Microsoft Sysmon

This page defines the mapping from native Microsoft Sysmon event fields (UtcTime, Image, ProcessGuid, TargetObject, and so on) onto the normalized security schema, so that queries written against the schema apply uniformly to Sysmon data. Fields under "Globally provided mapping" are populated for every Sysmon event; the "Event specific mappings" below add further fields and subtypes only for the listed EventId values.

Timestamp (taken from Sysmon's UtcTime field; the format string carries no timezone component, so the value is treated as already being UTC)

field:UtcTime
format:%Y-%m-%d %H:%M:%S.%f

Globally provided mapping (applied to every Sysmon event regardless of EventId)

hostname:split(ComputerName, ".", 0)
pid:number(ProcessId)
process_name:baseName(Image)
process_path:Image
unique_pid:ProcessGuid
user:User
user_domain:split(User, "\\", 0)
user_name:split(User, "\\", 1)

Event-specific mappings (each section applies only to the EventId values listed beneath it)

file

EventId in (11, 15)

fields

file_name:baseName(TargetFilename)
file_path:TargetFilename

image_load

EventId == 7

fields

image_name:baseName(ImageLoaded)
image_path:ImageLoaded

network

EventId == 3

subtype mapping

incoming:Initiated == 'false'
outgoing:Initiated == 'true'

fields

destination_address:DestinationIp
destination_port:DestinationPort
protocol:Protocol
source_address:SourceIp
source_port:SourcePort

process

EventId in (1, 5)

subtype mapping

create:EventId == 1
terminate:EventId == 5

fields

command_line:CommandLine
logon_id:number(LogonId)
original_file_name:OriginalFileName
parent_process_name:baseName(ParentImage)
parent_process_path:ParentImage
ppid:number(ParentProcessId)
unique_ppid:ParentProcessGuid

registry

EventId in (12, 13, 14)

hive mapping (only the HKLM\ and HKU\ prefixes are recognized; a TargetObject with any other prefix receives no hive value)

hklm:TargetObject == "HKLM\\*"
hku:TargetObject == "HKU\\*"

fields (registry_key and registry_value are derived purely from the path split of TargetObject; for events where TargetObject is a key path rather than a value path, registry_value will hold the last key component, not a value name)

registry_key:dirName(TargetObject)
registry_path:TargetObject
registry_value:baseName(TargetObject)