admingit
/
Deploiement_Server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '147eb224af'
${ noResults }
Deploiement_Server/deployment-apps/TA-microsoft-sysmon/default/transforms.conf

104 lines
2.0 KiB
Raw Blame History

[sysmon-eventid]
REGEX = <EventID>(\d+)</EventID>
FORMAT = EventCode::$1
[sysmon-version]
REGEX = <Version>(\d+)</Version>
FORMAT = Version::$1
[sysmon-level]
REGEX = <Level>(\d+)</Level>
FORMAT = Level::$1
[sysmon-task]
REGEX = <Task>(\d+)</Task>
FORMAT = Task::$1
[sysmon-opcode]
REGEX = <Opcode>(\d+)</Opcode>
FORMAT = Opcode::$1
[sysmon-keywords]
REGEX = <Keywords>(0x[0-9a-fA-F]+)</Keywords>
FORMAT = Keywords::$1
[sysmon-created]
REGEX = <TimeCreated SystemTime='(.*?)'/>
FORMAT = TimeCreated::$1
[sysmon-record]
REGEX = <EventRecordID>(\d+)</EventRecordID>
FORMAT = RecordID::$1
[sysmon-correlation]
REGEX = <Correlation>(.*?)</Correlation>
FORMAT = Correlation::$1
[sysmon-channel]
REGEX = <Channel>(.*?)</Channel>
FORMAT = EventChannel::$1
[sysmon-computer]
REGEX = <Computer>(.*?)</Computer>
FORMAT = Computer::$1
[sysmon-sid]
REGEX = <Security UserID='(S-[0-9a-fA-f-]+)'/>
FORMAT = SecurityID::$1
[sysmon-data]
REGEX = <Data Name='(.*?)'>(.*?)</Data>
FORMAT = $1::$2
[sysmon-md5]
REGEX = MD5\=([a-fA-F0-9]{32}?)
FORMAT = MD5::$1
[sysmon-sha1]
REGEX = SHA1\=([a-fA-F0-9]{40}?)
FORMAT = SHA1::$1
[sysmon-sha256]
REGEX = SHA256\=([a-fA-F0-9]{64}?)
FORMAT = SHA256::$1
[sysmon-imphash]
REGEX = IMPHASH\=([a-fA-F0-9]{32}?)
FORMAT = IMPHASH::$1
[sysmon-hashes]
SOURCE_KEY = Hashes
REGEX = (?<hashes>[A-Fa-f0-9]{32,})
MV_ADD = true
REPEAT_MATCH=true
[sysmon-filename]
SOURCE_KEY = TargetFilename
REGEX = (?<file_name>[^\\\\]+$)
[sysmon-registry]
SOURCE_KEY = TargetObject
REGEX = (?<object>[^\\\\]+$)
[eventcode]
default_match = Unknown
filename = eventcode.csv
min_matches = 1
[User_as_user]
SOURCE_KEY = User
REGEX = (?:[^\\]+\\)?(.+)
FORMAT = user::"$1"
[sysmon-dns-record-data]
SOURCE_KEY = QueryResults
REGEX = type:\s+(?<record_type>\d+)((?<record>[^;]+)+)
REPEAT_MATCH = true
MV_ADD = true
[sysmon-dns-ip-data]
SOURCE_KEY = QueryResults
REGEX = (?<answer>(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})+)
REPEAT_MATCH = true
MV_ADD = true
Reference in new issue View Git Blame Copy Permalink