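# props.conf -- Sysmon for Linux events delivered over syslog.
# Splunk conf syntax: "#" comments only on their own line (no trailing
# comments); a trailing backslash continues a setting onto the next line.
# Event IDs referenced below are Sysmon EventCode values.

# Index-time routing: syslog events are re-typed/re-sourced by the two
# transforms named here (defined in transforms.conf, not shown).
[syslog]
TRANSFORMS-sysmonlinux = sysmonforlinux_sourcetype, sysmonforlinux_source

# Search-time knowledge for the sysmon_linux sourcetype.
[sysmon_linux]
# NOTE(review): TRANSFORMS-based sourcetype renaming happens after timestamp
# extraction, so the TIME_* settings here are presumably only honoured for
# data ingested directly as sysmon_linux -- confirm against the ingest path.
# Empty prefix: the first string matching TIME_FORMAT is used.
TIME_PREFIX =
# Layout of the UtcTime field, e.g. 2021-10-08 20:10:04.880 (constructed
# example). A stray trailing "%" was removed from the original value; a lone
# "%" is not a valid strptime directive and would break timestamp parsing.
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N
TZ = UTC

# Search-time extractions; each name is a transforms.conf stanza and they are
# applied in the order listed.
REPORT-sysmon = sysmon-eventid,sysmon-version,sysmon-level,sysmon-task,sysmon-opcode,sysmon-keywords,sysmon-created,sysmon-record, \
sysmon-correlation,sysmon-channel,sysmon-computer,sysmon-sid,sysmon-registryvaluedata,sysmon-registryvaluetype,sysmon-data,sysmon-md5,sysmon-sha1,sysmon-sha256,sysmon-imphash, \
sysmon-filename,sysmon-dns-answer-data,sysmon-user,sysmon-user-and-src_host-from-clientinfo
# NOTE(review): commented-out transform list below carries no explanation;
# either document why it is retained or remove it.
#sysmon-hashes,sysmon-filename,sysmon-registry,sysmon-dns-record-data,sysmon-dns-ip-data,sysmon-user,sysmon-dns-record-data,
# XML block and key/value extractions. The "0" prefix presumably makes these
# classes sort (and therefore run) before REPORT-sysmon -- confirm.
REPORT-0xml_block_extract = system_xml_block,eventdata_xml_block,userdata_xml_block,debugdata_xml_block,renderinginfo_xml_block
REPORT-0xml_kv_extract = system_props_xml_kv,system_props_xml_attributes,lx_eventdata_xml_data,rendering_info_xml_data

# Hash fields: ID 15 carries a single Hash; IDs 23/26 carry Hashes.
EVAL-file_hash = case( EventCode IN ("15"), Hash, \
    EventCode IN ("23","26"), Hashes )
EVAL-process_hash = case( EventCode IN ("1","6","7","24"), Hashes )
# Object fields for WMI (20/21) and registry (12-14) events.
EVAL-object_path = case( EventCode="20", Destination, \
    EventCode="21", Consumer, \
    EventCode IN ("12", "13"), TargetObject, \
    EventCode="14", NewName )
EVAL-object = case( EventCode = "20", replace(replace(Destination,"(.*\\\)",""),"\"",""), \
    EventCode="21", replace(replace(Consumer,"(\\\\\"\")",""),".+(\\\\\")","" ) )
# CIM action. ID 11 is "created" only when UtcTime equals CreationUtcTime,
# otherwise "modified".
EVAL-action = case( EventCode IN ("1", "3", "6", "8", "9", "10", "15", "17", "18", "24", "25"), "allowed", \
    EventCode="5", "blocked", \
    (EventCode = "11" AND UtcTime==CreationUtcTime) OR (EventCode = "12" AND EventType="CreateKey") OR (EventCode = "19") OR (EventCode IN ("20","21") AND Operation="Created"), "created", \
    (EventCode = "12" AND EventType="DeleteKey") OR (EventCode IN ("20","21") AND Operation="Deleted") OR EventCode IN ("23", "26"), "deleted", \
    EventCode IN ("2", "13","14") OR (EventCode = "11" AND UtcTime!=CreationUtcTime), "modified", \
    EventCode="7", "success" )
# dest: the local host for every event type except network connections (ID 3),
# where the remote hostname is preferred over the IP when Sysmon supplies one
# ("-" means unknown).
EVAL-dest = case( EventCode IN ("1","2","4","5","6","7","8","9","10","11","12","13","14","15","16","17","18","19","20","21","23","24","25","26","255"), Computer, \
    EventCode="3" AND isnotnull(DestinationHostname) AND DestinationHostname != "-", DestinationHostname, \
    EventCode="3", DestinationIp )

# ID 1 only
FIELDALIAS-parent_process = ParentCommandLine AS parent_process
FIELDALIAS-process_current_directory = CurrentDirectory AS process_current_directory
EVAL-original_file_name = case( EventCode="1",OriginalFileName )

# ID 3 only (network connection; DNS fields are under ID 22 below)
FIELDALIAS-dest_port = DestinationPort AS dest_port
FIELDALIAS-SourcePort = SourcePort AS src_port
FIELDALIAS-Protocol = Protocol AS transport
# Fixed: the original compared against '-' (single quotes), which SPL eval
# treats as a field reference, not the literal string, so dest_host was never
# populated. Now matches the "-" handling used in EVAL-dest.
EVAL-dest_host = case( EventCode="3" AND isnotnull(DestinationHostname) AND DestinationHostname != "-", DestinationHostname)
FIELDALIAS-dest_ip = DestinationIp AS dest_ip
FIELDALIAS-dvc_ip = SourceIp AS dvc_ip
FIELDALIAS-src_ip = SourceIp AS src_ip
EVAL-src_host = case( EventCode="3", SourceHostname, EventCode="24", SrcHost )
EVAL-app = case( EventCode="3", Image )
EVAL-creation_time = case( EventCode=="3",UtcTime )
EVAL-direction = case( EventCode="3" AND Initiated=="true","outbound", EventCode="3", "inbound" )
EVAL-protocol = case( EventCode="3", "ip" )
EVAL-protocol_version = case( EventCode="3" AND DestinationIsIpv6="true", "ipv6", EventCode="3", "ipv4" )
# Fixed: same '-' field-reference bug as dest_host (rule was never populated);
# also uses EventCode rather than the EventID alias for consistency with the
# rest of the stanza.
EVAL-rule = case( EventCode="3" AND isnotnull(RuleName) AND RuleName != "-", RuleName)
EVAL-state = case(EventCode=="3", "established")
# Depends on the transport and dest_port aliases above (aliases are applied
# before calculated fields).
EVAL-transport_dest_port = mvzip(transport,dest_port,"/")

# ID 6 only
EVAL-service_signature_exists = case( EventCode="6",Signed )
EVAL-service_signature_verified = case( EventCode="6" AND SignatureStatus="Valid", "true", EventCode="6", "false" )

# ID 7 only
EVAL-service_dll_signature_exists = case( EventCode="7",Signed )
EVAL-service_dll_signature_verified = case( EventCode="7" AND SignatureStatus="Valid", "true", EventCode="7", "false" )

# ID 8 only
FIELDALIAS-src_function = StartFunction AS src_function
FIELDALIAS-src_address = StartAddress AS src_address
FIELDALIAS-src_module = StartModule AS src_module

# ID 10 only
FIELDALIAS-granted_access = GrantedAccess AS granted_access

# ID 15 only
FIELDALIAS-http_referrer = ReferrerUrl AS http_referrer
FIELDALIAS-url = HostUrl AS url
# NOTE(review): the referrer regex requires a trailing "/" on ReferrerUrl;
# values without one are left unchanged -- confirm this is intended.
EVAL-http_referrer_domain = case( EventCode="15", replace(ReferrerUrl, "(^\w+:|^)\/\/(.*)\/$" ,"\2"))
EVAL-url_domain = case (EventCode="15",replace(HostUrl, "(^\w+:|^)\/\/([\w.]*).*$" ,"\2"))
EVAL-uri_path = case (EventCode="15", replace(HostUrl, "(.*/)" ,""))
EVAL-url_length = len(url)

# ID 21 only
FIELDALIAS-object_attrs = Filter AS object_attrs

# ID 22 only
FIELDALIAS-QueryName = QueryName AS query
FIELDALIAS-QueryStatus = QueryStatus AS reply_code_id
# "answer" is not defined in this file; presumably produced by the
# sysmon-dns-answer-data transform -- verify in transforms.conf.
EVAL-answer_count = mvcount(answer)
EVAL-query_count = mvcount(query)
LOOKUP-record_type = sysmon-record_type-lookup record_type OUTPUT record_type_name AS record_type
EVAL-vendor_product = "Linux Sysmon"
EVAL-src = case( EventCode IN ("19","20","21","22"), Computer, \
    isnotnull(SourceHostname), SourceHostname, \
    isnotnull(SourceIp), SourceIp )

# ID 4, 16, 255 only
# Endpoint:Services
EVAL-description = case( EventCode="255","Error occured within Sysmon", \
    EventCode="4", "Sysmon state changed", \
    EventCode="16", "Sysmon configuration changed")
EVAL-service = case( EventCode IN ("4","16","255"), "Sysmon" )
EVAL-service_name = case( EventCode IN ("4","16","255"), "Sysmon" )

# ID 12, 13, 14 only
# Endpoint:Registry
# NOTE(review): registry (12-14) and WMI (19-21) handling appears to be
# carried over from a Windows configuration; confirm these IDs are ever
# emitted by Sysmon for Linux before relying on the fields.
FIELDALIAS-registry_path = TargetObject AS registry_path
EVAL-registry_key_name = case( EventCode IN ("12","14"),TargetObject, \
    EventCode="13", replace(TargetObject,"\\\(\w+)$","") )
EVAL-registry_hive = case( EventCode IN ("12","13","14") AND like(TargetObject, "HKLM\System\%"), "HKEY_LOCAL_MACHINE\\\\System", \
    EventCode IN ("12","13","14") AND like(TargetObject, "HKU\%"), "HKEY_CURRENT_USER" )
EVAL-registry_value_data = case( EventCode="14" AND EventType="RenameValue",RegistryValueData, \
    EventCode="13", RegistryValueData )
EVAL-registry_value_name = case( EventCode="14" AND EventType="RenameValue",replace(TargetObject,"(.*)\\\(\w+)$","\2"), \
    EventCode ="13", replace(TargetObject,"(.*)\\\(\w+)$","\2") )
EVAL-registry_value_type = case( EventCode="14" AND EventType="RenameValue","REG_"+RegistryValueType, \
    EventCode ="13", "REG_"+RegistryValueType)

# ID 17 & 18 only
FIELDALIAS-pipe_name = PipeName AS pipe_name

# ID 19, 20, 21
# Change:Endpoint_Changes
# NOTE(review): change_type labels 19-21 "filesystem" while object_category
# below labels the same IDs "wmi" -- confirm which is intended.
EVAL-change_type = case( EventCode IN ("19","20","21"), "filesystem" )
# "user" comes from the FIELDALIAS-user alias at the end of this stanza.
EVAL-user_name = case( EventCode IN ("19","20","21"), user )
EVAL-os = case( EventCode IN ("1","5","6","7","8","9","10","15","17","18","24","25"),"Linux" )

# Parent process fields. For ID 7 the loading process (Image) is the parent;
# for 8/10 the source process is.
EVAL-parent_process_path = case( EventCode="1", ParentImage, \
    EventCode="7", Image, \
    EventCode IN ("8","10"), SourceImage )
# The replace() strips everything up to the last "/" to leave the basename.
EVAL-parent_process_exec = case( EventCode="1", replace(ParentImage,"(.*/)(?=.*(\.[^/]*)$|([^/]+)$)",""), \
    EventCode="7", replace(Image,"(.*/)(?=.*(\.[^/]*)$|([^/]+)$)",""), \
    EventCode IN ("8","10"), replace(SourceImage,"(.*/)(?=.*(\.[^/]*)$|([^/]+)$)","") )
EVAL-parent_process_name = case( EventCode="1", replace(ParentImage,"(.*/)(?=.*(\.[^/]*)$|([^/]+)$)",""), \
    EventCode="7", replace(Image,"(.*/)(?=.*(\.[^/]*)$|([^/]+)$)",""), \
    EventCode IN ("8","10"), replace(SourceImage,"(.*/)(?=.*(\.[^/]*)$|([^/]+)$)","") )
EVAL-parent_process_id = case( EventCode="1", ParentProcessId, \
    EventCode="7", ProcessId, \
    EventCode IN ("8","10"), SourceProcessId )
EVAL-parent_process_guid = case( EventCode="1", ParentProcessGuid, \
    EventCode="7", ProcessGuid, \
    EventCode="8", SourceProcessGuid, \
    EventCode="10", SourceProcessGUID )

# Process fields. For 6/7 the loaded image is the "process"; for 8/10 the
# target process is.
EVAL-process = case( EventCode="1",CommandLine, \
    EventCode="5",Image )
EVAL-process_path = case( EventCode IN ("1","2","5","9","11","12","13","14","15","17","18","23","24","25","26"), Image, \
    EventCode IN ("6","7"), ImageLoaded, \
    EventCode IN ("8","10"), TargetImage )
EVAL-process_exec = case( EventCode IN ("1","2","3","5","9","11","12","13","14","15","17","18","22","23","24","26"), replace(Image,"(.*/)(?=.*(\.[^/]*)$|([^/]+)$)",""), \
    EventCode IN ("7"), replace(ImageLoaded,"(.*/)(?=.*(\.[^/]*)$|([^/]+)$)",""), \
    EventCode IN ("8","10"), replace(TargetImage,"(.*/)(?=.*(\.[^/]*)$|([^/]+)$)","") )
EVAL-process_name = case( EventCode IN ("1","2","3","5","9","11","12","13","14","15","17","18","22","23","24","26"), replace(Image,"(.*/)(?=.*(\.[^/]*)$|([^/]+)$)",""), \
    EventCode IN ("7"), replace(ImageLoaded,"(.*/)(?=.*(\.[^/]*)$|([^/]+)$)",""), \
    EventCode IN ("8","10"), replace(TargetImage,"(.*/)(?=.*(\.[^/]*)$|([^/]+)$)","") )
EVAL-process_guid = case( EventCode IN ("1","2","3","5","9","11","12","13","14","15","17","18","22","23","24","25","26"), ProcessGuid, \
    EventCode="8", TargetProcessGuid, \
    EventCode="10", TargetProcessGUID )
# IDs 16/255 carry ProcessID wrapped in single quotes, which are stripped.
EVAL-process_id = case( EventCode IN ("1","2","3","5","9","11","12","13","14","15","17","18","23","24","25","26"), ProcessId, \
    EventCode IN ("8","10"), TargetProcessId, \
    EventCode IN ("16","255"), replace(ProcessID, "'", "") )
FIELDALIAS-process_integrity_level = IntegrityLevel AS process_integrity_level
EVAL-dvc = case( EventCode IN ("3", "10","13","19","20","21","24", "26", "255") , Computer )
# EventCode is compared as a quoted string throughout (the original had a
# bare 14 here).
EVAL-status = case( EventCode="255","critical", \
    EventCode IN ("12","13","19","20","21") OR (EventCode="14" AND Keywords="0x8000000000000000"),"success", \
    EventCode="16","started", \
    EventCode="4",lower(State) )
EVAL-result = case( EventCode="25",Type, \
    EventCode="255",Description, \
    EventCode IN ("19","21"),lower(Operation) )

# File fields.
FIELDALIAS-file_create_time = CreationUtcTime AS file_create_time
EVAL-file_modify_time = case( EventCode IN ("2","23","26"),UtcTime )
EVAL-file_access_time = case( EventCode="26",UtcTime )
# NOTE(review): the "(:[\w\. ]+)" replace strips a colon-suffixed stream name
# (a Windows ADS convention). ":" is legal in Linux file names, so a path such
# as /tmp/a:b (constructed example) would be truncated -- confirm this is wanted.
EVAL-file_path = case (EventCode IN ("2","11","15", "23","26"), replace(TargetFilename,"(:[\w\. ]+)","") )
EVAL-file_name = case ( EventCode IN ("11","15","23","2","26"), replace(replace(TargetFilename,"(.*/)",""),"(:[\w\. ]+)","") )
EVAL-object_category = case( EventCode IN ("2","11","23","26"), "file", \
    EventCode IN ("12","13","14"), "registry", \
    EventCode IN ("19","20","21"), "wmi" )

#Fields for ChangeAnalysis DM
LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature
FIELDALIAS-eventid = EventCode AS EventID
FIELDALIAS-signature_id = EventCode AS signature_id
FIELDALIAS-user = User as user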