From f97b97fa3d158c12aae8d94f25b753cc79ea0e56 Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Tue, 28 Apr 2020 13:11:56 -0400 Subject: [PATCH 1/4] [Winlogbeat] Add sysmon module ECS categorization fields --- .../module/sysmon/config/winlogbeat-sysmon.js | 730 +++++++++++++----- 1 file changed, 553 insertions(+), 177 deletions(-) diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js index b882df875fc..955e6e84d1b 100644 --- a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js +++ b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js @@ -4,11 +4,11 @@ // Polyfill for String startsWith. if (!String.prototype.startsWith) { - Object.defineProperty(String.prototype, 'startsWith', { - value: function(search, pos) { + Object.defineProperty(String.prototype, "startsWith", { + value: function (search, pos) { pos = !pos || pos < 0 ? 0 : +pos; return this.substring(pos, pos + search.length) === search; - } + }, }); } @@ -284,15 +284,19 @@ var sysmon = (function () { "65282": "WINSR", }; - var setProcessNameUsingExe = function(evt) { + var setProcessNameUsingExe = function (evt) { setProcessNameFromPath(evt, "process.executable", "process.name"); }; - var setParentProcessNameUsingExe = function(evt) { - setProcessNameFromPath(evt, "process.parent.executable", "process.parent.name"); + var setParentProcessNameUsingExe = function (evt) { + setProcessNameFromPath( + evt, + "process.parent.executable", + "process.parent.name" + ); }; - var setProcessNameFromPath = function(evt, pathField, nameField) { + var setProcessNameFromPath = function (evt, pathField, nameField) { var name = evt.Get(nameField); if (name) { return; 
@@ -301,7 +305,7 @@ var sysmon = (function () { evt.Put(nameField, path.basename(exe)); }; - var splitCommandLine = function(evt, source, target) { + var splitCommandLine = function (evt, source, target) { var commandLine = evt.Get(source); if (!commandLine) { return; @@ -309,15 +313,19 @@ var sysmon = (function () { evt.Put(target, winlogbeat.splitCommandLine(commandLine)); }; - var splitProcessArgs = function(evt) { + var splitProcessArgs = function (evt) { splitCommandLine(evt, "process.command_line", "process.args"); }; - var splitParentProcessArgs = function(evt) { - splitCommandLine(evt, "process.parent.command_line", "process.parent.args"); + var splitParentProcessArgs = function (evt) { + splitCommandLine( + evt, + "process.parent.command_line", + "process.parent.args" + ); }; - var addUser = function(evt) { + var addUser = function (evt) { var userParts = evt.Get("winlog.event_data.User").split("\\"); if (userParts.length === 2) { evt.Delete("user"); @@ -327,7 +335,7 @@ var sysmon = (function () { } }; - var addNetworkDirection = function(evt) { + var addNetworkDirection = function (evt) { switch (evt.Get("winlog.event_data.Initiated")) { case "true": evt.Put("network.direction", "outbound"); @@ -339,7 +347,7 @@ var sysmon = (function () { evt.Delete("winlog.event_data.Initiated"); }; - var addNetworkType = function(evt) { + var addNetworkType = function (evt) { switch (evt.Get("winlog.event_data.SourceIsIpv6")) { case "true": evt.Put("network.type", "ipv6"); @@ -352,10 +360,10 @@ var sysmon = (function () { evt.Delete("winlog.event_data.DestinationIsIpv6"); }; - var addHashes = function(evt, hashField) { + var addHashes = function (evt, hashField) { var hashes = evt.Get(hashField); evt.Delete(hashField); - hashes.split(",").forEach(function(hash){ + hashes.split(",").forEach(function (hash) { var parts = hash.split("="); if (parts.length !== 2) { return; 
@@ -363,26 +371,26 @@ var sysmon = (function () { var key = parts[0].toLowerCase(); var value = parts[1].toLowerCase(); - evt.Put("hash."+key, value); + evt.Put("hash." + key, value); }); }; - var splitHashes = function(evt) { + var splitHashes = function (evt) { addHashes(evt, "winlog.event_data.Hashes"); }; - var splitHash = function(evt) { + var splitHash = function (evt) { addHashes(evt, "winlog.event_data.Hash"); }; - var removeEmptyEventData = function(evt) { + var removeEmptyEventData = function (evt) { var eventData = evt.Get("winlog.event_data"); if (eventData && Object.keys(eventData).length === 0) { evt.Delete("winlog.event_data"); } }; - var translateDnsQueryStatus = function(evt) { + var translateDnsQueryStatus = function (evt) { var statusCode = evt.Get("sysmon.dns.status"); if (!statusCode) { return; @@ -396,12 +404,12 @@ var sysmon = (function () { // Splits the QueryResults field that contains the DNS responses. // Example: "type: 5 f2.taboola.map.fastly.net;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;" - var splitDnsQueryResults = function(evt) { + var splitDnsQueryResults = function (evt) { var results = evt.Get("winlog.event_data.QueryResults"); if (!results) { return; } - results = results.split(';'); + results = results.split(";"); var answers = []; var ips = []; @@ -411,7 +419,7 @@ var sysmon = (function () { continue; } - if (answer.startsWith('type:')) { + if (answer.startsWith("type:")) { var parts = answer.split(/\s+/); if (parts.length !== 3) { throw "unexpected QueryResult format"; @@ -431,7 +439,10 @@ var sysmon = (function () { if (answer.indexOf(":") !== -1) { type = "AAAA"; } - answers.push({type: type, data: answer}); + answers.push({ + type: type, + data: answer, + }); } } 
@@ -453,27 +464,60 @@ var sysmon = (function () { ignore_missing: true, }); + // Event ID 1 - Process Create. var event1 = new processor.Chain() .Add(parseUtcTime) .AddFields({ - "fields": { - "event.category": "process", - "event.type": "process_start", + fields: { + "event.category": ["process"], + "event.type": ["start", "process_start"], }, - "target": "", + target: "", }) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, - {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.Image", to: "process.executable"}, - {from: "winlog.event_data.CommandLine", to: "process.command_line"}, - {from: "winlog.event_data.CurrentDirectory", to: "process.working_directory"}, - {from: "winlog.event_data.ParentProcessGuid", to: "process.parent.entity_id"}, - {from: "winlog.event_data.ParentProcessId", to: "process.parent.pid", type: "long"}, - {from: "winlog.event_data.ParentImage", to: "process.parent.executable"}, - {from: "winlog.event_data.ParentCommandLine", to: "process.parent.command_line"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.ProcessGuid", + to: "process.entity_id", + }, + { + from: "winlog.event_data.ProcessId", + to: "process.pid", + type: "long", + }, + { + from: "winlog.event_data.Image", + to: "process.executable", + }, + { + from: "winlog.event_data.CommandLine", + to: "process.command_line", + }, + { + from: "winlog.event_data.CurrentDirectory", + to: "process.working_directory", + }, + { + from: "winlog.event_data.ParentProcessGuid", + to: "process.parent.entity_id", + }, + { + from: "winlog.event_data.ParentProcessId", + to: "process.parent.pid", + type: "long", + }, + { + from: "winlog.event_data.ParentImage", + to: "process.parent.executable", + }, + { + from: "winlog.event_data.ParentCommandLine", + to: "process.parent.command_line", + }, ], mode: "rename", 
ignore_missing: true, @@ -488,15 +532,38 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 2 - File creation time changed. var event2 = new processor.Chain() .Add(parseUtcTime) + .AddFields({ + fields: { + "event.category": ["file"], + "event.type": ["change"], + }, + }) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, - {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.Image", to: "process.executable"}, - {from: "winlog.event_data.TargetFilename", to: "file.path"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.ProcessGuid", + to: "process.entity_id", + }, + { + from: "winlog.event_data.ProcessId", + to: "process.pid", + type: "long", + }, + { + from: "winlog.event_data.Image", + to: "process.executable", + }, + { + from: "winlog.event_data.TargetFilename", + to: "file.path", + }, ], mode: "rename", ignore_missing: true, 
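Review bot: The new `AddFields` step in the event 2 chain omits `target: ""`, which the event 1 and event 5 chains in this same patch do set, so the categorization keys are written under the processor's default target rather than at the top level; the golden output added in the second patch shows exactly that shape — `"fields": { "event": { "category": [...], "type": [...] } }` — instead of `event.category`/`event.type`, so the ECS categorization this series is adding never reaches the ECS fields. Add `target: "",` after the `fields` object here; the same omission is in the event 3, 4, 6, 7, 10, 11, 15, 17, 18 and 22 chains. The enclosing `sysmon` IIFE starts and ends outside this hunk.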
@@ -506,22 +573,72 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 3 - Network connection detected. var event3 = new processor.Chain() .Add(parseUtcTime) + .AddFields({ + fields: { + "event.category": ["network"], + "event.type": ["connection", "start", "protocol"], + }, + }) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, - {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.Image", to: "process.executable"}, - {from: "winlog.event_data.Protocol", to: "network.transport"}, - {from: "winlog.event_data.SourceIp", to: "source.ip", type: "ip"}, - {from: "winlog.event_data.SourceHostname", to: "source.domain", type: "string"}, - {from: "winlog.event_data.SourcePort", to: "source.port", type: "long"}, - {from: "winlog.event_data.DestinationIp", to: "destination.ip", type: "ip"}, - {from: "winlog.event_data.DestinationHostname", to: "destination.domain", type: "string"}, - {from: "winlog.event_data.DestinationPort", to: "destination.port", type: "long"}, - {from: "winlog.event_data.DestinationPortName", to: "network.protocol"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.ProcessGuid", + to: "process.entity_id", + }, + { + from: "winlog.event_data.ProcessId", + to: "process.pid", + type: "long", + }, + { + from: "winlog.event_data.Image", + to: "process.executable", + }, + { + from: "winlog.event_data.Protocol", + to: "network.transport", + }, + { + from: "winlog.event_data.SourceIp", + to: "source.ip", + type: "ip", + }, + { + from: "winlog.event_data.SourceHostname", + to: "source.domain", + type: "string", + }, + { + from: "winlog.event_data.SourcePort", + to: "source.port", + type: "long", + }, + { + from: "winlog.event_data.DestinationIp", + to: "destination.ip", + type: "ip", + }, + { + from: "winlog.event_data.DestinationHostname", + 
to: "destination.domain", + type: "string", + }, + { + from: "winlog.event_data.DestinationPort", + to: "destination.port", + type: "long", + }, + { + from: "winlog.event_data.DestinationPortName", + to: "network.protocol", + }, ], mode: "rename", ignore_missing: true, @@ -535,11 +652,21 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 4 - Sysmon service state changed. var event4 = new processor.Chain() .Add(parseUtcTime) + .AddFields({ + fields: { + "event.category": ["process"], + "event.type": ["change"], + }, + }) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, ], mode: "rename", ignore_missing: true, @@ -548,21 +675,35 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 5 - Process terminated. var event5 = new processor.Chain() .Add(parseUtcTime) .AddFields({ - "fields": { - "event.category": "process", - "event.type": "process_end", + fields: { + "event.category": ["process"], + "event.type": ["end", "process_end"], }, - "target": "", + target: "", }) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, - {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.Image", to: "process.executable"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.ProcessGuid", + to: "process.entity_id", + }, + { + from: "winlog.event_data.ProcessId", + to: "process.pid", + type: "long", + }, + { + from: "winlog.event_data.Image", + to: "process.executable", + }, ], mode: "rename", ignore_missing: true, 
@@ -572,12 +713,25 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 6 - Driver loaded. var event6 = new processor.Chain() .Add(parseUtcTime) + .AddFields({ + fields: { + "event.category": ["driver"], + "event.type": ["start"], + }, + }) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.ImageLoaded", to: "file.path"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.ImageLoaded", + to: "file.path", + }, ], mode: "rename", ignore_missing: true, @@ -587,15 +741,38 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 7 - Image loaded. var event7 = new processor.Chain() .Add(parseUtcTime) + .AddFields({ + fields: { + "event.category": ["process"], + "event.type": ["change"], + }, + }) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, - {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.Image", to: "process.executable"}, - {from: "winlog.event_data.ImageLoaded", to: "file.path"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.ProcessGuid", + to: "process.entity_id", + }, + { + from: "winlog.event_data.ProcessId", + to: "process.pid", + type: "long", + }, + { + from: "winlog.event_data.Image", + to: "process.executable", + }, + { + from: "winlog.event_data.ImageLoaded", + to: "file.path", + }, ], mode: "rename", ignore_missing: true, 
@@ -606,14 +783,28 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 8 - CreateRemoteThread detected. var event8 = new processor.Chain() .Add(parseUtcTime) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.SourceProcessGuid", to: "process.entity_id"}, - {from: "winlog.event_data.SourceProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.SourceImage", to: "process.executable"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.SourceProcessGuid", + to: "process.entity_id", + }, + { + from: "winlog.event_data.SourceProcessId", + to: "process.pid", + type: "long", + }, + { + from: "winlog.event_data.SourceImage", + to: "process.executable", + }, ], mode: "rename", ignore_missing: true, @@ -623,15 +814,32 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 9 - RawAccessRead detected. var event9 = new processor.Chain() .Add(parseUtcTime) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, - {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.Image", to: "process.executable"}, - {from: "winlog.event_data.Device", to: "file.path"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.ProcessGuid", + to: "process.entity_id", + }, + { + from: "winlog.event_data.ProcessId", + to: "process.pid", + type: "long", + }, + { + from: "winlog.event_data.Image", + to: "process.executable", + }, + { + from: "winlog.event_data.Device", + to: "file.path", + }, ], mode: "rename", ignore_missing: true, 
@@ -641,15 +849,39 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 10 - Process accessed. var event10 = new processor.Chain() .Add(parseUtcTime) + .AddFields({ + fields: { + "event.category": ["process"], + "event.type": ["access"], + }, + }) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.SourceProcessGUID", to: "process.entity_id"}, - {from: "winlog.event_data.SourceProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.SourceThreadId", to: "process.thread.id", type: "long"}, - {from: "winlog.event_data.SourceImage", to: "process.executable"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.SourceProcessGUID", + to: "process.entity_id", + }, + { + from: "winlog.event_data.SourceProcessId", + to: "process.pid", + type: "long", + }, + { + from: "winlog.event_data.SourceThreadId", + to: "process.thread.id", + type: "long", + }, + { + from: "winlog.event_data.SourceImage", + to: "process.executable", + }, ], mode: "rename", ignore_missing: true, 
@@ -659,15 +891,38 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 11 - File created. var event11 = new processor.Chain() .Add(parseUtcTime) + .AddFields({ + fields: { + "event.category": ["file"], + "event.type": ["creation"], + }, + }) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, - {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.Image", to: "process.executable"}, - {from: "winlog.event_data.TargetFilename", to: "file.path"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.ProcessGuid", + to: "process.entity_id", + }, + { + from: "winlog.event_data.ProcessId", + to: "process.pid", + type: "long", + }, + { + from: "winlog.event_data.Image", + to: "process.executable", + }, + { + from: "winlog.event_data.TargetFilename", + to: "file.path", + }, ], mode: "rename", ignore_missing: true, @@ -677,14 +932,28 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 12 - Registry object added or deleted. var event12 = new processor.Chain() .Add(parseUtcTime) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, - {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.Image", to: "process.executable"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.ProcessGuid", + to: "process.entity_id", + }, + { + from: "winlog.event_data.ProcessId", + to: "process.pid", + type: "long", + }, + { + from: "winlog.event_data.Image", + to: "process.executable", + }, ], mode: "rename", ignore_missing: true, 
@@ -694,14 +963,28 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 13 - Registry value set. var event13 = new processor.Chain() .Add(parseUtcTime) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, - {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.Image", to: "process.executable"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.ProcessGuid", + to: "process.entity_id", + }, + { + from: "winlog.event_data.ProcessId", + to: "process.pid", + type: "long", + }, + { + from: "winlog.event_data.Image", + to: "process.executable", + }, ], mode: "rename", ignore_missing: true, @@ -711,14 +994,28 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 14 - Registry object renamed. var event14 = new processor.Chain() .Add(parseUtcTime) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, - {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.Image", to: "process.executable"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.ProcessGuid", + to: "process.entity_id", + }, + { + from: "winlog.event_data.ProcessId", + to: "process.pid", + type: "long", + }, + { + from: "winlog.event_data.Image", + to: "process.executable", + }, ], mode: "rename", ignore_missing: true, 
@@ -728,15 +1025,38 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 15 - File stream created. var event15 = new processor.Chain() .Add(parseUtcTime) + .AddFields({ + fields: { + "event.category": ["file"], + "event.type": ["access"], + }, + }) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, - {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.Image", to: "process.executable"}, - {from: "winlog.event_data.TargetFilename", to: "file.path"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.ProcessGuid", + to: "process.entity_id", + }, + { + from: "winlog.event_data.ProcessId", + to: "process.pid", + type: "long", + }, + { + from: "winlog.event_data.Image", + to: "process.executable", + }, + { + from: "winlog.event_data.TargetFilename", + to: "file.path", + }, ], mode: "rename", ignore_missing: true, @@ -747,11 +1067,15 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 16 - Sysmon config state changed. var event16 = new processor.Chain() .Add(parseUtcTime) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, ], mode: "rename", ignore_missing: true, 
@@ -760,15 +1084,38 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 17 - Pipe Created. var event17 = new processor.Chain() .Add(parseUtcTime) + .AddFields({ + fields: { + "event.category": ["file"], // pipes are files + "event.type": ["creation"], + }, + }) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, - {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.PipeName", to: "file.name"}, - {from: "winlog.event_data.Image", to: "process.executable"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.ProcessGuid", + to: "process.entity_id", + }, + { + from: "winlog.event_data.ProcessId", + to: "process.pid", + type: "long", + }, + { + from: "winlog.event_data.PipeName", + to: "file.name", + }, + { + from: "winlog.event_data.Image", + to: "process.executable", + }, ], mode: "rename", ignore_missing: true, 
@@ -778,15 +1125,38 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 18 - Pipe Connected. var event18 = new processor.Chain() .Add(parseUtcTime) + .AddFields({ + fields: { + "event.category": ["file"], // pipes are files + "event.type": ["access"], + }, + }) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, - {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.PipeName", to: "file.name"}, - {from: "winlog.event_data.Image", to: "process.executable"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.ProcessGuid", + to: "process.entity_id", + }, + { + from: "winlog.event_data.ProcessId", + to: "process.pid", + type: "long", + }, + { + from: "winlog.event_data.PipeName", + to: "file.name", + }, + { + from: "winlog.event_data.Image", + to: "process.executable", + }, ], mode: "rename", ignore_missing: true, @@ -796,11 +1166,15 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 19 - WmiEventFilter activity detected. var event19 = new processor.Chain() .Add(parseUtcTime) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, ], mode: "rename", ignore_missing: true, @@ -810,12 +1184,19 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 20 - WmiEventConsumer activity detected. var event20 = new processor.Chain() .Add(parseUtcTime) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.Destination", to: "process.executable"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.Destination", + to: "process.executable", + }, ], mode: "rename", ignore_missing: true, 
@@ -826,11 +1207,15 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 21 - WmiEventConsumerToFilter activity detected. var event21 = new processor.Chain() .Add(parseUtcTime) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, ], mode: "rename", ignore_missing: true, @@ -840,16 +1225,45 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 22 - DNSEvent (DNS query). var event22 = new processor.Chain() .Add(parseUtcTime) + .AddFields({ + fields: { + "event.category": ["network"], + "event.type": ["connection", "protocol", "info"], + }, + network: { + protocol: "dns", + }, + }) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, - {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.Image", to: "process.executable"}, - {from: "winlog.event_data.QueryName", to: "dns.question.name"}, - {from: "winlog.event_data.QueryStatus", to: "sysmon.dns.status"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.ProcessGuid", + to: "process.entity_id", + }, + { + from: "winlog.event_data.ProcessId", + to: "process.pid", + type: "long", + }, + { + from: "winlog.event_data.Image", + to: "process.executable", + }, + { + from: "winlog.event_data.QueryName", + to: "dns.question.name", + }, + { + from: "winlog.event_data.QueryStatus", + to: "sysmon.dns.status", + }, ], mode: "rename", ignore_missing: true, 
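Review bot: In the event 22 `AddFields`, `network: { protocol: "dns" }` sits beside `fields` rather than inside it, so it is presumably not among the fields the processor adds (the DNS golden output in the second patch gains `fields.event.*` but no `network.protocol`), and like most chains in this patch the step lacks `target: ""`, so even the categorization lands under `fields.event.*` instead of `event.*`. Move the protocol into the `fields` map as `"network.protocol": "dns"` and add `target: ""` next to it, mirroring the event 1 chain. The enclosing `sysmon` IIFE starts and ends outside this hunk.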
@@ -867,12 +1281,19 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 255 - Error report. var event255 = new processor.Chain() .Add(parseUtcTime) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.ID", to: "error.code"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.ID", + to: "error.code", + }, ], mode: "rename", ignore_missing: true, 
@@ -882,76 +1303,31 @@ var sysmon = (function () { .Build(); return { - // Event ID 1 - Process Create. 1: event1.Run, - - // Event ID 2 - File creation time changed. 2: event2.Run, - - // Event ID 3 - Network connection detected. 3: event3.Run, - - // Event ID 4 - Sysmon service state changed. 4: event4.Run, - - // Event ID 5 - Process terminated. 5: event5.Run, - - // Event ID 6 - Driver loaded. 6: event6.Run, - - // Event ID 7 - Image loaded. 7: event7.Run, - - // Event ID 8 - CreateRemoteThread detected. 8: event8.Run, - - // Event ID 9 - RawAccessRead detected. 9: event9.Run, - - // Event ID 10 - Process accessed. 10: event10.Run, - - // Event ID 11 - File created. 11: event11.Run, - - // Event ID 12 - Registry object added or deleted. 12: event12.Run, - - // Event ID 13 - Registry value set. 13: event13.Run, - - // Event ID 14 - Registry object renamed. 14: event14.Run, - - // Event ID 15 - File stream created. 15: event15.Run, - - // Event ID 16 - Sysmon config state changed. 16: event16.Run, - - // Event ID 17 - Pipe Created. 17: event17.Run, - - // Event ID 18 - Pipe Connected. 18: event18.Run, - - // Event ID 19 - WmiEventFilter activity detected. 19: event19.Run, - - // Event ID 20 - WmiEventConsumer activity detected. 20: event20.Run, - - // Event ID 21 - WmiEventConsumerToFilter activity detected. 21: event21.Run, - - // Event ID 22 - DNSEvent (DNS query). 22: event22.Run, - - // Event ID 255 - Error report. 255: event255.Run, - process: function(evt) { + process: function (evt) { var event_id = evt.Get("winlog.event_id"); var processor = this[event_id]; if (processor === undefined) { From 13e8b6b9d58ae09fa9ee4549bdc2536a4c3e9d7b Mon Sep 17 00:00:00 2001 
From: Andrew Stucki Date: Tue, 5 May 2020 02:24:18 -0400 Subject: [PATCH 2/4] Add registry and code signature information --- .../module/sysmon/config/winlogbeat-sysmon.js | 107 + .../testdata/sysmon-10.2-dns.evtx.golden.json | 1872 +++++++++++++++++ .../testdata/sysmon-9.01.evtx.golden.json | 334 ++- 3 files changed, 2297 insertions(+), 16 deletions(-) diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js index 955e6e84d1b..21db0a40509 100644 --- a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js +++ b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js 
@@ -464,6 +464,82 @@ var sysmon = (function () {
 ignore_missing: true,
 });

+ var setAdditionalSignatureFields = function (evt) {
+ var signed = evt.Get("winlog.event_data.Signed");
+ if (!signed) {
+ return;
+ }
+ evt.Put("file.code_signature.signed", true);
+ var signatureStatus = evt.Get("winlog.event_data.SignatureStatus");
+ evt.Put("file.code_signature.valid", signatureStatus === "Valid");
+ };
+
+ // https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-hives
+ var commonRegistryHives = {
+ HKEY_CLASSES_ROOT: "HKCR",
+ HKCR: "HKCR",
+ HKEY_CURRENT_CONFIG: "HKCC",
+ HKCC: "HKCC",
+ HKEY_CURRENT_USER: "HKCU",
+ HKCU: "HKCU",
+ HKEY_DYN_DATA: "HKDD",
+ HKDD: "HKDD",
+ HKEY_LOCAL_MACHINE: "HKLM",
+ HKLM: "HKLM",
+ HKEY_PERFORMANCE_DATA: "HKPD",
+ HKPD: "HKPD",
+ HKEY_USERS: "HKU",
+ HKU: "HKU",
+ };
+
+ var qwordRegex = new RegExp(/ab+c/, "i");
+ var dwordRegex = new RegExp(/DWORD \(()\)/, "i");
+
+ var setRegistryFields = function (evt) {
+ var path = evt.Get("winlog.event_data.TargetObject");
+ if (!path) {
+ return;
+ }
+ evt.Put("registry.path", path);
+ var pathTokens = path.split("\\");
+ var hive = commonRegistryHives[pathTokens[0]];
+ if (hive) {
+ evt.Put("registry.hive", hive);
+ pathTokens.splice(0, 1);
+ if (pathTokens.length > 0) {
+ evt.Put("registry.key", pathTokens.join("\\"));
+ }
+ }
+ var value = pathTokens[pathTokens.length - 1];
+ evt.Put("registry.value", value);
+ var data = evt.Get("winlog.event_data.Details");
+ if (!data) {
+ return;
+ }
+ // sysmon only returns details of a registry modification
+ // if it's a qword or dword
+ var dataType;
+ var dataValue;
+ var match = qwordRegex.exec(data);
+ if (match.length > 0) {
+ dataType = "SZ_QWORD";
+ dataValue = match[1];
+ } else {
+ match = dwordRegex.exec(data);
+ if (match.length > 0) {
+ dataType = "SZ_DWORD";
+ dataValue = match[1];
+ }
+ }
+ if (match.length > 0) {
+ var parsedValue = parseInt(dataValue);
+ if (!isNan(parsedValue)) {
+ evt.Put("registry.data.strings", 
[parsedValue]); + evt.Put("registry.data.type", dataType); + } + } + }; + // Event ID 1 - Process Create. var event1 = new processor.Chain() .Add(parseUtcTime) @@ -737,6 +813,20 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Convert({ + fields: [ + { + from: "winlog.event_data.Signature", + to: "file.code_signature.subject_name", + }, + { + from: "winlog.event_data.SignatureStatus", + to: "file.code_signature.status", + }, + ], + fail_on_error: false, + }) + .Add(setAdditionalSignatureFields) .Add(splitHashes) .Add(removeEmptyEventData) .Build(); @@ -778,6 +868,20 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Convert({ + fields: [ + { + from: "winlog.event_data.Signature", + to: "file.code_signature.subject_name", + }, + { + from: "winlog.event_data.SignatureStatus", + to: "file.code_signature.status", + }, + ], + fail_on_error: false, + }) + .Add(setAdditionalSignatureFields) .Add(setProcessNameUsingExe) .Add(splitHashes) .Add(removeEmptyEventData) @@ -959,6 +1063,7 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRegistryFields) .Add(setProcessNameUsingExe) .Add(removeEmptyEventData) .Build(); @@ -990,6 +1095,7 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRegistryFields) .Add(setProcessNameUsingExe) .Add(removeEmptyEventData) .Build(); @@ -1021,6 +1127,7 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRegistryFields) .Add(setProcessNameUsingExe) .Add(removeEmptyEventData) .Build(); diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-10.2-dns.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-10.2-dns.evtx.golden.json index 72d09fa2971..52fc0fe7f22 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-10.2-dns.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-10.2-dns.evtx.golden.json 
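Review bot: The new `Convert` step in the event 6 chain (and its twin in the event 7 hunk) omits the `mode: "rename"` and `ignore_missing: true` that every other `Convert` in this file sets, so `Signature` and `SignatureStatus` are copied rather than moved and remain under `winlog.event_data`, where `removeEmptyEventData` will never prune them. That looks deliberate, since `setAdditionalSignatureFields` is chained right after and reads `winlog.event_data.SignatureStatus`, but nothing says so; a one-line comment on the step — `// copy, not rename: setAdditionalSignatureFields still reads SignatureStatus from event_data` — would stop the next reader from "fixing" it to rename. If the duplication is not wanted, have the helper read `file.code_signature.status` instead and switch this step to `mode: "rename"`. The event 6 chain begins before this hunk.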
@@ -30,6 +30,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -101,6 +113,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -173,6 +197,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -249,6 +285,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -320,6 +368,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -398,6 +458,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -465,6 +537,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -541,6 +625,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -604,6 +700,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -683,6 +791,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -794,6 +914,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -861,6 +993,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -932,6 +1076,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -1008,6 +1164,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -1071,6 +1239,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -1148,6 +1328,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -1219,6 +1411,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -1290,6 +1494,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -1388,6 +1604,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -1466,6 +1694,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -1589,6 +1829,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -1700,6 +1952,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -1816,6 +2080,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -1897,6 +2173,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -2015,6 +2303,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -2136,6 +2436,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -2203,6 +2515,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -2315,6 +2639,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -2386,6 +2722,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -2498,6 +2846,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -2565,6 +2925,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -2632,6 +3004,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -2738,6 +3122,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -2833,6 +3229,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -2900,6 +3308,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -3002,6 +3422,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -3119,6 +3551,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -3237,6 +3681,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -3304,6 +3760,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -3421,6 +3889,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -3532,6 +4012,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -3599,6 +4091,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -3662,6 +4166,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -3742,6 +4258,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -3849,6 +4377,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -3960,6 +4500,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -4035,6 +4587,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -4153,6 +4717,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -4229,6 +4805,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -4325,6 +4913,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -4396,6 +4996,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -4463,6 +5075,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -4517,6 +5141,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -4571,6 +5207,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -4683,6 +5331,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -4759,6 +5419,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -4826,6 +5498,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -4938,6 +5622,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -5014,6 +5710,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -5126,6 +5834,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -5193,6 +5913,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -5275,6 +6007,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -5357,6 +6101,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -5425,6 +6181,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -5537,6 +6305,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -5655,6 +6435,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -5773,6 +6565,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -5885,6 +6689,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -5961,6 +6777,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -6043,6 +6871,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -6110,6 +6950,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -6222,6 +7074,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -6344,6 +7208,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -6455,6 +7331,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -6526,6 +7414,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -6643,6 +7543,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -6714,6 +7626,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -6831,6 +7755,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -6943,6 +7879,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -7033,6 +7981,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -7151,6 +8111,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -7243,6 +8215,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -7306,6 +8290,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -7418,6 +8414,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -7500,6 +8508,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -7563,6 +8583,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -7675,6 +8707,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -7788,6 +8832,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -7880,6 +8936,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -7992,6 +9060,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -8093,6 +9173,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -8194,6 +9286,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -8316,6 +9420,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -8429,6 +9545,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -8535,6 +9663,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -8647,6 +9787,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -8759,6 +9911,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -8830,6 +9994,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -8940,6 +10116,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -9011,6 +10199,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -9093,6 +10293,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -9165,6 +10377,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -9237,6 +10461,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -9308,6 +10544,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -9380,6 +10628,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -9447,6 +10707,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -9523,6 +10795,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -9594,6 +10878,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -9669,6 +10965,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -9740,6 +11048,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -9811,6 +11131,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -9882,6 +11214,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -10000,6 +11344,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -10082,6 +11438,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -10155,6 +11523,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -10268,6 +11648,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -10331,6 +11723,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -10402,6 +11806,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -10519,6 +11935,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -10586,6 +12014,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -10657,6 +12097,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -10772,6 +12224,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -10893,6 +12357,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -10964,6 +12440,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -11081,6 +12569,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -11199,6 +12699,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -11312,6 +12824,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -11420,6 +12944,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -11538,6 +13074,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -11865,6 +13413,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -11997,6 +13557,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -12064,6 +13636,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -12139,6 +13723,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -12193,6 +13789,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -12264,6 +13872,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -12382,6 +14002,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -12500,6 +14132,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -12571,6 +14215,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -12683,6 +14339,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -12795,6 +14463,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -12906,6 +14586,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13006,6 +14698,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13077,6 +14781,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13148,6 +14864,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -13260,6 +14988,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13343,6 +15083,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13461,6 +15213,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13528,6 +15292,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13599,6 +15375,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13666,6 +15454,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13720,6 +15520,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13773,6 +15585,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -13826,6 +15650,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13901,6 +15737,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13968,6 +15816,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -14069,6 +15929,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json index b083f5aba41..3608a7889ed 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json @@ -44,6 +44,16 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "process" + ], + "type": [ + "change" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -81,12 +91,17 @@ { "@timestamp": "2019-03-18T16:57:37.949Z", "event": { - "category": "process", + "category": [ + "process" + ], "code": 1, "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", - "type": "process_start" + "type": [ + "start", + "process_start" + ] }, "hash": { "sha1": "ac93c3b38e57a2715572933dbcb2a1c2892dbc5e" 
@@ -158,12 +173,17 @@ { "@timestamp": "2019-03-18T16:57:37.964Z", "event": { - "category": "process", + "category": [ + "process" + ], "code": 1, "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", - "type": "process_start" + "type": [ + "start", + "process_start" + ] }, "hash": { "sha1": "6df8163a6320b80b60733f9d62e2f39b4b16b678" @@ -238,12 +258,17 @@ { "@timestamp": "2019-03-18T16:57:38.981Z", "event": { - "category": "process", + "category": [ + "process" + ], "code": 5, "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", - "type": "process_end" + "type": [ + "end", + "process_end" + ] }, "host": { "name": "vagrant-2012-r2" @@ -283,12 +308,17 @@ { "@timestamp": "2019-03-18T16:57:38.981Z", "event": { - "category": "process", + "category": [ + "process" + ], "code": 5, "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", - "type": "process_end" + "type": [ + "end", + "process_end" + ] }, "host": { "name": "vagrant-2012-r2" @@ -328,12 +358,17 @@ { "@timestamp": "2019-03-18T16:57:39.012Z", "event": { - "category": "process", + "category": [ + "process" + ], "code": 1, "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", - "type": "process_start" + "type": [ + "start", + "process_start" + ] }, "hash": { "sha1": "5a4c0e82ff95c9fb762d46a696ef9f1b68001c21" @@ -417,6 +452,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -479,6 +526,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, 
@@ -542,6 +601,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -605,6 +676,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -668,6 +751,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -735,6 +830,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -800,6 +907,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -863,6 +982,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -925,6 +1056,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -990,6 +1133,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, 
@@ -1055,6 +1210,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -1117,6 +1284,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -1179,6 +1358,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -1245,6 +1436,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -1311,6 +1514,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -1377,6 +1592,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -1434,12 +1661,17 @@ { "@timestamp": "2019-03-18T16:57:52.35Z", "event": { - "category": "process", + "category": [ + "process" + ], "code": 5, "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", - "type": "process_end" + "type": [ + "end", + "process_end" + ] }, "host": { "name": "vagrant-2012-r2" 
@@ -1479,12 +1711,17 @@ { "@timestamp": "2019-03-18T16:57:52.364Z", "event": { - "category": "process", + "category": [ + "process" + ], "code": 5, "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", - "type": "process_end" + "type": [ + "end", + "process_end" + ] }, "host": { "name": "vagrant-2012-r2" @@ -1529,6 +1766,16 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "file" + ], + "type": [ + "change" + ] + } + }, "file": { "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\fe823684-c940-49f2-a940-14b02cbafba9.tmp" }, @@ -1579,6 +1826,16 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "file" + ], + "type": [ + "change" + ] + } + }, "file": { "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\162d4140-cfab-4d05-9c92-bca60515a622.tmp" }, @@ -1629,6 +1886,16 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "file" + ], + "type": [ + "change" + ] + } + }, "file": { "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp" }, @@ -1679,6 +1946,16 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "file" + ], + "type": [ + "change" + ] + } + }, "file": { "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\37ed32e9-3c5f-4663-8457-c70743e9456d.tmp" }, @@ -1724,12 +2001,17 @@ { "@timestamp": "2019-03-18T16:57:52.433Z", "event": { - "category": "process", + "category": [ + "process" + ], "code": 5, "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", - "type": "process_end" + "type": [ + "end", + "process_end" + ] }, "host": { "name": "vagrant-2012-r2" 
@@ -1774,6 +2056,16 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "file" + ], + "type": [ + "change" + ] + } + }, "file": { "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def\\ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp" }, @@ -1824,6 +2116,16 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "file" + ], + "type": [ + "change" + ] + } + }, "file": { "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp" }, From d0942ce45ee1f9e2620ddf919624ba6aac84473a Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Tue, 5 May 2020 02:27:43 -0400 Subject: [PATCH 3/4] Add changelog entry --- CHANGELOG.next.asciidoc | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index b3eaf0a08dc..5a9c6ec6b57 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -385,6 +385,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add experimental event log reader implementation that should be faster in most cases. {issue}6585[6585] {pull}16849[16849] - Set process.command_line and process.parent.command_line from Sysmon Event ID 1. {pull}17327[17327] - Add support for event IDs 4673,4674,4697,4698,4699,4700,4701,4702,4768,4769,4770,4771,4776,4778,4779,4964 to the Security module {pull}17517[17517] +- Add registry and code signature information and ECS categorization fields for sysmon module {pull}18058[18058] ==== Deprecated From 112c17b04e784eb8d81e57d1244bee2fc71421fd Mon Sep 17 00:00:00 2001 
From: Andrew Stucki
Date: Tue, 5 May 2020 10:53:53 -0400
Subject: [PATCH 4/4] Add baseline registry event json
---
 .../module/sysmon/config/winlogbeat-sysmon.js | 32 +-
 .../test/testdata/sysmon-11-registry.evtx | Bin 0 -> 69632 bytes
 .../sysmon-11-registry.evtx.golden.json | 289 ++++++++++++++++++
 3 files changed, 307 insertions(+), 14 deletions(-)
 create mode 100644 x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx
 create mode 100644 x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json
diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
index 21db0a40509..2e449580d87 100644
--- a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
+++ b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
@@ -492,8 +492,8 @@ var sysmon = (function () {
 HKU: "HKU",
 };
- var qwordRegex = new RegExp(/ab+c/, "i");
- var dwordRegex = new RegExp(/DWORD \(()\)/, "i");
+ var qwordRegex = new RegExp(/QWORD \(((0x\d{8})-(0x\d{8}))\)/, "i");
+ var dwordRegex = new RegExp(/DWORD \((0x\d{8})\)/, "i");
 var setRegistryFields = function (evt) {
 var path = evt.Get("winlog.event_data.TargetObject");
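Review bot: The new `qwordRegex` and `dwordRegex` use `\d{8}`, which matches only decimal digits, so any `Details` value whose hexadecimal digits include a–f (for example `DWORD (0x0000000A)`) never matches and `registry.data` is silently left unset for that event. Since the `i` flag is already set, `[0-9a-f]{8}` covers both cases: `var qwordRegex = new RegExp(/QWORD \(((0x[0-9a-f]{8})-(0x[0-9a-f]{8}))\)/, "i");` and `var dwordRegex = new RegExp(/DWORD \((0x[0-9a-f]{8})\)/, "i");`. The golden fixture added in this commit only exercises `0x00000004` and `0x00000005`, so the gap is not caught by the test. A one-line comment above the patterns naming the input they expect, e.g. `// Sysmon "Details" formats seen in the fixture: "DWORD (0x00000004)" and "QWORD (0x00000000-0x00000005)"`, would also help the next reader; `setRegistryFields` continues outside the hunk.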
@@ -521,22 +521,26 @@ var sysmon = (function () {
 var dataType;
 var dataValue;
 var match = qwordRegex.exec(data);
- if (match.length > 0) {
- dataType = "SZ_QWORD";
- dataValue = match[1];
+ if (match && match.length > 0) {
+ var parsedHighByte = parseInt(match[2]);
+ var parsedLowByte = parseInt(match[3]);
+ if (!isNaN(parsedHighByte) && !isNaN(parsedLowByte)) {
+ dataValue = "" + ((parsedHighByte << 8) + parsedLowByte);
+ dataType = "SZ_QWORD";
+ }
 } else {
 match = dwordRegex.exec(data);
- if (match.length > 0) {
- dataType = "SZ_DWORD";
- dataValue = match[1];
+ if (match && match.length > 0) {
+ var parsedValue = parseInt(match[1]);
+ if (!isNaN(parsedValue)) {
+ dataType = "SZ_DWORD";
+ dataValue = "" + parsedValue;
+ }
 }
 }
- if (match.length > 0) {
- var parsedValue = parseInt(dataValue);
- if (!isNan(parsedValue)) {
- evt.Put("registry.data.strings", [parsedValue]);
- evt.Put("registry.data.type", dataType);
- }
+ if (dataType) {
+ evt.Put("registry.data.strings", [dataValue]);
+ evt.Put("registry.data.type", dataType);
+ }
 };
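Review bot: `(parsedHighByte << 8) + parsedLowByte` reconstructs the QWORD incorrectly: each captured half is eight hex digits (32 bits), so the high half has to be scaled by 2^32, and a 32-bit `<<` cannot express that anyway — `QWORD (0x00000001-0x00000000)` currently yields "256" instead of "4294967296". Use multiplication and pass the radix explicitly: `var parsedHighByte = parseInt(match[2], 16);`, `var parsedLowByte = parseInt(match[3], 16);`, `dataValue = "" + (parsedHighByte * 4294967296 + parsedLowByte);`. Values at or above 2^53 still lose precision in a JS Number, so if exactness matters the original hex text should be kept alongside the decimal string in `registry.data.strings`. The `match.length > 0` checks are redundant once `match &&` is in place, since `exec` returns null or a non-empty array, and the new fixture only covers a QWORD whose high half is zero, so the scaling error is not caught. `setRegistryFields` begins outside the hunk.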
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx new file mode 100644 index 0000000000000000000000000000000000000000..6e17bee603d030f05cac959bda33f3a2441e90b3 GIT binary patch literal 69632 zcmeHQ3v^Z0ncny2=0Si2Y7rE%0kk|6NJ4-lJ|N_w4)Tyk1x)LtCP*YCDG3jSLJBJA za*8_3DQ#!EkUj?2preemjE*gXj~45*YhY@9F{{*y(j~SqWo&Kc`}W!Y%{@2w#!14- zEbsdFT_@+9efBy3f4^`4|Ni$r`|eaWEUT(-s59{?!)3H#A2Mmi3<|{;>Gk=yMrWSi z>xbwA6ahs*5l{pa0YyL&Py`eKML-cy1QY>9;1dz3Y*<#lym1Bk_+CnP`}p%V+P~zQ)|IuTSe+7mix|?45gnKr*fsPUG zi~rG;-z5Ve5cqB6EsN7!ZV+Udro)1PgmtX@AQ!} zuVuO=A{yBLnk3;>}FZs*VA3Xo+b0<&V ziEqMEWrNLaIOG>(dSXDjsWfX$ooO_!INypb;}&=E-*VHz{7Gglt~Fv`X!7wX!co2{#^1WA z_!i$;IMm+$Jh&3xnigi51?E;fxz$QECS2Cuz65#+qaUu%GV`qTHIP+{Qmb%vDz+-A zjI$nym^n~(B`zA1lVd^|i(P#fHzZ=NGOO*KxRh&h)5_A!Y!tiAl{j6K83WcerUKW- zV9Q{Y<73ACD%)I#N7MkadVKwQs{*0RiI|LVPMXPxg!-FN$dH;otY4=2f-6=Jq#AK8 zoYUV#BH;K!oJbX~eJR~si-P2;!4@(s6gC&&?@A(Mv_ngG)y z7iO5bAds{WB8m&~N$KVyoQUPz@^Y4$h0C{swW-3*BU_IWtD&pq+7ulI-0 zdW&f}iq=5^QdEmF79Ls=>(u4zvwaN8O@JrE3{DGWqqcPTlB%?UF=)@n1F14K@sJPa zWSea2atCe_hp_AS{Y|+oMm-v=CIV|U%2ic43(x*A+mzvntx%k`r4`@Qdu~pq$<3fs zAnjA09c(DtdlJ7>lA8vyy0o{igbZ;a`}g(37g%Q%Uu^|>^j=Lpz^0)t+5g$k)!Ca+ zumvBdMV86Rplc~$7+#IUUDlXofm(^GK;=AJ38#lL0Y{Cw8M63{Rzrkm;zn`3J11s=M3S)@Wjx@F z`5a1Qh!!FJ&xdrTb9YT z<#4;r&&SyylWVTVeq7o}lo^PROKm$c&avKb-4J6MK;CWH-jy&+fGM4#XG3Sdi<)4r zM_wbiZ9-*lF%w)RU5WEXb7OJy_2Um7E&s{28K>*F|LL{v-apA&8=;_8cy*Ef!E@PZ zPoDqJ;`n)7bzkG5Sx@a<+oA&jIM_k{;SE0(|5 zl}DH%PtOGPtw30eJ3KJ#m7UPMhq=^3A5<2WAL(SU zwzzMbjw;CJ>1L~Ux~Iz|SB~XfxdGO3uCnD?!P%G1Ex3aYB0Mmoi*H+jQiQl3h_;|? 
zCd#tvf)HC-LvU(drDg7=INpryB5bT@y!Q*Zy8(>U*`|@r;{E=hN`F z2v;WJxY(4K#!2&Ucx3HkU%C{mvUcnT3*{(N9ao>LQTOWX_o{`KY?AA&SGpPwei2G9 zfTRL!lvrqw3Ls@FiyF`mryu6=aP(Iw)C< zWV_gmTF(ZZzHuU4+G1?~Uv;vxSMO{^<+jD6zEUGs!QwrSUTs_Y*l$!FZ34?siscx% zR-5&((MmJZRN*rP#}%-aGMiV3qax&To8at>wp4;oA#99SXnVBCO5F2RJdLr=YO7B* zu$ym|V!IJu^(wOj<>zCog6+&i>6y@=(c0jxu(pndA)od{yV?z-vYrIgz4^_11GKBA zP`q7<9gAIU`t;kCc>2<_WLKYNPhW^$QP-Z{YxCm${}k*0oxQPsvYzflB}D*h(>al! z-4&ewU(w0`PYrwWq@Hg6^w(4R|DC<^|5M?;i_vlytN)K_(fZ#1uSX=u=xZ+aj1w8N z6~OX}kjs{(5czClN^tJQmyGeQLo1PwdkS&q0<;{3xXPA=t#T{2ub``OGZT`U=+4uI@v-s>LJ3cAH zsh!6v79pzR5EkvV1@T=2`mr3Z;-D;hm#ffcFUL8@A{n=C+Iv@R`Gz|ek1*LaPmZ5< zL+8l1_cD@=c?<~E6f~W<6{8L8zzsvo!vP%jf>+@ia9pMiQ7i|KITr2Gfsp4{xJMVz zrn=!@U32KfVK?r5-^jAxor|tUqJAF*$;c9l*iofKBTEaR3`dq4u%B!gpH9OEBE49n zO(ZT_zP0(#31hz7!2RJ+Ge+$%zyOwLX3&%}{h!C0QkOpu2t(f3F1&)hbH`@t!%qgt zU%BOPhM5t=pGdUi;16iCiToV^f1+86^EYGc;IY#&6ujVptY55W^dAGf zEVDKAlaX5k_WM_uD`NbHNSyIr(*w^yi$^C{z4Q?@qTgta(JaO5Sufjd)FzuQe{JoM zZ2|LFh%OBMgdHPj6NyfNsGoQgKH^<$qFIXbSM)chcND-U(s_#CPv-9(RJ1#>zZ{o$ zXwE%>^XIoek(h|TVstY_vlQpAm-d(I;2U*a@cb2HAfdzlL}D`jL^I_t+V3HFNU`?E zo(t3Ag~9W8rMWVOKauFk?}(e}KWTrWnerFq&p{>porKTzW;Gb|!Q(Fn=s#}?vEMoz zA66kRP8Nw&>Q9@DIeEih9$14*nC$N1ya+e1AO|B)GFhVq z?*zSfgf)n^Ih%+xDQuiw;O=Au?e2`7{?vjuc9hwSk9S|#yRXvSH?8Bop@_^m9j`S; zGT*e`jCU~Jj2%w*X^fenk%oy>kxqR=PQFPNBkV)J05!-w`qNo|_z2YsiS=CK1&+ip z9on_@+@Rw<|2U0Er1bduz5#5CW+`6ZyAv-YXm7mPR>s`$wWVu==FcCmi$wCrgl?8i zdvI_Rn`oBe{Pi+k$JB3|em|xraQ^)9x=3^i`1m^j`xDJloWJhapMy%`1@1Y1!t{@0 zgXhm5?}OC(YOwtq*9ny&p3G@}1}1N@0* z%3oLfaXu^4$4mN}Kaoi3iTD%El)or{aq-J9aXyUjAq}1VV1V{_m3=Sa?{A4jN{{F7 z4D3%dOL6|BzZL(UsjEIk4Sdrt0Nb2nFWOErAw(jd(y!n<3#QT^9bOl7TQ`M=kBv+DyAY;_7nh%RcfkDl;~J4j>GZ1ycKdA~6}CqFIXb*~@V@z8hew`{fIP z^XHFeM4~6(Z;z+&qF*#iasIj!k2sxSM9wS(; zWWhI7Rs4N)bae_@i-Kc6T$F%wjqREfzEveSgO#gFL|2bs23L;=V~&hnDS{bXP9U7) z)`egO*M*3#0Kp8d01;j1fy!{X04tK~ILJy3EXh@0qN^}aeXhb_)#u6v(RCDZ+}a2% z!L<==3I0MoN7guyl??b$u4E8hv4Eo`T(Ka@x&(aEc3igF?ZrXPC#*97sCzgY+~0ai 
zeZ%8yLMPIuJb2!n*rZ;jxb^m+^+eANRZ_-tMmgNBT=YQ#`z5{ni2yfQDWc~L`rA*D z=oE;)ry_$dU_3xHOK}E!*?x|8@NKz1c>et30U|LOf1;W47i~Y$)-c7!KNopf=IuV< z&maGYM5lny{$7FoiDt@Qls^ZR@W*lSi(Ot`+t52Y$3JJweEYn)(&Nt`*N8+`u-HWYzK6*hqM7p7m0um}pqqC8 z)BE;B$62Lc8KhqoiRNT`*(qo-@6yr3xbg-0`!imUie@R!Ur+q%$5=h^i-7DOzBj}= zO~;}5Rqn^Ryu6l&-g&f7c@>GmYyN}|UWcLoDw-*;oqh*i0(kf{gZ~+H&>CX`UdOw< zH~;1RVf*@&SCJ^Z&MSR;sMzaKIAPIDdF{mODGUT~I`7u>-PRZr@Op{Mdt_eQU;S&J z@+uOA*FjS{c-??WtfHCn+KJa2;b>{EpWAiZ8e<%yLxu)r*h(;|3y; z3h;*u%_SXv_+HqnXqMuZf+CPz)XnY_Gt+r^U{6+cmsPfq#f33+>GInm@ z{Q28Ik(h|TJiI>@&6K~c_$&12Gr1dnnDJfT|IgsOfwMKflgR!=Vj}*IL9l41{6+ao z(Ed$!{GHx*NmkJO`Rz|6KK1WsHtx<&Ge_FFKN8~j9PLjuQ~r|i$8oqK$KQL$FFYO` ze~I2(iA3qw-@9}`bi8I5rg4a7Db8O{##c|_wccEixB0G(b}+_qDC4V)Pp7!N!^6M$ z-|qzMSN$_`M50q5`aZcBHn|&{XqMuetJaYSM={zNn7 zFUp^TD%O9NxV+2{ZVTLh`r}fOn20~l#}UnxzbJpOHzwhaaZIU~WgdI+`vLNoC@vL= zP61#0cM|-GW+~2JPvTO}r{dPde5%VFtXIAD<4wQq)3{V5#`8K1{lz`lM6(p=@kyX2j2^xKYv^*5|i;K znkj$D+C|#ml@7j~4}<5=AD4>6Wc-O{%3qW}2bK6w#x>Jj-kW!Z+k$KV62&zlF%f_J z;Xg&Q6z4CXxMqffb@`Z_0C`RH9#|wM;+5^9XqMu-}Z~XraU2po`CT|BVc4|eqqjGo2#i;+UA!E9c!;(?$un&tk>dZ1`H2U{bnv9KoL*`6ahs*5l{pa0YyL&Py`eKML-cy z1QY>9KoL*`6ahs*5l{pa0YyL&Py`eKML-cy1QY>9KoL*`6ahs*5l{pa0YyL&Py`eK zML-cy1QY>9KoL*`6ahs*5l{pa0YyL&Py`eKML-cy1QY>9KoL*`6ahs*5l{pa0YyL& zPy`eKML-cy1QY>9KoL*`6ahs*5l{pa0YyL&Py`eKML-cy1QY>9KoL*`6ahs*5l{pa O0YyL&Pz3rIf&T@pVFDHa literal 0 HcmV?d00001 diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json new file mode 100644 index 00000000000..8fc9f23662e --- /dev/null +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json 
@@ -0,0 +1,289 @@ +[ + { + "@timestamp": "2020-05-05T14:57:40.589Z", + "event": { + "code": 13, + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{5b522f6e-77ae-5eb1-2c03-000000000800}", + "executable": "C:\\Windows\\regedit.exe", + "name": "regedit.exe", + "pid": 6072 + }, + "registry": { + "data": { + "strings": [ + "4" + ], + "type": "SZ_DWORD" + }, + "hive": "HKU", + "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1", + "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1", + "value": "Key 1" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "Details": "DWORD (0x00000004)", + "EventType": "SetValue", + "RuleName": "-", + "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1" + }, + "event_id": 13, + "process": { + "pid": 5496, + "thread": { + "id": 876 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 2682, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 2 + } + }, + { + "@timestamp": "2020-05-05T14:57:44.714Z", + "event": { + "code": 13, + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{5b522f6e-7554-5eb1-6d00-000000000800}", + "executable": "C:\\Windows\\Explorer.EXE", + "name": "Explorer.EXE", + "pid": 4320 + }, + "registry": { + "hive": "HKU", + "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + 
"path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "value": "HRZR_PGYFRFFVBA" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "Details": "Binary Data", + "EventType": "SetValue", + "RuleName": "-", + "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA" + }, + "event_id": 13, + "process": { + "pid": 5496, + "thread": { + "id": 876 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 2686, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 2 + } + }, + { + "@timestamp": "2020-05-05T14:57:44.714Z", + "event": { + "code": 13, + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{5b522f6e-77ae-5eb1-2c03-000000000800}", + "executable": "C:\\Windows\\regedit.exe", + "name": "regedit.exe", + "pid": 6072 + }, + "registry": { + "data": { + "strings": [ + "5" + ], + "type": "SZ_QWORD" + }, + "hive": "HKU", + "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2", + "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2", + "value": "Key 2" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "Details": "QWORD (0x00000000-0x00000005)", + "EventType": "SetValue", + "RuleName": "-", + "TargetObject": 
"HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2" + }, + "event_id": 13, + "process": { + "pid": 5496, + "thread": { + "id": 876 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 2687, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 2 + } + }, + { + "@timestamp": "2020-05-05T14:57:46.808Z", + "event": { + "code": 13, + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{5b522f6e-7554-5eb1-6d00-000000000800}", + "executable": "C:\\Windows\\Explorer.EXE", + "name": "Explorer.EXE", + "pid": 4320 + }, + "registry": { + "hive": "HKU", + "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr", + "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr", + "value": "ertrqvg.rkr" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "Details": "Binary Data", + "EventType": "SetValue", + "RuleName": "-", + "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr" + }, + "event_id": 13, + "process": { + "pid": 5496, + "thread": { + "id": 876 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": 
"Microsoft-Windows-Sysmon", + "record_id": 2690, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 2 + } + }, + { + "@timestamp": "2020-05-05T14:57:46.808Z", + "event": { + "code": 13, + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{5b522f6e-7554-5eb1-6d00-000000000800}", + "executable": "C:\\Windows\\Explorer.EXE", + "name": "Explorer.EXE", + "pid": 4320 + }, + "registry": { + "hive": "HKU", + "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "value": "HRZR_PGYFRFFVBA" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "Details": "Binary Data", + "EventType": "SetValue", + "RuleName": "-", + "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA" + }, + "event_id": 13, + "process": { + "pid": 5496, + "thread": { + "id": 876 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 2691, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 2 + } + } +] \ No newline at end of file