[sysmonforlinux_sourcetype]
REGEX = \ssysmon:\s\<Event
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sysmon_linux

[sysmonforlinux_source]
DEST_KEY = MetaData:Source
REGEX = \ssysmon:\s\<Event\>\<System\>\<Provider Name=\"Linux-Sysmon\"
FORMAT = source::Syslog:Linux-Sysmon/Operational

[lx_eventdata_xml_data]
# Extracts from <Data Name='name'>value</Data> as name:value. Skips ComplexData tags
SOURCE_KEY = EventData_Xml
REGEX = <(?:\w+)\sName=\"([^>]*)\"\/?>([^<]*)(?:<\/\1>)?
FORMAT = $1::$2
MV_ADD = 1

# Transforms from TA Sysmon

[sysmon-eventid]

[sysmon-version]

[sysmon-task]

[sysmon-opcode]

[sysmon-keywords]

[sysmon-created]

[sysmon-record]

[sysmon-correlation]

[sysmon-channel]

[sysmon-computer]

[sysmon-sid]

[sysmon-registryvaluedata]

[sysmon-registryvaluetype]

[sysmon-data]

[sysmon-md5]

[sysmon-sha1]

[sysmon-sha256]

[sysmon-imphash]

[sysmon-filename]

[sysmon-dns-answer-data]

[sysmon-user]

[sysmon-user-and-src_host-from-clientinfo]

# Transforms from TA Windows

[system_xml_block]

[eventdata_xml_block]

[userdata_xml_block]

[debugdata_xml_block]

[renderinginfo_xml_block]

[system_props_xml_kv]

[system_props_xml_attributes]

[rendering_info_xml_data]