title: LogRhythm Field Mapping
# Maps Sigma/generic field names (left-hand keys) to LogRhythm numeric field
# identifiers (right-hand values). The trailing "#Name = N" comment on each
# entry names the LogRhythm field that the number appears to stand for; a list
# value maps one source field onto several LogRhythm fields. The commented-out
# "Name = N" lines at the end of the file appear to be the remaining, unmapped
# field IDs kept as a lookup table.
# order: 20
#
User: 43 #User = 43
username: 43
EventID: 37 #VendorMsgID = 37
event_id: 37
Hashes: 138 #Hash = 138
src_ip: 18 #SIP = 18
c-ip: 18
cs-ip: 18
dst_ip: 19 #DIP = 19
# NOTE(review): the two port entries below disagree with their own annotations:
# src_port carries the value annotated as DPort and dst_port the value annotated
# as SPort. Either the values or the comments are swapped; confirm against the
# LogRhythm field-ID table before relying on port-based detection rules, since a
# swap silently inverts source/destination port conditions.
src_port: 27 #DPort = 27
dst_port: 26 #SPort = 26
ProcessId: 109 #PID = 109
cs_url: 42 #URL = 42
Version: 111 #Version = 111
# Parent image is parsed into two fields for Sysmon: ParentProcessName (taskeng.exe) and ParentProcessPath (C:\Windows\System32)
ParentImage:
- 146 #ParentProcessName = 146
- 147 #ParentProcessPath = 147
Command: 112 #Command = 112
ParentProcessId: 145 #ParentProcessId = 145
# NOTE(review): TargetObject and Image both resolve to the same LogRhythm field
# (Object = 34), so a rule that conditions on both fields cannot tell them apart
# once mapped; confirm this collapse is intended.
TargetObject: 34 #Object = 34
Image: 34 #Object = 34
mac: 132 #MAC = 132
# NOTE(review): SourceImage reuses the ParentProcessName/ParentProcessPath ids
# that ParentImage maps to above — confirm these are the intended LogRhythm
# fields for the originating process.
SourceImage:
- 146 #ParentProcessName = 146
- 147 #ParentProcessPath = 147
QueryName: 113 #ObjectName = 113 for Sysmon 22
QueryResult: 141 #Result = 141 for Sysmon 22
sc-bytes: 59 #BytesOut = 59
c-useragent: 144 #UserAgent = 144
TargetFilename: # For Sysmon 11
- 33 #Subject = 33
# NOTE(review): the value 43 is annotated as User at the top of this file, while
# the comment here says Object = 34 (the id used for TargetObject/Image above).
# This looks like a typo for 34 — confirm, as written it maps file-creation
# targets onto the User field.
- 43 #Object = 34
# Remaining LogRhythm field IDs (not mapped above), apparently kept for reference:
#Address = 44
#Amount = 64
#Application = 97
#MsgClass = 10
#CommonEvent = 11
#Direction = 2
#Duration = 62
#Group = 38
#BytesIn = 58
#BytesOut = 59
#BytesInOut = 95
#DHost = 100
#Host = 98
#SHost = 99
#ItemsIn = 60
#ItemsOut = 61
#ItemsInOut = 96
#DHostName = 25
#HostName = 23
#SHostName = 24
#KnownService = 16
#DInterface = 108
#Interface = 133
#SInterface = 107
#IP = 17
#DIPRange = 22
#IPRange = 20
#SIPRange = 21
#KnownDHost = 15
#KnownHost = 13
#KnownSHost = 14
#Location = 87
#SLocation = 85
#DLocation = 86
#MsgSource = 7
#Entity = 6
#RootEntity = 136
#MsgSourceType = 9
#DMAC = 104
#SMAC = 103
#Message = 35
#MPERule = 12
#DNATIP = 106
#NATIP = 126
#SNATIP = 105
#DNATIPRange = 125
#NATIPRange = 127
#SNATIPRange = 124
#DNATPort = 115
#NATPort = 130
#SNATPort = 114
#DNATPortRange = 129
#NATPortRange = 131
#SNATPortRange = 128
#DNetwork = 50
#Network = 51
#SNetwork = 49
#Login = 29
#IDMGroupForLogin = 52
#Priority = 3
#Process = 41
#Protocol = 28
#Quantity = 63
#Rate = 65
#Recipient = 32
#Sender = 31
#Session = 40
#Severity = 110
#Size = 66
#Port = 45
#DPortRange = 47
#PortRange = 48
#SPortRange = 46
#Account = 30
#IDMGroupForUser = 54
#SZone = 93
#DZone = 94
#FilterGroup = 1000
#PolyListItem = 1001
#Domain = 39
#DomainOrigin = 137
#Policy = 139
#VendorInfo = 140
#ObjectType = 142
#CVE = 143
#SerialNumber = 148
#Reason = 149
#Status = 150
#ThreatId = 151
#ThreatName = 152
#SessionType = 153
#Action = 154
#ResponseCode = 155
#UserOriginIdentityID = 167
#Identity = 160
#UserImpactedIdentityID = 168
#SenderIdentityID = 169
#RecipientIdentityID = 170