From 6841db2f349579270e223463012fe62824fbe392 Mon Sep 17 00:00:00 2001
From: "sekoia-io-cross-repo-comm-app[bot]"
Date: Tue, 7 Nov 2023 13:52:22 +0000
Subject: [PATCH] Refresh intakes documentation

---
 .../c10307ea-5dd1-45c6-85aa-2a6a900df99b.md | 1183 ++++++++++++++++-
 1 file changed, 1167 insertions(+), 16 deletions(-)

diff --git a/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b.md b/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b.md
index 9b6a192fca..e2d06fa7a5 100644
--- a/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b.md
+++ b/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b.md
@@ -264,7 +264,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ```json { - "message": "{\n \"fields.gdp-redis\": \"3\",\n \"message\": \"File created:\\nRuleName: technique_id=T1047,technique_name=File System Permissions Weakness\\nUtcTime: 2023-10-19 11:22:01.885\\nProcessGuid: {abcdef01-2345-6789-abcd-000000000000}\\nProcessId: 4504\\nImage: C:\\\\WINDOWS\\\\system32\\\\svchost.exe\\nTargetFilename: C:\\\\Windows\\\\System32\\\\WinBioDatabase\\\\ABCD1234-E5F6-1234-ABCD-0123456789EF.ABC~DE123abcde.TMP\\nCreationUtcTime: 2023-10-19 11:22:01.885\\nUser: USER\\\\Syst\u00e8me\",\n \"fields\": {\n \"gdp-version-winlogbeat\": 3.4,\n \"gdp-sousparc\": \"prod\",\n \"gdp-version\": \"2.8\",\n \"gdp-parc\": \"defaut\",\n \"gdp-config\": \"desktop\",\n \"gdp-version-sysmon\": 15,\n \"gdp-indice\": [\n \"l-desk\",\n \"l-desk\"\n ]\n },\n \"@version\": \"1\",\n \"log\": {\n \"level\": \"information\"\n },\n \"type\": \"R3\",\n \"agent\": {\n \"id\": \"001234567-abcd-ef01-2345-6789abcdef01\",\n \"ephemeral_id\": \"a0b1c2d3-0123-4567-abcd-e4f5a6b7c8d9\",\n \"name\": \"WB-DK-PC01234567\",\n \"type\": \"winlogbeat\",\n \"version\": \"8.8.2\"\n },\n \"event\": {\n \"provider\": \"Microsoft-Windows-Sysmon\",\n \"action\": \"File created (rule: FileCreate)\",\n \"created\": \"2023-10-19T11:22:03.054Z\",\n \"kind\": \"event\",\n \"code\": \"11\"\n },\n \"event_ingest_logstash\": \"2023-10-19T11:22:03.810843Z\",\n \"fields.gdp-logstash\": \"6\",\n \"winlog\": {\n \"process\": {\n \"thread\": {\n \"id\": 7408\n },\n \"pid\": 4524\n },\n \"user\": {\n \"name\": \"Syst\u00e8me\",\n \"type\": \"Well Known Group\",\n \"identifier\": \"S-1-2-3\",\n \"domain\": \"USER\"\n },\n \"event_id\": \"11\",\n \"api\": \"wineventlog\",\n \"record_id\": 5103594,\n \"provider_name\": \"Microsoft-Windows-Sysmon\",\n \"version\": 2,\n \"provider_guid\": \"{a0b1c2d3-1234-abcd-e4f5-0123456789ab}\",\n \"task\": \"File created (rule: FileCreate)\",\n \"channel\": 
\"Microsoft-Windows-Sysmon/Operational\",\n \"event_data\": {\n \"TargetFilename\": \"C:\\\\Windows\\\\System32\\\\WinBioDatabase\\\\ABCD1234-E5F6-1234-ABCD-0123456789EF.ABC~DE123abcde.TMP\",\n \"UtcTime\": \"2023-10-19 11:22:01.885\",\n \"User\": \"USER\\\\Syst\u00e8me\",\n \"ProcessId\": \"4504\",\n \"ProcessGuid\": \"{abcdef01-2345-6789-abcd-000000000000}\",\n \"Image\": \"C:\\\\WINDOWS\\\\system32\\\\svchost.exe\",\n \"CreationUtcTime\": \"2023-10-19 11:22:01.885\",\n \"RuleName\": \"technique_id=T1047,technique_name=File System Permissions Weakness\"\n },\n \"computer_name\": \"PC01234567.company.com\",\n \"opcode\": \"Informations\"\n },\n \"ecs\": {\n \"version\": \"8.0.0\"\n },\n \"host\": {\n \"id\": \"a0b1c2d3-0123-abcd-0a1b-abcd0123ef45\",\n \"name\": \"PC01234567\",\n \"mac\": [\n \"00:11:22:33:44:55\",\n \"AA:BB:CC:DD:EE:FF\",\n \"A0:B1:C2:D3:E4:F5\",\n \"66:77:88:99:00:11\",\n \"01:23:45:67:89:AB\",\n \"AB:CD:EF:01:23:45\"\n ],\n \"hostname\": \"PC01234567\",\n \"os\": {\n \"name\": \"Windows 10 Enterprise\",\n \"platform\": \"windows\",\n \"version\": \"10.0\",\n \"kernel\": \"10.0.19041.3448 (WinBuild.160101.0800)\",\n \"build\": \"19045.3448\",\n \"type\": \"windows\",\n \"family\": \"windows\"\n },\n \"ip\": [\n \"a123::b234:c345:d456:e567\",\n \"8.8.8.8\",\n \"abcd::ef01:2345:6789:abcd\",\n \"1.2.3.4\",\n \"a0b1::c2d3:e4f5:0123:abcd\",\n \"10.20.30.40\",\n \"aabb::ccdd:eeff:0011:2233\",\n \"0.0.0.0\",\n \"1122::3344:5566:7788:9900\",\n \"5.6.7.8\",\n \"0011::2233:4455:6677:8899\",\n \"40.30.20.10\"\n ],\n \"architecture\": \"x86_64\"\n },\n \"@timestamp\": \"2023-10-19T11:22:01.893Z\"\n}", + "message": "{\n \"fields.gdp-redis\": \"3\",\n \"message\": \"File created:\\nRuleName: technique_id=T1047,technique_name=File System Permissions Weakness\\nUtcTime: 2023-10-19 11:22:01.885\\nProcessGuid: {abcdef01-2345-6789-abcd-000000000000}\\nProcessId: 4504\\nImage: C:\\\\WINDOWS\\\\system32\\\\svchost.exe\\nTargetFilename: 
C:\\\\Windows\\\\System32\\\\WinBioDatabase\\\\ABCD1234-E5F6-1234-ABCD-0123456789EF.ABC~DE123abcde.TMP\\nCreationUtcTime: 2023-10-19 11:22:01.885\\nUser: USER\\\\Syst\u00e8me\",\n \"fields\": {\n \"gdp-version-winlogbeat\": 3.4,\n \"gdp-sousparc\": \"prod\",\n \"gdp-version\": \"2.8\",\n \"gdp-parc\": \"defaut\",\n \"gdp-config\": \"desktop\",\n \"gdp-version-sysmon\": 15,\n \"gdp-indice\": [\n \"l-desk\",\n \"l-desk\"\n ]\n },\n \"@version\": \"1\",\n \"log\": {\n \"level\": \"information\"\n },\n \"type\": \"R3\",\n \"agent\": {\n \"id\": \"001234567-abcd-ef01-2345-6789abcdef01\",\n \"ephemeral_id\": \"a0b1c2d3-0123-4567-abcd-e4f5a6b7c8d9\",\n \"name\": \"WB-DK-PC01234567\",\n \"type\": \"winlogbeat\",\n \"version\": \"8.8.2\"\n },\n \"event\": {\n \"provider\": \"Microsoft-Windows-Sysmon\",\n \"action\": \"File created (rule: FileCreate)\",\n \"created\": \"2023-10-19T11:22:03.054Z\",\n \"kind\": \"event\",\n \"code\": \"11\"\n },\n \"event_ingest_logstash\": \"2023-10-19T11:22:03.810843Z\",\n \"fields.gdp-logstash\": \"6\",\n \"winlog\": {\n \"process\": {\n \"thread\": {\n \"id\": 7408\n },\n \"pid\": 4524\n },\n \"user\": {\n \"name\": \"Syst\u00e8me\",\n \"type\": \"Well Known Group\",\n \"identifier\": \"S-1-2-3\",\n \"domain\": \"USER\"\n },\n \"event_id\": \"11\",\n \"api\": \"wineventlog\",\n \"record_id\": 5103594,\n \"provider_name\": \"Microsoft-Windows-Sysmon\",\n \"version\": 2,\n \"provider_guid\": \"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\n \"task\": \"File created (rule: FileCreate)\",\n \"channel\": \"Microsoft-Windows-Sysmon/Operational\",\n \"event_data\": {\n \"TargetFilename\": \"C:\\\\Windows\\\\System32\\\\WinBioDatabase\\\\ABCD1234-E5F6-1234-ABCD-0123456789EF.ABC~DE123abcde.TMP\",\n \"UtcTime\": \"2023-10-19 11:22:01.885\",\n \"User\": \"USER\\\\Syst\u00e8me\",\n \"ProcessId\": \"4504\",\n \"ProcessGuid\": \"{abcdef01-2345-6789-abcd-000000000000}\",\n \"Image\": \"C:\\\\WINDOWS\\\\system32\\\\svchost.exe\",\n \"CreationUtcTime\": 
\"2023-10-19 11:22:01.885\",\n \"RuleName\": \"technique_id=T1047,technique_name=File System Permissions Weakness\"\n },\n \"computer_name\": \"PC01234567.company.com\",\n \"opcode\": \"Informations\"\n },\n \"ecs\": {\n \"version\": \"8.0.0\"\n },\n \"host\": {\n \"id\": \"a0b1c2d3-0123-abcd-0a1b-abcd0123ef45\",\n \"name\": \"PC01234567\",\n \"mac\": [\n \"00:11:22:33:44:55\",\n \"AA:BB:CC:DD:EE:FF\",\n \"A0:B1:C2:D3:E4:F5\",\n \"66:77:88:99:00:11\",\n \"01:23:45:67:89:AB\",\n \"AB:CD:EF:01:23:45\"\n ],\n \"hostname\": \"PC01234567\",\n \"os\": {\n \"name\": \"Windows 10 Enterprise\",\n \"platform\": \"windows\",\n \"version\": \"10.0\",\n \"kernel\": \"10.0.19041.3448 (WinBuild.160101.0800)\",\n \"build\": \"19045.3448\",\n \"type\": \"windows\",\n \"family\": \"windows\"\n },\n \"ip\": [\n \"a123::b234:c345:d456:e567\",\n \"8.8.8.8\",\n \"abcd::ef01:2345:6789:abcd\",\n \"1.2.3.4\",\n \"a0b1::c2d3:e4f5:0123:abcd\",\n \"10.20.30.40\",\n \"aabb::ccdd:eeff:0011:2233\",\n \"0.0.0.0\",\n \"1122::3344:5566:7788:9900\",\n \"5.6.7.8\",\n \"0011::2233:4455:6677:8899\",\n \"40.30.20.10\"\n ],\n \"architecture\": \"x86_64\"\n },\n \"@timestamp\": \"2023-10-19T11:22:01.893Z\"\n}", "event": { "action": "File created (rule: FileCreate)", "code": "11", @@ -379,7 +379,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "id": 7408 } }, - "provider_guid": "{a0b1c2d3-1234-abcd-e4f5-0123456789ab}", + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "5103594", "task": "File created (rule: FileCreate)", 
@@ -401,7 +401,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ```json { - "message": "{\n \"winlog\": {\n \"event_data\": {\n \"Product\": \"Microsoft Teams\",\n \"RuleName\": \"technique_id=T1036,technique_name=Masquerading\",\n \"CommandLine\": \"\\\"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\\\" --type=renderer --enable-wer --user-data-dir=\\\"C:\\\\Users\\\\asmithee\\\\AppData\\\\Roaming\\\\Microsoft\\\\Teams\\\" --ms-teams-less-cors=522133263 --app-user-model-id=com.squirrel.Teams.Teams --app-path=\\\"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\resources\\\\app.test\\\" --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --lang=fr --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=89 --launch-time-ticks=212569133487 --mojo-platform-channel-handle=6672 --field-trial-handle=1780,i,5843992499021049077,4525004813667802135,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1\",\n \"FileVersion\": \"1.6.00.27573\",\n \"ParentCommandLine\": \"\\\"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\\\" \",\n \"LogonGuid\": \"{abcdef01-b1c2-d3c4-1234-123400000000}\",\n \"ParentProcessGuid\": \"{10fecdba-1234-abcd-0a1b-000000000000}\",\n \"Hashes\": \"SHA1=68D25B5F5A57CF5DC0D63644338C04EA906D472B,MD5=89B717809A5A49D19E7E06746982BF0B,SHA256=2024533463DF3C945A74C774858285915FFB4E083031B51B8135BBBF5E8FC5EE,IMPHASH=00590C8FDC1F372F8DB1D3F49D342D34\",\n \"User\": \"COMPANY\\\\asmithee\",\n \"ProcessId\": \"4980\",\n \"LogonId\": \"0x1234abc\",\n \"ProcessGuid\": \"{10fecdba-1234-abcd-0a1b-000000000000}\",\n 
\"Description\": \"Microsoft Teams\",\n \"OriginalFileName\": \"Teams.exe\",\n \"Image\": \"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\",\n \"CurrentDirectory\": \"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\\",\n \"ParentImage\": \"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\",\n \"IntegrityLevel\": \"Low\",\n \"ParentProcessId\": \"1124\",\n \"Company\": \"Microsoft Corporation\",\n \"TerminalSessionId\": \"1\",\n \"UtcTime\": \"2023-10-17 12:03:14.183\",\n \"ParentUser\": \"COMPANY\\\\asmithee\"\n },\n \"task\": \"Process Create (rule: ProcessCreate)\",\n \"channel\": \"Microsoft-Windows-Sysmon/Operational\",\n \"user\": {\n \"name\": \"Syst\u00e8me\",\n \"identifier\": \"S-1-2-3\",\n \"type\": \"Well Known Group\",\n \"domain\": \"Domain\"\n },\n \"event_id\": \"1\",\n \"provider_guid\": \"{a0b1c2d3-1234-abcd-e4f5-0123456789ab}\",\n \"process\": {\n \"thread\": {\n \"id\": 5760\n },\n \"pid\": 3852\n },\n \"api\": \"wineventlog\",\n \"version\": 5,\n \"computer_name\": \"PC01234567.company.com\",\n \"record_id\": 9359683,\n \"provider_name\": \"Microsoft-Windows-Sysmon\",\n \"opcode\": \"Informations\"\n },\n \"message\": \"Process Create:\\nRuleName: technique_id=T1036,technique_name=Masquerading\\nUtcTime: 2023-10-17 12:03:14.183\\nProcessGuid: {10fecdba-1234-abcd-0a1b-000000000000}\\nProcessId: 4980\\nImage: C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\\nFileVersion: 1.6.00.27573\\nDescription: Microsoft Teams\\nProduct: Microsoft Teams\\nCompany: Microsoft Corporation\\nOriginalFileName: Teams.exe\\nCommandLine: \\\"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\\\" --type=renderer --enable-wer --user-data-dir=\\\"C:\\\\Users\\\\asmithee\\\\AppData\\\\Roaming\\\\Microsoft\\\\Teams\\\" --ms-teams-less-cors=522133263 
