<!--
  Supplementary Sysmon decoder rules (OSSEC/Wazuh rule syntax).

  Every rule below is a child of rule 61600 (the parent Sysmon event rule, via
  if_sid) and matches one Sysmon event ID exactly with an anchored regex on
  win.system.eventID. Each rule only tags the event with an informational
  level (3) and a per-event-ID group (sysmon_event_NN) so that downstream
  rules can key on the group rather than re-matching the event ID.

  NOTE(review): all rules interpolate $(win.eventdata.image) in the
  description. As I recall the Sysmon schema, Event 16 and the WMI events
  19, 20 and 21 do not carry an Image field, so for those the description
  would render with an empty or unreplaced placeholder. Confirm against the
  decoded fields of a sample event before relying on the text.

  NOTE(review): rule IDs 254000 to 254009 are outside the 100000 to 120000
  range that Wazuh documentation sets aside for custom rules. Confirm they do
  not collide with shipped or other locally added rules; the manager rejects
  duplicate IDs at load time.

  NOTE(review): level 3 is informational. ProcessTampering (25) and the WMI
  subscription events (19 to 21) are usually high-signal for persistence and
  evasion; if they should raise an alert on their own, add higher-level
  child rules keyed on the sysmon_event_NN groups rather than raising the
  level here, so the catch-all remains quiet.
-->
<group name="windows,sysmon,">
<!-- Event 16: Sysmon configuration changed. -->
<rule id="254000" level="3">
<if_sid>61600</if_sid>
<field name="win.system.eventID">^16$</field>
<description>Sysmon - Event 16: ServiceConfigurationChange by $(win.eventdata.image)</description>
<group>sysmon_event_16,</group>
</rule>
<!-- Event 17: named pipe created. -->
<rule id="254001" level="3">
<if_sid>61600</if_sid>
<field name="win.system.eventID">^17$</field>
<description>Sysmon - Event 17: PipeEvent (Pipe Created) by $(win.eventdata.image)</description>
<group>sysmon_event_17,</group>
</rule>
<!-- Event 18: named pipe connected. -->
<rule id="254002" level="3">
<if_sid>61600</if_sid>
<field name="win.system.eventID">^18$</field>
<description>Sysmon - Event 18: PipeEvent (Pipe Connected) by $(win.eventdata.image)</description>
<group>sysmon_event_18,</group>
</rule>
<!-- Events 19 to 21: WMI event filter, consumer and filter-to-consumer binding activity. -->
<rule id="254003" level="3">
<if_sid>61600</if_sid>
<field name="win.system.eventID">^19$</field>
<description>Sysmon - Event 19: WmiEvent (WmiEventFilter activity detected) by $(win.eventdata.image)</description>
<group>sysmon_event_19,</group>
</rule>
<rule id="254004" level="3">
<if_sid>61600</if_sid>
<field name="win.system.eventID">^20$</field>
<description>Sysmon - Event 20: WmiEvent (WmiEventConsumer activity detected) by $(win.eventdata.image)</description>
<group>sysmon_event_20,</group>
</rule>
<rule id="254005" level="3">
<if_sid>61600</if_sid>
<field name="win.system.eventID">^21$</field>
<description>Sysmon - Event 21: WmiEvent (WmiEventConsumerToFilter activity detected) by $(win.eventdata.image)</description>
<group>sysmon_event_21,</group>
</rule>
<!-- Event 22: DNS query. Typically the highest-volume of these events; keep at level 3. -->
<rule id="254006" level="3">
<if_sid>61600</if_sid>
<field name="win.system.eventID">^22$</field>
<description>Sysmon - Event 22: DNSEvent (DNS query) by $(win.eventdata.image)</description>
<group>sysmon_event_22,</group>
</rule>
<!-- Event 23: file delete (archived by Sysmon). -->
<rule id="254007" level="3">
<if_sid>61600</if_sid>
<field name="win.system.eventID">^23$</field>
<description>Sysmon - Event 23: FileDelete (A file delete was detected) by $(win.eventdata.image)</description>
<group>sysmon_event_23,</group>
</rule>
<!-- Event 24: clipboard contents changed. -->
<rule id="254008" level="3">
<if_sid>61600</if_sid>
<field name="win.system.eventID">^24$</field>
<description>Sysmon - Event 24: ClipboardChange (New content in the clipboard) by $(win.eventdata.image)</description>
<group>sysmon_event_24,</group>
</rule>
<!-- Event 25: process image tampering (e.g. image replaced after mapping). -->
<rule id="254009" level="3">
<if_sid>61600</if_sid>
<field name="win.system.eventID">^25$</field>
<description>Sysmon - Event 25: ProcessTampering (Process image change) by $(win.eventdata.image)</description>
<group>sysmon_event_25,</group>
</rule>
</group>