource.attribute.labels.value
User The domain is stored in principal.administrative_domain

The username is stored in principal.user.userid
Consumer target.resource.attribute.labels.key set to Consumer and the value is stored in target.resource.attribute.labels.value
Filter target.resource.name

イベント ID:22

NXLog フィールド UDM フィールド
metadata.event_type set to NETWORK_DNS

network.application_protocol set to DNS
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to SYSMON:<ProcessGuid>
ProcessId principal.process.pid
IntegrityLevel The value for the field principal.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the principal.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the principal.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the principal.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the principal.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the principal.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the principal.process.integrity_level_rid UDM field is set to 20480
QueryName network.dns.questions
QueryStatus Stored in security_result.summary as Query Status: <QueryStatus>
QueryResults Type is saved to network.dns.answers.type with values separated by a semicolon (;)
Data is saved to network.dns.answers.data
Values that do not have type are mapped to network.dns.answers.data.
Image principal.process.file.full_path

イベント ID:23

NXLog フィールド UDM フィールド
metadata.event_type set to FILE_DELETION
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to SYSMON:<ProcessGuid>
ProcessId principal.process.pid
IntegrityLevel The value for the field principal.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the principal.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the principal.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the principal.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the principal.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the principal.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the principal.process.integrity_level_rid UDM field is set to 20480
User Domain stored into principal.administrative_domain

Username stored in principal.user.userid
Image principal.process.file.full_path
TargetFilename target.file.full_path
Hashes The field populated is determined by the Hash algorithm.
  • MD5 set to target.process.file.md5
  • SHA256 set to target.process.file.sha256
  • SHA1 set to target.process.file.sha1
IsExecutable Field target.resource.attribute.labels.key set to IsExecutable and the value is stored in target.resource.attribute.labels.value
Archived target.resource.attribute.labels.key set to Archived and the value is stored in target.resource.attribute.labels.value

イベント ID:24

NXLog フィールド UDM フィールド
metadata.event_type set to RESOURCE_READ
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid target.process.product_specific_process_id set to SYSMON:<ProcessGuid>
ProcessId principal.process.pid
IntegrityLevel The value for the field principal.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the principal.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the principal.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the principal.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the principal.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the principal.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the principal.process.integrity_level_rid UDM field is set to 20480
Image target.process.file.full_path

target.resource.name
ClientInfo ip stored in target.ip
hostname stored in target.hostname
user stored in principal.user.userid
Hashes The field populated is determined by the Hash algorithm.
  • If MD5, value stored in target.process.file.md5
  • If SHA256, value stored in target.process.file.sha256
  • If SHA1, value stored in target.process.file.sha1
Archived target.resource.attribute.labels.key set to Archived and value stored in target.resource.attribute.labels.value

イベント ID:25

NXLog フィールド UDM フィールド
metadata.event_type set to PROCESS_LAUNCH
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid target.process.product_specific_process_id stored as SYSMON:<ProcessGuid>
ProcessId principal.process.pid
IntegrityLevel The value for the field principal.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the principal.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the principal.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the principal.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the principal.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the principal.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the principal.process.integrity_level_rid UDM field is set to 20480
Image target.process.file.full_path

イベント ID:26

NXLog フィールド UDM フィールド
metadata.event_type set to FILE_DELETION
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to SYSMON:<%{ProcessGuid}>
ProcessId principal.process.pid
IntegrityLevel The value for the field principal.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the principal.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the principal.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the principal.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the principal.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the principal.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the principal.process.integrity_level_rid UDM field is set to 20480
User Domain set to principal.administrative_domain

Username set to principal.user.userid
Image principal.process.file.full_path
TargetFilename target.file.full_path
Hashes Based on Hash algorithm.
MD5 set to target.process.file.md5
SHA256 set to target.process.file.sha256
SHA1 set to target.process.file.sha1
IsExecutable target.resource.attribute.labels.key set to IsExecutable & value in target.resource.attribute.labels.value

イベント ID:29

NXLog フィールド UDM フィールド
metadata.event_type set to FILE_CREATION
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id is set to SYSMON:<PROCESS_GUID> PROCESS_GUID is the ProcessGuid. The ProcessGuid field is a unique value for this process across a domain to make event correlation easier.
ProcessId principal.process.pid
IntegrityLevel The value for the field principal.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the principal.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the principal.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the principal.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the principal.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the principal.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the principal.process.integrity_level_rid UDM field is set to 20480
User Domain is set to principal.administrative_domain

Username is set to principal.user.userid
Image principal.process.file.full_path
TargetFilename target.file.full_path
Hashes Based on the hash algorithm, the following values are set:
  • MD5 is set to target.process.file.md5
  • SHA256 is set to target.process.file.sha256
  • SHA1 is set to target.process.file.sha1

イベント ID:255

NXLog フィールド UDM フィールド
metadata.event_type set to SERVICE_UNSPECIFIED

metadata.product_event_type set to Error - [255]

target.application set to Microsoft Sysmon
UtcTime metadata.event_timestamp
ID security_result.summary
Description security_result.description