--app-user-model-id=com.squirrel.Teams.Teams --app-path=\\\"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\resources\\\\app.test\\\" --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --lang=fr --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=89 --launch-time-ticks=212569133487 --mojo-platform-channel-handle=6672 --field-trial-handle=1780,i,5843992499021049077,4525004813667802135,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1\\nCurrentDirectory: C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\\\nUser: COMPANY\\\\asmithee\\nLogonGuid: {abcdef01-b1c2-d3c4-1234-123400000000}\\nLogonId: 0x1234abc\\nTerminalSessionId: 1\\nIntegrityLevel: Low\\nHashes: SHA1=68D25B5F5A57CF5DC0D63644338C04EA906D472B,MD5=89B717809A5A49D19E7E06746982BF0B,SHA256=2024533463DF3C945A74C774858285915FFB4E083031B51B8135BBBF5E8FC5EE,IMPHASH=00590C8FDC1F372F8DB1D3F49D342D34\\nParentProcessGuid: {10fecdba-1234-abcd-0a1b-000000000000}\\nParentProcessId: 1124\\nParentImage: C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\\nParentCommandLine: \\\"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\\\" \\nParentUser: COMPANY\\\\asmithee\",\n \"event_ingest_logstash\": \"2023-10-17T12:03:18.802068Z\",\n \"fields.gdp-logstash\": \"6\",\n \"event\": {\n \"kind\": \"event\",\n \"provider\": \"Microsoft-Windows-Sysmon\",\n \"created\": \"2023-10-17T12:03:17.092Z\",\n \"code\": \"1\",\n \"action\": \"Process Create (rule: ProcessCreate)\"\n },\n \"@version\": \"1\",\n \"log\": {\n \"level\": \"information\"\n },\n \"ecs\": {\n \"version\": \"8.0.0\"\n 
},\n \"@timestamp\": \"2023-10-17T12:03:15.436Z\",\n \"fields.gdp-redis\": \"2\",\n \"fields\": {\n \"gdp-parc\": \"defaut\",\n \"gdp-version-winlogbeat\": 3.4,\n \"gdp-indice\": [\n \"l-desk\",\n \"l-desk\"\n ],\n \"gdp-sousparc\": \"prod\",\n \"gdp-version\": \"2.8\",\n \"gdp-config\": \"desktop\",\n \"gdp-version-sysmon\": 15\n },\n \"host\": {\n \"os\": {\n \"platform\": \"windows\",\n \"name\": \"Windows 10 Enterprise\",\n \"version\": \"10.0\",\n \"kernel\": \"10.0.19041.3448 (WinBuild.160101.0800)\",\n \"build\": \"19045.3448\",\n \"family\": \"windows\",\n \"type\": \"windows\"\n },\n \"mac\": [\n \"A1-B2-C3-D4-E5-F6\"\n ],\n \"name\": \"PC01234567\",\n \"id\": \"a0b1c2d3-0123-abcd-0a1b-abcd0123ef45\",\n \"hostname\": \"PC01234567\",\n \"architecture\": \"x86_64\",\n \"ip\": [\n \"a123::b234:c345:d456:e567\",\n \"8.8.8.8\"\n ]\n },\n \"type\": \"R2\",\n \"agent\": {\n \"id\": \"01234567-abcd-ef01-2345-6789abcdef01\",\n \"name\": \"WB-DK-PC01234567\",\n \"version\": \"8.8.2\",\n \"ephemeral_id\": \"a0b1c2d3-0123-4567-abcd-e4f5a6b7c8d9\",\n \"type\": \"winlogbeat\"\n }\n}", + "message": "{\n \"winlog\": {\n \"event_data\": {\n \"Product\": \"Microsoft Teams\",\n \"RuleName\": \"technique_id=T1036,technique_name=Masquerading\",\n \"CommandLine\": \"\\\"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\\\" --type=renderer --enable-wer --user-data-dir=\\\"C:\\\\Users\\\\asmithee\\\\AppData\\\\Roaming\\\\Microsoft\\\\Teams\\\" --ms-teams-less-cors=522133263 --app-user-model-id=com.squirrel.Teams.Teams --app-path=\\\"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\resources\\\\app.test\\\" --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --lang=fr --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=89 --launch-time-ticks=212569133487 --mojo-platform-channel-handle=6672 
--field-trial-handle=1780,i,5843992499021049077,4525004813667802135,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1\",\n \"FileVersion\": \"1.6.00.27573\",\n \"ParentCommandLine\": \"\\\"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\\\" \",\n \"LogonGuid\": \"{abcdef01-b1c2-d3c4-1234-123400000000}\",\n \"ParentProcessGuid\": \"{10fecdba-1234-abcd-0a1b-000000000000}\",\n \"Hashes\": \"SHA1=68D25B5F5A57CF5DC0D63644338C04EA906D472B,MD5=89B717809A5A49D19E7E06746982BF0B,SHA256=2024533463DF3C945A74C774858285915FFB4E083031B51B8135BBBF5E8FC5EE,IMPHASH=00590C8FDC1F372F8DB1D3F49D342D34\",\n \"User\": \"COMPANY\\\\asmithee\",\n \"ProcessId\": \"4980\",\n \"LogonId\": \"0x1234abc\",\n \"ProcessGuid\": \"{10fecdba-1234-abcd-0a1b-000000000000}\",\n \"Description\": \"Microsoft Teams\",\n \"OriginalFileName\": \"Teams.exe\",\n \"Image\": \"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\",\n \"CurrentDirectory\": \"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\\",\n \"ParentImage\": \"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\",\n \"IntegrityLevel\": \"Low\",\n \"ParentProcessId\": \"1124\",\n \"Company\": \"Microsoft Corporation\",\n \"TerminalSessionId\": \"1\",\n \"UtcTime\": \"2023-10-17 12:03:14.183\",\n \"ParentUser\": \"COMPANY\\\\asmithee\"\n },\n \"task\": \"Process Create (rule: ProcessCreate)\",\n \"channel\": \"Microsoft-Windows-Sysmon/Operational\",\n \"user\": {\n \"name\": \"Syst\u00e8me\",\n \"identifier\": \"S-1-2-3\",\n \"type\": \"Well Known Group\",\n \"domain\": \"Domain\"\n },\n \"event_id\": \"1\",\n \"provider_guid\": 
\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\n \"process\": {\n \"thread\": {\n \"id\": 5760\n },\n \"pid\": 3852\n },\n \"api\": \"wineventlog\",\n \"version\": 5,\n \"computer_name\": \"PC01234567.company.com\",\n \"record_id\": 9359683,\n \"provider_name\": \"Microsoft-Windows-Sysmon\",\n \"opcode\": \"Informations\"\n },\n \"message\": \"Process Create:\\nRuleName: technique_id=T1036,technique_name=Masquerading\\nUtcTime: 2023-10-17 12:03:14.183\\nProcessGuid: {10fecdba-1234-abcd-0a1b-000000000000}\\nProcessId: 4980\\nImage: C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\\nFileVersion: 1.6.00.27573\\nDescription: Microsoft Teams\\nProduct: Microsoft Teams\\nCompany: Microsoft Corporation\\nOriginalFileName: Teams.exe\\nCommandLine: \\\"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\\\" --type=renderer --enable-wer --user-data-dir=\\\"C:\\\\Users\\\\asmithee\\\\AppData\\\\Roaming\\\\Microsoft\\\\Teams\\\" --ms-teams-less-cors=522133263 --app-user-model-id=com.squirrel.Teams.Teams --app-path=\\\"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\resources\\\\app.test\\\" --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --lang=fr --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=89 --launch-time-ticks=212569133487 --mojo-platform-channel-handle=6672 --field-trial-handle=1780,i,5843992499021049077,4525004813667802135,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1\\nCurrentDirectory: C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\\\nUser: COMPANY\\\\asmithee\\nLogonGuid: 
{abcdef01-b1c2-d3c4-1234-123400000000}\\nLogonId: 0x1234abc\\nTerminalSessionId: 1\\nIntegrityLevel: Low\\nHashes: SHA1=68D25B5F5A57CF5DC0D63644338C04EA906D472B,MD5=89B717809A5A49D19E7E06746982BF0B,SHA256=2024533463DF3C945A74C774858285915FFB4E083031B51B8135BBBF5E8FC5EE,IMPHASH=00590C8FDC1F372F8DB1D3F49D342D34\\nParentProcessGuid: {10fecdba-1234-abcd-0a1b-000000000000}\\nParentProcessId: 1124\\nParentImage: C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\\nParentCommandLine: \\\"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\\\" \\nParentUser: COMPANY\\\\asmithee\",\n \"event_ingest_logstash\": \"2023-10-17T12:03:18.802068Z\",\n \"fields.gdp-logstash\": \"6\",\n \"event\": {\n \"kind\": \"event\",\n \"provider\": \"Microsoft-Windows-Sysmon\",\n \"created\": \"2023-10-17T12:03:17.092Z\",\n \"code\": \"1\",\n \"action\": \"Process Create (rule: ProcessCreate)\"\n },\n \"@version\": \"1\",\n \"log\": {\n \"level\": \"information\"\n },\n \"ecs\": {\n \"version\": \"8.0.0\"\n },\n \"@timestamp\": \"2023-10-17T12:03:15.436Z\",\n \"fields.gdp-redis\": \"2\",\n \"fields\": {\n \"gdp-parc\": \"defaut\",\n \"gdp-version-winlogbeat\": 3.4,\n \"gdp-indice\": [\n \"l-desk\",\n \"l-desk\"\n ],\n \"gdp-sousparc\": \"prod\",\n \"gdp-version\": \"2.8\",\n \"gdp-config\": \"desktop\",\n \"gdp-version-sysmon\": 15\n },\n \"host\": {\n \"os\": {\n \"platform\": \"windows\",\n \"name\": \"Windows 10 Enterprise\",\n \"version\": \"10.0\",\n \"kernel\": \"10.0.19041.3448 (WinBuild.160101.0800)\",\n \"build\": \"19045.3448\",\n \"family\": \"windows\",\n \"type\": \"windows\"\n },\n \"mac\": [\n \"A1-B2-C3-D4-E5-F6\"\n ],\n \"name\": \"PC01234567\",\n \"id\": \"a0b1c2d3-0123-abcd-0a1b-abcd0123ef45\",\n \"hostname\": \"PC01234567\",\n \"architecture\": \"x86_64\",\n \"ip\": [\n \"a123::b234:c345:d456:e567\",\n \"8.8.8.8\"\n ]\n },\n \"type\": \"R2\",\n \"agent\": {\n \"id\": 
\"01234567-abcd-ef01-2345-6789abcdef01\",\n \"name\": \"WB-DK-PC01234567\",\n \"version\": \"8.8.2\",\n \"ephemeral_id\": \"a0b1c2d3-0123-4567-abcd-e4f5a6b7c8d9\",\n \"type\": \"winlogbeat\"\n }\n}", "event": { "action": "Process Create (rule: ProcessCreate)", "code": "1", @@ -475,9 +475,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "command_line": "\"C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe\" --type=renderer --enable-wer --user-data-dir=\"C:\\Users\\asmithee\\AppData\\Roaming\\Microsoft\\Teams\" --ms-teams-less-cors=522133263 --app-user-model-id=com.squirrel.Teams.Teams --app-path=\"C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\resources\\app.test\" --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --lang=fr --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=89 --launch-time-ticks=212569133487 --mojo-platform-channel-handle=6672 --field-trial-handle=1780,i,5843992499021049077,4525004813667802135,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1", "executable": "C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe", "hash": { - "md5": "89B717809A5A49D19E7E06746982BF0B", - "sha1": "68D25B5F5A57CF5DC0D63644338C04EA906D472B", - "sha256": "2024533463DF3C945A74C774858285915FFB4E083031B51B8135BBBF5E8FC5EE" + "md5": "89b717809a5a49d19e7e06746982bf0b", + "sha1": "68d25b5f5a57cf5dc0d63644338c04ea906d472b", + "sha256": "2024533463df3c945a74c774858285915ffb4e083031b51b8135bbbf5e8fc5ee" }, "name": "Teams.exe", "parent": { 
@@ -485,15 +485,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "Teams.exe" }, "pe": { + "imphash": "00590c8fdc1f372f8db1d3f49d342d34", "original_file_name": "Teams.exe" }, "working_directory": "C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\" }, "related": { "hash": [ - "2024533463DF3C945A74C774858285915FFB4E083031B51B8135BBBF5E8FC5EE", - "68D25B5F5A57CF5DC0D63644338C04EA906D472B", - "89B717809A5A49D19E7E06746982BF0B", + "2024533463df3c945a74c774858285915ffb4e083031b51b8135bbbf5e8fc5ee", + "68d25b5f5a57cf5dc0d63644338c04ea906d472b", + "89b717809a5a49d19e7e06746982bf0b", "bddeaca04a56e79e76ded95babeaa07f36b3935e" ], "hosts": [ @@ -516,7 +517,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "id": 5760 } }, - "provider_guid": "{a0b1c2d3-1234-abcd-e4f5-0123456789ab}", + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "9359683", "task": "Process Create (rule: ProcessCreate)", 
@@ -538,7 +539,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ```json { - "message": "{\n \"winlog\": {\n \"event_data\": {\n \"IntegrityLevel\": \"Low\",\n \"Product\": \"Microsoft Teams\",\n \"Description\": \"Microsoft Teams\",\n \"LogonId\": \"0x1234abc\",\n \"TerminalSessionId\": \"1\",\n \"FileVersion\": \"1.6.00.27573\",\n \"LogonGuid\": \"{abcdef01-b1c2-d3c4-1234-123400000000}\",\n \"Company\": \"Microsoft Corporation\",\n \"ParentUser\": \"COMPANY\\\\asmithee\"\n },\n \"task\": \"Process Create (rule: ProcessCreate)\",\n \"channel\": \"Microsoft-Windows-Sysmon/Operational\",\n \"user\": {\n \"name\": \"Syst\u00e8me\",\n \"identifier\": \"S-1-2-3\",\n \"type\": \"User\",\n \"domain\": \"DOMAIN\"\n },\n \"api\": \"wineventlog\",\n \"provider_guid\": \"{a0b1c2d3-1234-abcd-e4f5-0123456789ab}\",\n \"process\": {\n \"thread\": {\n \"id\": 7248\n },\n \"pid\": 5624\n },\n \"event_id\": \"1\",\n \"version\": 5,\n \"computer_name\": \"PC01234567.company.com\",\n \"record_id\": 67177799,\n \"opcode\": \"Informations\",\n \"provider_name\": \"Microsoft-Windows-Sysmon\"\n },\n \"message\": \"Process Create:\\nRuleName: technique_id=T1036,technique_name=Masquerading\\nUtcTime: 2023-10-17 12:05:25.091\\nProcessGuid: {1c03cf6e-7885-652e-190c-00000000fa00}\\nProcessId: 27804\\nImage: C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\\nFileVersion: 1.6.00.27573\\nDescription: Microsoft Teams\\nProduct: Microsoft Teams\\nCompany: Microsoft Corporation\\nOriginalFileName: Teams.exe\\nCommandLine: \\\"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\\\" --type=renderer --enable-wer --user-data-dir=\\\"C:\\\\Users\\\\asmithee\\\\AppData\\\\Roaming\\\\Microsoft\\\\Teams\\\" --ms-teams-less-cors=522133263 --app-user-model-id=com.squirrel.Teams.Teams 
