[sysmon-eventid]
REGEX = <EventID>(\d+)</EventID>
FORMAT = EventCode::$1

[sysmon-version]
REGEX = <Version>(\d+)</Version>
FORMAT = Version::$1

[sysmon-level]
REGEX = <Level>(\d+)</Level>
FORMAT = Level::$1

[sysmon-task]
REGEX = <Task>(\d+)</Task>
FORMAT = Task::$1

[sysmon-opcode]
REGEX = <Opcode>(\d+)</Opcode>
FORMAT = Opcode::$1

[sysmon-keywords]
REGEX = <Keywords>(0x[0-9a-fA-F]+)</Keywords>
FORMAT = Keywords::$1

[sysmon-created]
REGEX = <TimeCreated SystemTime='(.*?)'/>
FORMAT = TimeCreated::$1

[sysmon-record]
REGEX = <EventRecordID>(\d+)</EventRecordID>
FORMAT = RecordID::$1

[sysmon-correlation]
REGEX = <Correlation>(.*?)</Correlation>
FORMAT = Correlation::$1

[sysmon-channel]
REGEX = <Channel>(.*?)</Channel>
FORMAT = EventChannel::$1

[sysmon-computer]
REGEX = <Computer>(.*?)</Computer>
FORMAT = Computer::$1

[sysmon-sid]
REGEX = <Security UserID='(S-[0-9a-fA-f-]+)'/>
FORMAT = SecurityID::$1

[sysmon-data]
REGEX = <Data Name='(.*?)'>(.*?)</Data>
FORMAT = $1::$2

[sysmon-md5]
REGEX = MD5\=([a-fA-F0-9]{32}?)
FORMAT = MD5::$1

[sysmon-sha1]
REGEX = SHA1\=([a-fA-F0-9]{40}?)
FORMAT = SHA1::$1

[sysmon-sha256]
REGEX = SHA256\=([a-fA-F0-9]{64}?)
FORMAT = SHA256::$1

[sysmon-imphash]
REGEX = IMPHASH\=([a-fA-F0-9]{32}?)
FORMAT = IMPHASH::$1

[sysmon-hashes]
SOURCE_KEY = Hashes
REGEX = (?<hashes>[A-Fa-f0-9]{32,})
MV_ADD = true
REPEAT_MATCH=true

[sysmon-filename]
SOURCE_KEY = TargetFilename
REGEX = (?<file_name>[^\\\\]+$)

[sysmon-registry]
SOURCE_KEY = TargetObject
REGEX = (?<object>[^\\\\]+$)

[eventcode]
default_match = Unknown
filename = eventcode.csv
min_matches = 1

[User_as_user]
SOURCE_KEY = User
REGEX = (?:[^\\]+\\)?(.+)
FORMAT = user::"$1"

[sysmon-dns-record-data]
SOURCE_KEY = QueryResults
REGEX = type:\s+(?<record_type>\d+)((?<record>[^;]+)+)
REPEAT_MATCH = true
MV_ADD = true

[sysmon-dns-ip-data]
SOURCE_KEY = QueryResults
REGEX = (?<answer>(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})+)
REPEAT_MATCH = true
MV_ADD = true