# Microsoft Sysmon
This is the mapping from Microsoft Sysmon native fields to the security schema.
## Timestamp

| setting | value |
|---|---|
| field | UtcTime |
| format | %Y-%m-%d %H:%M:%S.%f |
## Globally provided mapping

These fields are populated for every mapped Sysmon event, regardless of event id.

| schema field | Sysmon expression |
|---|---|
| hostname | split(ComputerName, ".", 0) |
| pid | number(ProcessId) |
| process_name | baseName(Image) |
| process_path | Image |
| unique_pid | ProcessGuid |
| user | User |
| user_domain | split(User, "\\", 0) |
| user_name | split(User, "\\", 1) |
## Event specific mappings

### network

Applies to events with EventId == 3.

Subtype mapping:

| subtype | condition |
|---|---|
| incoming | Initiated == 'false' |
| outgoing | Initiated == 'true' |

Fields:

| schema field | Sysmon expression |
|---|---|
| destination_address | DestinationIp |
| destination_port | DestinationPort |
| protocol | Protocol |
| source_address | SourceIp |
| source_port | SourcePort |
### process

Applies to events with EventId in (1, 5).

Subtype mapping:

| subtype | condition |
|---|---|
| create | EventId == 1 |
| terminate | EventId == 5 |

Fields:

| schema field | Sysmon expression |
|---|---|
| command_line | CommandLine |
| logon_id | number(LogonId) |
| original_file_name | OriginalFileName |
| parent_process_name | baseName(ParentImage) |
| parent_process_path | ParentImage |
| ppid | number(ParentProcessId) |
| unique_ppid | ParentProcessGuid |
### registry

Applies to events with EventId in (12, 13, 14).

Hive mapping (the trailing `*` is a wildcard, so each condition matches any key path under that hive):

| hive | condition |
|---|---|
| hklm | TargetObject == "HKLM\\*" |
| hku | TargetObject == "HKU\\*" |

Fields:

| schema field | Sysmon expression |
|---|---|
| registry_key | dirName(TargetObject) |
| registry_path | TargetObject |
| registry_value | baseName(TargetObject) |
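As an added example (not part of the schema definition or of Sysmon itself), the mappings on this page applied in Python to constructed Sysmon events for ids 1, 3 and 13. The helpers `number()`, `split()`, `baseName()` and `dirName()` are reimplemented with builtins and `ntpath`; treating the `*` in the hive patterns as a prefix wildcard and accepting hex `LogonId` values are assumptions, as are the sample values.

```python
import ntpath
# Constructed Sysmon events (ids 1, 3 and 13) for the demo; sample data, not real telemetry.
COMMON = {"UtcTime": "2020-01-01 12:00:00.123", "ComputerName": "ws01.corp.example", "ProcessId": "4242",
          "ProcessGuid": "{guid-1}", "Image": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\alice"}
SAMPLE_EVENTS = [
    {**COMMON, "EventId": 1, "CommandLine": "cmd.exe /c whoami", "LogonId": "0x3e7", "OriginalFileName": "Cmd.Exe",
     "ParentProcessId": "1000", "ParentProcessGuid": "{guid-0}", "ParentImage": "C:\\Windows\\explorer.exe"},
    {**COMMON, "EventId": 3, "Initiated": "true", "Protocol": "tcp", "SourceIp": "10.0.0.5",
     "SourcePort": "51000", "DestinationIp": "10.0.0.9", "DestinationPort": "445"},
    {**COMMON, "EventId": 13, "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
]

def number(value):
    # number(): ProcessId is decimal but LogonId is hex ("0x3e7"); base 0 accepts both (assumption).
    return int(str(value), 0)

def split_part(value, sep, index):
    # split(value, sep, index): the index-th piece, or None when there are not enough pieces.
    parts = value.split(sep)
    return parts[index] if index < len(parts) else None

def normalize(ev):
    # Apply the schema mapping to one raw Sysmon event; None when the event id is not mapped.
    eid = int(ev["EventId"])
    if eid == 3:
        kind, subtype = "network", "outgoing" if ev["Initiated"] == "true" else "incoming"
    elif eid in (1, 5):
        kind, subtype = "process", "create" if eid == 1 else "terminate"
    elif eid in (12, 13, 14):
        kind, subtype = "registry", None
    else:
        return None
    out = {"event_type": kind, "subtype": subtype, "timestamp": ev["UtcTime"],
           "hostname": split_part(ev["ComputerName"], ".", 0), "pid": number(ev["ProcessId"]),
           "process_name": ntpath.basename(ev["Image"]), "process_path": ev["Image"],
           "unique_pid": ev["ProcessGuid"], "user": ev["User"],
           "user_domain": split_part(ev["User"], "\\", 0), "user_name": split_part(ev["User"], "\\", 1)}
    if kind == "network":
        out.update(destination_address=ev["DestinationIp"], destination_port=ev["DestinationPort"],
                   protocol=ev["Protocol"], source_address=ev["SourceIp"], source_port=ev["SourcePort"])
    elif kind == "process":  # .get(): a terminate event (id 5) carries no parent or command-line fields
        out.update(command_line=ev.get("CommandLine"), original_file_name=ev.get("OriginalFileName"),
                   logon_id=number(ev["LogonId"]) if "LogonId" in ev else None,
                   parent_process_name=ntpath.basename(ev["ParentImage"]) if "ParentImage" in ev else None,
                   parent_process_path=ev.get("ParentImage"), unique_ppid=ev.get("ParentProcessGuid"),
                   ppid=number(ev["ParentProcessId"]) if "ParentProcessId" in ev else None)
    else:  # "HKLM\\*" / "HKU\\*" are wildcard matches, i.e. a prefix test on the hive
        target = ev["TargetObject"]
        out.update(hive="hklm" if target.startswith("HKLM\\") else "hku" if target.startswith("HKU\\") else None,
                   registry_key=ntpath.dirname(target), registry_path=target, registry_value=ntpath.basename(target))
    return out
```

Running `normalize()` over `SAMPLE_EVENTS` yields one schema event per input; an unmapped id such as 7 returns None so the caller can drop it.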