--app-path=\\\"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\resources\\\\app.test\\\" --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --lang=fr --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=196 --launch-time-ticks=17880973283 --mojo-platform-channel-handle=2520 --field-trial-handle=1808,i,7578868639254466484,17758186584081941877,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1\\nCurrentDirectory: C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\\\nUser: COMPANY\\\\asmithee\\nLogonGuid: {abcdef01-b1c2-d3c4-1234-123400000000}\\nLogonId: 0x1234ABC\\nTerminalSessionId: 1\\nIntegrityLevel: Low\\nHashes: SHA1=68D25B5F5A57CF5DC0D63644338C04EA906D472B,MD5=89B717809A5A49D19E7E06746982BF0B,SHA256=2024533463DF3C945A74C774858285915FFB4E083031B51B8135BBBF5E8FC5EE,IMPHASH=00590C8FDC1F372F8DB1D3F49D342D34\\nParentProcessGuid: {1c03cf6e-331c-652e-b001-00000000fa00}\\nParentProcessId: 17772\\nParentImage: C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\\nParentCommandLine: \\\"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\\\" --system-initiated\\nParentUser: COMPANY\\\\asmithee\",\n \"hash\": {\n \"sha256\": \"2024533463df3c945a74c774858285915ffb4e083031b51b8135bbbf5e8fc5ee\",\n \"sha1\": \"68d25b5f5a57cf5dc0d63644338c04ea906d472b\",\n \"md5\": \"89b717809a5a49d19e7e06746982bf0b\",\n \"imphash\": \"00590c8fdc1f372f8db1d3f49d342d34\"\n },\n \"event_ingest_logstash\": \"2023-10-17T12:05:27.363678Z\",\n \"fields.gdp-logstash\": \"6\",\n \"user\": {\n \"name\": \"asmithee\",\n \"id\": \"S-1-2-3\",\n \"domain\": 
\"COMPANY\"\n },\n \"event\": {\n \"created\": \"2023-10-17T12:05:26.268Z\",\n \"kind\": \"event\",\n \"provider\": \"Microsoft-Windows-Sysmon\",\n \"category\": [\n \"process\"\n ],\n \"code\": \"1\",\n \"module\": \"sysmon\",\n \"action\": \"Process Create (rule: ProcessCreate)\",\n \"type\": [\n \"start\",\n \"process_start\"\n ]\n },\n \"process\": {\n \"name\": \"Teams.exe\",\n \"args\": [\n \"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\",\n \"--type=renderer\",\n \"--enable-wer\",\n \"--user-data-dir=C:\\\\Users\\\\asmithee\\\\AppData\\\\Roaming\\\\Microsoft\\\\Teams\",\n \"--ms-teams-less-cors=522133263\",\n \"--app-user-model-id=com.squirrel.Teams.Teams\",\n \"--app-path=C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\resources\\\\app.test\",\n \"--autoplay-policy=no-user-gesture-required\",\n \"--disable-background-timer-throttling\",\n \"--lang=fr\",\n \"--device-scale-factor=1.25\",\n \"--num-raster-threads=4\",\n \"--enable-main-frame-before-activation\",\n \"--renderer-client-id=196\",\n \"--launch-time-ticks=17880973283\",\n \"--mojo-platform-channel-handle=2520\",\n \"--field-trial-handle=1808,i,7578868639254466484,17758186584081941877,131072\",\n \"--enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker\",\n \"--disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand\",\n \"/prefetch:1\"\n ],\n \"hash\": {\n \"sha256\": \"2024533463df3c945a74c774858285915ffb4e083031b51b8135bbbf5e8fc5ee\",\n \"sha1\": \"68d25b5f5a57cf5dc0d63644338c04ea906d472b\",\n \"md5\": \"89b717809a5a49d19e7e06746982bf0b\"\n },\n \"entity_id\": \"{abcdef01-2345-6789-abcd-000000000000}\",\n \"command_line\": \"\\\"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\\\" --type=renderer --enable-wer 
--user-data-dir=\\\"C:\\\\Users\\\\asmithee\\\\AppData\\\\Roaming\\\\Microsoft\\\\Teams\\\" --ms-teams-less-cors=522133263 --app-user-model-id=com.squirrel.Teams.Teams --app-path=\\\"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\resources\\\\app.test\\\" --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --lang=fr --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=196 --launch-time-ticks=17880973283 --mojo-platform-channel-handle=2520 --field-trial-handle=1808,i,7578868639254466484,17758186584081941877,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1\",\n \"pe\": {\n \"description\": \"Microsoft Teams\",\n \"company\": \"Microsoft Corporation\",\n \"file_version\": \"1.6.00.27573\",\n \"imphash\": \"00590c8fdc1f372f8db1d3f49d342d34\",\n \"original_file_name\": \"Teams.exe\",\n \"product\": \"Microsoft Teams\"\n },\n \"parent\": {\n \"name\": \"Teams.exe\",\n \"args\": [\n \"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\",\n \"--system-initiated\"\n ],\n \"entity_id\": \"{abcdef01-2345-6789-abcd-000000000000}\",\n \"command_line\": \"\\\"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\\\" --system-initiated\",\n \"pid\": 17772,\n \"executable\": \"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\"\n },\n \"pid\": 27804,\n \"working_directory\": \"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\\",\n \"executable\": \"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\"\n },\n \"@version\": \"1\",\n \"log\": {\n \"level\": 
\"information\"\n },\n \"rule\": {\n \"name\": \"technique_id=T1036,technique_name=Masquerading\"\n },\n \"related\": {\n \"hash\": [\n \"68d25b5f5a57cf5dc0d63644338c04ea906d472b\",\n \"89b717809a5a49d19e7e06746982bf0b\",\n \"2024533463df3c945a74c774858285915ffb4e083031b51b8135bbbf5e8fc5ee\",\n \"00590c8fdc1f372f8db1d3f49d342d34\"\n ],\n \"user\": \"asmithee\"\n },\n \"ecs\": {\n \"version\": \"1.12.0\"\n },\n \"@timestamp\": \"2023-10-17T12:05:25.091Z\",\n \"fields\": {\n \"gdp-version-sysmon\": 13.33,\n \"gdp-version-winlogbeat\": 2.8,\n \"gdp-indice\": \"l-desk\",\n \"gdp-sousparc\": \"prod\",\n \"gdp-config\": \"desktop\",\n \"gdp-version\": \"1.16\",\n \"gdp-parc\": \"defaut\"\n },\n \"host\": {\n \"id\": \"a0b1c2d3-0123-abcd-0a1b-abcd0123ef45\",\n \"name\": \"PC01234567.company.com\",\n \"mac\": [\n \"00:11:22:33:44:55\",\n \"aa:bb:cc:dd:ee:ff\",\n \"a0:b1:c2:d3:e4:f5\",\n \"66:77:88:99:00:11\",\n \"01:23:45:67:89:ab\",\n \"ab:cd:ef:01:23:45\"\n ],\n \"os\": {\n \"platform\": \"windows\",\n \"name\": \"Windows 10 Enterprise\",\n \"version\": \"10.0\",\n \"kernel\": \"10.0.19041.3570 (WinBuild.160101.0800)\",\n \"build\": \"19044.3570\",\n \"type\": \"windows\",\n \"family\": \"windows\"\n },\n \"hostname\": \"PC01234567\",\n \"architecture\": \"x86_64\",\n \"ip\": [\n \"a123::b234:c345:d456:e567\",\n \"8.8.8.8\",\n \"abcd::ef01:2345:6789:abcd\",\n \"1.2.3.4\",\n \"a0b1::c2d3:e4f5:0123:abcd\",\n \"10.20.30.40\",\n \"aabb::ccdd:eeff:0011:2233\",\n \"0.0.0.0\",\n \"1122::3344:5566:7788:9900\",\n \"5.6.7.8\",\n \"0011::2233:4455:6677:8899\",\n \"40.30.20.10\"\n ]\n },\n \"tags\": [\n \"beats_input_codec_plain_applied\"\n ],\n \"agent\": {\n \"id\": \"001234567-abcd-ef01-2345-6789abcdef01\",\n \"name\": \"WB-DK-PC01234567\",\n \"version\": \"7.17.1\",\n \"ephemeral_id\": \"a0b1c2d3-0123-4567-abcd-e4f5a6b7c8d9\",\n \"hostname\": \"PC01234567\",\n \"type\": \"winlogbeat\"\n }\n}", + "message": "{\n \"winlog\": {\n \"event_data\": {\n \"IntegrityLevel\": \"Low\",\n 
\"Product\": \"Microsoft Teams\",\n \"Description\": \"Microsoft Teams\",\n \"LogonId\": \"0x1234abc\",\n \"TerminalSessionId\": \"1\",\n \"FileVersion\": \"1.6.00.27573\",\n \"LogonGuid\": \"{abcdef01-b1c2-d3c4-1234-123400000000}\",\n \"Company\": \"Microsoft Corporation\",\n \"ParentUser\": \"COMPANY\\\\asmithee\"\n },\n \"task\": \"Process Create (rule: ProcessCreate)\",\n \"channel\": \"Microsoft-Windows-Sysmon/Operational\",\n \"user\": {\n \"name\": \"Syst\u00e8me\",\n \"identifier\": \"S-1-2-3\",\n \"type\": \"User\",\n \"domain\": \"DOMAIN\"\n },\n \"api\": \"wineventlog\",\n \"provider_guid\": \"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\n \"process\": {\n \"thread\": {\n \"id\": 7248\n },\n \"pid\": 5624\n },\n \"event_id\": \"1\",\n \"version\": 5,\n \"computer_name\": \"PC01234567.company.com\",\n \"record_id\": 67177799,\n \"opcode\": \"Informations\",\n \"provider_name\": \"Microsoft-Windows-Sysmon\"\n },\n \"message\": \"Process Create:\\nRuleName: technique_id=T1036,technique_name=Masquerading\\nUtcTime: 2023-10-17 12:05:25.091\\nProcessGuid: {1c03cf6e-7885-652e-190c-00000000fa00}\\nProcessId: 27804\\nImage: C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\\nFileVersion: 1.6.00.27573\\nDescription: Microsoft Teams\\nProduct: Microsoft Teams\\nCompany: Microsoft Corporation\\nOriginalFileName: Teams.exe\\nCommandLine: \\\"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\\\" --type=renderer --enable-wer --user-data-dir=\\\"C:\\\\Users\\\\asmithee\\\\AppData\\\\Roaming\\\\Microsoft\\\\Teams\\\" --ms-teams-less-cors=522133263 --app-user-model-id=com.squirrel.Teams.Teams --app-path=\\\"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\resources\\\\app.test\\\" --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --lang=fr --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation 
--renderer-client-id=196 --launch-time-ticks=17880973283 --mojo-platform-channel-handle=2520 --field-trial-handle=1808,i,7578868639254466484,17758186584081941877,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1\\nCurrentDirectory: C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\\\nUser: COMPANY\\\\asmithee\\nLogonGuid: {abcdef01-b1c2-d3c4-1234-123400000000}\\nLogonId: 0x1234ABC\\nTerminalSessionId: 1\\nIntegrityLevel: Low\\nHashes: SHA1=68D25B5F5A57CF5DC0D63644338C04EA906D472B,MD5=89B717809A5A49D19E7E06746982BF0B,SHA256=2024533463DF3C945A74C774858285915FFB4E083031B51B8135BBBF5E8FC5EE,IMPHASH=00590C8FDC1F372F8DB1D3F49D342D34\\nParentProcessGuid: {1c03cf6e-331c-652e-b001-00000000fa00}\\nParentProcessId: 17772\\nParentImage: C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\\nParentCommandLine: \\\"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\\\" --system-initiated\\nParentUser: COMPANY\\\\asmithee\",\n \"hash\": {\n \"sha256\": \"2024533463df3c945a74c774858285915ffb4e083031b51b8135bbbf5e8fc5ee\",\n \"sha1\": \"68d25b5f5a57cf5dc0d63644338c04ea906d472b\",\n \"md5\": \"89b717809a5a49d19e7e06746982bf0b\",\n \"imphash\": \"00590c8fdc1f372f8db1d3f49d342d34\"\n },\n \"event_ingest_logstash\": \"2023-10-17T12:05:27.363678Z\",\n \"fields.gdp-logstash\": \"6\",\n \"user\": {\n \"name\": \"asmithee\",\n \"id\": \"S-1-2-3\",\n \"domain\": \"COMPANY\"\n },\n \"event\": {\n \"created\": \"2023-10-17T12:05:26.268Z\",\n \"kind\": \"event\",\n \"provider\": \"Microsoft-Windows-Sysmon\",\n \"category\": [\n \"process\"\n ],\n \"code\": \"1\",\n \"module\": \"sysmon\",\n \"action\": \"Process Create (rule: ProcessCreate)\",\n \"type\": [\n 
\"start\",\n \"process_start\"\n ]\n },\n \"process\": {\n \"name\": \"Teams.exe\",\n \"args\": [\n \"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\",\n \"--type=renderer\",\n \"--enable-wer\",\n \"--user-data-dir=C:\\\\Users\\\\asmithee\\\\AppData\\\\Roaming\\\\Microsoft\\\\Teams\",\n \"--ms-teams-less-cors=522133263\",\n \"--app-user-model-id=com.squirrel.Teams.Teams\",\n \"--app-path=C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\resources\\\\app.test\",\n \"--autoplay-policy=no-user-gesture-required\",\n \"--disable-background-timer-throttling\",\n \"--lang=fr\",\n \"--device-scale-factor=1.25\",\n \"--num-raster-threads=4\",\n \"--enable-main-frame-before-activation\",\n \"--renderer-client-id=196\",\n \"--launch-time-ticks=17880973283\",\n \"--mojo-platform-channel-handle=2520\",\n \"--field-trial-handle=1808,i,7578868639254466484,17758186584081941877,131072\",\n \"--enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker\",\n \"--disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand\",\n \"/prefetch:1\"\n ],\n \"hash\": {\n \"sha256\": \"2024533463df3c945a74c774858285915ffb4e083031b51b8135bbbf5e8fc5ee\",\n \"sha1\": \"68d25b5f5a57cf5dc0d63644338c04ea906d472b\",\n \"md5\": \"89b717809a5a49d19e7e06746982bf0b\"\n },\n \"entity_id\": \"{abcdef01-2345-6789-abcd-000000000000}\",\n \"command_line\": \"\\\"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\\\" --type=renderer --enable-wer --user-data-dir=\\\"C:\\\\Users\\\\asmithee\\\\AppData\\\\Roaming\\\\Microsoft\\\\Teams\\\" --ms-teams-less-cors=522133263 --app-user-model-id=com.squirrel.Teams.Teams --app-path=\\\"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\resources\\\\app.test\\\" 
--autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --lang=fr --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=196 --launch-time-ticks=17880973283 --mojo-platform-channel-handle=2520 --field-trial-handle=1808,i,7578868639254466484,17758186584081941877,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1\",\n \"pe\": {\n \"description\": \"Microsoft Teams\",\n \"company\": \"Microsoft Corporation\",\n \"file_version\": \"1.6.00.27573\",\n \"imphash\": \"00590c8fdc1f372f8db1d3f49d342d34\",\n \"original_file_name\": \"Teams.exe\",\n \"product\": \"Microsoft Teams\"\n },\n \"parent\": {\n \"name\": \"Teams.exe\",\n \"args\": [\n \"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\",\n \"--system-initiated\"\n ],\n \"entity_id\": \"{abcdef01-2345-6789-abcd-000000000000}\",\n \"command_line\": \"\\\"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\\\" --system-initiated\",\n \"pid\": 17772,\n \"executable\": \"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\"\n },\n \"pid\": 27804,\n \"working_directory\": \"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\\",\n \"executable\": \"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\"\n },\n \"@version\": \"1\",\n \"log\": {\n \"level\": \"information\"\n },\n \"rule\": {\n \"name\": \"technique_id=T1036,technique_name=Masquerading\"\n },\n \"related\": {\n \"hash\": [\n \"68d25b5f5a57cf5dc0d63644338c04ea906d472b\",\n \"89b717809a5a49d19e7e06746982bf0b\",\n 
\"2024533463df3c945a74c774858285915ffb4e083031b51b8135bbbf5e8fc5ee\",\n \"00590c8fdc1f372f8db1d3f49d342d34\"\n ],\n \"user\": \"asmithee\"\n },\n \"ecs\": {\n \"version\": \"1.12.0\"\n },\n \"@timestamp\": \"2023-10-17T12:05:25.091Z\",\n \"fields\": {\n \"gdp-version-sysmon\": 13.33,\n \"gdp-version-winlogbeat\": 2.8,\n \"gdp-indice\": \"l-desk\",\n \"gdp-sousparc\": \"prod\",\n \"gdp-config\": \"desktop\",\n \"gdp-version\": \"1.16\",\n \"gdp-parc\": \"defaut\"\n },\n \"host\": {\n \"id\": \"a0b1c2d3-0123-abcd-0a1b-abcd0123ef45\",\n \"name\": \"PC01234567.company.com\",\n \"mac\": [\n \"00:11:22:33:44:55\",\n \"aa:bb:cc:dd:ee:ff\",\n \"a0:b1:c2:d3:e4:f5\",\n \"66:77:88:99:00:11\",\n \"01:23:45:67:89:ab\",\n \"ab:cd:ef:01:23:45\"\n ],\n \"os\": {\n \"platform\": \"windows\",\n \"name\": \"Windows 10 Enterprise\",\n \"version\": \"10.0\",\n \"kernel\": \"10.0.19041.3570 (WinBuild.160101.0800)\",\n \"build\": \"19044.3570\",\n \"type\": \"windows\",\n \"family\": \"windows\"\n },\n \"hostname\": \"PC01234567\",\n \"architecture\": \"x86_64\",\n \"ip\": [\n \"a123::b234:c345:d456:e567\",\n \"8.8.8.8\",\n \"abcd::ef01:2345:6789:abcd\",\n \"1.2.3.4\",\n \"a0b1::c2d3:e4f5:0123:abcd\",\n \"10.20.30.40\",\n \"aabb::ccdd:eeff:0011:2233\",\n \"0.0.0.0\",\n \"1122::3344:5566:7788:9900\",\n \"5.6.7.8\",\n \"0011::2233:4455:6677:8899\",\n \"40.30.20.10\"\n ]\n },\n \"tags\": [\n \"beats_input_codec_plain_applied\"\n ],\n \"agent\": {\n \"id\": \"001234567-abcd-ef01-2345-6789abcdef01\",\n \"name\": \"WB-DK-PC01234567\",\n \"version\": \"7.17.1\",\n \"ephemeral_id\": \"a0b1c2d3-0123-4567-abcd-e4f5a6b7c8d9\",\n \"hostname\": \"PC01234567\",\n \"type\": \"winlogbeat\"\n }\n}", "event": { "action": "Process Create (rule: ProcessCreate)", "category": [ 
@@ -716,7 +717,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "id": 7248 } }, - "provider_guid": "{a0b1c2d3-1234-abcd-e4f5-0123456789ab}", + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "67177799", "task": "Process Create (rule: ProcessCreate)", 
@@ -738,7 +739,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ```json { - "message": "{\n \"winlog\": {\n \"event_data\": {\n \"TargetObject\": \"target\\\\System\\\\CurrentControlSet\\\\Services\\\\bam\\\\State\\\\UserSettings\\\\S-1-2-3-4-012345678-123456789-876543210-12345\\\\\\\\Device\\\\HarddiskVolume3\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\",\n \"Details\": \"Binary Data\",\n \"User\": \"COMPANY\\\\asmithee\",\n \"EventType\": \"SetValue\"\n },\n \"task\": \"Registry value set (rule: RegistryEvent)\",\n \"channel\": \"Microsoft-Windows-Sysmon/Operational\",\n \"api\": \"wineventlog\",\n \"user\": {\n \"name\": \"Syst\u00e8me\",\n \"identifier\": \"S-1-2-3\",\n \"type\": \"User\",\n \"domain\": \"DOMAIN\"\n },\n \"event_id\": \"13\",\n \"process\": {\n \"thread\": {\n \"id\": 7248\n },\n \"pid\": 5624\n },\n \"provider_guid\": \"{a0b1c2d3-1234-abcd-e4f5-0123456789ab}\",\n \"version\": 2,\n \"computer_name\": \"PC01234567.company.com\",\n \"record_id\": 67193809,\n \"provider_name\": \"Microsoft-Windows-Sysmon\",\n \"opcode\": \"Informations\"\n },\n \"message\": \"Registry value set:\\nRuleName: technique_id=T1543,technique_name=Service Creation\\nEventType: SetValue\\nUtcTime: 2023-10-17 14:01:17.244\\nProcessGuid: {abcdef01-2345-6789-abcd-000000000000}\\nProcessId: 17772\\nImage: C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\\nTargetObject: target\\\\System\\\\CurrentControlSet\\\\Services\\\\bam\\\\State\\\\UserSettings\\\\S-1-2-3-4-012345678-123456789-876543210-12345\\\\\\\\Device\\\\HarddiskVolume3\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\\nDetails: Binary Data\\nUser: COMPANY\\\\asmithee\",\n \"event_ingest_logstash\": \"2023-10-17T14:01:18.423152Z\",\n \"fields.gdp-logstash\": \"6\",\n \"event\": {\n \"created\": \"2023-10-17T14:01:17.717Z\",\n \"kind\": \"event\",\n \"category\": [\n 
\"configuration\",\n \"registry\"\n ],\n \"provider\": \"Microsoft-Windows-Sysmon\",\n \"action\": \"Registry value set (rule: RegistryEvent)\",\n \"module\": \"sysmon\",\n \"code\": \"13\",\n \"type\": [\n \"change\"\n ]\n },\n \"process\": {\n \"name\": \"Teams.exe\",\n \"pid\": 17772,\n \"entity_id\": \"{abcdef01-2345-6789-abcd-000000000000}\",\n \"executable\": \"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\"\n },\n \"@version\": \"1\",\n \"log\": {\n \"level\": \"information\"\n },\n \"rule\": {\n \"name\": \"technique_id=T1543,technique_name=Service Creation\"\n },\n \"ecs\": {\n \"version\": \"1.12.0\"\n },\n \"@timestamp\": \"2023-10-17T14:01:17.244Z\",\n \"fields\": {\n \"gdp-version-sysmon\": 13.33,\n \"gdp-version-winlogbeat\": 2.8,\n \"gdp-indice\": \"l-desk\",\n \"gdp-sousparc\": \"prod\",\n \"gdp-version\": \"1.16\",\n \"gdp-config\": \"desktop\",\n \"gdp-parc\": \"defaut\"\n },\n \"host\": {\n \"name\": \"PC01234567.company.com\",\n \"mac\": [\n \"00:11:22:33:44:55\",\n \"aa:bb:cc:dd:ee:ff\",\n \"a0:b1:c2:d3:e4:f5\",\n \"66:77:88:99:00:11\",\n \"01:23:45:67:89:ab\",\n \"ab:cd:ef:01:23:45\"\n ],\n \"os\": {\n \"name\": \"Windows 10 Enterprise\",\n \"platform\": \"windows\",\n \"version\": \"10.0\",\n \"kernel\": \"10.0.19041.3570 (WinBuild.160101.0800)\",\n \"build\": \"19044.3570\",\n \"type\": \"windows\",\n \"family\": \"windows\"\n },\n \"id\": \"a0b1c2d3-0123-abcd-0a1b-abcd0123ef45\",\n \"hostname\": \"PC01234567\",\n \"architecture\": \"x86_64\",\n \"ip\": [\n \"a123::b234:c345:d456:e567\",\n \"8.8.8.8\",\n \"abcd::ef01:2345:6789:abcd\",\n \"1.2.3.4\",\n \"a0b1::c2d3:e4f5:0123:abcd\",\n \"10.20.30.40\",\n \"aabb::ccdd:eeff:0011:2233\",\n \"0.0.0.0\",\n \"1122::3344:5566:7788:9900\",\n \"5.6.7.8\",\n \"0011::2233:4455:6677:8899\",\n \"40.30.20.10\"\n ]\n },\n \"registry\": {\n \"key\": 
\"System\\\\CurrentControlSet\\\\Services\\\\bam\\\\State\\\\UserSettings\\\\S-1-2-3-4-012345678-123456789-876543210-12345\\\\\\\\Device\\\\HarddiskVolume3\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\",\n \"path\": \"target\\\\System\\\\CurrentControlSet\\\\Services\\\\bam\\\\State\\\\UserSettings\\\\S-1-2-3-4-012345678-123456789-876543210-12345\\\\\\\\Device\\\\HarddiskVolume3\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\",\n \"hive\": \"target\",\n \"value\": \"Teams.exe\"\n },\n \"tags\": [\n \"beats_input_codec_plain_applied\"\n ],\n \"agent\": {\n \"id\": \"001234567-abcd-ef01-2345-6789abcdef01\",\n \"name\": \"WB-DK-PC01234567\",\n \"version\": \"7.17.1\",\n \"ephemeral_id\": \"a0b1c2d3-0123-4567-abcd-e4f5a6b7c8d9\",\n \"hostname\": \"PC01234567\",\n \"type\": \"winlogbeat\"\n }\n}", + "message": "{\n \"winlog\": {\n \"event_data\": {\n \"TargetObject\": \"target\\\\System\\\\CurrentControlSet\\\\Services\\\\bam\\\\State\\\\UserSettings\\\\S-1-2-3-4-012345678-123456789-876543210-12345\\\\\\\\Device\\\\HarddiskVolume3\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\",\n \"Details\": \"Binary Data\",\n \"User\": \"COMPANY\\\\asmithee\",\n \"EventType\": \"SetValue\"\n },\n \"task\": \"Registry value set (rule: RegistryEvent)\",\n \"channel\": \"Microsoft-Windows-Sysmon/Operational\",\n \"api\": \"wineventlog\",\n \"user\": {\n \"name\": \"Syst\u00e8me\",\n \"identifier\": \"S-1-2-3\",\n \"type\": \"User\",\n \"domain\": \"DOMAIN\"\n },\n \"event_id\": \"13\",\n \"process\": {\n \"thread\": {\n \"id\": 7248\n },\n \"pid\": 5624\n },\n \"provider_guid\": \"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\n \"version\": 2,\n \"computer_name\": \"PC01234567.company.com\",\n \"record_id\": 67193809,\n \"provider_name\": \"Microsoft-Windows-Sysmon\",\n \"opcode\": \"Informations\"\n },\n \"message\": \"Registry value set:\\nRuleName: 
technique_id=T1543,technique_name=Service Creation\\nEventType: SetValue\\nUtcTime: 2023-10-17 14:01:17.244\\nProcessGuid: {abcdef01-2345-6789-abcd-000000000000}\\nProcessId: 17772\\nImage: C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\\nTargetObject: target\\\\System\\\\CurrentControlSet\\\\Services\\\\bam\\\\State\\\\UserSettings\\\\S-1-2-3-4-012345678-123456789-876543210-12345\\\\\\\\Device\\\\HarddiskVolume3\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\\nDetails: Binary Data\\nUser: COMPANY\\\\asmithee\",\n \"event_ingest_logstash\": \"2023-10-17T14:01:18.423152Z\",\n \"fields.gdp-logstash\": \"6\",\n \"event\": {\n \"created\": \"2023-10-17T14:01:17.717Z\",\n \"kind\": \"event\",\n \"category\": [\n \"configuration\",\n \"registry\"\n ],\n \"provider\": \"Microsoft-Windows-Sysmon\",\n \"action\": \"Registry value set (rule: RegistryEvent)\",\n \"module\": \"sysmon\",\n \"code\": \"13\",\n \"type\": [\n \"change\"\n ]\n },\n \"process\": {\n \"name\": \"Teams.exe\",\n \"pid\": 17772,\n \"entity_id\": \"{abcdef01-2345-6789-abcd-000000000000}\",\n \"executable\": \"C:\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\"\n },\n \"@version\": \"1\",\n \"log\": {\n \"level\": \"information\"\n },\n \"rule\": {\n \"name\": \"technique_id=T1543,technique_name=Service Creation\"\n },\n \"ecs\": {\n \"version\": \"1.12.0\"\n },\n \"@timestamp\": \"2023-10-17T14:01:17.244Z\",\n \"fields\": {\n \"gdp-version-sysmon\": 13.33,\n \"gdp-version-winlogbeat\": 2.8,\n \"gdp-indice\": \"l-desk\",\n \"gdp-sousparc\": \"prod\",\n \"gdp-version\": \"1.16\",\n \"gdp-config\": \"desktop\",\n \"gdp-parc\": \"defaut\"\n },\n \"host\": {\n \"name\": \"PC01234567.company.com\",\n \"mac\": [\n \"00:11:22:33:44:55\",\n \"aa:bb:cc:dd:ee:ff\",\n \"a0:b1:c2:d3:e4:f5\",\n \"66:77:88:99:00:11\",\n \"01:23:45:67:89:ab\",\n \"ab:cd:ef:01:23:45\"\n ],\n \"os\": {\n \"name\": 
