From e4cc937ece77d0003678a4e3d79e0126f38a958c Mon Sep 17 00:00:00 2001
From: Phill Moore
Date: Thu, 5 Sep 2024 13:14:50 +1000
Subject: [PATCH 1/2] add image to executableinfo

---
 ...ows-Sysmon-Operational_Microsoft-Windows-Sysmon_3.map | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_3.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_3.map
index 48b2d68e..99a4032b 100644
--- a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_3.map
+++ b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_3.map
@@ -57,6 +57,13 @@ Maps:
 -
 Name: User
 Value: "/Event/EventData/Data[@Name=\"User\"]"
+ - Property: ExecutableInfo
+ PropertyValue: "%Image%"
+ Values:
+ - Name: Image
+ Value: "/Event/EventData/Data[@Name=\"Image\"]"

 # Documentation:
 # https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#events
@@ -104,4 +111,4 @@ Maps:
 # 49304
 #
 #
-#
+#
\ No newline at end of file

From 40a9532736d0222ac5c25ed3c52b5dfd1208f05e Mon Sep 17 00:00:00 2001
From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com>
Date: Thu, 5 Sep 2024 09:43:31 -0400
Subject: [PATCH 2/2] Update Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_3.map

add newline
---
 ...ft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_3.map | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_3.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_3.map
index 99a4032b..b1ee0b03 100644
--- a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_3.map
+++ b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_3.map
@@ -111,4 +111,4 @@ Maps:
 # 49304
 #
 #
-#
\ No newline at end of file
+#
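Review bot: The new `ExecutableInfo` entry in the first hunk of PATCH 1/2 is undocumented — it sets the column to `%Image%` without saying what that value is, and the file's existing `# Documentation:` block only links to the Sysmon reference. I would add, directly above the `Property: ExecutableInfo` line, `# ExecutableInfo: Image of the process that made the network connection (Sysmon EID 3; as I recall this event carries no CommandLine). This is the path as reported by Sysmon, not a hash or signature, so a masquerading binary is not distinguishable from this column alone — correlate with the EID 1 record for the same ProcessGuid for Hashes/CommandLine.` What EvtxECmd renders when an event's `Image` data element is absent or `<unknown process>` (empty cell or the literal token) depends on the substitution code, which is not visible here, so an analyst-facing note should not promise either. The `Maps:` list this entry extends starts before the hunk, and the trailing-newline change in the second hunk is already reverted by PATCH 2/2.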