diff --git a/labs/ocsf-bento/blobl_mappings/aws/cloudtrail/3_iam/v1.2.0/3002_authentication.blobl b/labs/ocsf-bento/blobl_mappings/aws/cloudtrail/3_iam/v1.2.0/3002_authentication.blobl index 47680020..bb800ba6 100644 --- a/labs/ocsf-bento/blobl_mappings/aws/cloudtrail/3_iam/v1.2.0/3002_authentication.blobl +++ b/labs/ocsf-bento/blobl_mappings/aws/cloudtrail/3_iam/v1.2.0/3002_authentication.blobl @@ -69,7 +69,7 @@ root.metadata.version = "1.2.0" root.metadata.product.feature.name = this.eventCategory root.metadata.profiles = ["cloud","datetime"] root.metadata.correlation_uid = uuid_v4() -#root.metadata.labels = this.env.re_find_all(".*") TODO: check Atlassian only enrichment +#root.metadata.labels = this.env.re_find_all(".*") TODO: check my_id_for_my_company only enrichment root.is_mfa = match this.additionalEventData.MFAUsed { "No" => false diff --git a/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1001_file_system_activity_event_id_11.blobl b/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1001_file_system_activity_event_id_11.blobl new file mode 100644 index 00000000..5be3bd4b --- /dev/null +++ b/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1001_file_system_activity_event_id_11.blobl 
@@ -0,0 +1,112 @@ + +root.category_uid = 1 +root.category_name = "System Activity" +root.class_uid = 1001 +root.class_name = "File System Activity" +root.activity_name = "Create" +root.activity_id = 1 +root.type_name = "File System Activity: Create" +root.time = this.winlog.event_data.UtcTime.ts_strptime("%Y-%m-%d %H:%M:%S.%f").ts_unix_milli() +root.time_dt = this.winlog.event_data.UtcTime +root.message = this.winlog.task +root.severity_id = 1 +root.severity = "Informational" +root.status_id = 1 +root.disposition_id = 17 +root.disposition = "Logged" + +root.metadata.profiles = ["host", "security_control","datetime"] +root.metadata.event_code = this.winlog.event_id +root.metadata.uid = this.winlog.record_id.string() +root.metadata.logged_time = this.event.created.ts_unix_milli() +root.metadata.logged_time_dt = this.event.created +root.metadata.log_name = this.winlog.channel +root.metadata.log_provider = this.winlog.provider_name +root.metadata.product.lang = "EN" +root.metadata.product.name = "Sysmon" +root.metadata.product.vendor_name = "Sysmon" +root.metadata.version = "1.0.0" +root.metadata.original_time = this.winlog.event_data.UtcTime + +root.device.type = "Server" +root.device.type_id = 1 +root.device.hostname = this.winlog.computer_name.split(".").index(0) +root.device.os.type_id = 100 +root.device.os.type = "Windows" +root.device.os.name = "Microsoft Windows" + +root.attacks = [{ + "version": "v13", + "technique": { + "name" : this.mitre.technique_name, + "uid" : this.mitre.technique_id}, + "tactics" : [], +}] + +root.file.name = this.winlog.event_data.TargetFilename.split("\\").index(-1) +root.file.path = this.winlog.event_data.TargetFilename +root.file.type_id = match { + this.winlog.event_data.TargetFilename.contains(".") => 1 # Should have a "." character if it has a file extension + _=> 2 +} +root.file.type = match { + this.winlog.event_data.TargetFilename.contains(".") => "Regular File" # Should have a "." 
character if it has a file extension + _=> "Directory" +} + +root.actor.process.file.name = winlog.event_data.Image.split("\\").index(-1) +root.actor.process.file.path = winlog.event_data.Image +root.actor.process.file.type_id = match { + this.winlog.event_data.Image.contains(".") => 1 # Should have a "." character if it has a file extension + _=> 2 +} +root.actor.process.file.type = match { + this.winlog.event_data.Image.contains(".") => "Regular File" # Should have a "." character if it has a file extension + _=> "Directory" +} +root.actor.process.name = winlog.event_data.Image.split("\\").index(-1) +root.actor.process.pid = winlog.event_data.ProcessId.number() +root.actor.process.uid = winlog.event_data.ProcessGuid.trim("{}") +root.actor.process.user.name = this.winlog.event_data.User.split("\\").index(1) +root.actor.process.user.domain = this.winlog.event_data.User.split("\\").index(0) +root.actor.process.user.type_id = match this.winlog.event_data.User { + this.contains("NT AUTHORITY") => 3 + this.contains("S-1-5-18") => 3 + this.contains("Administrator") => 2 + this.contains("my_id_for_my_company") => 1 + _=> 0 +} +root.actor.process.user.type = match this.winlog.event_data.User { + this.contains("NT AUTHORITY") => "System" + this.contains("S-1-5-18") => "System" + this.contains("my_id_for_my_company") => "User" + this.contains("Administrator") => "Admin" + _=> 0 +} +root.type_uid = root.class_uid.number() * 100 + root.activity_id.number() +root.unmapped = this.without( + "winlog.event_data.UtcTime", + "winlog.task", + "winlog.event_id", + "winlog.record_id", + "event.created", + "winlog.channel", + "winlog.provider_name", + "winlog.computer_name", + "mitre.technique_name", + "mitre.technique_id", + "winlog.event_data.TargetFilename", + "winlog.event_data.Image", + "winlog.event_data.ProcessId", + "winlog.event_data.ProcessGuid", + "winlog.event_data.User", + "mitre" +) + +observables = root.without("unmapped").with("file.name", "actor.process.file.name", 
"device.hostname", "actor.process.user.name", "actor.process.name").(item -> { + "a": match {item.device.exists("hostname") => {"name": "device.hostname", "type": "Hostname", "type_id": 1, "value": item.device.hostname}}, + "b": match {item.actor.process.user.exists("name") => {"name": "actor.process.user.name", "type": "User Name", "type_id": 4, "value": item.actor.process.user.name}}, + "c": match {item.file.exists("name") => {"name": "file.name", "type": "File Name", "type_id": 7, "value": item.file.name}}, + "d": match {item.actor.process.file.exists("name") => {"name": "actor.process.file.name", "type": "File Name", "type_id": 7, "value": item.actor.process.file.name}}, + "e": match {item.actor.process.exists("name") => {"name": "actor.process.name", "type": "Process Name", "type_id": 9, "value": item.actor.process.name}} + }).values() \ No newline at end of file diff --git a/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1001_file_system_activity_event_id_15.blobl b/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1001_file_system_activity_event_id_15.blobl new file mode 100644 index 00000000..155be91e --- /dev/null +++ b/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1001_file_system_activity_event_id_15.blobl 
@@ -0,0 +1,116 @@ + +root.category_uid = 1 +root.category_name = "System Activity" +root.class_uid = 1001 +root.class_name = "File System Activity" +root.activity_name = "Create" +root.activity_id = 1 +root.type_name = "File System Activity: Create" +root.time = this.winlog.event_data.UtcTime.ts_strptime("%Y-%m-%d %H:%M:%S.%f").ts_unix_milli() +root.time_dt = this.winlog.event_data.UtcTime +root.message = this.winlog.task +root.severity_id = 1 +root.severity = "Informational" +root.status_id = 1 +root.disposition_id = 17 +root.disposition = "Logged" + +root.metadata.profiles = ["host", "security_control","datetime"] +root.metadata.event_code = this.winlog.event_id +root.metadata.uid = this.winlog.record_id.string() +root.metadata.logged_time = this.event.created.ts_unix_milli() +root.metadata.logged_time_dt = this.event.created +root.metadata.log_name = this.winlog.channel +root.metadata.log_provider = this.winlog.provider_name +root.metadata.product.lang = "EN" +root.metadata.product.name = "Sysmon" +root.metadata.product.vendor_name = "Sysmon" +root.metadata.version = "1.0.0" +root.metadata.original_time = this.winlog.event_data.UtcTime + +root.device.type = "Server" +root.device.type_id = 1 +root.device.hostname = this.winlog.computer_name.split(".").index(0) +root.device.os.type_id = 100 +root.device.os.type = "Windows" +root.device.os.name = "Microsoft Windows" + +root.attacks = [{ + "version": "v13", + "technique": { + "name" : this.mitre.technique_name, + "uid" : this.mitre.technique_id}, + "tactics" : [], +}] + +root.file.name = this.winlog.event_data.TargetFilename.split("\\").index(-1) +root.file.path = this.winlog.event_data.TargetFilename +root.file.type_id = match { + this.winlog.event_data.TargetFilename.contains("Zone.Identifier") => 99 + this.winlog.event_data.TargetFilename.contains(".") => 1 # Should have a "." 
character if it has a file extension + _=> 2 +} +root.file.type = match { + this.winlog.event_data.TargetFilename.contains("Zone.Identifier") => "Zone Identifier" + this.winlog.event_data.TargetFilename.contains(".") => "Regular File" # Should have a "." character if it has a file extension + _=> "Other" +} + +root.actor.process.file.name = winlog.event_data.Image.split("\\").index(-1) +root.actor.process.file.path = winlog.event_data.Image +root.actor.process.file.type = match { + this.winlog.event_data.Image.contains(".") => "Regular File" # Should have a "." character if it has a file extension + _=> "Other" +} +root.actor.process.file.type_id = match { + this.winlog.event_data.Image.contains(".") => 1 # Should have a "." character if it has a file extension + _=> 99 +} +root.actor.process.name = winlog.event_data.Image.split("\\").index(-1) +root.actor.process.pid = winlog.event_data.ProcessId.number() +root.actor.process.uid = winlog.event_data.ProcessGuid.trim("{}") +root.actor.process.user.name = this.winlog.event_data.User.split("\\").index(1) +root.actor.process.user.domain = this.winlog.event_data.User.split("\\").index(0) +root.actor.process.user.type_id = match this.winlog.event_data.User { + this.contains("NT AUTHORITY") => 3 + this.contains("S-1-5-18") => 3 + this.contains("Administrator") => 2 + this.contains("my_id_for_my_company") => 1 + _=> 0 +} +root.actor.process.user.type = match this.winlog.event_data.User { + this.contains("NT AUTHORITY") => "System" + this.contains("S-1-5-18") => "System" + this.contains("my_id_for_my_company") => "User" + this.contains("Administrator") => "Admin" + _=> 0 +} + +root.unmapped = this.without( + "winlog.event_data.UtcTime", + "winlog.task", + "winlog.event_id", + "winlog.record_id", + "event.created", + "winlog.channel", + "winlog.provider_name", + "winlog.computer_name", + "mitre.technique_name", + "mitre.technique_id", + "winlog.event_data.TargetFilename", + "winlog.event_data.Image", + 
"winlog.event_data.ProcessId", + "winlog.event_data.ProcessGuid", + "winlog.event_data.User", + "winlog.event_data.Hash", + "mitre" +) + +root.type_uid = root.class_uid.number() * 100 + root.activity_id.number() +observables = root.without("unmapped").with("file.name", "actor.process.file.name", "device.hostname", "actor.process.user.name", "actor.process.name").(item -> { + "a": match {item.device.exists("hostname") => {"name": "device.hostname", "type": "Hostname", "type_id": 1, "value": item.device.hostname}}, + "b": match {item.actor.process.user.exists("name") => {"name": "actor.process.user.name", "type": "User Name", "type_id": 4, "value": item.actor.process.user.name}}, + "c": match {item.file.exists("name") => {"name": "file.name", "type": "File Name", "type_id": 7, "value": item.file.name}}, + "d": match {item.actor.process.file.exists("name") => {"name": "actor.process.file.name", "type": "File Name", "type_id": 7, "value": item.actor.process.file.name}}, + "e": match {item.actor.process.exists("name") => {"name": "actor.process.name", "type": "Process Name", "type_id": 9, "value": item.actor.process.name}} + }).values() \ No newline at end of file diff --git a/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1001_file_system_activity_event_id_23.blobl b/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1001_file_system_activity_event_id_23.blobl new file mode 100644 index 00000000..99cbe5a7 --- /dev/null +++ b/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1001_file_system_activity_event_id_23.blobl 
@@ -0,0 +1,135 @@ + +root.category_uid = 1 +root.category_name = "System Activity" +root.class_uid = 1001 +root.class_name = "File System Activity" +root.activity_name = "Create" +root.activity_id = 1 +root.type_name = "File System Activity: Create" +root.time = this.winlog.event_data.UtcTime.ts_strptime("%Y-%m-%d %H:%M:%S.%f").ts_unix_milli() +root.time_dt = this.winlog.event_data.UtcTime +root.message = this.winlog.task +root.severity_id = 1 +root.severity = "Informational" +root.status_id = 1 +root.disposition_id = 17 +root.disposition = "Logged" + +root.metadata.profiles = ["host", "security_control","datetime"] +root.metadata.event_code = this.winlog.event_id +root.metadata.uid = this.winlog.record_id.string() +root.metadata.logged_time = this.event.created.ts_unix_milli() +root.metadata.logged_time_dt = this.event.created +root.metadata.log_name = this.winlog.channel +root.metadata.log_provider = this.winlog.provider_name +root.metadata.product.lang = "EN" +root.metadata.product.name = "Sysmon" +root.metadata.product.vendor_name = "Sysmon" +root.metadata.version = "1.0.0" +root.metadata.original_time = this.winlog.event_data.UtcTime + +root.device.type = "Server" +root.device.type_id = 1 # Setting as static value - Sysmon only installed on servers, but no native log data to signify workstation/server +root.device.hostname = this.winlog.computer_name.split(".").index(0) +root.device.os.type_id = 100 +root.device.os.type = "Windows" +root.device.os.name = "Microsoft Windows" + +root.attacks = [{ + "version": "v13", + "technique": { + "name" : this.mitre.technique_name, + "uid" : this.mitre.technique_id}, + "tactics" : [], +}] + +root.file.name = this.winlog.event_data.TargetFilename.split("\\").index(-1) +root.file.path = this.winlog.event_data.TargetFilename +root.file.type_id = match { + this.winlog.event_data.TargetFilename.contains(".") => 1 # Should have a "." 
character if it has a file extension + _=> 2 +} +root.file.type = match { + this.winlog.event_data.TargetFilename.contains(".") => "Regular File" # Should have a "." character if it has a file extension + _=> "Directory" +} + +root.file.hashes = if this.winlog.event_data.exists("Hash") {this.winlog.event_data.Hash.key_values().map_each(item -> { + "algorithm_id": match { + item.key == "MD5" => 1, + item.key == "SHA1" => 2, + item.key == "SHA256" => 3, + item.key == "IMPHASH" => 99, + }, + "algorithm": match { + item.key == "MD5" => "MD5", + item.key == "SHA1" => "SHA-1", + item.key == "SHA256" => "SHA-256", + item.key == "IMPHASH" => "IMPHASH" + }, + "value": item.value}) } else {deleted()} + +root.actor.process.file.name = winlog.event_data.Image.split("\\").index(-1) +root.actor.process.file.path = winlog.event_data.Image +root.actor.process.file.type_id = match { + this.winlog.event_data.Image.contains(".") => 1 # Should have a "." character if it has a file extension + _=> 2 +} +root.actor.process.file.type = match { + this.winlog.event_data.Image.contains(".") => "Regular File" # Should have a "." 
character if it has a file extension + _=> "Directory" +} +root.actor.process.name = winlog.event_data.Image.split("\\").index(-1) +root.actor.process.pid = winlog.event_data.ProcessId.number() +root.actor.process.uid = winlog.event_data.ProcessGuid.trim("{}") +root.actor.process.user.name = this.winlog.event_data.User.split("\\").index(1) +root.actor.process.user.domain = this.winlog.event_data.User.split("\\").index(0) +root.actor.process.user.type_id = match this.winlog.event_data.User { + this.contains("NT AUTHORITY") => 3 + this.contains("S-1-5-18") => 3 + this.contains("Administrator") => 2 + this.contains("my_id_for_my_company") => 1 + _=> 0 +} +root.actor.process.user.type = match this.winlog.event_data.User { + this.contains("NT AUTHORITY") => "System" + this.contains("S-1-5-18") => "System" + this.contains("my_id_for_my_company") => "User" + this.contains("Administrator") => "Admin" + _=> 0 +} +root.type_uid = root.class_uid.number() * 100 + root.activity_id.number() +root.unmapped = this.without( + "winlog.event_data.UtcTime", + "winlog.task", + "winlog.event_id", + "winlog.record_id", + "event.created", + "winlog.channel", + "winlog.provider_name", + "winlog.computer_name", + "mitre.technique_name", + "mitre.technique_id", + "winlog.event_data.TargetFilename", + "winlog.event_data.Image", + "winlog.event_data.ProcessId", + "winlog.event_data.ProcessGuid", + "winlog.event_data.User", + "winlog.event_data.Hash", + "mitre" +) + +let myhash = root.file.hashes.map_each(hash -> hash.value).collapse() + +observables = root.without("unmapped").with("file.name", "actor.process.file.name", "device.hostname", "actor.process.user.name", "actor.process.name").merge($myhash).(item -> { + "a": match {item.device.exists("hostname") => {"name": "device.hostname", "type": "Hostname", "type_id": 1, "value": item.device.hostname}}, + "b": match {item.actor.process.user.exists("name") => {"name": "actor.process.user.name", "type": "User Name", "type_id": 4, "value": 
item.actor.process.user.name}}, + "c": match {item.file.exists("name") => {"name": "file.name", "type": "File Name", "type_id": 7, "value": item.file.name}}, + "d": match {item.actor.process.file.exists("name") => {"name": "actor.process.file.name", "type": "File Name", "type_id": 7, "value": item.actor.process.file.name}}, + "e": match {item.actor.process.exists("name") => {"name": "actor.process.name", "type": "Process Name", "type_id": 9, "value": item.actor.process.name}}, + "f": match {item.exists("0") => {"name": "file.hashes.value", "type": "File Hash", "type_id": 8, "value": item.0}}, + "g": match {item.exists("1") => {"name": "file.hashes.value", "type": "File Hash", "type_id": 8, "value": item.1}}, + "h": match {item.exists("2") => {"name": "file.hashes.value", "type": "File Hash", "type_id": 8, "value": item.2}}, + "i": match {item.exists("3") => {"name": "file.hashes.value", "type": "File Hash", "type_id": 8, "value": item.3}}, + "j": match {item.exists("4") => {"name": "file.hashes.value", "type": "File Hash", "type_id": 8, "value": item.4}}, + }).values() diff --git a/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1001_file_system_activity_event_id_26.blobl b/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1001_file_system_activity_event_id_26.blobl new file mode 100644 index 00000000..893971d5 --- /dev/null +++ b/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1001_file_system_activity_event_id_26.blobl 
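Review bot: `root.activity_name = "Create"`, `root.activity_id = 1` and `root.type_name = "File System Activity: Create"` look copied from the event_id_11 mapping; if this file handles Sysmon Event ID 23 (FileDelete) as its name suggests, the OCSF Delete activity (`activity_id` 4) is the correct value, and `root.type_uid` would then follow since it is derived from `activity_id`. The event_id_26 file in this commit carries the same Create values and needs the same check. The `algorithm_id` and `algorithm` matches inside `root.file.hashes` have no default arm, so a hash key other than the four listed yields whatever Bloblang produces for an unmatched `match` rather than an explicit value; adding `_ => 99` and `_ => "Other"` makes the intent visible.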
@@ -0,0 +1,136 @@ + + +root.category_uid = 1 +root.category_name = "System Activity" +root.class_uid = 1001 +root.class_name = "File System Activity" +root.activity_name = "Create" +root.activity_id = 1 + +root.type_name = "File System Activity: Create" +root.time = this.winlog.event_data.UtcTime.ts_strptime("%Y-%m-%d %H:%M:%S.%f").ts_unix_milli() +root.time_dt = this.winlog.event_data.UtcTime +root.message = this.winlog.task +root.severity_id = 1 +root.severity = "Informational" +root.status_id = 1 +root.disposition_id = 17 +root.disposition = "Logged" + +root.metadata.profiles = ["host", "security_control","datetime"] +root.metadata.event_code = this.winlog.event_id.string() +root.metadata.uid = this.winlog.record_id.string() +root.metadata.logged_time = this.event.created.ts_unix_milli() +root.metadata.logged_time_dt = this.event.created +root.metadata.log_name = this.winlog.channel +root.metadata.log_provider = this.winlog.provider_name +root.metadata.product.lang = "EN" +root.metadata.product.name = "Sysmon" +root.metadata.product.vendor_name = "Sysmon" +root.metadata.version = "1.0.0" +root.metadata.original_time = this.winlog.event_data.UtcTime + +root.device.type = "Server" +root.device.type_id = 1 # Setting as static value - Sysmon only installed on servers, but no native log data to signify workstation/server +root.device.hostname = this.winlog.computer_name.split(".").index(0) +root.device.os.type_id = 100 +root.device.os.type = "Windows" +root.device.os.name = "Microsoft Windows" + +root.attacks = [{ + "version": "v13", + "technique": { + "name" : this.mitre.technique_name, + "uid" : this.mitre.technique_id}, + "tactics" : [], +}] + +root.file.name = this.winlog.event_data.TargetFilename.split("\\").index(-1) +root.file.path = this.winlog.event_data.TargetFilename +root.file.type_id = match { + this.winlog.event_data.TargetFilename.contains(".") => 1 # Should have a "." 
character if it has a file extension + _=> 2 +} +root.file.type = match { + this.winlog.event_data.TargetFilename.contains(".") => "Regular File" # Should have a "." character if it has a file extension + _=> "Directory" +} + +root.file.hashes = if this.winlog.event_data.exists("Hash") {this.winlog.event_data.Hash.key_values().map_each(item -> { + "algorithm_id": match { + item.key == "MD5" => 1, + item.key == "SHA1" => 2, + item.key == "SHA256" => 3, + item.key == "IMPHASH" => 99, + }, + "algorithm": match { + item.key == "MD5" => "MD5", + item.key == "SHA1" => "SHA-1", + item.key == "SHA256" => "SHA-256", + item.key == "IMPHASH" => "IMPHASH" + }, + "value": item.value}) } else {deleted()} + +root.actor.process.file.name = winlog.event_data.Image.split("\\").index(-1) +root.actor.process.file.path = winlog.event_data.Image +root.actor.process.file.type_id = match { + this.winlog.event_data.Image.contains(".") => 1 # Should have a "." character if it has a file extension + _=> 2 +} +root.actor.process.file.type = match { + this.winlog.event_data.Image.contains(".") => "Regular File" # Should have a "." 
character if it has a file extension + _=> "Directory" +} +root.actor.process.name = winlog.event_data.Image.split("\\").index(-1) +root.actor.process.pid = winlog.event_data.ProcessId.number() +root.actor.process.uid = winlog.event_data.ProcessGuid.trim("{}") +root.actor.process.user.name = this.winlog.event_data.User.split("\\").index(1) +root.actor.process.user.domain = this.winlog.event_data.User.split("\\").index(0) +root.actor.process.user.type_id = match this.winlog.event_data.User { + this.contains("NT AUTHORITY") => 3 + this.contains("S-1-5-18") => 3 + this.contains("Administrator") => 2 + this.contains("my_id_for_my_company") => 1 + _=> 0 +} +root.actor.process.user.type = match this.winlog.event_data.User { + this.contains("NT AUTHORITY") => "System" + this.contains("S-1-5-18") => "System" + this.contains("my_id_for_my_company") => "User" + this.contains("Administrator") => "Admin" + _=> 0 +} + +root.type_uid = root.class_uid.number() * 100 + root.activity_id.number() +root.unmapped = this.without( + "winlog.event_data.UtcTime", + "winlog.task", + "winlog.event_id", + "winlog.record_id", + "event.created", + "winlog.channel", + "winlog.provider_name", + "winlog.computer_name", + "winlog.event_data.TargetFilename", + "winlog.event_data.Image", + "winlog.event_data.ProcessId", + "winlog.event_data.ProcessGuid", + "winlog.event_data.User", + "winlog.event_data.Hash", + "mitre", +) + +let myhash = root.file.hashes.map_each(hash -> hash.value).collapse() + +observables = root.without("unmapped").with("file.name", "actor.process.file.name", "device.hostname", "actor.process.user.name", "actor.process.name").merge($myhash).(item -> { + "a": match {item.device.exists("hostname") => {"name": "device.hostname", "type": "Hostname", "type_id": 1, "value": item.device.hostname}}, + "b": match {item.actor.process.user.exists("name") => {"name": "actor.process.user.name", "type": "User Name", "type_id": 4, "value": item.actor.process.user.name}}, + "c": match 
{item.file.exists("name") => {"name": "file.name", "type": "File Name", "type_id": 7, "value": item.file.name}}, + "d": match {item.actor.process.file.exists("name") => {"name": "actor.process.file.name", "type": "File Name", "type_id": 7, "value": item.actor.process.file.name}}, + "e": match {item.actor.process.exists("name") => {"name": "actor.process.name", "type": "Process Name", "type_id": 9, "value": item.actor.process.name}}, + "f": match {item.exists("0") => {"name": "file.hashes.value", "type": "File Hash", "type_id": 8, "value": item.0}}, + "g": match {item.exists("1") => {"name": "file.hashes.value", "type": "File Hash", "type_id": 8, "value": item.1}}, + "h": match {item.exists("2") => {"name": "file.hashes.value", "type": "File Hash", "type_id": 8, "value": item.2}}, + "i": match {item.exists("3") => {"name": "file.hashes.value", "type": "File Hash", "type_id": 8, "value": item.3}}, + "j": match {item.exists("4") => {"name": "file.hashes.value", "type": "File Hash", "type_id": 8, "value": item.4}}, + }).values() diff --git a/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1002_kernel_extension_activity_event_id_6.blobl b/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1002_kernel_extension_activity_event_id_6.blobl new file mode 100644 index 00000000..a186664e --- /dev/null +++ b/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1002_kernel_extension_activity_event_id_6.blobl 
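Review bot: `root.metadata.event_code = this.winlog.event_id.string()` is the only mapping in this commit that coerces the event code to a string; the event_id_11, event_id_15, event_id_23 and event_id_6 files assign `this.winlog.event_id` raw, so the same OCSF field is emitted as a number by one mapping and as a string by another. OCSF declares `metadata.event_code` as a string, so the `.string()` form used here should be applied across the set rather than reverted. The `root.unmapped` argument list here also ends with a trailing `"mitre",` unlike its siblings; harmless if the parser accepts it, but worth aligning with the other files.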
@@ -0,0 +1,100 @@ + + +root.category_uid = 1 +root.category_name = "System Activity" +root.class_uid = 1002 +root.class_name = "Kernel Extension Activity" +root.activity_name = "Load" +root.activity_id = 1 +#root.type_name = "Kernel Extension Activity: Load" +root.time = this.winlog.event_data.UtcTime.ts_strptime("%Y-%m-%d %H:%M:%S.%f").ts_unix_milli() +root.time_dt = this.winlog.event_data.UtcTime +root.message = this.winlog.task +root.severity_id = 1 +root.severity = "Informational" +root.status_id = 1 +root.disposition_id = 17 +root.disposition = "Logged" + +root.metadata.profiles = ["host","security_control","datetime"] +root.metadata.event_code = this.winlog.event_id +root.metadata.uid = this.winlog.record_id.string() +root.metadata.logged_time = this.event.created.ts_unix_milli() +root.metadata.logged_time_dt = this.event.created +root.metadata.log_name = this.winlog.channel +root.metadata.log_provider = this.winlog.provider_name +root.metadata.product.lang = "EN" +root.metadata.product.name = "Sysmon" +root.metadata.product.vendor_name = "Sysmon" +root.metadata.version = "1.0.0" +root.metadata.original_time = this.winlog.event_data.UtcTime + +root.device.type = "Server" +root.device.type_id = 1 +root.device.hostname = this.winlog.computer_name.split(".").index(0) +root.device.os.type_id = 100 +root.device.os.type = "Windows" +root.device.os.name = "Microsoft Windows" + +root.attacks = [{ + "version": "v13", + "technique": { + "name" : this.mitre.technique_name, + "uid" : this.mitre.technique_id}, + "tactics" : [], +}] + +root.actor.process.file.name = winlog.event_data.ImageLoaded.split("\\").index(-1) + +root.driver.file.company_name = this.winlog.event_data.Signature +root.driver.file.name = this.winlog.event_data.ImageLoaded.split("\\").index(-1) +root.driver.file.path = this.winlog.event_data.ImageLoaded +root.driver.file.type_id = match { + this.winlog.event_data.ImageLoaded.contains(".sys") => 99 + _=> 2 +} +root.driver.file.type = match { + 
this.winlog.event_data.ImageLoaded.contains(".sys") => "Driver" + _=> "Other" +} +root.driver.file.hashes = if this.winlog.event_data.exists("Hash") {this.winlog.event_data.Hash.key_values().map_each(item -> { + "algorithm_id": match { + item.key == "MD5" => 1, + item.key == "SHA1" => 2, + item.key == "SHA256" => 3, + item.key == "IMPHASH" => 99, + }, + "algorithm": match { + item.key == "MD5" => "MD5", + item.key == "SHA1" => "SHA-1", + item.key == "SHA256" => "SHA-256", + item.key == "IMPHASH" => "IMPHASH" + }, + "value": item.value.string()}) } else {deleted()} + +root.type_uid = root.class_uid.number() * 100 + root.activity_id.number() +root.unmapped = this.without( + "winlog.event_data.UtcTime", + "winlog.task", + "winlog.event_id", + "winlog.record_id", + "event.created", + "winlog.channel", + "winlog.provider_name", + "winlog.computer_name", + "winlog.event_data.ImageLoaded", + "winlog.event_data.Hash", + "mitre", + "winlog.event_data.Signature" +) +let myhash = root.driver.file.hashes.map_each(hash -> hash.value).collapse() + +observables = root.without("unmapped").with("file.name", "device.hostname").merge($myhash).(item -> { + "a": match {item.device.exists("hostname") => {"name": "device.hostname", "type": "Hostname", "type_id": 1, "value": item.device.hostname}}, + "b": match {item.file.exists("name") => {"name": "file.name", "type": "File Name", "type_id": 7, "value": item.file.name}}, + "c": match {item.exists("0") => {"name": "driver.file.hashes.value", "type": "File Hash", "type_id": 8, "value": item.0}}, + "d": match {item.exists("1") => {"name": "driver.file.hashes.value", "type": "File Hash", "type_id": 8, "value": item.1}}, + "e": match {item.exists("2") => {"name": "driver.file.hashes.value", "type": "File Hash", "type_id": 8, "value": item.2}}, + "f": match {item.exists("3") => {"name": "driver.file.hashes.value", "type": "File Hash", "type_id": 8, "value": item.3}}, + "g": match {item.exists("4") => {"name": "driver.file.hashes.value", 
"type": "File Hash", "type_id": 8, "value": item.4}}, + }).values() \ No newline at end of file diff --git a/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1005_module_activity_event_id_7.blobl b/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1005_module_activity_event_id_7.blobl new file mode 100644 index 00000000..41446853 --- /dev/null +++ b/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1005_module_activity_event_id_7.blobl 
@@ -0,0 +1,155 @@
+
+
+# Required Fields - v1.0.0
+root.class_uid = 1005
+
+root.disposition_id = 17
+root.module.load_type_id = 2
+root.metadata.version = "1.0.0"
+root.metadata.profiles = ["security_control","datetime"]
+root.metadata.product.vendor_name = "Sysmon"
+root.device.type_id = match this.winlog.computer_name {
+ this.contains("WSAMZN") => 6
+ this.contains("EC2AMAZ") => 1
+ _=> 0
+}
+root.severity_id = if this.winlog.event_data.exists("Signed") {match this.winlog.event_data.Signed {
+ this.contains("false") => 3
+ this.contains("failed") => 3
+ this.contains("true") => 2
+ _=> 1
+}} else {1}
+root.activity_id = 1
+root.time = this.time.ts_unix_milli()
+root.time_dt = this.time
+
+root.category_uid = 1
+
+# Recommended Fields - v1.0.0
+root.attacks = [{
+ "version": "v13",
+ "technique": {
+ "name" : this.mitre.technique_name,
+ "uid" : this.mitre.technique_id},
+ "tactics" : [],
+}]
+root.message = this.winlog.task
+# root.timezone_offset = Not available
+root.status_id = 1
+
+root.module.type = if this.winlog.event_data.exists("OriginalFileName") { this.winlog.event_data.OriginalFileName.split(".").index(-1) }
+root.module.file.name = this.winlog.event_data.OriginalFileName
+root.module.file.type_id = 1
+
+# root.device.interface_name = Not available
+# root.device.instance_uid = Not available
+root.device.hostname = this.winlog.computer_name.split(".").index(0)
+
+root.actor.user.name = this.winlog.event_data.User.split("\\").index(-1)
+root.actor.user.type_id = match this.winlog.event_data.(User | SourceUser) {
+ this.contains("NT AUTHORITY") => 3
+ this.contains("my_id_for_my_company") => 1
+ _=> 0
+}
+root.actor.user.type = match this.winlog.event_data.(User | SourceUser) {
+ this.contains("NT AUTHORITY") => "System"
+ this.contains("my_id_for_my_company") => "User"
+ _=> "Unknown"
+}
+root.actor.process.uid = this.winlog.event_data.ProcessGuid.trim("{}")
+root.actor.process.pid = this.winlog.event_data.ProcessId.number()
+root.actor.process.file.type_id = 1
+root.actor.process.file.name = this.winlog.event_data.OriginalFileName
+root.actor.process.file.path = this.winlog.event_data.ImageLoaded
+root.actor.process.file.hashes = if this.winlog.event_data.exists("Hash") {this.winlog.event_data.Hash.key_values().map_each(item -> {
+ "algorithm_id": match {
+ item.key == "MD5" => 1,
+ item.key == "SHA1" => 2,
+ item.key == "SHA256" => 3,
+ item.key == "IMPHASH" => 99,
+ },
+ "algorithm": match {
+ item.key == "MD5" => "MD5",
+ item.key == "SHA1" => "SHA-1",
+ item.key == "SHA256" => "SHA-256",
+ item.key == "IMPHASH" => "IMPHASH"
+
+ },
+ "value": item.value}) } else {deleted()}
+root.actor.process.name = this.winlog.event_data.Image.split("\\").index(-1)
+
+# Optional Fields - v1.0.0
+# this.status_code =
+# this.end_time =
+# this.start_time =
+# this.end_time_dt =
+# this.malware =
+# this.category_name =
+# this.raw_data =
+# this.duration =
+# this.api =
+# this.status_detail =
+# this.disposition =
+# this.count =
+# this.status =
+# this.severity =
+# this.activity_name =
+# this.type_name =
+# this.enrichments =
+# this.start_time_dt =
+# this.time_dt =
+root.class_name = "Process Activity"
+root.category_name = "Module Activity"
+# root.actual_permissions =
+root.activity_name = "Load"
+
+root.type_uid = root.class_uid.number() * 100 + root.activity_id.number()
+root.unmapped = this.without(
+ "m",
+ "agent",
+ "@version",
+ "ec2",
+ "ecs",
+ "event",
+ "tags",
+ "env",
+ "log",
+ "@laas",
+ "micros_container",
+ "time",
+ "mitre",
+ "ls_pipeline_id",
+ "winlog.channel",
+ "winlog.computer_name",
+ "winlog.api",
+ "winlog.fleet_env",
+ "winlog.opcode",
+ "winlog.record_id",
+ "winlog.provider_name",
+ "winlog.task",
+ "winlog.event_data.signature",
+ "winlog.event_data.ProcessGuid",
+ "winlog.event_data.ProcessId",
+ "winlog.event_data.User",
+ "winlog.event_data.Hash",
+ "winlog.event_data.ImageLoaded",
+ "winlog.event_data.Image",
+ "winlog.event_data.OriginalFileName",
+
"winlog.event_data.UtcTime",
+ "winlog.event_data.SignatureStatus",
+ "winlog.event_data.Signed"
+)
+let myhash = if root.actor.process.file.exists("hashes") { root.actor.process.file.hashes.map_each(hash -> hash.value).collapse() } else {"unknown"}
+
+observables = this.without("unmapped").with("device.hostname", "actor.process.file.name", "actor.user.name", "actor.process.name").merge($myhash).(item -> {
+ "a": match {item.device.exists("hostname") => {"name": "device.hostname", "type": "Hostname", "type_id": 1, "value": item.device.hostname}},
+ "b": match {item.actor.user.exists("name") => {"name": "actor.user.name", "type": "User Name", "type_id": 4, "value": item.actor.user.name}},
+ "d": match {item.actor.process.file.exists("name") => {"name": "actor.process.file.name", "type": "File Name", "type_id": 7, "value": item.actor.process.file.name}},
+ "e": match {item.actor.process.exists("name") => {"name": "actor.process.name", "type": "Process Name", "type_id": 9, "value": item.actor.process.name}},
+ "f": match {item.exists("0") => {"name": "actor.process.file.hashes.value", "type": "File Hash", "type_id": 8, "value": item.0}},
+ "g": match {item.exists("1") => {"name": "actor.process.file.hashes.value", "type": "File Hash", "type_id": 8, "value": item.1}},
+ "h": match {item.exists("2") => {"name": "actor.process.file.hashes.value", "type": "File Hash", "type_id": 8, "value": item.2}},
+ "i": match {item.exists("3") => {"name": "actor.process.file.hashes.value", "type": "File Hash", "type_id": 8, "value": item.3}},
+ "j": match {item.exists("4") => {"name": "actor.process.file.hashes.value", "type": "File Hash", "type_id": 8, "value": item.4}},
+ "j": match {item.exists("5") => {"name": "actor.process.file.hashes.value", "type": "File Hash", "type_id": 8, "value": item.5}},
+ }).values()
\ No newline at end of file
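Review bot: In this Event ID 7 mapping the loaded module's attributes are attached to the loading process: `root.actor.process.file.path = this.winlog.event_data.ImageLoaded`, `root.actor.process.file.name = this.winlog.event_data.OriginalFileName` and `root.actor.process.file.hashes` (from `Hash`) all describe the DLL in Sysmon's EID 7 schema, while `root.actor.process.name` is taken from `Image`, the process that loaded it. A detection keyed on `actor.process.file.hashes` would therefore attribute the module's hash and signature state to the process image; those fields belong under `root.module.file` (`root.module.file.path = this.winlog.event_data.ImageLoaded`, `root.module.file.hashes = ...`), with `root.actor.process.file.path` taken from `Image`. The observables map also declares `"j"` twice, so the entry for hash index 4 is overwritten by the index-5 one and that hash is never emitted as an observable. Finally the observables are built from `this.without("unmapped")` (the input document) whereas the sibling mappings use `root.without("unmapped")`, so the `device.hostname`, `actor.user.name` and `actor.process.*` observables will be empty unless the input already carries those exact paths.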
diff --git a/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1007_process_activity_event_id_1.blobl b/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1007_process_activity_event_id_1.blobl
new file mode 100644
index 00000000..c255d55e
--- /dev/null
+++ b/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1007_process_activity_event_id_1.blobl
@@ -0,0 +1,234 @@
+
+# Sysmon Event ID - 1
+
+## Required fields - v1.0.0
+root.severity_id = 1
+
+let winlogUser = if this.winlog.event_data.exists("User") { this.winlog.event_data.User } else { this.winlog.event_data.TargetUser }
+
+root.process.user.type_id = match $winlogUser {
+ this.contains("NT AUTHORITY") => 3
+ this.contains("my_id_for_my_company") => 1
+ _=> 0
+}
+
+root.process.user.type = match $winlogUser {
+ this.contains("NT AUTHORITY") => "System"
+ this.contains("my_id_for_my_company") => "User"
+ _=> 0
+}
+
+let winlogProcessImage = if winlog.event_data.exists("Image") { this.winlog.event_data.Image } else { this.winlog.event_data.TargetImage }
+root.process.file.type_id = match $winlogProcessImage.split("\\").index(-1) {
+ this.contains(".") => 1
+ _=> 0
+}
+root.process.file.type = match $winlogProcessImage.split("\\").index(-1) {
+ this.contains(".") => "Regular File"
+ _=> "Unknown"
+}
+root.process.file.name = $winlogProcessImage.split("\\").index(-1)
+root.metadata.version = "1.0.0"
+root.metadata.profiles = ["security_control","datetime"]
+root.metadata.product.vendor_name = "Sysmon"
+root.time = this.time.ts_unix_milli()
+root.time_dt = this.time
+root.disposition_id = 17
+root.device.type_id = match this.winlog.computer_name {
+ this.contains("WSAMZN") => 6
+ this.contains("EC2AMAZ") => 1
+ _=> 0
+}
+root.device.type = match this.winlog.computer_name {
+ this.contains("WSAMZN") => "Virtual"
+ this.contains("EC2AMAZ") => "Server"
+ _=> 0
+}
+root.class_uid = 1007
+root.category_uid = 1
+root.activity_id = 1
+
+# ## Recomended fields - v1.0.0
+# root.timezone_offset = Not available
+root.status_id = 1
+root.message = this.winlog.task
+root.attacks = [{
+ "version": "v13",
+ "technique": {
+ "name" : this.mitre.technique_name,
+ "uid" : this.mitre.technique_id},
+ "tactics" : [],
+}]
+
+root.process.user.name = this.winlog.event_data.User.split("\\").index(1) | deleted()
+root.process.user.domain =
this.winlog.event_data.User.split("\\").index(0) | deleted()
+# root.process.user.uid = Not available
+root.process.uid = if this.winlog.event_data.exists("ProcessGuid") { this.winlog.event_data.ProcessGuid.trim("{}") } else { this.winlog.event_data.TargetProcessGUID.trim("{}") }
+root.process.pid = if this.winlog.event_data.exists("ProcessId") { this.winlog.event_data.ProcessId.number()} else { this.winlog.event_data.TargetProcessId.number() }
+# root.process.namespace_pid = ""
+root.process.name = this.winlog.event_data.OriginalFileName
+root.process.file.path = if this.winlog.event_data.exists("Image") { this.winlog.event_data.Image } else { this.winlog.event_data.TargetImage }
+root.process.created_time = this.winlog.event_data.UtcTime.ts_strptime("%Y-%m-%d %H:%M:%S.%f").ts_unix_milli()
+root.process.created_time_dt = this.winlog.event_data.UtcTime
+# root.process.container = ""
+root.process.cmd_line = this.winlog.event_data.CommandLine
+
+let parentUserName = if this.winlog.event_data.ParentUser.type() == "array" { this.winlog.event_data.ParentUser.index(0).split("\\").index(-1) }
+ else if this.winlog.event_data.exists("ParentUser") { this.winlog.event_data.ParentUser.split("\\").index(-1) }
+ else if this.winlog.event_data.exists("SourceUser") { this.winlog.event_data.SourceUser.split("\\").index(-1) }
+ else { "Unknown" }
+
+let parentUserDomain = if this.winlog.event_data.ParentUser.type() == "array" { this.winlog.event_data.ParentUser.index(0).split("\\").index(-0) }
+ else if this.winlog.event_data.exists("ParentUser") { this.winlog.event_data.ParentUser.split("\\").index(-0) }
+ else if this.winlog.event_data.exists("SourceUser") { this.winlog.event_data.SourceUser.split("\\").index(-0) }
+ else { "Unknown" }
+
+root.actor.process.user.name = $parentUserName
+root.actor.process.user.domain = $parentUserDomain
+root.actor.process.user.type_id = match $parentUserDomain {
+ this.contains("NT AUTHORITY") => 3
+ this.contains("my_id_for_my_company") => 1
+
_=> 0
+}
+
+root.actor.process.user.type = match $parentUserDomain {
+ this.contains("NT AUTHORITY") => "System"
+ this.contains("my_id_for_my_company") => "User"
+ _=> "Unknown"
+}
+root.actor.process.uid = this.winlog.event_data.ParentProcessGuid.trim("{}") | deleted()
+root.actor.process.pid = this.winlog.event_data.ParentProcessId.number() | deleted()
+root.actor.process.name = this.winlog.event_data.ParentImage.split("\\").index(-1) | deleted()
+root.actor.process.cmd_line = this.winlog.event_data.ParentCommandLine | deleted()
+
+root.actor.process.file.path = this.winlog.event_data.ParentImage
+
+root.actor.process.file.type_id = match winlog.event_data.ParentImage.split("\\").index(-1) {
+ this.contains(".") => 1
+ _=> 0
+} | deleted()
+root.actor.process.file.type = match winlog.event_data.ParentImage.split("\\").index(-1) {
+ this.contains(".") => "Regular File"
+ _=> "Unknown"
+} | deleted()
+root.actor.process.file.name = this.winlog.event_data.ParentImage.split("\\").index(-1) | deleted()
+
+root.metadata.original_time = this.winlog.event_data.UtcTime
+root.metadata.log_provider = this.winlog.channel.split("/").index(0)
+root.metadata.log_name = this.winlog.channel.split("/").index(-1)
+root.metadata.product.version = "15" #TODO: Remove hardcoded value, add field into beats agent.
+root.metadata.product.uid = "NA" #TODO: Create product UID's
+root.metadata.product.name = "Sysmon"
+root.metadata.product.lang = "en"
+
+# root.device.interface_name = Not available in Sysmon
+# root.device.instance_uid = Not available in Sysmon
+root.device.hostname = this.winlog.computer_name.split(".").index(0)
+
+root.actor.user.name = $parentUserName
+root.actor.user.domain = $parentUserDomain
+root.actor.user.type_id = match $parentUserDomain {
+ this.contains("NT AUTHORITY") => 3
+ this.contains("my_id_for_my_company") => 1
+ _=> 0
+}
+root.actor.user.type = match $parentUserDomain {
+ this.contains("NT AUTHORITY") => "System"
+ this.contains("my_id_for_my_company") => "User"
+ _=> "Unknown"
+}
+root.actor.process.file.hashes = if this.winlog.event_data.exists("Hash") {this.winlog.event_data.Hash.key_values().map_each(item -> {
+ "algorithm_id": match {
+ item.key == "MD5" => 1,
+ item.key == "SHA1" => 2,
+ item.key == "SHA256" => 3,
+ item.key == "IMPHASH" => 99,
+ },
+ "algorithm": match {
+ item.key == "MD5" => "MD5",
+ item.key == "SHA1" => "SHA-1",
+ item.key == "SHA256" => "SHA-256",
+ item.key == "IMPHASH" => "IMPHASH"
+
+ },
+ "value": item.value}) } else {deleted()}
+
+root.type_uid = root.class_uid.number() * 100 + root.activity_id.number()
+# # ## Optional fields - v1.0.0
+root.unmapped = this.without(
+ "m",
+ "agent",
+ "@version",
+ "ec2",
+ "ecs",
+ "event",
+ "tags",
+ "env",
+ "log",
+ "@laas",
+ "micros_container",
+ "time",
+ "provider_name",
+ "mitre",
+ "ls_pipeline_id",
+ "winlog.api",
+ "winlog.task",
+ "winlog.computer_name",
+ "winlog.event_data.CommandLine",
+ "winlog.event_data.Hash",
+ "winlog.channel",
+ "winlog.event_data.Image",
+ "winlog.event_data.OriginalFileName",
+ "winlog.event_data.ParentCommandLine",
+ "winlog.event_data.ParentImage",
+ "winlog.event_data.ParentProcessGuid",
+ "winlog.event_data.ParentProcessId",
+ "winlog.event_data.ParentUser",
+ "winlog.event_data.ProcessGuid",
+ "winlog.event_data.ProcessId",
+
"winlog.event_data.User",
+ "winlog.event_data.UtcTime"
+)
+# root.status_detail =
+# root.status_code =
+# root.status =
+# root.start_time_dt =
+# root.start_time =
+# root.severity =
+# root.requested_permissions =
+# root.raw_data =
+# root.module =
+# root.malware =
+# root.injection_type_id =
+# root.injection_type =
+# root.exit_code =
+# root.time_dt =
+# root.enrichments =
+# root.end_time_dt =
+# root.end_time =
+# root.duration =
+# root.disposition =
+# root.count =
+root.class_name = "Process Activity"
+root.category_name = "System Activity"
+# root.actual_permissions =
+root.activity_name = "Launch"
+# root.api =
+
+let myhash = if root.actor.process.file.exists("hashes") { root.actor.process.file.hashes.map_each(hash -> hash.value).collapse() } else {"unknown"}
+
+observables = root.without("unmapped").with("device.hostname", "actor.user.name", "process.user.name", "actor.process.user.name", "actor.process.file.name", "actor.process.name", "process.name").merge($myhash).(item -> {
+ "a": match {item.device.exists("hostname") => {"name": "device.hostname", "type": "Hostname", "type_id": 1, "value": item.device.hostname}},
+ "b": match {item.actor.user.exists("name") => {"name": "actor.user.name", "type": "User Name", "type_id": 4, "value": item.actor.user.name}},
+ "c": match {item.process.user.exists("name") => {"name": "process.user.name", "type": "User Name", "type_id": 4, "value": item.process.user.name}},
+ "d": match {item.actor.process.user.exists("name") => {"name": "actor.process.user.name", "type": "User Name", "type_id": 4, "value": item.actor.process.user.name}},
+ "e": match {item.actor.process.file.exists("name") => {"name": "actor.process.file.name", "type": "File Name", "type_id": 7, "value": item.actor.process.file.name}},
+ "f": match {item.actor.process.exists("name") => {"name": "actor.process.name", "type": "Process Name", "type_id": 9, "value": item.actor.process.name}},
+ "g": match {item.process.exists("name") => {"name":
"process.name", "type": "Process Name", "type_id": 9, "value": item.process.name}},
+ "h": match {item.exists("0") => {"name": "actor.process.file.hashes.value", "type": "File Hash", "type_id": 8, "value": item.0}},
+ "i": match {item.exists("1") => {"name": "actor.process.file.hashes.value", "type": "File Hash", "type_id": 8, "value": item.1}},
+ "j": match {item.exists("2") => {"name": "actor.process.file.hashes.value", "type": "File Hash", "type_id": 8, "value": item.2}},
+ "k": match {item.exists("3") => {"name": "actor.process.file.hashes.value", "type": "File Hash", "type_id": 8, "value": item.3}},
+ "l": match {item.exists("4") => {"name": "actor.process.file.hashes.value", "type": "File Hash", "type_id": 8, "value": item.4}},
+ "m": match {item.exists("5") => {"name": "actor.process.file.hashes.value", "type": "File Hash", "type_id": 8, "value": item.5}},
+ }).values()
\ No newline at end of file
diff --git a/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1007_process_activity_event_id_10.blobl b/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1007_process_activity_event_id_10.blobl
new file mode 100644
index 00000000..c9969246
--- /dev/null
+++ b/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1007_process_activity_event_id_10.blobl
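Review bot: `root.process.user.type` and `root.device.type` fall through to `_=> 0`, a number, while every other `*.type` match in this file (for example `root.actor.process.user.type`) falls through to `"Unknown"`; a host whose name matches neither WSAMZN nor EC2AMAZ, or a user outside the two patterns, therefore emits a numeric value in a string field, which fails schema validation and breaks any consumer that groups on it. Change both to `_=> "Unknown"`; the same `_=> 0` fallthrough appears in the Event ID 10, 25 and 5 mappings below. Two smaller points: `let winlogProcessImage = if winlog.event_data.exists("Image")` omits the `this.` prefix used on the neighbouring lines (worth confirming that a bare `winlog` path resolves against the input in the Bloblang version in use, otherwise the fallback to `TargetImage` is always taken), and the three `.index(-0)` calls in `parentUserDomain` are just `.index(0)` and read like a typo of `-1`, so they should be written as `.index(0)` with a comment that the domain is the part before the backslash.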
@@ -0,0 +1,192 @@
+
+
+# Sysmon Event ID - 10
+
+## Required fields - v1.0.0
+root.severity_id = 1
+root.process.user.type_id = match this.winlog.event_data.TargetUser {
+ this.contains("NT AUTHORITY") => 3
+ this.contains("my_id_for_my_company") => 1
+ _=> 0
+}
+root.process.user.type = match this.winlog.event_data.TargetUser {
+ this.contains("NT AUTHORITY") => "System"
+ this.contains("my_id_for_my_company") => "User"
+ _=> 0
+}
+root.process.file.type_id = match winlog.event_data.TargetImage.split("\\").index(-1) {
+ this.contains(".") => 1
+ _=> 0
+}
+root.process.file.type = match winlog.event_data.TargetImage.split("\\").index(-1) {
+ this.contains(".") => "Regular File"
+ _=> "Unknown"
+}
+root.process.file.name = this.winlog.event_data.TargetImage.split("\\").index(-1)
+root.metadata.version = "1.0.0"
+root.metadata.profiles = ["security_control"]
+root.metadata.product.vendor_name = "Sysmon"
+root.time = this.time.ts_unix_milli()
+root.time_dt = this.time
+root.disposition_id = 17
+root.device.type_id = match this.winlog.computer_name {
+ this.contains("WSAMZN") => 6
+ this.contains("EC2AMAZ") => 1
+ _=> 0
+}
+root.device.type = match this.winlog.computer_name {
+ this.contains("WSAMZN") => "Virtual"
+ this.contains("EC2AMAZ") => "Server"
+ _=> 0
+}
+root.class_uid = 1007
+root.category_uid = 1
+root.activity_id = 3
+
+# ## Recomended fields - v1.0.0
+# root.timezone_offset = Not available
+root.status_id = 1
+root.message = this.winlog.task
+root.attacks = [{
+ "version": "v13",
+ "technique": {
+ "name" : this.mitre.technique_name,
+ "uid" : this.mitre.technique_id},
+ "tactics" : [],
+}]
+
+root.process.user.name = this.winlog.event_data.TargetUser.split("\\").index(-1)
+root.process.user.domain = this.winlog.event_data.TargetUser.split("\\").index(0)
+# root.process.user.uid = 10-10-23 - Not available
+root.process.uid = this.winlog.event_data.TargetProcessGUID.trim("{}")
+root.process.pid = this.winlog.event_data.TargetProcessId.number()
+#
root.process.namespace_pid = ""
+root.process.name = this.winlog.event_data.TargetImage.split("\\").index(-1)
+root.process.file.path = this.winlog.event_data.TargetImage
+root.process.created_time = this.winlog.event_data.UtcTime.ts_strptime("%Y-%m-%d %H:%M:%S.%f").ts_unix_milli()
+root.process.created_time_dt = this.winlog.event_data.UtcTime
+# root.process.container = ""
+# root.process.cmd_line = Event ID 8 - Does not contain cmd line.
+
+root.actor.process.user.name = this.winlog.event_data.SourceUser.split("\\").index(-1)
+root.actor.process.user.domain = this.winlog.event_data.SourceUser.split("\\").index(0)
+root.actor.process.user.type_id = match this.winlog.event_data.SourceUser {
+ this.contains("NT AUTHORITY") => 3
+ this.contains("my_id_for_my_company") => 1
+ _=> 0
+}
+root.actor.process.user.type = match this.winlog.event_data.SourceUser {
+ this.contains("NT AUTHORITY") => "System"
+ this.contains("my_id_for_my_company") => "User"
+ _=> "Unknown"
+}
+root.actor.process.uid = this.winlog.event_data.SourceProcessGUID.trim("{}")
+root.actor.process.pid = this.winlog.event_data.SourceProcessId.number()
+root.actor.process.name = this.winlog.event_data.SourceImage.split("\\").index(-1)
+# root.actor.process.cmd_line = Event ID 8 - Does not contain cmd line.
+
+root.actor.process.file.path = this.winlog.event_data.SourceImage
+root.actor.process.file.type_id = match winlog.event_data.SourceImage.split("\\").index(-1) {
+ this.contains(".") => 1
+ _=> 0
+}
+root.actor.process.file.type = match winlog.event_data.SourceImage.split("\\").index(-1) {
+ this.contains(".") => "Regular File"
+ _=> "Unknown"
+}
+root.actor.process.file.name = this.winlog.event_data.SourceImage.split("\\").index(-1)
+
+root.metadata.original_time = this.winlog.event_data.UtcTime
+root.metadata.log_provider = this.winlog.channel.split("/").index(0)
+root.metadata.log_name = this.winlog.channel.split("/").index(-1)
+root.metadata.product.version = "15" #TODO: Remove hardcoded value, add field into beats agent.
+root.metadata.product.uid = "NA" #TODO: Create product UID's
+root.metadata.product.name = "Sysmon"
+root.metadata.product.lang = "en"
+
+# root.device.interface_name = Not available in Sysmon
+# root.device.instance_uid = Not available in Sysmon
+root.device.hostname = this.winlog.computer_name.split(".").index(0)
+
+root.actor.user.name = this.winlog.event_data.SourceUser.split("\\").index(-1)
+root.actor.user.domain = this.winlog.event_data.SourceUser.split("\\").index(0)
+root.actor.user.type_id = match this.winlog.event_data.SourceUser.split("\\").index(0) {
+ this.contains("NT AUTHORITY") => 3
+ this.contains("my_id_for_my_company") => 1
+ _=> 0
+}
+root.actor.user.type = match this.winlog.event_data.SourceUser.split("\\").index(0) {
+ this.contains("NT AUTHORITY") => "System"
+ this.contains("my_id_for_my_company") => "User"
+ _=> "Unknown"
+}
+
+root.type_uid = root.class_uid.number() * 100 + root.activity_id.number()
+# # ## Optional fields - v1.0.0
+root.unmapped = this.without(
+ "m",
+ "agent",
+ "@version",
+ "ec2",
+ "ecs",
+ "event",
+ "tags",
+ "env",
+ "log",
+ "@laas",
+ "micros_container",
+ "time",
+ "provider_name",
+ "mitre",
+ "ls_pipeline_id",
+ "winlog.api",
+ "winlog.task",
+ "winlog.computer_name",
+
"winlog.channel",
+ "winlog.event_data.GrantedAccessList",
+ "winlog.event_data.SourceImage",
+ "winlog.event_data.TargetImage",
+ "winlog.event_data.SourceProcessGUID",
+ "winlog.event_data.SourceProcessId",
+ "winlog.event_data.SourceUser",
+ "winlog.event_data.TargetProcessGUID",
+ "winlog.event_data.TargetProcessId",
+ "winlog.event_data.TargetUser",
+ "winlog.event_data.UtcTime"
+)
+# root.status_detail =
+# root.status_code =
+# root.status =
+# root.start_time_dt =
+# root.start_time =
+# root.severity =
+# root.requested_permissions =
+# root.raw_data =
+# root.module =
+# root.malware =
+# root.injection_type_id =
+# root.injection_type =
+# root.exit_code =
+# root.time_dt =
+# root.enrichments =
+# root.end_time_dt =
+# root.end_time =
+# root.duration =
+# root.disposition =
+# root.count =
+root.class_name = "Process Activity"
+root.category_name = "System Activity"
+# root.actual_permissions =
+root.activity_name = "Open"
+root.process.loaded_modules = this.winlog.event_data.GrantedAccessList | deleted()
+# root.api =
+
+observables = root.without("unmapped").with("device.hostname", "actor.user.name", "process.user.name", "actor.process.file.name", "process.file.name", "process.name", "actor.process.name").(item -> {
+ "a": match {item.device.exists("hostname") => {"name": "device.hostname", "type": "Hostname", "type_id": 1, "value": item.device.hostname}},
+ "b": match {item.process.user.exists("name") => {"name": "process.user.name", "type": "User Name", "type_id": 4, "value": item.process.user.name}},
+ "c": match {item.actor.user.exists("name") => {"name": "actor.user.name", "type": "User Name", "type_id": 4, "value": item.actor.user.name}},
+ "d": match {item.actor.process.file.exists("name") => {"name": "actor.process.file.name", "type": "File Name", "type_id": 7, "value": item.actor.process.file.name}},
+ "e": match {item.process.file.exists("name") => {"name": "process.file.name", "type": "File Name", "type_id": 7, "value":
item.process.file.name}},
+ "f": match {item.process.exists("name") => {"name": "process.name", "type": "Process Name", "type_id": 9, "value": item.process.name}},
+ "g": match {item.actor.process.exists("name") => {"name": "actor.process.name", "type": "Process Name", "type_id": 9, "value": item.actor.process.name}},
+ }).values()
\ No newline at end of file
diff --git a/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1007_process_activity_event_id_25.blobl b/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1007_process_activity_event_id_25.blobl
new file mode 100644
index 00000000..0f11585e
--- /dev/null
+++ b/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1007_process_activity_event_id_25.blobl
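Review bot: `root.process.loaded_modules = this.winlog.event_data.GrantedAccessList | deleted()` stores the ProcessAccess granted-access rights in a field whose meaning is "DLLs loaded by the process"; for Event ID 10 the access mask is the main signal a detection engineer filters on, and OCSF Process Activity provides `actual_permissions` for exactly this, which the hunk leaves as the stub `# root.actual_permissions =`. Move the value there (`actual_permissions` is specified as the native integer mask, so the raw `GrantedAccess` value is the natural fit if the feed still carries it, with the decoded list kept alongside it or in `unmapped`) and drop the `loaded_modules` assignment. The comments `# root.process.cmd_line = Event ID 8 - Does not contain cmd line.` and `# root.actor.process.cmd_line = Event ID 8 - Does not contain cmd line.` name the wrong event for a file that maps Event ID 10 and should say `Event ID 10`. `root.metadata.profiles = ["security_control"]` also omits `"datetime"` although `time_dt` and `process.created_time_dt` are populated, unlike the Event ID 1 mapping above.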
@@ -0,0 +1,150 @@
+
+# Sysmon Event ID - 25
+
+## Required fields - v1.0.0
+root.severity_id = 1
+root.process.user.type_id = match this.winlog.event_data.User {
+ this.contains("NT AUTHORITY") => 3
+ this.contains("my_id_for_my_company") => 1
+ _=> 0
+}
+root.process.user.type = match this.winlog.event_data.User {
+ this.contains("NT AUTHORITY") => "System"
+ this.contains("my_id_for_my_company") => "User"
+ _=> 0
+}
+root.process.file.type_id = match winlog.event_data.Image.split("\\").index(-1) {
+ this.contains(".") => 1
+ _=> 0
+}
+root.process.file.type = match winlog.event_data.Image.split("\\").index(-1) {
+ this.contains(".") => "Regular File"
+ _=> "Unknown"
+}
+root.process.file.name = this.winlog.event_data.Image.split("\\").index(-1)
+root.metadata.version = "1.0.0"
+root.metadata.profiles = ["security_control","datetime"]
+root.metadata.product.vendor_name = "Sysmon"
+root.time = this.time.ts_unix_milli()
+root.time_dt = this.time
+root.disposition_id = 17
+root.device.type_id = match this.winlog.computer_name {
+ this.contains("WSAMZN") => 6
+ this.contains("EC2AMAZ") => 1
+ _=> 0
+}
+root.device.type = match this.winlog.computer_name {
+ this.contains("WSAMZN") => "Virtual"
+ this.contains("EC2AMAZ") => "Server"
+ _=> 0
+}
+root.class_uid = 1007
+root.category_uid = 1
+root.activity_id = 4
+
+# ## Recomended fields - v1.0.0
+# root.timezone_offset = Not available
+root.status_id = 1
+root.message = this.winlog.task
+
+root.process.user.name = this.winlog.event_data.User.split("\\").index(-1)
+root.process.user.domain = this.winlog.event_data.User.split("\\").index(0)
+# root.process.user.uid = 10-10-23 - Not available
+root.process.uid = this.winlog.event_data.ProcessGuid.trim("{}")
+root.process.pid = this.winlog.event_data.ProcessId.number()
+# root.process.namespace_pid = ""
+root.process.name = this.winlog.event_data.Image.split("\\").index(-1)
+root.process.file.path = this.winlog.event_data.Image
+root.process.created_time =
this.winlog.event_data.UtcTime.ts_strptime("%Y-%m-%d %H:%M:%S.%f").ts_unix_milli()
+root.process.created_time_dt = this.winlog.event_data.UtcTime
+# root.process.container = ""
+# root.process.cmd_line = Event ID 25 - Does not contain cmd line.
+
+root.actor.process.user.type_id = 0
+root.actor.process.user.type = "Unknown"
+# root.actor.process.uid = Event ID 25 - Does not contain the actor.process
+# root.actor.process.pid = Event ID 25 - Does not contain the actor.process
+# root.actor.process.name = Event ID 25 - Does not contain the actor.process
+# root.actor.process.cmd_line = Event ID 25 - Does not contain cmd line.
+# root.actor.process.file.path = Event ID 25 - Does not contain the actor.process
+# root.actor.process.file.type_id = Event ID 25 - Does not contain the actor.process
+# root.actor.process.file.type = Event ID 25 - Does not contain the actor.process
+# root.actor.process.file.name = Event ID 25 - Does not contain the actor.process
+
+root.metadata.original_time = this.winlog.event_data.UtcTime
+root.metadata.log_provider = this.winlog.channel.split("/").index(0)
+root.metadata.log_name = this.winlog.channel.split("/").index(-1)
+root.metadata.product.version = "15" #TODO: Remove hardcoded value, add field into beats agent.
+root.metadata.product.uid = "NA" #TODO: Create product UID's
+root.metadata.product.name = "Sysmon"
+root.metadata.product.lang = "en"
+
+# root.device.interface_name = Not available in Sysmon
+# root.device.instance_uid = Not available in Sysmon
+root.device.hostname = this.winlog.computer_name.split(".").index(0)
+
+# root.actor.user.name = Event ID 25 - Does not contain the actor.process
+# root.actor.user.domain = Event ID 25 - Does not contain the actor.process
+# root.actor.user.type_id = Event ID 25 - Does not contain the actor.process
+# root.actor.user.type = Event ID 25 - Does not contain the actor.process
+
+root.type_uid = root.class_uid.number() * 100 + root.activity_id.number()
+# # ## Optional fields - v1.0.0
+root.unmapped = this.without(
+ "m",
+ "agent",
+ "@version",
+ "ec2",
+ "ecs",
+ "event",
+ "tags",
+ "env",
+ "log",
+ "@laas",
+ "micros_container",
+ "time",
+ "provider_name",
+ "mitre",
+ "ls_pipeline_id",
+ "winlog.api",
+ "winlog.task",
+ "winlog.computer_name",
+ "winlog.channel",
+ "winlog.event_data.Image",
+ "winlog.event_data.ProcessGuid",
+ "winlog.event_data.ProcessId",
+ "winlog.event_data.User",
+ "winlog.event_data.UtcTime"
+)
+# root.status_detail =
+# root.status_code =
+# root.status =
+# root.start_time_dt =
+# root.start_time =
+# root.severity =
+# root.requested_permissions =
+# root.raw_data =
+# root.module =
+# root.malware =
+# root.injection_type_id =
+# root.injection_type =
+# root.exit_code =
+# root.time_dt =
+# root.enrichments =
+# root.end_time_dt =
+# root.end_time =
+# root.duration =
+# root.disposition =
+# root.count =
+root.class_name = "Process Activity"
+root.category_name = "System Activity"
+# root.actual_permissions =
+root.activity_name = "Inject"
+# root.api =
+
+observables = root.without("unmapped").with("device.hostname", "process.user.name", "process.file.name", "process.name").(item -> {
+ "a": match {item.device.exists("hostname") => {"name": "device.hostname", "type": "Hostname",
"type_id": 1, "value": item.device.hostname}},
+ "b": match {item.process.user.exists("name") => {"name": "process.user.name", "type": "User Name", "type_id": 4, "value": item.process.user.name}},
+ "c": match {item.process.file.exists("name") => {"name": "process.file.name", "type": "File Name", "type_id": 7, "value": item.process.file.name}},
+ "d": match {item.process.exists("name") => {"name": "process.name", "type": "Process Name", "type_id": 9, "value": item.process.name}},
+ }).values()
\ No newline at end of file
diff --git a/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1007_process_activity_event_id_5.blobl b/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1007_process_activity_event_id_5.blobl
new file mode 100644
index 00000000..7e8aa5dc
--- /dev/null
+++ b/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1007_process_activity_event_id_5.blobl
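Review bot: The Event ID 25 (process tampering) mapping drops the one field that says what was observed: Sysmon's `Type` value for this event (the kind of image tampering detected) is neither assigned to an OCSF attribute nor listed in the `this.without(...)` exclusions, so — assuming the feed forwards it as Sysmon emits it — it survives only as `unmapped.winlog.event_data.Type`, where no shared detection or dashboard will look for it. The stubs `# root.injection_type =` and `# root.injection_type_id =` in this hunk are the intended home; at minimum `root.injection_type = this.winlog.event_data.Type | deleted()` keeps the detail queryable, and a small `match` could derive `injection_type_id` from it once the owners settle on the enum values. `root.severity_id = 1` (Informational) is also set unconditionally here while the Event ID 7 mapping raises severity on a signature failure; given that this class of event only fires on tampering, the default deserves an explicit decision and a comment recording it rather than a silent copy of the other files' value.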
@@ -0,0 +1,151 @@ + +# Sysmon Event ID - 5 + +## Required fields - v1.0.0 +root.severity_id = 1 + +let eventUser = if this.winlog.event_data.exists("User") {this.winlog.event_data.User} else { "Unknown" } +root.process.user.type_id = match $eventUser { + this.contains("NT AUTHORITY") => 3 + this.contains("my_id_for_my_company") => 1 + _=> 0 +} +root.process.user.type = match $eventUser { + this.contains("NT AUTHORITY") => "System" + this.contains("my_id_for_my_company") => "User" + _=> 0 +} +root.process.file.type_id = match winlog.event_data.Image.split("\\").index(-1) { + this.contains(".") => 1 + _=> 0 +} | deleted() +root.process.file.type = match winlog.event_data.Image.split("\\").index(-1) { + this.contains(".") => "Regular File" + _=> "Unknown" +} | deleted() +root.process.file.name = this.winlog.event_data.Image.split("\\").index(-1) | deleted() +root.metadata.version = "1.0.0" +root.metadata.profiles = ["security_control"] +root.metadata.product.vendor_name = "Sysmon" +root.time = this.time.ts_unix_milli() +root.time_dt = this.time +root.disposition_id = 17 +root.device.type_id = match this.winlog.computer_name { + this.contains("WSAMZN") => 6 + this.contains("EC2AMAZ") => 1 + _=> 0 +} +root.device.type = match this.winlog.computer_name { + this.contains("WSAMZN") => "Virtual" + this.contains("EC2AMAZ") => "Server" + _=> 0 +} +root.class_uid = 1007 +root.category_uid = 1 +root.activity_id = 2 + +# ## Recomended fields - v1.0.0 +# root.timezone_offset = Not available +root.status_id = 1 +root.message = this.winlog.task + +root.process.user.name = $eventUser.split("\\").index(1) | deleted() +root.process.user.domain = $eventUser.split("\\").index(0) +# root.process.user.uid = Not available +root.process.uid = this.winlog.event_data.ProcessGuid.trim("{}") | deleted() +root.process.pid = this.winlog.event_data.ProcessId.number() | deleted() +# root.process.namespace_pid = "" +root.process.name = this.winlog.event_data.OriginalFileName +root.process.file.path 
= this.winlog.event_data.Image +root.process.created_time = this.winlog.event_data.UtcTime.ts_strptime("%Y-%m-%d %H:%M:%S.%f").ts_unix_milli() +root.process.created_time_dt = this.winlog.event_data.UtcTime +# root.process.container = "" +# root.process.cmd_line = Event ID 5 - Does not have a cmd line. + +root.actor.process.user.name = "Unknown" +root.actor.process.user.type_id = 0 +root.actor.process.user.type = "Unknown" + +root.metadata.original_time = this.winlog.event_data.UtcTime +root.metadata.log_provider = this.winlog.channel.split("/").index(0) +root.metadata.log_name = this.winlog.channel.split("/").index(-1) +root.metadata.product.version = "15" #TODO: Remove hardcoded value, add field into beats agent. +root.metadata.product.uid = "NA" #TODO: Create product UID's +root.metadata.product.name = "Sysmon" +root.metadata.product.lang = "en" + +# root.device.interface_name = Not available in Sysmon +# root.device.instance_uid = Not available in Sysmon +root.device.hostname = this.winlog.computer_name.split(".").index(0) + +root.actor.user.type_id = 0 +root.actor.user.type = "Unknown" + +root.type_uid = root.class_uid.number() * 100 + root.activity_id.number() +# # ## Optional fields - v1.0.0 +root.unmapped = this.without( + "m", + "agent", + "@version", + "ec2", + "ecs", + "event", + "tags", + "env", + "log", + "@laas", + "micros_container", + "time", + "provider_name", + "mitre", + "ls_pipeline_id", + "winlog.api", + "winlog.task", + "winlog.computer_name", + "winlog.event_data.CommandLine", + "winlog.event_data.Hash", + "winlog.channel", + "winlog.event_data.Image", + "winlog.event_data.OriginalFileName", + "winlog.event_data.ParentCommandLine", + "winlog.event_data.ParentImage", + "winlog.event_data.ParentProcessGuid", + "winlog.event_data.ParentProcessId", + "winlog.event_data.ParentUser", + "winlog.event_data.ProcessGuid", + "winlog.event_data.ProcessId", + "winlog.event_data.User", + "winlog.event_data.UtcTime" +) +# root.status_detail = +# 
root.status_code = +# root.status = +# root.start_time_dt = +# root.start_time = +# root.severity = +# root.requested_permissions = +# root.raw_data = +# root.module = +# root.malware = +# root.injection_type_id = +# root.injection_type = +# root.exit_code = +# root.time_dt = +# root.enrichments = +# root.end_time_dt = +# root.end_time = +# root.duration = +# root.disposition = +# root.count = +root.class_name = "Process Activity" +root.category_name = "System Activity" +# root.actual_permissions = +root.activity_name = "Terminate" +# root.api = + +observables = root.without("unmapped").with("device.hostname", "process.user.name", "process.file.name", "process.name").(item -> { + "a": match {item.device.exists("hostname") => {"name": "device.hostname", "type": "Hostname", "type_id": 1, "value": item.device.hostname}}, + "b": match {item.process.user.exists("name") => {"name": "process.user.name", "type": "User Name", "type_id": 4, "value": item.process.user.name}}, + "c": match {item.process.file.exists("name") => {"name": "process.file.name", "type": "File Name", "type_id": 7, "value": item.process.file.name}}, + "d": match {item.process.exists("name") => {"name": "process.name", "type": "Process Name", "type_id": 9, "value": item.process.name}}, + }).values() \ No newline at end of file diff --git a/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1007_process_activity_event_id_8.blobl b/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1007_process_activity_event_id_8.blobl new file mode 100644 index 00000000..d34ca335 --- /dev/null +++ b/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/1007_process_activity_event_id_8.blobl 
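Review bot: `root.process.user.type` and `root.device.type` fall through to `_=> 0`, so these string fields carry an integer whenever the user or hostname does not match one of the hard-coded substrings; the fallback should be `_=> "Unknown"`, mirroring the `type_id` counterparts that already default to 0. `root.process.user.name` uses `.index(1)` where the event-8 mapping in this commit uses `.index(-1)`, and with the `"Unknown"` fallback from `$eventUser` the name is dropped by `| deleted()` while `root.process.user.domain` is still populated with `"Unknown"`, which misleads anyone grouping by domain. The closing `observables = ...` assigns to a bare name rather than `root.observables`; unless the surrounding pipeline consumes that name, the observables array will not appear in the emitted event, which is worth confirming since every new mapping in this commit does the same. The device type is inferred from the `WSAMZN`/`EC2AMAZ` hostname prefix; a comment such as `# device.type is inferred from the AWS-style hostname prefix; other naming schemes fall back to Unknown` would make that assumption explicit for the next maintainer.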
@@ -0,0 +1,189 @@ + +# Sysmon Event ID - 8 + +## Required fields - v1.0.0 +root.severity_id = 1 +root.process.user.type_id = match this.winlog.event_data.TargetUser { + this.contains("NT AUTHORITY") => 3 + this.contains("my_id_for_my_company") => 1 + _=> 0 +} +root.process.user.type = match this.winlog.event_data.TargetUser { + this.contains("NT AUTHORITY") => "System" + this.contains("my_id_for_my_company") => "User" + _=> 0 +} +root.process.file.type_id = match winlog.event_data.TargetImage.split("\\").index(-1) { + this.contains(".") => 1 + _=> 0 +} +root.process.file.type = match winlog.event_data.TargetImage.split("\\").index(-1) { + this.contains(".") => "Regular File" + _=> "Unknown" +} +root.process.file.name = this.winlog.event_data.TargetImage.split("\\").index(-1) +root.metadata.version = "1.0.0" +root.metadata.profiles = ["security_control","datetime"] +root.metadata.product.vendor_name = "Sysmon" +root.time = this.time.ts_unix_milli() +root.time_dt = this.time +root.disposition_id = 17 +root.device.type_id = match this.winlog.computer_name { + this.contains("WSAMZN") => 6 + this.contains("EC2AMAZ") => 1 + _=> 0 +} +root.device.type = match this.winlog.computer_name { + this.contains("WSAMZN") => "Virtual" + this.contains("EC2AMAZ") => "Server" + _=> 0 +} +root.class_uid = 1007 +root.category_uid = 1 +root.activity_id = 4 + +# ## Recomended fields - v1.0.0 +# root.timezone_offset = Not available +root.status_id = 1 +root.message = this.winlog.task +root.attacks = [{ + "version": "v13", + "technique": { + "name" : this.mitre.technique_name, + "uid" : this.mitre.technique_id}, + "tactics" : [], +}] + +root.process.user.name = this.winlog.event_data.TargetUser.split("\\").index(-1) +root.process.user.domain = this.winlog.event_data.TargetUser.split("\\").index(0) +# root.process.user.uid = 10-10-23 - Not available +root.process.uid = this.winlog.event_data.TargetProcessGuid.trim("{}") +root.process.pid = this.winlog.event_data.TargetProcessId.number() +# 
root.process.namespace_pid = "" +root.process.name = this.winlog.event_data.TargetImage.split("\\").index(-1) +root.process.file.path = this.winlog.event_data.TargetImage +root.process.created_time = this.winlog.event_data.UtcTime.ts_strptime("%Y-%m-%d %H:%M:%S.%f").ts_unix_milli() +root.process.created_time_dt = this.winlog.event_data.UtcTime +# root.process.container = "" +# root.process.cmd_line = Event ID 8 - Does not contain cmd line. + +root.actor.process.user.name = this.winlog.event_data.SourceUser.split("\\").index(-1) +root.actor.process.user.domain = this.winlog.event_data.SourceUser.split("\\").index(0) +root.actor.process.user.type_id = match this.winlog.event_data.SourceUser { + this.contains("NT AUTHORITY") => 3 + this.contains("my_id_for_my_company") => 1 + _=> 0 +} +root.actor.process.user.type = match this.winlog.event_data.SourceUser { + this.contains("NT AUTHORITY") => "System" + this.contains("my_id_for_my_company") => "User" + _=> "Unknown" +} +root.actor.process.uid = this.winlog.event_data.SourceProcessGuid.trim("{}") +root.actor.process.pid = this.winlog.event_data.SourceProcessId.number() +root.actor.process.name = this.winlog.event_data.SourceImage.split("\\").index(-1) +# root.actor.process.cmd_line = Event ID 8 - Does not contain cmd line. 
+ +root.actor.process.file.path = this.winlog.event_data.SourceImage +root.actor.process.file.type_id = match winlog.event_data.SourceImage.split("\\").index(-1) { + this.contains(".") => 1 + _=> 0 +} +root.actor.process.file.type = match winlog.event_data.SourceImage.split("\\").index(-1) { + this.contains(".") => "Regular File" + _=> "Unknown" +} +root.actor.process.file.name = this.winlog.event_data.SourceImage.split("\\").index(-1) + +root.metadata.original_time = this.winlog.event_data.UtcTime +root.metadata.log_provider = this.winlog.channel.split("/").index(0) +root.metadata.log_name = this.winlog.channel.split("/").index(-1) +root.metadata.product.version = "15" #TODO: Remove hardcoded value, add field into beats agent. +root.metadata.product.uid = "NA" #TODO: Create product UID's +root.metadata.product.name = "Sysmon" +root.metadata.product.lang = "en" + +# root.device.interface_name = Not available in Sysmon +# root.device.instance_uid = Not available in Sysmon +root.device.hostname = this.winlog.computer_name.split(".").index(0) + +root.actor.user.name = this.winlog.event_data.SourceUser.split("\\").index(-1) +root.actor.user.domain = this.winlog.event_data.SourceUser.split("\\").index(0) +root.actor.user.type_id = match this.winlog.event_data.SourceUser.split("\\").index(0) { + this.contains("NT AUTHORITY") => 3 + this.contains("my_id_for_my_company") => 1 + _=> 0 +} +root.actor.user.type = match this.winlog.event_data.SourceUser.split("\\").index(0) { + this.contains("NT AUTHORITY") => "System" + this.contains("my_id_for_my_company") => "User" + _=> "Unknown" +} + +root.type_uid = root.class_uid.number() * 100 + root.activity_id.number() +# # ## Optional fields - v1.0.0 +root.unmapped = this.without( + "m", + "agent", + "@version", + "ec2", + "ecs", + "event", + "tags", + "env", + "log", + "@laas", + "micros_container", + "time", + "provider_name", + "mitre", + "ls_pipeline_id", + "winlog.api", + "winlog.task", + "winlog.computer_name", + 
"winlog.channel", + "winlog.event_data.SourceImage", + "winlog.event_data.TargetImage", + "winlog.event_data.SourceProcessGuid", + "winlog.event_data.SourceProcessId", + "winlog.event_data.SourceUser", + "winlog.event_data.TargetProcessGuid", + "winlog.event_data.TargetProcessId", + "winlog.event_data.TargetUser", + "winlog.event_data.UtcTime" +) +# root.status_detail = +# root.status_code = +# root.status = +# root.start_time_dt = +# root.start_time = +# root.severity = +# root.requested_permissions = +# root.raw_data = +# root.module = +# root.malware = +# root.injection_type_id = +# root.injection_type = +# root.exit_code = +# root.time_dt = +# root.enrichments = +# root.end_time_dt = +# root.end_time = +# root.duration = +# root.disposition = +# root.count = +root.class_name = "Process Activity" +root.category_name = "System Activity" +# root.actual_permissions = +root.activity_name = "Inject" +# root.api = + +observables = root.without("unmapped").with("device.hostname", "actor.user.name", "process.user.name", "actor.process.user.name", "actor.process.file.name", "process.file.name", "process.name", "actor.process.name").(item -> { + "a": match {item.device.exists("hostname") => {"name": "device.hostname", "type": "Hostname", "type_id": 1, "value": item.device.hostname}}, + "b": match {item.actor.process.user.exists("name") => {"name": "actor.process.user.name", "type": "User Name", "type_id": 4, "value": item.actor.process.user.name}}, + "c": match {item.process.user.exists("name") => {"name": "process.user.name", "type": "User Name", "type_id": 4, "value": item.process.user.name}}, + "d": match {item.actor.process.file.exists("name") => {"name": "actor.process.file.name", "type": "File Name", "type_id": 7, "value": item.actor.process.file.name}}, + "e": match {item.process.file.exists("name") => {"name": "process.file.name", "type": "File Name", "type_id": 7, "value": item.process.file.name}}, + "f": match {item.process.exists("name") => {"name": 
"process.name", "type": "Process Name", "type_id": 9, "value": item.process.name}}, + "g": match {item.actor.process.exists("name") => {"name": "actor.process.name", "type": "Process Name", "type_id": 9, "value": item.actor.process.name}}, + }).values() \ No newline at end of file diff --git a/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/201001_registry_key_activity_event_id_12_createkey_deletekey.blobl b/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/201001_registry_key_activity_event_id_12_createkey_deletekey.blobl new file mode 100644 index 00000000..150a52d4 --- /dev/null +++ b/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/201001_registry_key_activity_event_id_12_createkey_deletekey.blobl 
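Review bot: `root.process.user.type` and `root.device.type` default to `_=> 0` while `root.actor.process.user.type` in the same file defaults to `_=> "Unknown"`; all three string fields should fall back to `"Unknown"` so an unrecognised TargetUser does not put an integer into `process.user.type`. The `root.process.file.type_id`/`type` and `root.actor.process.file.type_id`/`type` matches reference `winlog.event_data.TargetImage` / `SourceImage` without the `this.` prefix used by every other path in the file; if that is intended as shorthand, one consistent form is preferable, otherwise the match input is not what is intended. `root.actor.user.*` duplicates `root.actor.process.user.*` from the same SourceUser, but `root.actor.user.type_id` matches only the domain segment (`.index(0)`) while `root.actor.process.user.type_id` matches the whole string, so the two can disagree for one user; pick a single source expression. Because this event records a thread created in another process, a header comment naming the roles would help readers, e.g. `# Event ID 8 (CreateRemoteThread): actor.process = SourceImage (source), process = TargetImage (target)`.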
@@ -0,0 +1,149 @@ + + +root.category_name = "System Activity" +root.category_uid = 1 +root.class_uid = 201001 +root.class_name = "Registry Key Activity" +root.activity_id = match { + winlog.event_data.EventType.contains("CreateKey") => 1 + winlog.event_data.EventType.contains("DeleteKey") => 4 +} +root.activity_name = match { + winlog.event_data.EventType.contains("CreateKey") => "Create" + winlog.event_data.EventType.contains("DeleteKey") => "Delete" +} +root.type_uid = 400301 +root.type_name = match { + winlog.event_data.EventType.contains("CreateKey") => "Registry Key Activity: Create" + winlog.event_data.EventType.contains("DeleteKey") => "Registry Key Activity: Delete" +} +root.type_uid = match { + winlog.event_data.EventType.contains("CreateKey") => 20100101 + winlog.event_data.EventType.contains("DeleteKey") => 20100104 +} +root.message = winlog.task +root.time = this.winlog.event_data.UtcTime.ts_strptime("%Y-%m-%d %H:%M:%S.%f").ts_unix_milli() +root.time_dt = this.winlog.event_data.UtcTime + +root.severity_id = 1 +root.severity = "Informational" +root.status_id = 1 +root.disposition_id = 17 +root.disposition = "Logged" + +root.device.type = "Server" +root.device.type_id = 1 +root.device.hostname = this.winlog.computer_name.split(".").index(0) +root.device.os.type_id = 100 +root.device.os.type = "Windows" +root.device.os.name = "Microsoft Windows" + +root.metadata.profiles = ["host", "security_control","datetime"] +root.metadata.event_code = this.winlog.event_id +root.metadata.log_name = this.winlog.channel +root.metadata.log_provider = this.winlog.provider_name +root.metadata.logged_time = this.time.ts_unix_milli() +root.metadata.logged_time_dt = this.time +root.metadata.original_time = this.time +root.metadata.product.lang = "EN" +root.metadata.product.name = "Sysmon" +root.metadata.product.vendor_name = "Sysmon" +root.metadata.version = "1.0.0" +root.metadata.uid = this.winlog.record_id.string() +root.metadata.extension.name = "win" 
+root.metadata.extension.version = "1.0.0" +root.metadata.extension.uid = "2" + +root.attacks = [{ + "version": "v13", + "technique": { + "name" : this.mitre.technique_name, + "uid" : this.mitre.technique_id}, + "tactics" : [], +}] + +root.actor.process.file.path = this.winlog.event_data.Image +root.actor.process.file.name = this.winlog.event_data.Image.split("\\").index(-1) +root.actor.process.file.type_id = match { + this.winlog.event_data.Image.contains(".") => 1 + _=> 99 +} +root.actor.process.name = this.winlog.event_data.Image.split("\\").index(-1) +root.actor.process.pid = this.winlog.event_data.ProcessId.number() +root.actor.process.uid = this.winlog.event_data.ProcessGuid.trim("{}") +root.actor.process.user.name = this.winlog.event_data.User.split("\\").index(-1) +root.actor.process.user.domain = this.winlog.event_data.User.split("\\").index(0) + +root.reg_key.path = this.winlog.event_data.TargetObject + +root.actor.process.user.type_id = match this.winlog.event_data.User { + this.contains("NT AUTHORITY") => 3 + this.contains("S-1-5-18") => 3 + this.contains("Administrator") => 2 + this.contains("my_id_for_my_company") => 1 + _=> 0 +} +root.actor.process.user.type = match this.winlog.event_data.User { + this.contains("NT AUTHORITY") => "System" + this.contains("S-1-5-18") => "System" + this.contains("my_id_for_my_company") => "User" + this.contains("Administrator") => "Admin" + _=> 0 +} + +root.observables = [ + { + "type_id" : 1, + "type" : "Hostname", + "name" : "device.hostname", + "value" : root.device.hostname1 + }, + { + "type_id" : 4, + "type" : "User", + "name" : "actor.process.user.name", + "value" : root.actor.process.user.name1 + }, + { + "type_id" : 7, + "type" : "File Name", + "name" : "actor.process.file.name", + "value" : root.actor.process.file.name + }, + { + "type_id" : 28, + "type" : "Registry Key", + "name" : "reg_key.path", + "value" : root.reg_key.path + }, + { + "type_id" : 9, + "type" : "Process Name", + "name" : 
"actor.process.file.name", + "value" : root.actor.process.file.name + }, +] +root.type_uid = root.class_uid.number() * 100 + root.activity_id.number() +root.unmapped = this.without( + "winlog.task", + "time", + "winlog.event_id", + "winlog.channel", + "winlog.provider_name", + "winlog.event_data.Image", + "winlog.event_data.ProcessId", + "winlog.event_data.ProcessGuid", + "winlog.event_data.User", + "winlog.event_data.TargetObject", + "winlog.computer_name", + "winlog.record_id", + "mitre", + "winlog.event_data.UtcTime" + ) + +observables = root.without("unmapped").with("device.hostname", "actor.process.user.name", "actor.process.file.name", "actor.process.name").(item -> { + "a": match {item.device.exists("hostname") => {"name": "device.hostname", "type": "Hostname", "type_id": 1, "value": item.device.hostname}}, + "b": match {item.actor.process.user.exists("name") => {"name": "actor.process.user.name", "type": "User Name", "type_id": 4, "value": item.actor.process.user.name}}, + "c": match {item.actor.process.file.exists("name") => {"name": "actor.process.file.name", "type": "File Name", "type_id": 7, "value": item.actor.process.file.name}}, + "d": match {item.actor.process.exists("name") => {"name": "actor.process.name", "type": "Process Name", "type_id": 9, "value": item.actor.process.name}}, + }).values() \ No newline at end of file diff --git a/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/201002_registry_value_activity_event_id_12_deletevalue.blobl b/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/201002_registry_value_activity_event_id_12_deletevalue.blobl new file mode 100644 index 00000000..e50db8d7 --- /dev/null +++ b/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/201002_registry_value_activity_event_id_12_deletevalue.blobl 
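Review bot: The hand-written `root.observables` array references `root.device.hostname1` and `root.actor.process.user.name1`, which are never set, and its fifth entry labels `actor.process.file.name` as the `Process Name` (type_id 9) observable; these should be `root.device.hostname`, `root.actor.process.user.name`, and `"name" : "actor.process.name", "value" : root.actor.process.name`. That array is also redundant with the `observables = ...` computation at the end, and `root.type_uid` is assigned three times (`400301`, the EventType match, then `class_uid * 100 + activity_id`) with only the last taking effect, so the first two assignments should go. The `root.activity_id`/`activity_name`/`type_name` matches have no `_` branch, so an EventType other than CreateKey/DeleteKey leaves those fields unset; an explicit `_ => 0` / `_ => "Unknown"` makes the fallback visible. `root.metadata.logged_time` and `root.metadata.original_time` are both taken from `this.time` here, whereas the other new mappings use `this.event.created` and `winlog.event_data.UtcTime` respectively; please confirm which is intended.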
@@ -0,0 +1,105 @@ + + +root.activity_id = 4 +root.activity_name = "Delete" +root.category_name = "System Activity" +root.category_uid = 1 +root.class_uid = 201002 +root.class_name = "Registry Value Activity" +#root.type_uid = 20100204 +#root.type_name = "Registry Value Activity: Delete" +root.message = winlog.task +root.time = this.winlog.event_data.UtcTime.ts_strptime("%Y-%m-%d %H:%M:%S.%f").ts_unix_milli() +root.time_dt = this.winlog.event_data.UtcTime +root.severity_id = 1 +root.severity = "Informational" +root.status_id = 1 +root.disposition_id = 17 +root.disposition = "Logged" + +root.metadata.profiles = ["host", "security_control","datetime"] +root.metadata.event_code = this.winlog.event_id +root.metadata.uid = this.winlog.record_id.string() +root.metadata.logged_time = this.event.created.ts_unix_milli() +root.metadata.logged_time_dt = this.event.created +root.metadata.log_name = this.winlog.channel +root.metadata.log_provider = this.winlog.provider_name +root.metadata.product.lang = "EN" +root.metadata.product.name = "Sysmon" +root.metadata.product.vendor_name = "Sysmon" +root.metadata.version = "1.0.0" +root.metadata.original_time = this.winlog.event_data.UtcTime +root.metadata.extension.name = "win" +root.metadata.extension.version = "1.0.0" +root.metadata.extension.uid = "2" + +root.device.type = "Server" +root.device.type_id = 1 +root.device.hostname = this.winlog.computer_name.split(".").index(0) +root.device.os.type_id = 100 +root.device.os.type = "Windows" +root.device.os.name = "Microsoft Windows" + +root.attacks = [{ + "version": "v13", + "technique": { + "name" : this.mitre.technique_name, + "uid" : this.mitre.technique_id}, + "tactics" : [], +}] + +root.actor.process.file.path = this.winlog.event_data.Image +root.actor.process.file.name = this.winlog.event_data.Image.split("\\").index(-1) +root.actor.process.file.type_id = match { + this.winlog.event_data.Image.contains(".") => 1 + _=> 99 +} +root.actor.process.file.type = match { + 
this.winlog.event_data.Image.contains(".") => "Regular File" # Should have a "." character if it has a file extension + _=> "Directory" +} +root.actor.process.name = this.winlog.event_data.Image.split("\\").index(-1) +root.actor.process.pid = this.winlog.event_data.ProcessId.number() +root.actor.process.uid = this.winlog.event_data.ProcessGuid.trim("{}") +root.actor.process.user.name = this.winlog.event_data.User.split("\\").index(-1) +root.actor.process.user.domain = this.winlog.event_data.User.split("\\").index(0) +root.actor.process.user.type_id = match this.winlog.event_data.User { + this.contains("NT AUTHORITY") => 3 + this.contains("S-1-5-18") => 3 + this.contains("Administrator") => 2 + this.contains("my_id_for_my_company") => 1 + _=> 0 +} +root.actor.process.user.type = match this.winlog.event_data.User { + this.contains("NT AUTHORITY") => "System" + this.contains("S-1-5-18") => "System" + this.contains("Administrator") => "Admin" + this.contains("my_id_for_my_company") => "User" + _=> 0 +} + +root.reg_value.path = this.winlog.event_data.TargetObject +root.type_uid = root.class_uid.number() * 100 + root.activity_id.number() +root.unmapped = this.without( + "winlog.task", + "time", + "winlog.event_id", + "winlog.channel", + "winlog.provider_name", + "winlog.event_data.Image", + "winlog.event_data.ProcessId", + "winlog.event_data.ProcessGuid", + "winlog.event_data.User", + "winlog.event_data.TargetObject", + "winlog.computer_name", + "mitre", + "winlog.record_id", + "winlog.event_data.UtcTime", + ) + +observables = root.without("unmapped").with("device.hostname", "actor.process.user.name", "actor.process.file.name", "actor.process.name").(item -> { + "a": match {item.device.exists("hostname") => {"name": "device.hostname", "type": "Hostname", "type_id": 1, "value": item.device.hostname}}, + "b": match {item.actor.process.user.exists("name") => {"name": "actor.process.user.name", "type": "User Name", "type_id": 4, "value": item.actor.process.user.name}}, + 
"c": match {item.actor.process.file.exists("name") => {"name": "actor.process.file.name", "type": "File Name", "type_id": 7, "value": item.actor.process.file.name}}, + "d": match {item.actor.process.exists("name") => {"name": "actor.process.name", "type": "Process Name", "type_id": 9, "value": item.actor.process.name}}, + }).values() \ No newline at end of file diff --git a/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/201002_registry_value_activity_event_id_13_setvalue.blobl b/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/201002_registry_value_activity_event_id_13_setvalue.blobl new file mode 100644 index 00000000..028108b0 --- /dev/null +++ b/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/201002_registry_value_activity_event_id_13_setvalue.blobl 
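Review bot: `root.actor.process.file.type_id` defaults to `_=> 99` while `root.actor.process.file.type` defaults to `"Directory"`, so an image path without a dot reports the Other id with the Directory name; the event-17/18 mappings in this commit pair `_=> 2` with `"Directory"`, and this file should agree with them (or use `99`/`"Other"` for both). `root.actor.process.user.type` falls through to `_=> 0`, placing an integer in a string field; use `_=> "Unknown"`. The commented `#root.type_uid`/`#root.type_name` lines at the top are superseded by the computed `root.type_uid` near the end, so the comment could say so, e.g. `# type_uid is derived below from class_uid and activity_id`. `root.reg_value.name` is not set although the last segment of `TargetObject` appears to be the value name for DeleteValue events; `root.reg_value.name = this.winlog.event_data.TargetObject.split("\\").index(-1)` would populate it.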
@@ -0,0 +1,121 @@ + + +root.category_name = "System Activity" +root.category_uid = 1 +root.class_uid = 201002 +root.class_name = "Registry Value Activity" +root.activity_id = 2 +root.activity_name = "Set" +#root.type_uid = 20100204 +#root.type_name = "Registry Value Activity: Delete" +root.message = winlog.task +root.time = this.winlog.event_data.UtcTime.ts_strptime("%Y-%m-%d %H:%M:%S.%f").ts_unix_milli() +root.time_dt = this.winlog.event_data.UtcTime +root.severity_id = 1 +root.severity = "Informational" +root.status_id = 1 +root.disposition_id = 17 +root.disposition = "Logged" + +root.metadata.profiles = ["host", "security_control","datetime"] +root.metadata.event_code = this.winlog.event_id +root.metadata.uid = this.winlog.record_id.string() +root.metadata.logged_time = this.event.created.ts_unix_milli() +root.metadata.logged_time = this.event.created +root.metadata.log_name = this.winlog.channel +root.metadata.log_provider = this.winlog.provider_name +root.metadata.product.lang = "EN" +root.metadata.product.name = "Sysmon" +root.metadata.product.vendor_name = "Sysmon" +root.metadata.version = "1.0.0" +root.metadata.original_time = this.winlog.event_data.UtcTime +root.metadata.extension.name = "win" +root.metadata.extension.version = "1.0.0" +root.metadata.extension.uid = "2" + + +root.device.type = "Server" +root.device.type_id = 1 +root.device.hostname = this.winlog.computer_name.split(".").index(0) +root.device.os.type_id = 100 +root.device.os.type = "Windows" +root.device.os.name = "Microsoft Windows" + +root.attacks = [{ + "version": "v13", + "technique": { + "name" : this.mitre.technique_name, + "uid" : this.mitre.technique_id}, + "tactics" : [], +}] + +root.actor.process.file.path = this.winlog.event_data.Image +root.actor.process.file.name = this.winlog.event_data.Image.split("\\").index(-1) +root.actor.process.file.type_id = match { + this.winlog.event_data.Image.contains(".") => 1 + _=> 99 +} +root.actor.process.file.type = match { + 
this.winlog.event_data.Image.contains(".") => "Regular File" + _=> "Directory" +} +root.actor.process.name = this.winlog.event_data.Image.split("\\").index(-1) +root.actor.process.pid = this.winlog.event_data.ProcessId.number() +root.actor.process.uid = this.winlog.event_data.ProcessGuid.trim("{}") +root.actor.process.user.name = this.winlog.event_data.User.split("\\").index(-1) +root.actor.process.user.domain = this.winlog.event_data.User.split("\\").index(0) + +root.reg_value.path = this.winlog.event_data.TargetObject +root.reg_value.name = this.winlog.event_data.TargetObject +root.reg_value.type_id = match { + this.winlog.event_data.Details.contains("Binary") => 1 + this.winlog.event_data.Details.contains("DWORD") => 2 + this.winlog.event_data.Details.contains("QWORD") => 8 + _ => 99 +} +root.reg_value.type = match { + this.winlog.event_data.Details.contains("Binary") => "REG_BINARY" + this.winlog.event_data.Details.contains("DWORD") => "REG_DWORD" + this.winlog.event_data.Details.contains("QWORD") => "REG_QWORD" + _ => "Other" +} + +root.actor.process.user.type_id = match this.winlog.event_data.User { + this.contains("NT AUTHORITY") => 3 + this.contains("S-1-5-18") => 3 + this.contains("Administrator") => 2 + this.contains("my_id_for_my_company") => 1 + _=> 0 +} +root.actor.process.user.type = match this.winlog.event_data.User { + this.contains("NT AUTHORITY") => "System" + this.contains("S-1-5-18") => "System" + this.contains("Administrator") => "Admin" + this.contains("my_id_for_my_company") => "User" + _=> 0 +} +root.type_uid = root.class_uid.number() * 100 + root.activity_id.number() +root.unmapped = this.without( + "winlog.task", + "time", + "winlog.event_id", + "winlog.channel", + "winlog.provider_name", + "winlog.event_data.Image", + "winlog.event_data.ProcessId", + "winlog.event_data.ProcessGuid", + "winlog.event_data.User", + "winlog.event_data.TargetObject", + "winlog.computer_name", + "mitre", + "winlog.record_id", + "winlog.event_data.UtcTime", + 
"winlog.event_data.Details", + ) + +observables = root.without("unmapped").with("device.hostname", "actor.process.user.name", "actor.process.file.name", "actor.process.name").(item -> { + "a": match {item.device.exists("hostname") => {"name": "device.hostname", "type": "Hostname", "type_id": 1, "value": item.device.hostname}}, + "b": match {item.actor.process.user.exists("name") => {"name": "actor.process.user.name", "type": "User Name", "type_id": 4, "value": item.actor.process.user.name}}, + "c": match {item.actor.process.file.exists("name") => {"name": "actor.process.file.name", "type": "File Name", "type_id": 7, "value": item.actor.process.file.name}}, + "d": match {item.actor.process.exists("name") => {"name": "actor.process.name", "type": "Process Name", "type_id": 9, "value": item.actor.process.name}}, + }).values() \ No newline at end of file diff --git a/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/201003_windows_resource_activity_event_id_17.blobl b/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/201003_windows_resource_activity_event_id_17.blobl new file mode 100644 index 00000000..4373fb67 --- /dev/null +++ b/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/201003_windows_resource_activity_event_id_17.blobl 
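Review bot: `root.metadata.logged_time = this.event.created` overwrites the `root.metadata.logged_time = this.event.created.ts_unix_milli()` assignment one line above; the second line should be `root.metadata.logged_time_dt = this.event.created`, as in the other new mappings. `root.reg_value.name` is assigned the full `TargetObject` path, identical to `root.reg_value.path`; the value name is the last path segment, `root.reg_value.name = this.winlog.event_data.TargetObject.split("\\").index(-1)`. `winlog.event_data.Details` — the data being written, which is the attribute persistence and configuration-tampering detections key on — is stripped from `unmapped` but only consulted to derive the type, so the value content is dropped from the output entirely; map it, e.g. `root.reg_value.data = this.winlog.event_data.Details`. The commented header `#root.type_name = "Registry Value Activity: Delete"` is carried over from the DeleteValue file and should read `Set` or be removed.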
@@ -0,0 +1,106 @@ + +root.category_uid = 1 +root.category_name = "System Activity" +root.class_uid = 201003 +root.class_name = "Windows Resource Activity" +root.activity_name = "PipeCreated" +root.activity_id = 99 +root.type_uid = 20100399 +root.type_name = "Windows Resource Activity: PipeCreated" +root.time = this.winlog.event_data.UtcTime.ts_strptime("%Y-%m-%d %H:%M:%S.%f").ts_unix_milli() +root.time_dt = this.winlog.event_data.UtcTime +root.message = this.winlog.task +root.severity_id = 1 +root.severity = "Informational" +root.status_id = 1 +root.disposition_id = 17 +root.disposition = "Logged" + +root.metadata.profiles = ["host", "security_control","datetime"] +root.metadata.event_code = this.winlog.event_id +root.metadata.uid = this.winlog.record_id.string() +root.metadata.logged_time = this.event.created.ts_unix_milli() +root.metadata.logged_time_dt = this.event.created +root.metadata.log_name = this.winlog.channel +root.metadata.log_provider = this.winlog.provider_name +root.metadata.product.lang = "EN" +root.metadata.product.name = "Sysmon" +root.metadata.product.vendor_name = "Sysmon" +root.metadata.version = "1.0.0" +root.metadata.original_time = this.winlog.event_data.UtcTime +root.metadata.extension.name = "win" +root.metadata.extension.version = "1.0.0" +root.metadata.extension.uid = "2" + +root.device.type = "Server" +root.device.type_id = 1 +root.device.hostname = this.winlog.computer_name.split(".").index(0) +root.device.os.type_id = 100 +root.device.os.type = "Windows" +root.device.os.name = "Microsoft Windows" + +root.attacks = [{ + "version": "v13", + "technique": { + "name" : this.mitre.technique_name, + "uid" : this.mitre.technique_id}, + "tactics" : [], +}] + +root.actor.process.file.path = this.winlog.event_data.Image +root.actor.process.file.name = this.winlog.event_data.Image.split("\\").index(-1) +root.actor.process.pid = this.winlog.event_data.ProcessId.number() +root.actor.process.uid = this.winlog.event_data.ProcessGuid.trim("{}") 
+root.actor.process.user.name = this.winlog.event_data.User.split("\\").index(1) +root.actor.process.user.domain = this.winlog.event_data.User.split("\\").index(0) +root.actor.process.user.type_id = match this.winlog.event_data.User { + this.contains("NT AUTHORITY") => 3 + this.contains("S-1-5-18") => 3 + this.contains("Administrator") => 2 + this.contains("my_id_for_my_company") => 1 + _=> 0 +} +root.actor.process.user.type = match this.winlog.event_data.User { + this.contains("NT AUTHORITY") => "System" + this.contains("S-1-5-18") => "System" + this.contains("Administrator") => "Admin" + this.contains("my_id_for_my_company") => "User" + _=> 0 +} +root.actor.process.file.type_id = match { + this.winlog.event_data.Image.contains(".") => 1 + _=> 2 +} +root.actor.process.file.type = match { + this.winlog.event_data.Image.contains(".") => "Regular File" + _=> "Directory" +} +root.actor.process.name = this.winlog.event_data.Image.split("\\").index(-1) +root.win_resource.type_id = 99 +root.win_resource.type = "NamedPipe" +root.win_resource.name = this.winlog.event_data.PipeName + +root.type_uid = root.class_uid.number() * 100 + root.activity_id.number() +root.unmapped = this.without( + "winlog.event_data.UtcTime", + "winlog.event_data.ProcessId", + "winlog.event_data.ProcessGuid", + "winlog.event_data.User", + "winlog.event_data.Image", + "winlog.event_data.PipeName", + "winlog.provider_name", + "winlog.task", + "winlog.record_id", + "winlog.event_id", + "winlog.computer_name", + "mitre", + "winlog.event_data.EventType", + "winlog.channel", +) + +observables = root.without("unmapped").with("device.hostname", "actor.process.user.name", "actor.process.file.name", "actor.process.name").(item -> { + "a": match {item.device.exists("hostname") => {"name": "device.hostname", "type": "Hostname", "type_id": 1, "value": item.device.hostname}}, + "b": match {item.actor.process.user.exists("name") => {"name": "actor.process.user.name", "type": "User Name", "type_id": 4, "value": 
item.actor.process.user.name}}, + "c": match {item.actor.process.file.exists("name") => {"name": "actor.process.file.name", "type": "File Name", "type_id": 7, "value": item.actor.process.file.name}}, + "d": match {item.actor.process.exists("name") => {"name": "actor.process.name", "type": "Process Name", "type_id": 9, "value": item.actor.process.name}}, + }).values() \ No newline at end of file diff --git a/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/201003_windows_resource_activity_event_id_18.blobl b/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/201003_windows_resource_activity_event_id_18.blobl new file mode 100644 index 00000000..5e12f6d2 --- /dev/null +++ b/mappings/bloblang/Microsoft/sysmon/1_system_activity/v1.0.0/201003_windows_resource_activity_event_id_18.blobl 
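Review bot: `root.actor.process.user.name` uses `.split("\\").index(1)`, which, as far as Bloblang's index semantics go, errors when `User` contains no backslash and, with no `| deleted()` or `.catch()`, fails the whole mapping for that event; the registry mappings in this commit use `.index(-1)`, which degrades to the full string instead, and this file (and the event-18 mapping that follows) should do the same. `root.actor.process.user.type` defaults to `_=> 0` rather than `"Unknown"`, putting an integer in a string field. `"winlog.event_data.EventType"` is excluded from `unmapped` although the pipe-created event carries no such field, so the exclusion is inert; harmless, but a note like `# EventType is not emitted for pipe events; kept for parity with the registry mappings` avoids confusion. `root.win_resource.type_id = 99` with `type = "NamedPipe"` deserves a comment stating that 99 is the conventional Other bucket and that the literal type string is this mapping's convention, so consumers do not expect a dedicated enum value.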
@@ -0,0 +1,108 @@ + + +root.category_uid = 1 +root.category_name = "System Activity" +root.class_uid = 201003 +root.class_name = "Windows Resource Activity" +root.activity_name = "PipeConnected" +root.activity_id = 99 +root.type_uid = 20100399 +root.type_name = "Windows Resource Activity: PipeConnected" +root.time = this.winlog.event_data.UtcTime.ts_strptime("%Y-%m-%d %H:%M:%S.%f").ts_unix_milli() +root.time_dt = this.winlog.event_data.UtcTime +root.message = this.winlog.task +root.severity_id = 1 +root.severity = "Informational" +root.status_id = 1 +root.disposition_id = 17 +root.disposition = "Logged" + +root.metadata.profiles = ["host","security_control","datetime"] +root.metadata.event_code = this.winlog.event_id +root.metadata.uid = this.winlog.record_id.string() +root.metadata.logged_time = this.event.created.ts_unix_milli() +root.metadata.logged_time_dt = this.event.created +root.metadata.log_name = this.winlog.channel +root.metadata.log_provider = this.winlog.provider_name +root.metadata.product.lang = "EN" +root.metadata.product.name = "Sysmon" +root.metadata.product.vendor_name = "Sysmon" +root.metadata.version = "1.0.0" +root.metadata.original_time = this.winlog.event_data.UtcTime +root.metadata.extension.name = "win" +root.metadata.extension.version = "1.0.0" +root.metadata.extension.uid = "2" + +root.device.type = "Server" +root.device.type_id = 1 +root.device.hostname = this.winlog.computer_name.split(".").index(0) +root.device.os.type_id = 100 +root.device.os.type = "Windows" +root.device.os.name = "Microsoft Windows" + +root.attacks = [{ + "version": "v13", + "technique": { + "name" : this.mitre.technique_name, + "uid" : this.mitre.technique_id}, + "tactics" : [], +}] + +root.actor.process.file.path = this.winlog.event_data.Image +root.actor.process.file.name = this.winlog.event_data.Image.split("\\").index(-1) +root.actor.process.name = this.winlog.event_data.Image.split("\\").index(-1) +root.actor.process.pid = 
this.winlog.event_data.ProcessId.number() +root.actor.process.uid = this.winlog.event_data.ProcessGuid.trim("{}") +root.actor.process.user.name = this.winlog.event_data.User.split("\\").index(1) +root.actor.process.user.domain = this.winlog.event_data.User.split("\\").index(0) +root.actor.process.user.type_id = match this.winlog.event_data.User { + this.contains("NT AUTHORITY") => 3 + this.contains("S-1-5-18") => 3 + this.contains("Administrator") => 2 + this.contains("my_id_for_my_company") => 1 + _=> 0 +} +root.actor.process.user.type = match this.winlog.event_data.User { + this.contains("NT AUTHORITY") => "System" + this.contains("S-1-5-18") => "System" + this.contains("Administrator") => "Admin" + this.contains("my_id_for_my_company") => "User" + _=> 0 +} +root.actor.process.file.type_id = match { + this.winlog.event_data.Image.contains(".") => 1 + _=> 2 +} +root.actor.process.file.type = match { + this.winlog.event_data.Image.contains(".") => "Regular File" + _=> "Directory" +} + +root.win_resource.type_id = 99 +root.win_resource.type = "NamedPipe" +root.win_resource.name = this.winlog.event_data.PipeName + +root.type_uid = root.class_uid.number() * 100 + root.activity_id.number() +root.unmapped = this.without( + "winlog.event_data.UtcTime", + "winlog.event_data.ProcessId", + "winlog.event_data.ProcessGuid", + "winlog.event_data.User", + "winlog.event_data.Image", + "winlog.event_data.PipeName", + "winlog.provider_name", + "winlog.task", + "winlog.record_id", + "winlog.event_id", + "winlog.computer_name", + "mitre", + "winlog.event_data.EventType", + "winlog.channel", +) + +observables = root.without("unmapped").with("device.hostname", "actor.process.user.name", "actor.process.file.name", "actor.process.name").(item -> { + "a": match {item.device.exists("hostname") => {"name": "device.hostname", "type": "Hostname", "type_id": 1, "value": item.device.hostname}}, + "b": match {item.actor.process.user.exists("name") => {"name": "actor.process.user.name", "type": 
"User Name", "type_id": 4, "value": item.actor.process.user.name}}, + "c": match {item.actor.process.file.exists("name") => {"name": "actor.process.file.name", "type": "File Name", "type_id": 7, "value": item.actor.process.file.name}}, + "d": match {item.actor.process.exists("name") => {"name": "actor.process.name", "type": "Process Name", "type_id": 9, "value": item.actor.process.name}}, + }).values() \ No newline at end of file diff --git a/mappings/bloblang/Microsoft/sysmon/4_network_activity/v1.0.0/4001_network_activity_event_id_3.blobl b/mappings/bloblang/Microsoft/sysmon/4_network_activity/v1.0.0/4001_network_activity_event_id_3.blobl new file mode 100644 index 00000000..da33603b --- /dev/null +++ b/mappings/bloblang/Microsoft/sysmon/4_network_activity/v1.0.0/4001_network_activity_event_id_3.blobl 
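Review bot: `root.actor.process.user.type` falls back to the integer `0` in its `_ =>` arm, so for any user that matches none of the substrings the string field carries a number while the sibling `type_id` already carries the numeric code; the fallback should be `_=> "Unknown"`. The same `_=> 0` fallback is in the 4001 and 4003 mappings in this commit. `root.actor.process.user.name` here uses `split("\\").index(1)` where the 4001 and 4003 mappings use `index(-1)`; if `User` ever arrives without a backslash (a bare SID, for example), `index(1)` has no element to return, while `index(-1)` degrades to the whole value, so I would align on `index(-1)`. The substring classification is also worth a comment: `contains("Administrator")` matches any account name containing that word, and the `my_id_for_my_company` arm is a placeholder that ordinary domain users will not satisfy, so they land in `0`/`Unknown` rather than `1`/`User` — a short `# TODO: replace placeholder domain with the real one` next to that arm would keep that from being forgotten.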
@@ -0,0 +1,136 @@ + +root.activity_id = 6 +root.activity_name = "Traffic" +root.category_uid = 4 +root.category_name = "Network Activity" +root.class_uid = 4001 +root.class_name = "Network Activity" +#root.type_uid = 400106 +#root.type_name = "Network Activity: Traffic" +root.time = this.winlog.event_data.UtcTime.ts_strptime("%Y-%m-%d %H:%M:%S.%f").ts_unix_milli() +root.time_dt = this.winlog.event_data.UtcTime +root.severity_id = 1 +root.severity = "Informational" +root.status_id = 1 +root.message = this.winlog.task +root.disposition_id = 17 +root.disposition = "Logged" + +root.metadata.profiles = ["host", "security_control","datetime"] +root.metadata.event_code = this.winlog.event_id +root.metadata.uid = this.winlog.record_id.string() +root.metadata.logged_time = this.event.created.ts_unix_milli() +root.metadata.logged_time_dt = this.event.created +root.metadata.log_name = this.winlog.channel +root.metadata.log_provider = this.winlog.provider_name +root.metadata.product.lang = "EN" +root.metadata.product.name = "Sysmon" +root.metadata.product.vendor_name = "Sysmon" +root.metadata.version = "1.0.0" +root.metadata.original_time = this.winlog.event_data.UtcTime + +root.device.type = "Server" +root.device.type_id = 1 +root.device.hostname = this.winlog.computer_name.split(".").index(0) +root.device.os.type_id = 100 +root.device.os.type = "Windows" +root.device.os.name = "Microsoft Windows" + +root.actor.process.file.name = this.winlog.event_data.Image.split("\\").index(-1) +root.actor.process.file.path = this.winlog.event_data.Image +root.actor.process.file.type_id = match { + this.winlog.event_data.Image.contains(".") => 1 + _=> 99 +} +root.actor.process.file.type = match { + this.winlog.event_data.Image.contains(".") => "Regular File" + _=> "Other" +} +root.actor.process.pid = this.winlog.event_data.ProcessId.number() +root.actor.process.uid = this.winlog.event_data.ProcessGuid.trim("{}") +root.actor.process.user.name = 
this.winlog.event_data.User.split("\\").index(-1) +root.actor.process.user.domain = this.winlog.event_data.User.split("\\").index(0) +root.actor.process.name = this.winlog.event_data.Image.split("\\").index(-1) +root.actor.process.user.type_id = match this.winlog.event_data.User { + this.contains("NT AUTHORITY") => 3 + this.contains("S-1-5-18") => 3 + this.contains("Administrator") => 2 + this.contains("my_id_for_my_company") => 1 + _=> 0 +} +root.actor.process.user.type = match this.winlog.event_data.User { + this.contains("NT AUTHORITY") => "System" + this.contains("S-1-5-18") => "System" + this.contains("Administrator") => "Admin" + this.contains("my_id_for_my_company") => "User" + _=> 0 +} + +root.src_endpoint.hostname = this.winlog.computer_name +root.src_endpoint.ip = this.winlog.event_data.SourceIp +root.src_endpoint.port = this.winlog.event_data.SourcePort.number() +root.src_endpoint.domain = this.winlog.event_data.User.split("\\").index(0) + +root.dst_endpoint.hostname = this.winlog.event_data.DestinationHostname +root.dst_endpoint.ip = this.winlog.event_data.DestinationIp +root.dst_endpoint.port = this.winlog.event_data.DestinationPort.number() + +root.connection_info.protocol_ver = match { + this.winlog.event_data.SourceIsIpv6.contains("true") => "IPv6" + this.winlog.event_data.SourceIsIpv6.contains("false") => "IPv4" +} +root.connection_info.direction_id = 0 +root.connection_info.direction = "Unknown" +root.connection_info.protocol_num = match { + this.winlog.event_data.Protocol.contains("tcp") => 6 + this.winlog.event_data.Protocol.contains("udp") => 17 + this.winlog.event_data.Protocol.contains("icmp") => 1 +} +root.connection_info.protocol_name = match { + this.winlog.event_data.Protocol.contains("tcp") => "TCP" + this.winlog.event_data.Protocol.contains("udp") => "UDP" + this.winlog.event_data.Protocol.contains("icmp") => "ICMP" +} + +root.attacks = [{ + "version": "v13", + "technique": { + "name" : this.mitre.technique_name, + "uid" : 
this.mitre.technique_id}, + "tactics" : [], +}] + +root.type_uid = root.class_uid.number() * 100 + root.activity_id.number() +root.unmapped = this.without( + "winlog.record_id", + "winlog.event_data.Image", + "winlog.event_data.SourceIsIpv6", + "winlog.event_data.Protocol", + "winlog.event_data.DestinationHostname", + "winlog.event_data.DestinationIp", + "winlog.event_data.DestinationPort", + "winlog.channel", + "winlog.provider_name", + "winlog.computer_name", + "winlog.event_data.SourceIp", + "winlog.event_data.SourcePort", + "winlog.event_data.User", + "winlog.event_data.UtcTime", + "winlog.task", + "winlog.event_data.ProcessId", + "winlog.event_data.ProcessGuid", + "winlog.event_id", + "mitre.technique_id", + "mitre.technique_name", + "event.created" +) + + +observables = root.without("unmapped").with("device.hostname", "dst_endpoint.ip", "src_endpoint.ip", "actor.process.user.name", "actor.process.file.name", "actor.process.name").(item -> { + "a": match {item.device.exists("hostname") => {"name": "device.hostname", "type": "Hostname", "type_id": 1, "value": item.device.hostname}}, + "b": match {item.dst_endpoint.exists("ip") => {"name": "dst_endpoint.ip", "type": "IP Address", "type_id": 2, "value": item.dst_endpoint.ip}}, + "c": match {item.src_endpoint.exists("ip") => {"name": "src_endpoint.ip", "type": "IP Address", "type_id": 2, "value": item.src_endpoint.ip}}, + "d": match {item.actor.process.user.exists("name") => {"name": "actor.process.user.name", "type": "User Name", "type_id": 4, "value": item.actor.process.user.name}}, + "e": match {item.actor.process.file.exists("name") => {"name": "actor.process.file.name", "type": "File Name", "type_id": 7, "value": item.actor.process.file.name}}, + "f": match {item.actor.process.exists("name") => {"name": "actor.process.name", "type": "Process Name", "type_id": 9, "value": item.actor.process.name}}, + }).values() \ No newline at end of file 
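Review bot: The `root.connection_info.protocol_ver`, `protocol_num` and `protocol_name` matches have no `_ =>` arm, so when `Protocol` carries a value other than tcp/udp/icmp, or `SourceIsIpv6` is a boolean rather than the strings "true"/"false" that `contains()` expects, the mapping does not say what those fields become; add `_=> deleted()` (or `_=> "Other"` for `protocol_name`) so the outcome is explicit. `root.connection_info.direction_id` is hard-wired to `0`/"Unknown"; Sysmon event 3 normally carries an `Initiated` field, and if it is present in `event_data` here it answers outbound versus inbound directly, which is the most useful part of this event for detection. `root.src_endpoint.domain` is set to the logon domain of the user (`User.split("\\").index(0)`), which is the account's domain and not the host's network domain, so I would either drop it or take it from the same source as `src_endpoint.hostname`. Lastly, `root.actor.process.file.type` falls back to `99`/"Other" here but to `2`/"Directory" in the 201003 mapping for the same `Image` heuristic; the two should agree.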
diff --git a/mappings/bloblang/Microsoft/sysmon/4_network_activity/v1.0.0/4003_dns_activity_event_id_22.blobl b/mappings/bloblang/Microsoft/sysmon/4_network_activity/v1.0.0/4003_dns_activity_event_id_22.blobl new file mode 100644 index 00000000..fdb104ee --- /dev/null +++ b/mappings/bloblang/Microsoft/sysmon/4_network_activity/v1.0.0/4003_dns_activity_event_id_22.blobl 
@@ -0,0 +1,148 @@ + + +root.category_name = "Network Activity" +root.category_uid = 4 +root.activity_id = 1 +root.activity_name = "Query" +root.class_name = "DNS Activity" +root.class_uid = 4003 +#root.type_uid = 400301 +#root.type_name = "DNS Activity: Query" +root.time = this.winlog.event_data.UtcTime.ts_strptime("%Y-%m-%d %H:%M:%S.%f").ts_unix_milli() +root.time_dt = this.winlog.event_data.UtcTime +root.severity_id = 1 +root.severity = "Informational" +root.message = winlog.task +root.status_id = match { + this.winlog.event_data.QueryStatus.contains(0) => 1 + _=> 0 +} +root.disposition_id = 17 +root.disposition = "Logged" + +root.metadata.profiles = ["host", "security_control","datetime"] +root.metadata.event_code = this.winlog.event_id +root.metadata.log_name = this.winlog.channel +root.metadata.log_provider = this.winlog.provider_name +root.metadata.logged_time = this.time.ts_unix_milli() +root.metadata.logged_time_dt = this.time +root.metadata.original_time = this.winlog.event_data.UtcTime +root.metadata.product.lang = "EN" +root.metadata.product.name = "Sysmon" +root.metadata.product.vendor_name = "Sysmon" +root.metadata.version = "1.0.0" +root.metadata.uid = this.winlog.record_id.string() + +root.device.type = "Server" +root.device.type_id = 1 +root.device.hostname = this.winlog.computer_name.split(".").index(0) +root.device.os.type_id = 100 +root.device.os.type = "Windows" +root.device.os.name = "Microsoft Windows" + +root.attacks = [{ + "version": "v13", + "technique": { + "name" : this.mitre.technique_name, + "uid" : this.mitre.technique_id}, + "tactics" : [], +}] + +root.actor.process.created_time = this.time.ts_unix_milli() +root.actor.process.created_time_dt = this.time +root.actor.process.file.name = this.winlog.event_data.Image.split("\\").index(-1) +root.actor.process.file.path = this.winlog.event_data.Image +root.actor.process.file.type_id = match { + this.winlog.event_data.Image.contains(".") => 1 + _=> 99 +} +root.actor.process.file.type = match 
{ + this.winlog.event_data.Image.contains(".") => "Regular File" + _=> "Other" +} +root.actor.process.name = this.winlog.event_data.Image.split("\\").index(-1) +root.actor.process.pid = this.winlog.event_data.ProcessId.number() +root.actor.process.uid = this.winlog.event_data.ProcessGuid.trim("{}") +root.actor.process.user.name = this.winlog.event_data.User.split("\\").index(-1) +root.actor.process.user.domain = this.winlog.event_data.User.split("\\").index(0) +root.actor.process.user.type_id = match this.winlog.event_data.User { + this.contains("NT AUTHORITY") => 3 + this.contains("S-1-5-18") => 3 + this.contains("Administrator") => 2 + this.contains("my_id_for_my_company") => 1 + _=> 0 +} +root.actor.process.user.type = match this.winlog.event_data.User { + this.contains("NT AUTHORITY") => "System" + this.contains("S-1-5-18") => "System" + this.contains("Administrator") => "Admin" + this.contains("my_id_for_my_company") => "User" + _=> 0 +} + +root.query_time = this.time.ts_unix_milli() +root.query_time_dt = this.time + +root.query.opcode_id = 0 +root.query.opcode = "Query" +root.query.hostname = winlog.event_data.QueryName +root.query.class = "IN" +root.query.type = match { + this.winlog.event_data.QueryResults.contains("[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:") => "AAAA" + this.winlog.event_data.QueryResults.contains("[0-9]{1,4}.[0-9]{1,4}.[0-9]{1,4}.[0-9]{1,4}") =>"A" + this.winlog.event_data.QueryResults.contains("type: 2") => "NS Record" + this.winlog.event_data.QueryResults.contains("type: 5") => "CNAME" + this.winlog.event_data.QueryResults.contains("type: 6") => "SOA" + this.winlog.event_data.QueryResults.contains("type: 33") => "SRV" + this.winlog.event_data.QueryResults.contains("type: 14") => "MX" + this.winlog.event_data.QueryResults.contains("type: 16") => "TXT" + this.winlog.event_data.QueryResults.contains("type: 12") => "PTR" + this.winlog.event_data.QueryResults.contains("type: 257") => "CAA" + _=> "Other" +} + +root.src_endpoint.hostname = 
this.winlog.computer_name +root.src_endpoint.domain = this.winlog.event_data.User.split("\\").index(0) + +root.dst_endpoint.domain = this.winlog.event_data.User.split("\\").index(0) + + +root.answers = this.winlog.event_data.QueryResults.re_replace_all("::ffff:","").split(";").filter(item -> item.re_match("[0-9]{1,4}.[0-9]{1,4}.[0-9]{1,4}.[0-9]{1,4}" | item.re_match("[0-9a-fA-F]{1,4}:{7,7}[0-9a-fA-F]{1,4}")) ).map_each(item -> { + "type": match { + item.re_match("[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:") => "AAAA" + item.re_match("[0-9]{1,4}.[0-9]{1,4}.[0-9]{1,4}.[0-9]{1,4}") => "A", + + }, + "class": match { + item.length() > 0 => "IN", + }, + "rdata": item}) + +root.type_uid = root.class_uid.number() * 100 + root.activity_id.number() + +root.unmapped = this.without( + "winlog.event_data.User", + "time", + "winlog.provider_name", + "winlog.event_data.channel", + "winlog.computer_name", + "winlog.event_data.QueryStatus", + "winlog.event_data.QueryName", + "winlog.task", + "winlog.event_data.ProcessGuid", + "winlog.event_data.ProcessId", + "winlog.event_data.Image", + "winlog.event_data.QueryResults", + "winlog.channel", + "winlog.event_id", + "mitre", + "winlog.event_data.UtcTime", + "winlog.record_id", +) + +observables = root.without("unmapped").with("device.hostname", "actor.process.user.name", "actor.process.name", "actor.process.file.name").(item -> { + "a": match {item.device.exists("hostname") => {"name": "device.hostname", "type": "Hostname", "type_id": 1, "value": item.device.hostname}}, + "b": match {item.actor.process.user.exists("name") => {"name": "actor.process.user.name", "type": "User Name", "type_id": 4, "value": item.actor.process.user.name}}, + "c": match {item.actor.process.file.exists("name") => {"name": "actor.process.file.name", "type": "File Name", "type_id": 7, "value": item.actor.process.file.name}}, + "d": match {item.actor.process.exists("name") => {"name": "actor.process.name", "type": "Process Name", "type_id": 9, "value": 
item.actor.process.name}}, + }).values() \ No newline at end of file diff --git a/mappings/bloblang/Microsoft/sysmon/5_discovery/v1.0.0/5002_device_config_state_event_id_16.blobl b/mappings/bloblang/Microsoft/sysmon/5_discovery/v1.0.0/5002_device_config_state_event_id_16.blobl new file mode 100644 index 00000000..788bd378 --- /dev/null +++ b/mappings/bloblang/Microsoft/sysmon/5_discovery/v1.0.0/5002_device_config_state_event_id_16.blobl 
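Review bot: The AAAA and A arms of `root.query.type` pass regex patterns to `.contains()`, which is a literal substring test, so those two arms can never match and every answer set falls through to the `type: N` arms or "Other"; they need `.re_match(...)` as the `root.answers` line already uses. In that `root.answers` filter the `|` sits inside the first `re_match` argument, `re_match("ipv4…" | item.re_match("ipv6…"))`, and since `|` is the coalesce operator that resolves to the IPv4 pattern string, the IPv6 alternative is never evaluated — it should be `filter(item -> item.re_match("ipv4…") || item.re_match("ipv6…"))`, and the IPv6 pattern's `:{7,7}` (seven consecutive colons) will not match a real address either. `root.status_id` uses `QueryStatus.contains(0)`, a substring test, so a failure code that merely contains a zero digit would be reported as success and every real failure maps to `0`/Unknown rather than failure; `this.winlog.event_data.QueryStatus.string() == "0" => 1` with `_=> 2` keeps failed lookups visible as failures, which matters for NXDOMAIN-heavy activity. `root.message = winlog.task` and `root.query.hostname = winlog.event_data.QueryName` also drop the `this.` prefix that every other reference in the file uses; confirm the implicit form resolves as intended or add `this.`.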
@@ -0,0 +1,51 @@ + +root.category_uid = 5 +root.category_name = "Discovery" +root.class_uid = 5002 +root.class_name = "Device Config State" +root.activity_name = "Log" +root.activity_id = 1 +root.type_name = "Device Config State: Log" +root.time = this.winlog.event_data.UtcTime.ts_strptime("%Y-%m-%d %H:%M:%S.%f").ts_unix_milli() +root.time_dt = this.winlog.event_data.UtcTime +root.message = this.winlog.task +root.severity_id = 1 +root.severity = "Informational" +root.status_id = 1 + +root.metadata.profiles = ["host", "security_control","datetime"] +root.metadata.event_code = this.winlog.event_id +root.metadata.uid = this.winlog.record_id.string() +root.metadata.logged_time = this.event.created.ts_unix_milli() +root.metadata.logged_time_dt = this.event.created +root.metadata.log_name = this.winlog.channel +root.metadata.log_provider = this.winlog.provider_name +root.metadata.product.lang = "EN" +root.metadata.product.name = "Sysmon" +root.metadata.product.vendor_name = "Sysmon" +root.metadata.version = "1.0.0" +root.metadata.original_time = this.winlog.event_data.UtcTime + +root.device.type = "Server" +root.device.type_id = 1 +root.device.hostname = this.winlog.computer_name.split(".").index(0) +root.device.os.type_id = 100 +root.device.os.type = "Windows" +root.device.os.name = "Microsoft Windows" + +root.type_uid = root.class_uid.number() * 100 + root.activity_id.number() +root.unmapped = this.without( + "winlog.event_data.UtcTime", + "winlog.task", + "winlog.event_id", + "winlog.record_id", + "event.created", + "winlog.channel", + "winlog.provider_name", + "mitre", + "winlog.computer_name", +) + +observables = root.without("unmapped").with("device.hostname").(item -> { + "a": match {item.device.exists("hostname") => {"name": "device.hostname", "type": "Hostname", "type_id": 1, "value": item.device.hostname}}, + }).values() \ No newline at end of file 
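Review bot: `root.unmapped` strips `"mitre"` from the event, but unlike the other mappings in this commit no `root.attacks` block is built from it, so any technique data attached upstream is silently discarded; either carry the same `root.attacks` block as the 4001/4003 mappings or leave `"mitre"` in `unmapped`. The same applies to the event 255 and event 4 mappings that follow, which are byte-for-byte the same file apart from a blank line (the first two even share blob `788bd378`), with `root.status_id = 1` fixed and nothing event-specific lifted out of `event_data`, so a config change, a sensor error and a service stop are only distinguishable by `metadata.event_code` or by reading `unmapped`. A header comment such as `# Sysmon event 16: configuration state changed` at the top of each file would at least document which event the file is for.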
diff --git a/mappings/bloblang/Microsoft/sysmon/5_discovery/v1.0.0/5002_device_config_state_event_id_255.blobl b/mappings/bloblang/Microsoft/sysmon/5_discovery/v1.0.0/5002_device_config_state_event_id_255.blobl new file mode 100644 index 00000000..788bd378 --- /dev/null +++ b/mappings/bloblang/Microsoft/sysmon/5_discovery/v1.0.0/5002_device_config_state_event_id_255.blobl 
@@ -0,0 +1,51 @@ + +root.category_uid = 5 +root.category_name = "Discovery" +root.class_uid = 5002 +root.class_name = "Device Config State" +root.activity_name = "Log" +root.activity_id = 1 +root.type_name = "Device Config State: Log" +root.time = this.winlog.event_data.UtcTime.ts_strptime("%Y-%m-%d %H:%M:%S.%f").ts_unix_milli() +root.time_dt = this.winlog.event_data.UtcTime +root.message = this.winlog.task +root.severity_id = 1 +root.severity = "Informational" +root.status_id = 1 + +root.metadata.profiles = ["host", "security_control","datetime"] +root.metadata.event_code = this.winlog.event_id +root.metadata.uid = this.winlog.record_id.string() +root.metadata.logged_time = this.event.created.ts_unix_milli() +root.metadata.logged_time_dt = this.event.created +root.metadata.log_name = this.winlog.channel +root.metadata.log_provider = this.winlog.provider_name +root.metadata.product.lang = "EN" +root.metadata.product.name = "Sysmon" +root.metadata.product.vendor_name = "Sysmon" +root.metadata.version = "1.0.0" +root.metadata.original_time = this.winlog.event_data.UtcTime + +root.device.type = "Server" +root.device.type_id = 1 +root.device.hostname = this.winlog.computer_name.split(".").index(0) +root.device.os.type_id = 100 +root.device.os.type = "Windows" +root.device.os.name = "Microsoft Windows" + +root.type_uid = root.class_uid.number() * 100 + root.activity_id.number() +root.unmapped = this.without( + "winlog.event_data.UtcTime", + "winlog.task", + "winlog.event_id", + "winlog.record_id", + "event.created", + "winlog.channel", + "winlog.provider_name", + "mitre", + "winlog.computer_name", +) + +observables = root.without("unmapped").with("device.hostname").(item -> { + "a": match {item.device.exists("hostname") => {"name": "device.hostname", "type": "Hostname", "type_id": 1, "value": item.device.hostname}}, + }).values() \ No newline at end of file 
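Review bot: This is the mapping for Sysmon event 255, which is Sysmon reporting its own error, yet `root.status_id = 1` (success) and `root.severity_id = 1`/"Informational" are hard-coded, so a failing sensor is emitted as a routine success event and is easy to filter out. I would set `root.status_id = 2` with a matching `root.status = "Failure"` for this file, and raise the severity above Informational. Sysmon's event 255 normally carries an `ID` and a `Description` in `event_data`; if they are present here, pulling `Description` into `root.message` (instead of `this.winlog.task`) gives responders the actual error text without opening `unmapped`.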
diff --git a/mappings/bloblang/Microsoft/sysmon/5_discovery/v1.0.0/5002_device_config_state_event_id_4.blobl b/mappings/bloblang/Microsoft/sysmon/5_discovery/v1.0.0/5002_device_config_state_event_id_4.blobl new file mode 100644 index 00000000..5a0b4d85 --- /dev/null +++ b/mappings/bloblang/Microsoft/sysmon/5_discovery/v1.0.0/5002_device_config_state_event_id_4.blobl 
@@ -0,0 +1,52 @@ + +root.category_uid = 5 +root.category_name = "Discovery" +root.class_uid = 5002 +root.class_name = "Device Config State" +root.activity_name = "Log" +root.activity_id = 1 + +root.type_name = "Device Config State: Log" +root.time = this.winlog.event_data.UtcTime.ts_strptime("%Y-%m-%d %H:%M:%S.%f").ts_unix_milli() +root.time_dt = this.winlog.event_data.UtcTime +root.message = this.winlog.task +root.severity_id = 1 +root.severity = "Informational" +root.status_id = 1 + +root.metadata.profiles = ["host", "security_control","datetime"] +root.metadata.event_code = this.winlog.event_id +root.metadata.uid = this.winlog.record_id.string() +root.metadata.logged_time = this.event.created.ts_unix_milli() +root.metadata.logged_time_dt = this.event.created +root.metadata.log_name = this.winlog.channel +root.metadata.log_provider = this.winlog.provider_name +root.metadata.product.lang = "EN" +root.metadata.product.name = "Sysmon" +root.metadata.product.vendor_name = "Sysmon" +root.metadata.version = "1.0.0" +root.metadata.original_time = this.winlog.event_data.UtcTime + +root.device.type = "Server" +root.device.type_id = 1 +root.device.hostname = this.winlog.computer_name.split(".").index(0) +root.device.os.type_id = 100 +root.device.os.type = "Windows" +root.device.os.name = "Microsoft Windows" + +root.type_uid = root.class_uid.number() * 100 + root.activity_id.number() +root.unmapped = this.without( + "winlog.event_data.UtcTime", + "winlog.task", + "winlog.event_id", + "winlog.record_id", + "event.created", + "winlog.channel", + "winlog.provider_name", + "mitre", + "winlog.computer_name", +) + +observables = root.without("unmapped").with("device.hostname").(item -> { + "a": match {item.device.exists("hostname") => {"name": "device.hostname", "type": "Hostname", "type_id": 1, "value": item.device.hostname}}, + }).values() \ No newline at end of file
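Review bot: This file maps Sysmon event 4 (service state change), and the started/stopped state is the security-relevant content — a stop is a telemetry gap and a common defense-evasion indicator — but nothing from `event_data` other than `UtcTime` is lifted out, so that state is only reachable through `unmapped`. Sysmon event 4 normally carries a `State` field; if it is present here, surfacing it, for example `root.message = this.winlog.task + ": " + this.winlog.event_data.State.string()`, lets an OCSF consumer alert on a stop without vendor-specific parsing. The extra blank line after `root.activity_id = 1` is the only difference from the event 16 mapping and looks accidental.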