\"Windows 10 Enterprise\",\n \"platform\": \"windows\",\n \"version\": \"10.0\",\n \"kernel\": \"10.0.19041.3570 (WinBuild.160101.0800)\",\n \"build\": \"19044.3570\",\n \"type\": \"windows\",\n \"family\": \"windows\"\n },\n \"id\": \"a0b1c2d3-0123-abcd-0a1b-abcd0123ef45\",\n \"hostname\": \"PC01234567\",\n \"architecture\": \"x86_64\",\n \"ip\": [\n \"a123::b234:c345:d456:e567\",\n \"8.8.8.8\",\n \"abcd::ef01:2345:6789:abcd\",\n \"1.2.3.4\",\n \"a0b1::c2d3:e4f5:0123:abcd\",\n \"10.20.30.40\",\n \"aabb::ccdd:eeff:0011:2233\",\n \"0.0.0.0\",\n \"1122::3344:5566:7788:9900\",\n \"5.6.7.8\",\n \"0011::2233:4455:6677:8899\",\n \"40.30.20.10\"\n ]\n },\n \"registry\": {\n \"key\": \"System\\\\CurrentControlSet\\\\Services\\\\bam\\\\State\\\\UserSettings\\\\S-1-2-3-4-012345678-123456789-876543210-12345\\\\\\\\Device\\\\HarddiskVolume3\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\",\n \"path\": \"target\\\\System\\\\CurrentControlSet\\\\Services\\\\bam\\\\State\\\\UserSettings\\\\S-1-2-3-4-012345678-123456789-876543210-12345\\\\\\\\Device\\\\HarddiskVolume3\\\\Users\\\\asmithee\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\",\n \"hive\": \"target\",\n \"value\": \"Teams.exe\"\n },\n \"tags\": [\n \"beats_input_codec_plain_applied\"\n ],\n \"agent\": {\n \"id\": \"001234567-abcd-ef01-2345-6789abcdef01\",\n \"name\": \"WB-DK-PC01234567\",\n \"version\": \"7.17.1\",\n \"ephemeral_id\": \"a0b1c2d3-0123-4567-abcd-e4f5a6b7c8d9\",\n \"hostname\": \"PC01234567\",\n \"type\": \"winlogbeat\"\n }\n}", "event": { "action": "Registry value set (rule: RegistryEvent)", "category": [ 
@@ -847,8 +848,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "a123::b234:c345:d456:e567", "aabb::ccdd:eeff:11:2233", "abcd::ef01:2345:6789:abcd" + ], + "user": [ + "asmithee" ] }, + "user": { + "domain": "COMPANY", + "id": "S-1-2-3", + "name": "asmithee" + }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", @@ -861,7 +870,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "id": 7248 } }, - "provider_guid": "{a0b1c2d3-1234-abcd-e4f5-0123456789ab}", + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "67193809", "task": "Registry value set (rule: RegistryEvent)", 
@@ -883,7 +892,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ```json { - "message": "{\n \"winlog\": {\n \"event_data\": {\n \"Details\": \"WORD (0x00000000-0x12345678)\",\n \"TargetObject\": \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Advanced Threat Protection\\\\TelLib\\\\LastSuccessfulUploadTime\",\n \"User\": \"DOMAIN\\\\Syst\u00e8me\",\n \"EventType\": \"SetValue\"\n },\n \"task\": \"Registry value set (rule: RegistryEvent)\",\n \"channel\": \"Microsoft-Windows-Sysmon/Operational\",\n \"api\": \"wineventlog\",\n \"user\": {\n \"name\": \"Syst\u00e8me\",\n \"identifier\": \"S-1-2-3\",\n \"type\": \"User\",\n \"domain\": \"DOMAIN\"\n },\n \"provider_guid\": \"{a0b1c2d3-1234-abcd-e4f5-0123456789ab}\",\n \"process\": {\n \"thread\": {\n \"id\": 7248\n },\n \"pid\": 5624\n },\n \"event_id\": \"13\",\n \"version\": 2,\n \"computer_name\": \"PC01234567.company.com\",\n \"record_id\": 67193778,\n \"opcode\": \"Informations\",\n \"provider_name\": \"Microsoft-Windows-Sysmon\"\n },\n \"message\": \"Registry value set:\\nRuleName: technique_id=T1089,technique_name=Disabling Security Tools\\nEventType: SetValue\\nUtcTime: 2023-10-17 14:00:56.524\\nProcessGuid: {abcdef01-2345-6789-abcd-000000000000}\\nProcessId: 5500\\nImage: C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\MsSense.exe\\nTargetObject: HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Advanced Threat Protection\\\\TelLib\\\\LastSuccessfulUploadTime\\nDetails: WORD (0x00000000-0x12345678)\\nUser: DOMAIN\\\\Syst\u00e8me\",\n \"event_ingest_logstash\": \"2023-10-17T14:00:59.207219Z\",\n \"fields.gdp-logstash\": \"6\",\n \"event\": {\n \"provider\": \"Microsoft-Windows-Sysmon\",\n \"created\": \"2023-10-17T14:00:58.520Z\",\n \"category\": [\n \"configuration\",\n \"registry\"\n ],\n \"kind\": \"event\",\n \"action\": \"Registry value set (rule: RegistryEvent)\",\n \"module\": \"sysmon\",\n \"code\": \"13\",\n \"type\": [\n \"change\"\n ]\n },\n \"process\": {\n 
\"name\": \"MsSense.exe\",\n \"pid\": 5500,\n \"entity_id\": \"{abcdef01-2345-6789-abcd-000000000000}\",\n \"executable\": \"C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\MsSense.exe\"\n },\n \"@version\": \"1\",\n \"log\": {\n \"level\": \"information\"\n },\n \"rule\": {\n \"name\": \"technique_id=T1089,technique_name=Disabling Security Tools\"\n },\n \"ecs\": {\n \"version\": \"1.12.0\"\n },\n \"@timestamp\": \"2023-10-17T14:00:56.524Z\",\n \"fields\": {\n \"gdp-parc\": \"defaut\",\n \"gdp-version-winlogbeat\": 2.8,\n \"gdp-indice\": \"l-desk\",\n \"gdp-sousparc\": \"prod\",\n \"gdp-config\": \"desktop\",\n \"gdp-version\": \"1.16\",\n \"gdp-version-sysmon\": 13.33\n },\n \"host\": {\n \"os\": {\n \"platform\": \"windows\",\n \"name\": \"Windows 10 Enterprise\",\n \"version\": \"10.0\",\n \"kernel\": \"10.0.19041.3570 (WinBuild.160101.0800)\",\n \"build\": \"19044.3570\",\n \"type\": \"windows\",\n \"family\": \"windows\"\n },\n \"name\": \"PC01234567.company.com\",\n \"id\": \"a0b1c2d3-0123-abcd-0a1b-abcd0123ef45\",\n \"mac\": [\n \"00:11:22:33:44:55\",\n \"aa:bb:cc:dd:ee:ff\",\n \"a0:b1:c2:d3:e4:f5\",\n \"66:77:88:99:00:11\",\n \"01:23:45:67:89:ab\",\n \"ab:cd:ef:01:23:45\"\n ],\n \"hostname\": \"PC01234567\",\n \"architecture\": \"x86_64\",\n \"ip\": [\n \"a123::b234:c345:d456:e567\",\n \"8.8.8.8\",\n \"abcd::ef01:2345:6789:abcd\",\n \"1.2.3.4\",\n \"a0b1::c2d3:e4f5:0123:abcd\",\n \"10.20.30.40\",\n \"aabb::ccdd:eeff:0011:2233\",\n \"0.0.0.0\",\n \"1122::3344:5566:7788:9900\",\n \"5.6.7.8\",\n \"0011::2233:4455:6677:8899\",\n \"40.30.20.10\"\n ]\n },\n \"registry\": {\n \"key\": \"SOFTWARE\\\\Microsoft\\\\Windows Advanced Threat Protection\\\\TelLib\\\\LastSuccessfulUploadTime\",\n \"path\": \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Advanced Threat Protection\\\\TelLib\\\\LastSuccessfulUploadTime\",\n \"hive\": \"HKLM\",\n \"value\": \"LastSuccessfulUploadTime\"\n },\n \"tags\": [\n \"beats_input_codec_plain_applied\"\n ],\n 
\"agent\": {\n \"id\": \"001234567-abcd-ef01-2345-6789abcdef01\",\n \"name\": \"WB-DK-PC01234567\",\n \"version\": \"7.17.1\",\n \"ephemeral_id\": \"a0b1c2d3-0123-4567-abcd-e4f5a6b7c8d9\",\n \"hostname\": \"PC01234567\",\n \"type\": \"winlogbeat\"\n }\n}", + "message": "{\n \"winlog\": {\n \"event_data\": {\n \"Details\": \"WORD (0x00000000-0x12345678)\",\n \"TargetObject\": \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Advanced Threat Protection\\\\TelLib\\\\LastSuccessfulUploadTime\",\n \"User\": \"DOMAIN\\\\Syst\u00e8me\",\n \"EventType\": \"SetValue\"\n },\n \"task\": \"Registry value set (rule: RegistryEvent)\",\n \"channel\": \"Microsoft-Windows-Sysmon/Operational\",\n \"api\": \"wineventlog\",\n \"user\": {\n \"name\": \"Syst\u00e8me\",\n \"identifier\": \"S-1-2-3\",\n \"type\": \"User\",\n \"domain\": \"DOMAIN\"\n },\n \"provider_guid\": \"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\n \"process\": {\n \"thread\": {\n \"id\": 7248\n },\n \"pid\": 5624\n },\n \"event_id\": \"13\",\n \"version\": 2,\n \"computer_name\": \"PC01234567.company.com\",\n \"record_id\": 67193778,\n \"opcode\": \"Informations\",\n \"provider_name\": \"Microsoft-Windows-Sysmon\"\n },\n \"message\": \"Registry value set:\\nRuleName: technique_id=T1089,technique_name=Disabling Security Tools\\nEventType: SetValue\\nUtcTime: 2023-10-17 14:00:56.524\\nProcessGuid: {abcdef01-2345-6789-abcd-000000000000}\\nProcessId: 5500\\nImage: C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\MsSense.exe\\nTargetObject: HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Advanced Threat Protection\\\\TelLib\\\\LastSuccessfulUploadTime\\nDetails: WORD (0x00000000-0x12345678)\\nUser: DOMAIN\\\\Syst\u00e8me\",\n \"event_ingest_logstash\": \"2023-10-17T14:00:59.207219Z\",\n \"fields.gdp-logstash\": \"6\",\n \"event\": {\n \"provider\": \"Microsoft-Windows-Sysmon\",\n \"created\": \"2023-10-17T14:00:58.520Z\",\n \"category\": [\n \"configuration\",\n \"registry\"\n ],\n \"kind\": \"event\",\n \"action\": 
\"Registry value set (rule: RegistryEvent)\",\n \"module\": \"sysmon\",\n \"code\": \"13\",\n \"type\": [\n \"change\"\n ]\n },\n \"process\": {\n \"name\": \"MsSense.exe\",\n \"pid\": 5500,\n \"entity_id\": \"{abcdef01-2345-6789-abcd-000000000000}\",\n \"executable\": \"C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\MsSense.exe\"\n },\n \"@version\": \"1\",\n \"log\": {\n \"level\": \"information\"\n },\n \"rule\": {\n \"name\": \"technique_id=T1089,technique_name=Disabling Security Tools\"\n },\n \"ecs\": {\n \"version\": \"1.12.0\"\n },\n \"@timestamp\": \"2023-10-17T14:00:56.524Z\",\n \"fields\": {\n \"gdp-parc\": \"defaut\",\n \"gdp-version-winlogbeat\": 2.8,\n \"gdp-indice\": \"l-desk\",\n \"gdp-sousparc\": \"prod\",\n \"gdp-config\": \"desktop\",\n \"gdp-version\": \"1.16\",\n \"gdp-version-sysmon\": 13.33\n },\n \"host\": {\n \"os\": {\n \"platform\": \"windows\",\n \"name\": \"Windows 10 Enterprise\",\n \"version\": \"10.0\",\n \"kernel\": \"10.0.19041.3570 (WinBuild.160101.0800)\",\n \"build\": \"19044.3570\",\n \"type\": \"windows\",\n \"family\": \"windows\"\n },\n \"name\": \"PC01234567.company.com\",\n \"id\": \"a0b1c2d3-0123-abcd-0a1b-abcd0123ef45\",\n \"mac\": [\n \"00:11:22:33:44:55\",\n \"aa:bb:cc:dd:ee:ff\",\n \"a0:b1:c2:d3:e4:f5\",\n \"66:77:88:99:00:11\",\n \"01:23:45:67:89:ab\",\n \"ab:cd:ef:01:23:45\"\n ],\n \"hostname\": \"PC01234567\",\n \"architecture\": \"x86_64\",\n \"ip\": [\n \"a123::b234:c345:d456:e567\",\n \"8.8.8.8\",\n \"abcd::ef01:2345:6789:abcd\",\n \"1.2.3.4\",\n \"a0b1::c2d3:e4f5:0123:abcd\",\n \"10.20.30.40\",\n \"aabb::ccdd:eeff:0011:2233\",\n \"0.0.0.0\",\n \"1122::3344:5566:7788:9900\",\n \"5.6.7.8\",\n \"0011::2233:4455:6677:8899\",\n \"40.30.20.10\"\n ]\n },\n \"registry\": {\n \"key\": \"SOFTWARE\\\\Microsoft\\\\Windows Advanced Threat Protection\\\\TelLib\\\\LastSuccessfulUploadTime\",\n \"path\": \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Advanced Threat 
Protection\\\\TelLib\\\\LastSuccessfulUploadTime\",\n \"hive\": \"HKLM\",\n \"value\": \"LastSuccessfulUploadTime\"\n },\n \"tags\": [\n \"beats_input_codec_plain_applied\"\n ],\n \"agent\": {\n \"id\": \"001234567-abcd-ef01-2345-6789abcdef01\",\n \"name\": \"WB-DK-PC01234567\",\n \"version\": \"7.17.1\",\n \"ephemeral_id\": \"a0b1c2d3-0123-4567-abcd-e4f5a6b7c8d9\",\n \"hostname\": \"PC01234567\",\n \"type\": \"winlogbeat\"\n }\n}", "event": { "action": "Registry value set (rule: RegistryEvent)", "category": [ @@ -992,8 +1001,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "a123::b234:c345:d456:e567", "aabb::ccdd:eeff:11:2233", "abcd::ef01:2345:6789:abcd" + ], + "user": [ + "Syst\u00e8me" ] }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "Syst\u00e8me" + }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", @@ -1006,7 +1023,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "id": 7248 } }, - "provider_guid": "{a0b1c2d3-1234-abcd-e4f5-0123456789ab}", + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "67193778", "task": "Registry value set (rule: RegistryEvent)", 
@@ -1023,6 +1040,1092 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "sysmon09_1.json" + + ```json + + { + "message": "{\n \"@timestamp\": \"2019-03-18T16:57:37.933Z\",\n \"ecs\": {\n \"version\": \"1.12.0\"\n },\n \"event\": {\n \"category\": [\n \"configuration\"\n ],\n \"code\": \"16\",\n \"kind\": \"event\",\n \"module\": \"sysmon\",\n \"provider\": \"Microsoft-Windows-Sysmon\",\n \"type\": [\n \"change\"\n ]\n },\n \"host\": {\n \"name\": \"vagrant-2012-r2\"\n },\n \"log\": {\n \"level\": \"information\"\n },\n \"user\": {\n \"id\": \"S-1-5-21-3541430928-2051711210-1391384369-1001\"\n },\n \"winlog\": {\n \"api\": \"wineventlog\",\n \"channel\": \"Microsoft-Windows-Sysmon/Operational\",\n \"computer_name\": \"vagrant-2012-r2\",\n \"event_data\": {\n \"Configuration\": \"C:\\\\Users\\\\vagrant\\\\Downloads\\\\\\\"C:\\\\Users\\\\vagrant\\\\Downloads\\\\Sysmon.exe\\\" -i -n\"\n },\n \"event_id\": \"16\",\n \"opcode\": \"Info\",\n \"process\": {\n \"pid\": 4616,\n \"thread\": {\n \"id\": 4724\n }\n },\n \"provider_guid\": \"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\n \"provider_name\": \"Microsoft-Windows-Sysmon\",\n \"record_id\": \"1\",\n \"user\": {\n \"identifier\": \"S-1-5-21-3541430928-2051711210-1391384369-1001\"\n },\n \"version\": 3\n }\n }", + "event": { + "category": [ + "configuration" + ], + "code": "16", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "change" + ] + }, + "@timestamp": "2019-03-18T16:57:37.933000Z", + "action": { + "id": 16, + "properties": { + "Configuration": "C:\\Users\\vagrant\\Downloads\\\"C:\\Users\\vagrant\\Downloads\\Sysmon.exe\" -i -n" + } + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "user": { + "id": "S-1-5-21-3541430928-2051711210-1391384369-1001" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + 
