Skip to content

add sysmon files to blobl mappigs #109

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
zschmerber wants to merge 2 commits into
base: main
Choose a base branch
from
Open

add sysmon files to blobl mappigs #109

zschmerber wants to merge 2 commits into from

Conversation

@zschmerber
Copy link
Contributor

@zschmerber zschmerber commented Apr 24, 2025

i do not have time to make sample data yet but can get to that later

mavam
mavam reviewed May 26, 2025
View reviewed changes
...Microsoft/sysmon/1_system_activity/v1.0.0/201003_windows_resource_activity_event_id_17.blobl
root.category_uid = 1
root.category_name = "System Activity"
root.class_uid = 201003
root.class_name = "Windows Resource Activity"
Copy link
Contributor

@mavam mavam May 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a custom event class. Do you have a pointer to it?

Copy link
Contributor Author

@zschmerber zschmerber May 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When the windows extension is enabled it shows up
image

@mavam
Copy link
Contributor

mavam commented May 26, 2025
edited
Loading

What if we didn't have your extension, would this be reasonable summary of mapping of event IDs to classes?

Sysmon Event ID Sysmon Event Description (from Microsoft) OCSF Event Class Name
1 Process creation Process Activity
2 A process changed a file creation time File System Activity
3 Network connection Network Activity
4 Sysmon service state changed Process Activity
5 Process terminated Process Activity
6 Driver loaded Kernel Activity
7 Image loaded Process Activity
8 CreateRemoteThread Process Activity
9 RawAccessRead Process Activity
10 ProcessAccess Process Activity
11 FileCreate File System Activity
12 RegistryEvent (Object create and delete) Registry Activity
13 RegistryEvent (Value Set) Registry Activity
14 RegistryEvent (Key and Value Rename) Registry Activity
15 FileCreateStreamHash File System Activity
16 ServiceConfigurationChange Device Config State
17 PipeEvent (Pipe Created) File System Activity
18 PipeEvent (Pipe Connected) File System Activity
19 WmiEvent (WmiEventFilter activity detected) Process Activity
20 WmiEvent (WmiEventConsumer activity detected) Process Activity
21 WmiEvent (WmiEventConsumerToFilter activity detected) Process Activity
22 DNSEvent (DNS query) DNS Activity
23 FileDelete (File Delete archived) File System Activity
25 ProcessTampering (Process image change) Process Activity
26 FileDeleteDetected (File Delete logged) File System Activity
27 FileBlockExecutable File System Activity
28 FileBlockShredding File System Activity
29 FileExecutableDetected File System Activity

@zschmerber
Copy link
Contributor Author

zschmerber commented May 26, 2025 

  ## System Activity
  # File System - EventId 11
  # File System - EventId 15
  # File System - EventId 23
  # File System - EventId 26
  # Kernel Extension - EventId 6
  # Module  - EventId 7
  # Process - EventId 1
  # Process - EventId 5
  # Process - EventId 8
  # Process - EventId 10
  # Process - EventId 25
  # registry_key_activity - EventID 12
  # registry_key_activity - EventID 13
  # System Activity - EventId 17
  # Windows Resource Activity - EventId 18

  ## Network Activity
  # Network  - EventId 3
  # DNS  - EventId 22

  ## Discovery
  # Device Config state - EventID 4
  # Device Config state - EventID 16
  # Device Config state - EventID 255

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mavam mavam mavam left review comments

@JW-Corelight JW-Corelight Awaiting requested review from JW-Corelight JW-Corelight is a code owner

@Aniak5 Aniak5 Awaiting requested review from Aniak5 Aniak5 is a code owner

@floydtree floydtree Awaiting requested review from floydtree floydtree is a code owner

At least 3 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@zschmerber @mavam @zschmerber-atlassian