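##
## SPDX-FileCopyrightText: 2021 Splunk, Inc.
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##

# Search-time normalisation of Sysmon for Linux events to CIM field names.
# Every EVAL below is gated on EventID so that a field is only populated for the
# event types that actually carry the source data; a case() with no matching
# branch leaves the field unset rather than producing a misleading value.
# Splunk .conf files have no trailing-comment syntax, so all notes are on their
# own lines.
[sysmon:linux]
TIME_PREFIX =
# NOTE(review): the lone '%' after %3N is not a strptime directive - confirm
# against a sample UtcTime value that it is intended and not a typo.
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N%
TZ = UTC
REPORT-sysmon = sysmon-eventid,sysmon-keywords,sysmon-computer,sysmon-data,sysmon-filename
FIELDALIAS-dvc = Computer AS dvc
# Hashes is "-" when Sysmon did not compute a hash; leave file_hash/process_hash
# unset in that case so hash-based detections do not match on a literal "-".
EVAL-file_hash = case( EventID IN ("23") AND NOT Hashes IN ("-"), Hashes )
EVAL-process_hash = case( EventID IN ("1") AND NOT Hashes IN ("-"), Hashes )
# Event 11 is "created" when UtcTime equals CreationUtcTime, otherwise "modified".
EVAL-action = case( EventID IN ("1", "3", "9"), "allowed", \
    EventID="5", "blocked", \
    (EventID = "11" AND UtcTime==CreationUtcTime), "created", \
    EventID IN ("23"), "deleted", \
    (EventID = "11" AND UtcTime!=CreationUtcTime), "modified" )
# Network connections (3) prefer the resolved hostname and fall back to the IP;
# every other event type is local to the reporting host.
EVAL-dest = case( EventID IN ("1","4","5","9","11","16","23"), Computer, \
    EventID="3" AND isnotnull(DestinationHostname) AND DestinationHostname != "-", DestinationHostname, \
    EventID="3", DestinationIp )
# ID 1 only
EVAL-parent_process = case( EventID="1", ParentCommandLine)
FIELDALIAS-process_current_directory = CurrentDirectory AS process_current_directory
# NOTE(review): original_file_name is derived from the basename of Image rather
# than from a dedicated source field - confirm this mapping is intended.
EVAL-original_file_name = case( EventID="1", replace(Image,"(.*\/)(?=.*(\.\w*)$|(\w+)$)","") )
# ID 3 only (network connection)
FIELDALIAS-dest_port = DestinationPort AS dest_port
FIELDALIAS-SourcePort = SourcePort AS src_port
FIELDALIAS-Protocol = Protocol AS transport
# In eval, double quotes delimit string literals and single quotes reference a
# field name; comparing against '-' would test a non-existent field called "-"
# and never set dest_host. Uses the same "-" literal as EVAL-dest above.
EVAL-dest_host = case( EventID="3" AND DestinationHostname != "-", DestinationHostname)
FIELDALIAS-dest_ip = DestinationIp AS dest_ip
FIELDALIAS-dvc_ip = SourceIp AS dvc_ip
FIELDALIAS-src_ip = SourceIp AS src_ip
EVAL-src_host = case( EventID="3" AND NOT SourceHostname IN ("-"), SourceHostname )
EVAL-app = case( EventID="3", Image )
EVAL-creation_time = case( EventID=="3",UtcTime )
EVAL-direction = case( EventID="3" AND Initiated=="true","outbound", EventID="3", "inbound" )
EVAL-protocol = case( EventID="3", "IP" )
EVAL-protocol_version = case( EventID="3" AND DestinationIsIpv6="true", "ipv6", EventID="3", "ipv4" )
# Same quoting fix as dest_host: "-" must be a string literal, not a field ref.
EVAL-rule = case( EventID="3" AND isnotnull(RuleName) AND RuleName != "-", RuleName)
EVAL-state = case(EventID=="3", "established")
# transport and dest_port are FIELDALIAS outputs defined above; aliases are
# applied before calculated fields, so they are available here.
EVAL-transport_dest_port = mvzip(transport,dest_port,"/")
EVAL-vendor_product = "Sysmon For Linux"
EVAL-src = case( EventID IN ("3"), SourceIp, \
    isnotnull(SourceHostname), SourceHostname, \
    isnotnull(SourceIp), SourceIp )
# ID 4, 16 only
# Endpoint:Services
EVAL-description = case( EventID="4", "Sysmon state changed", \
    EventID="16", "Sysmon configuration changed")
EVAL-service = case( EventID IN ("4","16"), "Linux-Sysmon" )
EVAL-service_name = case( EventID IN ("4","16"), "Linux-Sysmon" )
# Only event 3 carries a User field; for other events user is set to "root"
# solely when UserId is 0 and is otherwise left unset.
EVAL-user = case( EventID IN ("3"), User, UserId="0","root")
FIELDALIAS-UserId = UserId AS user_id
EVAL-os = case( EventID IN ("1","5","9"),"Linux" )
EVAL-parent_process_path = case( EventID="1", ParentImage )
# The replace() strips everything up to and including the last "/", leaving
# the executable basename.
EVAL-parent_process_exec = case( EventID="1", replace(ParentImage,"(.*\/)(?=.*(\.\w*)$|(\w+)$)","") )
EVAL-parent_process_name = case( EventID="1", replace(ParentImage,"(.*\/)(?=.*(\.\w*)$|(\w+)$)","") )
EVAL-parent_process_id = case( EventID="1", ParentProcessId )
EVAL-parent_process_guid = case( EventID="1", ParentProcessGuid )
# process is the full command line for process-create (1) but only the image
# path for process-terminate (5), which carries no CommandLine.
EVAL-process = case( EventID IN ("1"), CommandLine, EventID IN ("5"), Image )
EVAL-process_path = case( EventID IN ("1","5","9","11","23"), Image )
EVAL-process_exec = case( EventID IN ("1","3","5","9","11","23"), replace(Image,"(.*\/)(?=.*(\.\w*)$|(\w+)$)","") )
EVAL-process_name = case( EventID IN ("1","3","5","9","11","23"), replace(Image,"(.*\/)(?=.*(\.\w*)$|(\w+)$)","") )
EVAL-process_guid = case( EventID IN ("1","3","5","9","11","23"), ProcessGuid )
# Sysmon service events (4, 16) spell the field ProcessID; all others ProcessId.
EVAL-process_id = case( EventID IN ("4","16"), ProcessID, \
    EventID IN ("1","3","5","9","11","23"), ProcessId )
FIELDALIAS-process_integrity_level = IntegrityLevel AS process_integrity_level
# NOTE(review): EventID 14 is not referenced by any other EVAL in this stanza -
# confirm the "success" branch is reachable for this source.
EVAL-status = case( (EventID=14 AND Keywords="0x8000000000000000"),"success", \
    EventID="16","started", \
    EventID="4",lower(State) )
FIELDALIAS-file_create_time = CreationUtcTime AS file_create_time
EVAL-file_modify_time = case( EventID IN ("23"),UtcTime )
# The (:[\w\. ]+) replace drops a ":suffix" portion from TargetFilename;
# file_name additionally strips the directory part. For config-change events
# (16) file_path is the Configuration file that was loaded.
EVAL-file_path = case ( EventID IN ("11", "23"), replace(TargetFilename,"(:[\w\. ]+)",""), EventID IN ("16"), Configuration )
EVAL-file_name = case ( EventID IN ("11","23"), replace(replace(TargetFilename,"(.*/)",""),"(:[\w\. ]+)","") )
EVAL-object_category = case( EventID IN ("11","23"), "file" )
#Fields for ChangeAnalysis DM
LOOKUP-sysmon-eventid-lookup = sysmon-eventid-lookup EventID OUTPUTNEW EventDescription EventDescription AS signature
FIELDALIAS-signature_id = EventID AS signature_id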