"event_id": "16", + "opcode": "Info", + "process": { + "pid": 4616, + "thread": { + "id": 4724 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "1", + "user": { + "identifier": "S-1-5-21-3541430928-2051711210-1391384369-1001" + }, + "version": 3 + } + } + + ``` + + +=== "sysmon09_2.json" + + ```json + + { + "message": "{\n \"@timestamp\": \"2019-03-18T16:57:37.949Z\",\n \"ecs\": {\n \"version\": \"1.12.0\"\n },\n \"event\": {\n \"category\": [\n \"process\"\n ],\n \"code\": \"1\",\n \"kind\": \"event\",\n \"module\": \"sysmon\",\n \"provider\": \"Microsoft-Windows-Sysmon\",\n \"type\": [\n \"start\"\n ]\n },\n \"host\": {\n \"name\": \"vagrant-2012-r2\"\n },\n \"log\": {\n \"level\": \"information\"\n },\n \"process\": {\n \"args\": [\n \"C:\\\\Windows\\\\Sysmon.exe\"\n ],\n \"args_count\": 1,\n \"command_line\": \"C:\\\\Windows\\\\Sysmon.exe\",\n \"entity_id\": \"{42f11c3b-ce01-5c8f-0000-0010c73e2a00}\",\n \"executable\": \"C:\\\\Windows\\\\Sysmon.exe\",\n \"hash\": {\n \"sha1\": \"ac93c3b38e57a2715572933dbcb2a1c2892dbc5e\"\n },\n \"name\": \"Sysmon.exe\",\n \"parent\": {\n \"args\": [\n \"C:\\\\Windows\\\\system32\\\\services.exe\"\n ],\n \"args_count\": 1,\n \"command_line\": \"C:\\\\Windows\\\\system32\\\\services.exe\",\n \"entity_id\": \"{42f11c3b-6e1a-5c8c-0000-0010f14d0000}\",\n \"executable\": \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"name\": \"services.exe\",\n \"pid\": 488\n },\n \"pe\": {\n \"company\": \"Sysinternals - www.sysinternals.com\",\n \"description\": \"System activity monitor\",\n \"file_version\": \"9.01\",\n \"product\": \"Sysinternals Sysmon\"\n },\n \"pid\": 4860,\n \"working_directory\": \"C:\\\\Windows\\\\system32\\\\\"\n },\n \"related\": {\n \"hash\": [\n \"ac93c3b38e57a2715572933dbcb2a1c2892dbc5e\"\n ],\n \"user\": [\n \"SYSTEM\"\n ]\n },\n \"user\": {\n \"domain\": \"NT AUTHORITY\",\n \"id\": \"S-1-5-18\",\n \"name\": \"SYSTEM\"\n },\n 
\"winlog\": {\n \"api\": \"wineventlog\",\n \"channel\": \"Microsoft-Windows-Sysmon/Operational\",\n \"computer_name\": \"vagrant-2012-r2\",\n \"event_data\": {\n \"Company\": \"Sysinternals - www.sysinternals.com\",\n \"Description\": \"System activity monitor\",\n \"FileVersion\": \"9.01\",\n \"IntegrityLevel\": \"System\",\n \"LogonGuid\": \"{42f11c3b-6e1a-5c8c-0000-0020e7030000}\",\n \"LogonId\": \"0x3e7\",\n \"Product\": \"Sysinternals Sysmon\",\n \"TerminalSessionId\": \"0\"\n },\n \"event_id\": \"1\",\n \"opcode\": \"Info\",\n \"process\": {\n \"pid\": 4860,\n \"thread\": {\n \"id\": 4516\n }\n },\n \"provider_guid\": \"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\n \"provider_name\": \"Microsoft-Windows-Sysmon\",\n \"record_id\": \"3\",\n \"user\": {\n \"domain\": \"NT AUTHORITY\",\n \"identifier\": \"S-1-5-18\",\n \"name\": \"SYSTEM\",\n \"type\": \"Well Known Group\"\n },\n \"version\": 5\n }\n }", + "event": { + "category": [ + "process" + ], + "code": "1", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start" + ] + }, + "@timestamp": "2019-03-18T16:57:37.949000Z", + "action": { + "id": 1, + "properties": { + "Company": "Sysinternals - www.sysinternals.com", + "Description": "System activity monitor", + "FileVersion": "9.01", + "IntegrityLevel": "System", + "LogonGuid": "{42f11c3b-6e1a-5c8c-0000-0020e7030000}", + "LogonId": "0x3e7", + "Product": "Sysinternals Sysmon", + "TerminalSessionId": "0" + } + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "process": { + "args": [ + "C:\\Windows\\Sysmon.exe" + ], + "args_count": 1, + "command_line": "C:\\Windows\\Sysmon.exe", + "entity_id": "{42f11c3b-ce01-5c8f-0000-0010c73e2a00}", + "executable": "C:\\Windows\\Sysmon.exe", + "hash": { + "sha1": "ac93c3b38e57a2715572933dbcb2a1c2892dbc5e" + }, + "name": "Sysmon.exe", + "parent": { + "args": [ + "C:\\Windows\\system32\\services.exe" + ], + "args_count": 1, + "command_line": 
"C:\\Windows\\system32\\services.exe", + "entity_id": "{42f11c3b-6e1a-5c8c-0000-0010f14d0000}", + "executable": "C:\\Windows\\System32\\services.exe", + "name": "services.exe", + "pid": 488 + }, + "pe": { + "company": "Sysinternals - www.sysinternals.com", + "description": "System activity monitor", + "file_version": "9.01", + "product": "Sysinternals Sysmon" + }, + "pid": 4860, + "working_directory": "C:\\Windows\\system32\\" + }, + "related": { + "hash": [ + "ac93c3b38e57a2715572933dbcb2a1c2892dbc5e" + ], + "user": [ + "SYSTEM" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "1", + "opcode": "Info", + "process": { + "pid": 4860, + "thread": { + "id": 4516 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "3", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + } + + ``` + + +=== "sysmon10_1.json" + + ```json + + { + "message": " {\n \"@timestamp\": \"2019-07-18T03:34:01.239Z\",\n \"dns\": {\n \"answers\": [\n {\n \"data\": \"go.microsoft.com.edgekey.net\",\n \"type\": \"CNAME\"\n },\n {\n \"data\": \"e11290.dspg.akamaiedge.net\",\n \"type\": \"CNAME\"\n },\n {\n \"data\": \"23.223.14.67\",\n \"type\": \"A\"\n }\n ],\n \"question\": {\n \"name\": \"go.microsoft.com\",\n \"registered_domain\": \"microsoft.com\",\n \"subdomain\": \"go\",\n \"top_level_domain\": \"com\"\n },\n \"resolved_ip\": [\n \"23.223.14.67\"\n ]\n },\n \"ecs\": {\n \"version\": \"1.12.0\"\n },\n \"event\": {\n \"category\": [\n \"network\"\n ],\n \"code\": \"22\",\n \"kind\": \"event\",\n \"module\": \"sysmon\",\n \"provider\": \"Microsoft-Windows-Sysmon\",\n \"type\": [\n \"connection\",\n \"protocol\",\n \"info\"\n ]\n },\n \"host\": {\n 
\"name\": \"vagrant-2016\"\n },\n \"log\": {\n \"level\": \"information\"\n },\n \"network\": {\n \"protocol\": \"dns\"\n },\n \"process\": {\n \"entity_id\": \"{fa4a0de6-e8a8-5d2f-0000-001094619900}\",\n \"executable\": \"C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"name\": \"iexplore.exe\",\n \"pid\": 356\n },\n \"related\": {\n \"hosts\": [\n \"go.microsoft.com.edgekey.net\",\n \"e11290.dspg.akamaiedge.net\",\n \"go.microsoft.com\"\n ],\n \"ip\": [\n \"23.223.14.67\"\n ]\n },\n \"sysmon\": {\n \"dns\": {\n \"status\": \"SUCCESS\"\n }\n },\n \"user\": {\n \"id\": \"S-1-5-18\"\n },\n \"winlog\": {\n \"api\": \"wineventlog\",\n \"channel\": \"Microsoft-Windows-Sysmon/Operational\",\n \"computer_name\": \"vagrant-2016\",\n \"event_id\": \"22\",\n \"opcode\": \"Info\",\n \"process\": {\n \"pid\": 2828,\n \"thread\": {\n \"id\": 1684\n }\n },\n \"provider_guid\": \"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\n \"provider_name\": \"Microsoft-Windows-Sysmon\",\n \"record_id\": \"66\",\n \"user\": {\n \"domain\": \"NT AUTHORITY\",\n \"identifier\": \"S-1-5-18\",\n \"name\": \"SYSTEM\",\n \"type\": \"Well Known Group\"\n },\n \"version\": 5\n }\n }", + "event": { + "category": [ + "network" + ], + "code": "22", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "info", + "protocol" + ] + }, + "@timestamp": "2019-07-18T03:34:01.239000Z", + "action": { + "id": 22 + }, + "dns": { + "answers": [ + { + "data": "go.microsoft.com.edgekey.net", + "type": "CNAME" + }, + { + "data": "e11290.dspg.akamaiedge.net", + "type": "CNAME" + }, + { + "data": "23.223.14.67", + "type": "A" + } + ], + "question": { + "name": "go.microsoft.com", + "registered_domain": "microsoft.com", + "subdomain": "go", + "top_level_domain": "com" + }, + "resolved_ip": [ + "23.223.14.67" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { 
+ "entity_id": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", + "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 356 + }, + "related": { + "hosts": [ + "go.microsoft.com" + ], + "ip": [ + "23.223.14.67" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "66", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + } + + ``` + + +=== "sysmon10_2.json" + + ```json + + { + "message": "{\n \"@timestamp\": \"2019-07-18T03:34:02.0252842Z\",\n \"event\": {\n \"code\": \"22\",\n \"kind\": \"event\",\n \"module\": \"sysmon\",\n \"provider\": \"Microsoft-Windows-Sysmon\"\n },\n \"host\": {\n \"name\": \"vagrant-2016\"\n },\n \"log\": {\n \"level\": \"information\"\n },\n \"winlog\": {\n \"api\": \"wineventlog\",\n \"channel\": \"Microsoft-Windows-Sysmon/Operational\",\n \"computer_name\": \"vagrant-2016\",\n \"event_data\": {\n \"Image\": \"C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\",\n \"ProcessGuid\": \"{fa4a0de6-e8a9-5d2f-0000-001053699900}\",\n \"ProcessId\": \"2736\",\n \"QueryName\": \"linkmaker.itunes.apple.com\",\n \"QueryResults\": \"type: 5 linkmaker.itunes.apple.com.edgekey.net;type: 5 e4541.dsce9.akamaiedge.net;::ffff:23.64.104.249;\",\n \"QueryStatus\": \"0\",\n \"UtcTime\": \"2019-07-18 03:34:01.494\"\n },\n \"event_id\": \"22\",\n \"opcode\": \"Info\",\n \"process\": {\n \"pid\": 2828,\n \"thread\": {\n \"id\": 1684\n }\n },\n \"provider_guid\": \"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\n \"provider_name\": 
\"Microsoft-Windows-Sysmon\",\n \"record_id\": 70,\n \"user\": {\n \"domain\": \"NT AUTHORITY\",\n \"identifier\": \"S-1-5-18\",\n \"name\": \"SYSTEM\",\n \"type\": \"Well Known Group\"\n },\n \"version\": 5\n }\n }", + "event": { + "code": "22", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon" + }, + "@timestamp": "2019-07-18T03:34:02.025284Z", + "action": { + "id": 22, + "properties": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "linkmaker.itunes.apple.com", + "QueryResults": "type: 5 linkmaker.itunes.apple.com.edgekey.net;type: 5 e4541.dsce9.akamaiedge.net;::ffff:23.64.104.249;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:01.494" + } + }, + "dns": { + "answers": [ + { + "data": "linkmaker.itunes.apple.com.edgekey.net", + "type": "CNAME" + }, + { + "data": "e4541.dsce9.akamaiedge.net", + "type": "CNAME" + }, + { + "data": "23.64.104.249", + "type": "AAAA" + } + ], + "question": { + "name": "linkmaker.itunes.apple.com", + "registered_domain": "apple.com", + "subdomain": "linkmaker.itunes", + "top_level_domain": "com" + }, + "resolved_ip": [ + "23.64.104.249" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "linkmaker.itunes.apple.com" + ], + "ip": [ + "23.64.104.249" + ] + }, + "sysmon": { + "dns": { + "status": "0" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + 
"provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "70", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + } + + ``` + + +=== "sysmon11_file_deleted.json" + + ```json + + { + "message": "{\n \"@timestamp\": \"2019-07-18T03:34:02.0252842Z\",\n \"event\": {\n \"code\": \"22\",\n \"kind\": \"event\",\n \"module\": \"sysmon\",\n \"provider\": \"Microsoft-Windows-Sysmon\"\n },\n \"host\": {\n \"name\": \"vagrant-2016\"\n },\n \"log\": {\n \"level\": \"information\"\n },\n \"winlog\": {\n \"api\": \"wineventlog\",\n \"channel\": \"Microsoft-Windows-Sysmon/Operational\",\n \"computer_name\": \"vagrant-2016\",\n \"event_data\": {\n \"Image\": \"C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\",\n \"ProcessGuid\": \"{fa4a0de6-e8a9-5d2f-0000-001053699900}\",\n \"ProcessId\": \"2736\",\n \"QueryName\": \"linkmaker.itunes.apple.com\",\n \"QueryResults\": \"type: 5 linkmaker.itunes.apple.com.edgekey.net;type: 5 e4541.dsce9.akamaiedge.net;::ffff:23.64.104.249;\",\n \"QueryStatus\": \"0\",\n \"UtcTime\": \"2019-07-18 03:34:01.494\"\n },\n \"event_id\": \"22\",\n \"opcode\": \"Info\",\n \"process\": {\n \"pid\": 2828,\n \"thread\": {\n \"id\": 1684\n }\n },\n \"provider_guid\": \"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\n \"provider_name\": \"Microsoft-Windows-Sysmon\",\n \"record_id\": 70,\n \"user\": {\n \"domain\": \"NT AUTHORITY\",\n \"identifier\": \"S-1-5-18\",\n \"name\": \"SYSTEM\",\n \"type\": \"Well Known Group\"\n },\n \"version\": 5\n }\n }", + "event": { + "code": "22", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon" + }, + "@timestamp": "2019-07-18T03:34:02.025284Z", + "action": { + "id": 22, + "properties": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": 
