# Index-time sourcetype assignment for Sysmon for Linux events received over syslog.
# Fires when the text "sysmon:" (presumably the syslog program tag) is immediately
# followed by the opening <Event of the XML payload.
# NOTE(review): the match is only on " sysmon: <Event"; any syslog sender able to emit
# that program tag has its events retagged as sysmon_linux — confirm the senders are trusted.
[sysmonforlinux_sourcetype]
REGEX = \ssysmon:\s\<Event
# Rewrites the event's sourcetype metadata rather than extracting a field.
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sysmon_linux

[sysmonforlinux_source]
# Companion to [sysmonforlinux_sourcetype]: rewrites the event's source metadata.
DEST_KEY = MetaData:Source
# Stricter than the sourcetype regex: additionally requires the <System> block to open
# with Provider Name="Linux-Sysmon". An event that matches only the looser sourcetype
# pattern therefore gets the new sourcetype but keeps its original source.
REGEX = \ssysmon:\s\<Event\>\<System\>\<Provider Name=\"Linux-Sysmon\"
FORMAT = source::Syslog:Linux-Sysmon/Operational

[lx_eventdata_xml_data]
# Extracts from <Data Name='name'>value</Data> as name:value. Skips ComplexData tags
# Runs against the EventData_Xml field instead of _raw; that field must already exist
# (presumably produced by an earlier extraction such as [eventdata_xml_block] — confirm).
SOURCE_KEY = EventData_Xml
# Group 1 = the Name attribute (anything up to the next '>'), group 2 = element text up to
# the next '<'. The "\/?>" also accepts a self-closing <Data Name="x"/> (empty value).
# NOTE(review): \1 back-references group 1 — the Name value, not the tag name — so the
# optional closing-tag group will rarely match. It is harmless because it is optional;
# the </Data> tag is simply left unconsumed.
REGEX = <(?:\w+)\sName=\"([^>]*)\"\/?>([^<]*)(?:<\/\1>)?
# Field name comes from the event content itself (group 1); the value from group 2.
FORMAT = $1::$2
# A Name that repeats within one event accumulates as a multivalue field instead of
# the last occurrence overwriting earlier ones.
MV_ADD = 1

# Transforms from TA Sysmon
# The stanzas below are intentionally empty: they carry only the stanza names used by
# TA Sysmon and define no REGEX / FORMAT / DEST_KEY of their own.
# NOTE(review): what an empty stanza resolves to depends on how Splunk layers this file
# with the TA's own transforms.conf — confirm whether the TA's definitions are meant to
# be reused here or whether these are no-op placeholders.
[sysmon-eventid]

[sysmon-version]

[sysmon-task]

[sysmon-opcode]

[sysmon-keywords]

[sysmon-created]

[sysmon-record]

[sysmon-correlation]

[sysmon-channel]

[sysmon-computer]

[sysmon-sid]

[sysmon-registryvaluedata]

[sysmon-registryvaluetype]

[sysmon-data]

[sysmon-md5]

[sysmon-sha1]

[sysmon-sha256]

[sysmon-imphash]

[sysmon-filename]

[sysmon-dns-answer-data]

[sysmon-user]

[sysmon-user-and-src_host-from-clientinfo]

# Transforms from TA Windows
# As with the TA Sysmon block above, these stanzas are empty: only the names used by
# TA Windows are listed, with no settings of their own.
# NOTE(review): [eventdata_xml_block] is likely the extraction that populates the
# EventData_Xml field consumed by [lx_eventdata_xml_data] — confirm against the TA,
# since nothing in this file defines it.
[system_xml_block]

[eventdata_xml_block]

[userdata_xml_block]

[debugdata_xml_block]

[renderinginfo_xml_block]

[system_props_xml_kv]

[system_props_xml_attributes]

[rendering_info_xml_data]