Microsoft Sysmon¶

This is the mapping from Microsoft Sysmon native fields to the security schema.

Timestamp¶

field:	`UtcTime`
format:	`%Y-%m-%d %H:%M:%S.%f`

Globally provided mapping¶

hostname:	`split(ComputerName, ".", 0)`
pid:	`number(ProcessId)`
process_name:	`baseName(Image)`
process_path:	`Image`
unique_pid:	`ProcessGuid`
user:	`User`
user_domain:	`split(User, "\\", 0)`
user_name:	`split(User, "\\", 1)`

Event specific mappings¶

file¶

EventId in (11, 15)

fields

file_name:	`baseName(TargetFilename)`
file_path:	`TargetFilename`

image_load¶

EventId == 7

fields

image_name:	`baseName(ImageLoaded)`
image_path:	`ImageLoaded`

network¶

EventId == 3

subtype mapping

incoming:	`Initiated == 'false'`
outgoing:	`Initiated == 'true'`

fields

destination_address:	`DestinationIp`
destination_port:	`DestinationPort`
protocol:	`Protocol`
source_address:	`SourceIp`
source_port:	`SourcePort`

process¶

EventId in (1, 5)

subtype mapping

create:	`EventId == 1`
terminate:	`EventId == 5`

fields

command_line:	`CommandLine`
logon_id:	`number(LogonId)`
original_file_name:	`OriginalFileName`
parent_process_name:	`baseName(ParentImage)`
parent_process_path:	`ParentImage`
ppid:	`number(ParentProcessId)`
unique_ppid:	`ParentProcessGuid`

registry¶

EventId in (12, 13, 14)

hive mapping

hklm:	`TargetObject == "HKLM\\*"`
hku:	`TargetObject == "HKU\\*"`

fields

registry_key:	`dirName(TargetObject)`
registry_path:	`TargetObject`
registry_value:	`baseName(TargetObject)`

Read the Docs v: latest

Versions: latest

Downloads: pdf; html; epub

On Read the Docs: Project Home; Builds

Free document hosting provided by Read the Docs.