"2736", + "QueryName": "linkmaker.itunes.apple.com", + "QueryResults": "type: 5 linkmaker.itunes.apple.com.edgekey.net;type: 5 e4541.dsce9.akamaiedge.net;::ffff:23.64.104.249;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:01.494" + } + }, + "dns": { + "answers": [ + { + "data": "linkmaker.itunes.apple.com.edgekey.net", + "type": "CNAME" + }, + { + "data": "e4541.dsce9.akamaiedge.net", + "type": "CNAME" + }, + { + "data": "23.64.104.249", + "type": "AAAA" + } + ], + "question": { + "name": "linkmaker.itunes.apple.com", + "registered_domain": "apple.com", + "subdomain": "linkmaker.itunes", + "top_level_domain": "com" + }, + "resolved_ip": [ + "23.64.104.249" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "linkmaker.itunes.apple.com" + ], + "ip": [ + "23.64.104.249" + ] + }, + "sysmon": { + "dns": { + "status": "0" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "70", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + } + + ``` + + +=== "sysmon11_registry.json" + + ```json + + { + "message": "{\n \"@timestamp\": \"2020-05-05T14:57:40.589Z\",\n \"ecs\": {\n \"version\": \"1.12.0\"\n },\n \"event\": {\n \"category\": [\n \"configuration\",\n \"registry\"\n ],\n \"code\": \"13\",\n \"kind\": \"event\",\n \"module\": 
\"sysmon\",\n \"provider\": \"Microsoft-Windows-Sysmon\",\n \"type\": [\n \"change\"\n ]\n },\n \"host\": {\n \"name\": \"vagrant\"\n },\n \"log\": {\n \"level\": \"information\"\n },\n \"process\": {\n \"entity_id\": \"{5b522f6e-77ae-5eb1-2c03-000000000800}\",\n \"executable\": \"C:\\\\Windows\\\\regedit.exe\",\n \"name\": \"regedit.exe\",\n \"pid\": 6072\n },\n \"registry\": {\n \"data\": {\n \"strings\": [\n \"4\"\n ],\n \"type\": \"SZ_DWORD\"\n },\n \"hive\": \"HKU\",\n \"key\": \"S-1-5-21-1067164964-2079179834-2367582738-1000\\\\Software\\\\Key 1\",\n \"path\": \"HKU\\\\S-1-5-21-1067164964-2079179834-2367582738-1000\\\\Software\\\\Key 1\",\n \"value\": \"Key 1\"\n },\n \"user\": {\n \"id\": \"S-1-5-18\"\n },\n \"winlog\": {\n \"api\": \"wineventlog\",\n \"channel\": \"Microsoft-Windows-Sysmon/Operational\",\n \"computer_name\": \"vagrant\",\n \"event_data\": {\n \"EventType\": \"SetValue\"\n },\n \"event_id\": \"13\",\n \"opcode\": \"Info\",\n \"process\": {\n \"pid\": 5496,\n \"thread\": {\n \"id\": 876\n }\n },\n \"provider_guid\": \"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\n \"provider_name\": \"Microsoft-Windows-Sysmon\",\n \"record_id\": \"2682\",\n \"user\": {\n \"domain\": \"NT AUTHORITY\",\n \"identifier\": \"S-1-5-18\",\n \"name\": \"SYSTEM\",\n \"type\": \"Well Known Group\"\n },\n \"version\": 2\n }\n }", + "event": { + "category": [ + "configuration", + "registry" + ], + "code": "13", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "change" + ] + }, + "@timestamp": "2020-05-05T14:57:40.589000Z", + "action": { + "id": 13, + "properties": { + "EventType": "SetValue" + } + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{5b522f6e-77ae-5eb1-2c03-000000000800}", + "executable": "C:\\Windows\\regedit.exe", + "name": "regedit.exe", + "pid": 6072 + }, + "registry": { + "data": { + "strings": [ + "4" + ], + "type": "SZ_DWORD" + }, + "hive": 
"HKU", + "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1", + "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1", + "value": "Key 1" + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_id": "13", + "opcode": "Info", + "process": { + "pid": 5496, + "thread": { + "id": 876 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "2682", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 2 + } + } + + ``` + + +=== "sysmon13.json" + + ```json + + { + "message": "{\n \"@timestamp\": \"2021-02-25T14:43:23.550Z\",\n \"ecs\": {\n \"version\": \"1.12.0\"\n },\n \"event\": {\n \"category\": [\n \"process\"\n ],\n \"code\": \"25\",\n \"kind\": \"event\",\n \"module\": \"sysmon\",\n \"provider\": \"Microsoft-Windows-Sysmon\",\n \"type\": [\n \"change\"\n ]\n },\n \"host\": {\n \"name\": \"DESKTOP-I9CQVAQ\"\n },\n \"log\": {\n \"level\": \"information\"\n },\n \"message\": \"Image is replaced\",\n \"process\": {\n \"entity_id\": \"{9497d8d9-b78b-6037-6f13-000000001000}\",\n \"executable\": \"C:\\\\Program Files\\\\Git\\\\mingw64\\\\libexec\\\\git-core\\\\git.exe\",\n \"name\": \"git.exe\",\n \"pid\": 2628\n },\n \"user\": {\n \"id\": \"S-1-5-18\"\n },\n \"winlog\": {\n \"api\": \"wineventlog\",\n \"channel\": \"Microsoft-Windows-Sysmon/Operational\",\n \"computer_name\": \"DESKTOP-I9CQVAQ\",\n \"event_id\": \"25\",\n \"opcode\": \"Info\",\n \"process\": {\n \"pid\": 3800,\n \"thread\": {\n \"id\": 5080\n }\n },\n \"provider_guid\": \"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\n \"provider_name\": \"Microsoft-Windows-Sysmon\",\n \"record_id\": \"10737797\",\n \"user\": {\n \"domain\": \"NT AUTHORITY\",\n \"identifier\": \"S-1-5-18\",\n \"name\": 
\"SYSTEM\",\n \"type\": \"Well Known Group\"\n },\n \"version\": 5\n }\n }", + "event": { + "category": [ + "process" + ], + "code": "25", + "hash": "23477322eb22ba55003ec41147b13c0787f2f4a7", + "kind": "event", + "module": "sysmon", + "original": "Image is replaced", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "change" + ] + }, + "@timestamp": "2021-02-25T14:43:23.550000Z", + "action": { + "id": 25 + }, + "host": { + "name": "DESKTOP-I9CQVAQ" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{9497d8d9-b78b-6037-6f13-000000001000}", + "executable": "C:\\Program Files\\Git\\mingw64\\libexec\\git-core\\git.exe", + "name": "git.exe", + "pid": 2628 + }, + "related": { + "hash": [ + "23477322eb22ba55003ec41147b13c0787f2f4a7" + ] + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "DESKTOP-I9CQVAQ", + "event_id": "25", + "opcode": "Info", + "process": { + "pid": 3800, + "thread": { + "id": 5080 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "10737797", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + } + + ``` + + +=== "sysmon_10_1.json" + + ```json + + { + "message": " {\n \"@timestamp\": \"2019-07-18T03:34:01.239Z\",\n \"dns\": {\n \"answers\": [\n {\n \"data\": \"go.microsoft.com.edgekey.net\",\n \"type\": \"CNAME\"\n },\n {\n \"data\": \"e11290.dspg.akamaiedge.net\",\n \"type\": \"CNAME\"\n },\n {\n \"data\": \"23.223.14.67\",\n \"type\": \"A\"\n }\n ],\n \"question\": {\n \"name\": \"go.microsoft.com\",\n \"registered_domain\": \"microsoft.com\",\n \"subdomain\": \"go\",\n \"top_level_domain\": \"com\"\n },\n \"resolved_ip\": [\n \"23.223.14.67\"\n ]\n },\n \"ecs\": {\n \"version\": \"1.12.0\"\n },\n \"event\": {\n \"category\": [\n \"network\"\n ],\n 
\"code\": \"22\",\n \"kind\": \"event\",\n \"module\": \"sysmon\",\n \"provider\": \"Microsoft-Windows-Sysmon\",\n \"type\": [\n \"connection\",\n \"protocol\",\n \"info\"\n ]\n },\n \"host\": {\n \"name\": \"vagrant-2016\"\n },\n \"log\": {\n \"level\": \"information\"\n },\n \"network\": {\n \"protocol\": \"dns\"\n },\n \"process\": {\n \"entity_id\": \"{fa4a0de6-e8a8-5d2f-0000-001094619900}\",\n \"executable\": \"C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"name\": \"iexplore.exe\",\n \"pid\": 356\n },\n \"related\": {\n \"hosts\": [\n \"go.microsoft.com.edgekey.net\",\n \"e11290.dspg.akamaiedge.net\",\n \"go.microsoft.com\"\n ],\n \"ip\": [\n \"23.223.14.67\"\n ]\n },\n \"sysmon\": {\n \"dns\": {\n \"status\": \"SUCCESS\"\n }\n },\n \"user\": {\n \"id\": \"S-1-5-18\"\n },\n \"winlog\": {\n \"api\": \"wineventlog\",\n \"channel\": \"Microsoft-Windows-Sysmon/Operational\",\n \"computer_name\": \"vagrant-2016\",\n \"event_id\": \"22\",\n \"opcode\": \"Info\",\n \"process\": {\n \"pid\": 2828,\n \"thread\": {\n \"id\": 1684\n }\n },\n \"provider_guid\": \"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\n \"provider_name\": \"Microsoft-Windows-Sysmon\",\n \"record_id\": \"66\",\n \"user\": {\n \"domain\": \"NT AUTHORITY\",\n \"identifier\": \"S-1-5-18\",\n \"name\": \"SYSTEM\",\n \"type\": \"Well Known Group\"\n },\n \"version\": 5\n }\n }", + "event": { + "category": [ + "network" + ], + "code": "22", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "info", + "protocol" + ] + }, + "@timestamp": "2019-07-18T03:34:01.239000Z", + "action": { + "id": 22 + }, + "dns": { + "answers": [ + { + "data": "go.microsoft.com.edgekey.net", + "type": "CNAME" + }, + { + "data": "e11290.dspg.akamaiedge.net", + "type": "CNAME" + }, + { + "data": "23.223.14.67", + "type": "A" + } + ], + "question": { + "name": "go.microsoft.com", + "registered_domain": "microsoft.com", + "subdomain": "go", + 
"top_level_domain": "com" + }, + "resolved_ip": [ + "23.223.14.67" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", + "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 356 + }, + "related": { + "hosts": [ + "go.microsoft.com" + ], + "ip": [ + "23.223.14.67" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "66", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + } + + ``` + + +=== "sysmon_10_2.json" + + ```json + + { + "message": "{\n \"@timestamp\": \"2019-07-18T03:34:02.0252842Z\",\n \"event\": {\n \"code\": \"22\",\n \"kind\": \"event\",\n \"module\": \"sysmon\",\n \"provider\": \"Microsoft-Windows-Sysmon\"\n },\n \"host\": {\n \"name\": \"vagrant-2016\"\n },\n \"log\": {\n \"level\": \"information\"\n },\n \"winlog\": {\n \"api\": \"wineventlog\",\n \"channel\": \"Microsoft-Windows-Sysmon/Operational\",\n \"computer_name\": \"vagrant-2016\",\n \"event_data\": {\n \"Image\": \"C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\",\n \"ProcessGuid\": \"{fa4a0de6-e8a9-5d2f-0000-001053699900}\",\n \"ProcessId\": \"2736\",\n \"QueryName\": \"linkmaker.itunes.apple.com\",\n \"QueryResults\": \"type: 5 linkmaker.itunes.apple.com.edgekey.net;type: 5 e4541.dsce9.akamaiedge.net;::ffff:23.64.104.249;\",\n \"QueryStatus\": \"0\",\n \"UtcTime\": \"2019-07-18 
03:34:01.494\"\n },\n \"event_id\": \"22\",\n \"opcode\": \"Info\",\n \"process\": {\n \"pid\": 2828,\n \"thread\": {\n \"id\": 1684\n }\n },\n \"provider_guid\": \"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\n \"provider_name\": \"Microsoft-Windows-Sysmon\",\n \"record_id\": 70,\n \"user\": {\n \"domain\": \"NT AUTHORITY\",\n \"identifier\": \"S-1-5-18\",\n \"name\": \"SYSTEM\",\n \"type\": \"Well Known Group\"\n },\n \"version\": 5\n }\n }", + "event": { + "code": "22", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon" + }, + "@timestamp": "2019-07-18T03:34:02.025284Z", + "action": { + "id": 22, + "properties": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "linkmaker.itunes.apple.com", + "QueryResults": "type: 5 linkmaker.itunes.apple.com.edgekey.net;type: 5 e4541.dsce9.akamaiedge.net;::ffff:23.64.104.249;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:01.494" + } + }, + "dns": { + "answers": [ + { + "data": "linkmaker.itunes.apple.com.edgekey.net", + "type": "CNAME" + }, + { + "data": "e4541.dsce9.akamaiedge.net", + "type": "CNAME" + }, + { + "data": "23.64.104.249", + "type": "AAAA" + } + ], + "question": { + "name": "linkmaker.itunes.apple.com", + "registered_domain": "apple.com", + "subdomain": "linkmaker.itunes", + "top_level_domain": "com" + }, + "resolved_ip": [ + "23.64.104.249" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "linkmaker.itunes.apple.com" + ], + "ip": [ + "23.64.104.249" + ] + }, + "sysmon": { + "dns": { + "status": "0" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + 
"api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "70", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + } + + ``` + + +=== "sysmon_11_file_deleted.json" + + ```json + + { + "message": "{\n \"@timestamp\": \"2019-07-18T03:34:02.0252842Z\",\n \"event\": {\n \"code\": \"22\",\n \"kind\": \"event\",\n \"module\": \"sysmon\",\n \"provider\": \"Microsoft-Windows-Sysmon\"\n },\n \"host\": {\n \"name\": \"vagrant-2016\"\n },\n \"log\": {\n \"level\": \"information\"\n },\n \"winlog\": {\n \"api\": \"wineventlog\",\n \"channel\": \"Microsoft-Windows-Sysmon/Operational\",\n \"computer_name\": \"vagrant-2016\",\n \"event_data\": {\n \"Image\": \"C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\",\n \"ProcessGuid\": \"{fa4a0de6-e8a9-5d2f-0000-001053699900}\",\n \"ProcessId\": \"2736\",\n \"QueryName\": \"linkmaker.itunes.apple.com\",\n \"QueryResults\": \"type: 5 linkmaker.itunes.apple.com.edgekey.net;type: 5 e4541.dsce9.akamaiedge.net;::ffff:23.64.104.249;\",\n \"QueryStatus\": \"0\",\n \"UtcTime\": \"2019-07-18 03:34:01.494\"\n },\n \"event_id\": \"22\",\n \"opcode\": \"Info\",\n \"process\": {\n \"pid\": 2828,\n \"thread\": {\n \"id\": 1684\n }\n },\n \"provider_guid\": \"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\n \"provider_name\": \"Microsoft-Windows-Sysmon\",\n \"record_id\": 70,\n \"user\": {\n \"domain\": \"NT AUTHORITY\",\n \"identifier\": \"S-1-5-18\",\n \"name\": \"SYSTEM\",\n \"type\": \"Well Known Group\"\n },\n \"version\": 5\n }\n }", + "event": { + "code": "22", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon" + }, + "@timestamp": 
"2019-07-18T03:34:02.025284Z", + "action": { + "id": 22, + "properties": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "linkmaker.itunes.apple.com", + "QueryResults": "type: 5 linkmaker.itunes.apple.com.edgekey.net;type: 5 e4541.dsce9.akamaiedge.net;::ffff:23.64.104.249;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:01.494" + } + }, + "dns": { + "answers": [ + { + "data": "linkmaker.itunes.apple.com.edgekey.net", + "type": "CNAME" + }, + { + "data": "e4541.dsce9.akamaiedge.net", + "type": "CNAME" + }, + { + "data": "23.64.104.249", + "type": "AAAA" + } + ], + "question": { + "name": "linkmaker.itunes.apple.com", + "registered_domain": "apple.com", + "subdomain": "linkmaker.itunes", + "top_level_domain": "com" + }, + "resolved_ip": [ + "23.64.104.249" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "linkmaker.itunes.apple.com" + ], + "ip": [ + "23.64.104.249" + ] + }, + "sysmon": { + "dns": { + "status": "0" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "70", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + } + + ``` + + +=== "sysmon_no_event.json" + + ```json + + { + "message": "{\n \"dns\": 
{\n \"answers\": [\n {\n \"type\": \"SRV\"\n },\n {\n \"type\": \"SRV\"\n },\n {\n \"data\": \"1:2:3::3\",\n \"type\": \"AAAA\"\n },\n {\n \"data\": \"1.2.3.3\",\n \"type\": \"A\"\n }\n ],\n \"question\": {\n \"name\": \"some.other.domain.com\",\n \"registered_domain\": \"domain.com\",\n \"subdomain\": \"some.other\",\n \"top_level_domain\": \"com\"\n },\n \"resolved_ip\": [\n \"1:2:3::3\",\n \"1.2.3.3\"\n ]\n },\n \"ecs\": {\n \"version\": \"1.12.0\"\n },\n \"event\": {\n \"category\": [\n \"network\"\n ],\n \"code\": \"22\",\n \"kind\": \"event\",\n \"module\": \"sysmon\",\n \"provider\": \"Microsoft-Windows-Sysmon\",\n \"type\": [\n \"connection\",\n \"protocol\",\n \"info\"\n ]\n },\n \"host\": {\n \"name\": \"internal.network.org\"\n },\n \"log\": {\n \"level\": \"information\"\n },\n \"network\": {\n \"protocol\": \"dns\"\n },\n \"process\": {\n \"executable\": \"C:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"name\": \"lsass.exe\",\n \"pid\": 500\n },\n \"related\": {\n \"hosts\": [\n \"some.other.domain.com\"\n ],\n \"ip\": [\n \"1:2:3::3\",\n \"1.2.3.3\"\n ],\n \"user\": [\n \"SYSTEM\"\n ]\n },\n \"sysmon\": {\n \"dns\": {\n \"status\": \"SUCCESS\"\n }\n },\n \"user\": {\n \"domain\": \"NT AUTHORITY\",\n \"id\": \"A-0-0-00\",\n \"name\": \"SYSTEM\"\n },\n \"winlog\": {\n \"channel\": \"Microsoft-Windows-Sysmon/Operational\",\n \"computer_name\": \"internal.network.org\",\n \"event_id\": \"22\",\n \"opcode\": \"Info\",\n \"process\": {\n \"pid\": 1000,\n \"thread\": {\n \"id\": 2000\n }\n },\n \"provider_guid\": \"{00000000-0000-0000-0000-000000000000}\",\n \"provider_name\": \"Microsoft-Windows-Sysmon\",\n \"record_id\": \"1111\",\n \"user\": {\n \"identifier\": \"A-0-0-00\"\n },\n \"version\": 5\n }\n }", + "event": { + "category": [ + "network" + ], + "code": "22", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "info", + "protocol" + ] + }, + "action": { + "id": 22 + }, + "dns": { + 
"answers": [ + { + "type": "SRV" + }, + { + "type": "SRV" + }, + { + "data": "1:2:3::3", + "type": "AAAA" + }, + { + "data": "1.2.3.3", + "type": "A" + } + ], + "question": { + "name": "some.other.domain.com", + "registered_domain": "domain.com", + "subdomain": "some.other", + "top_level_domain": "com" + }, + "resolved_ip": [ + "1.2.3.3", + "1:2:3::3" + ] + }, + "host": { + "name": "internal.network.org" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "executable": "C:\\Windows\\System32\\lsass.exe", + "name": "lsass.exe", + "pid": 500 + }, + "related": { + "hosts": [ + "some.other.domain.com" + ], + "ip": [ + "1.2.3.3", + "1:2:3::3" + ], + "user": [ + "SYSTEM" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "domain": "NT AUTHORITY", + "id": "A-0-0-00", + "name": "SYSTEM" + }, + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "internal.network.org", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 1000, + "thread": { + "id": 2000 + } + }, + "provider_guid": "{00000000-0000-0000-0000-000000000000}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "1111", + "user": { + "identifier": "A-0-0-00" + }, + "version": 5 + } + } + + ``` + + === "test_filtering.json" ```json 
@@ -1206,6 +2309,13 @@ The following table lists the fields that are extracted, normalized under the EC | ---- | ---- | ---------------------------| |`@timestamp` | `date` | Date/time when the event originated. | |`action.properties` | `object` | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | +|`destination.domain` | `keyword` | The domain name of the destination. | +|`destination.ip` | `ip` | IP address of the destination. | +|`destination.port` | `long` | Port of the destination. | +|`dns.answers` | `object` | Array of DNS answers. | +|`dns.question.name` | `keyword` | The name being queried. | +|`dns.resolved_ip` | `ip` | Array containing all IPs seen in answers.data | +|`error.code` | `keyword` | Error code describing the error. | |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.code` | `keyword` | Identification code for this event. | 
@@ -1215,12 +2325,33 @@ The following table lists the fields that are extracted, normalized under the EC |`event.provider` | `keyword` | Source of the event. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`file.code_signature.status` | `keyword` | Additional information about the certificate status. | +|`file.code_signature.subject_name` | `keyword` | Subject name of the code signer | +|`file.code_signature.valid` | `boolean` | Boolean to capture if the digital signature is verified against the binary content. | |`file.directory` | `keyword` | Directory where the file is located. | |`file.drive_letter` | `keyword` | Drive letter where the file is located. | |`file.extension` | `keyword` | File extension, excluding the leading dot. | +|`file.hash.md5` | `keyword` | MD5 hash. | +|`file.hash.sha1` | `keyword` | SHA1 hash. | +|`file.hash.sha256` | `keyword` | SHA256 hash. | +|`file.hash.sha384` | `keyword` | SHA384 hash. | +|`file.hash.sha512` | `keyword` | SHA512 hash. | +|`file.hash.ssdeep` | `keyword` | SSDEEP hash. | +|`file.hash.tlsh` | `keyword` | TLSH hash. | |`file.name` | `keyword` | Name of the file including the extension, without the directory. | |`file.path` | `keyword` | Full path to the file, including the file name. | +|`file.pe.company` | `keyword` | Internal company name of the file, provided at compile-time. | +|`file.pe.description` | `keyword` | Internal description of the file, provided at compile-time. | +|`file.pe.file_version` | `keyword` | Process name. | +|`file.pe.imphash` | `keyword` | A hash of the imports in a PE file. | +|`file.pe.original_file_name` | `keyword` | Internal name of the file, provided at compile-time. | +|`file.pe.product` | `keyword` | Internal product name of the file, provided at compile-time. | +|`network.direction` | `keyword` | Direction of the network traffic. 
| +|`network.protocol` | `keyword` | Application protocol name. | +|`network.transport` | `keyword` | Protocol Name corresponding to the field `iana_number`. | +|`network.type` | `keyword` | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc | |`process.command_line` | `wildcard` | Full command line that started the process. | +|`process.entity_id` | `keyword` | Unique identifier for the process. | |`process.executable` | `keyword` | Absolute path to the process executable. | |`process.hash.md5` | `keyword` | MD5 hash. | |`process.hash.sha1` | `keyword` | SHA1 hash. | 
@@ -1230,15 +2361,35 @@ The following table lists the fields that are extracted, normalized under the EC |`process.hash.ssdeep` | `keyword` | SSDEEP hash. | |`process.hash.tlsh` | `keyword` | TLSH hash. | |`process.name` | `keyword` | Process name. | +|`process.parent.command_line` | `wildcard` | Full command line that started the process. | +|`process.parent.entity_id` | `keyword` | Unique identifier for the process. | |`process.parent.executable` | `keyword` | Absolute path to the process executable. | |`process.parent.name` | `keyword` | Process name. | +|`process.parent.pid` | `long` | Process id. | +|`process.pe.company` | `keyword` | Internal company name of the file, provided at compile-time. | +|`process.pe.description` | `keyword` | Internal description of the file, provided at compile-time. | +|`process.pe.file_version` | `keyword` | Process name. | +|`process.pe.imphash` | `keyword` | A hash of the imports in a PE file. | |`process.pe.original_file_name` | `keyword` | Internal name of the file, provided at compile-time. | +|`process.pe.product` | `keyword` | Internal product name of the file, provided at compile-time. | +|`process.pid` | `long` | Process id. | +|`process.thread.id` | `long` | Thread ID. | |`process.working_directory` | `keyword` | The working directory of the process. | |`registry.data.strings` | `wildcard` | List of strings representing what was written to the registry. | |`registry.hive` | `keyword` | Abbreviated name for the hive. | |`registry.key` | `keyword` | Hive-relative path of keys. | |`registry.path` | `keyword` | Full path, including hive, key and value | |`registry.value` | `keyword` | Name of the value written. | +|`rule.name` | `keyword` | Rule name | +|`source.domain` | `keyword` | The domain name of the source. | +|`source.ip` | `ip` | IP address of the source. | +|`source.port` | `long` | Port of the source. 
| +|`sysmon.dns.status` | `keyword` | Windows status code returned for the DNS query | +|`sysmon.file.archived` | `boolean` | Indicates if the deleted file was archived | +|`sysmon.file.is_executable` | `boolean` | Indicates if the deleted file was an executable | +|`user.domain` | `keyword` | Name of the directory the user is a member of. | +|`user.id` | `keyword` | Unique identifier of the user. | +|`user.name` | `keyword` | Short name or login of the user. | |`user.target.domain` | `keyword` | Name of the directory the user is a member of. | |`user.target.name` | `keyword` | Short name or login of the user. | |`winlog.activity_id` | `keyword` | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. |