From 13e8b6b9d58ae09fa9ee4549bdc2536a4c3e9d7b Mon Sep 17 00:00:00 2001
From: Andrew Stucki
Date: Tue, 5 May 2020 02:24:18 -0400
Subject: [PATCH] Add registry and code signature information
---
.../module/sysmon/config/winlogbeat-sysmon.js | 107 +
.../testdata/sysmon-10.2-dns.evtx.golden.json | 1872 +++++++++++++++++
.../testdata/sysmon-9.01.evtx.golden.json | 334 ++-
3 files changed, 2297 insertions(+), 16 deletions(-)
diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
index 955e6e84d1b..21db0a40509 100644
--- a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
+++ b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
@@ -464,6 +464,82 @@ var sysmon = (function () {
 ignore_missing: true,
 });
 
+ var setAdditionalSignatureFields = function (evt) {
+ var signed = evt.Get("winlog.event_data.Signed");
+ if (!signed) {
+ return;
+ }
+ evt.Put("file.code_signature.signed", true);
+ var signatureStatus = evt.Get("winlog.event_data.SignatureStatus");
+ evt.Put("file.code_signature.valid", signatureStatus === "Valid");
+ };
+
+ // https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-hives
+ var commonRegistryHives = {
+ HKEY_CLASSES_ROOT: "HKCR",
+ HKCR: "HKCR",
+ HKEY_CURRENT_CONFIG: "HKCC",
+ HKCC: "HKCC",
+ HKEY_CURRENT_USER: "HKCU",
+ HKCU: "HKCU",
+ HKEY_DYN_DATA: "HKDD",
+ HKDD: "HKDD",
+ HKEY_LOCAL_MACHINE: "HKLM",
+ HKLM: "HKLM",
+ HKEY_PERFORMANCE_DATA: "HKPD",
+ HKPD: "HKPD",
+ HKEY_USERS: "HKU",
+ HKU: "HKU",
+ };
+
+ var qwordRegex = new RegExp(/ab+c/, "i");
+ var dwordRegex = new RegExp(/DWORD \(()\)/, "i");
+
+ var setRegistryFields = function (evt) {
+ var path = evt.Get("winlog.event_data.TargetObject");
+ if (!path) {
+ return;
+ }
+ evt.Put("registry.path", path);
+ var pathTokens = path.split("\\");
+ var hive = commonRegistryHives[pathTokens[0]];
+ if (hive) {
+ evt.Put("registry.hive", hive);
+ pathTokens.splice(0, 1);
+ if (pathTokens.length > 0) {
+ evt.Put("registry.key", pathTokens.join("\\"));
+ }
+ }
+ var value = pathTokens[pathTokens.length - 1];
+ evt.Put("registry.value", value);
+ var data = evt.Get("winlog.event_data.Details");
+ if (!data) {
+ return;
+ }
+ // sysmon only returns details of a registry modification
+ // if it's a qword or dword
+ var dataType;
+ var dataValue;
+ var match = qwordRegex.exec(data);
+ if (match.length > 0) {
+ dataType = "SZ_QWORD";
+ dataValue = match[1];
+ } else {
+ match = dwordRegex.exec(data);
+ if (match.length > 0) {
+ dataType = "SZ_DWORD";
+ dataValue = match[1];
+ }
+ }
+ if (match.length > 0) {
+ var parsedValue = parseInt(dataValue);
+ if (!isNan(parsedValue)) {
+ evt.Put("registry.data.strings", [parsedValue]);
+ evt.Put("registry.data.type", dataType);
+ }
+ }
+ };
+
 // Event ID 1 - Process Create.
 var event1 = new processor.Chain()
 .Add(parseUtcTime)
@@ -737,6 +813,20 @@ var sysmon = (function () {
 ignore_missing: true,
 fail_on_error: false,
 })
+ .Convert({
+ fields: [
+ {
+ from: "winlog.event_data.Signature",
+ to: "file.code_signature.subject_name",
+ },
+ {
+ from: "winlog.event_data.SignatureStatus",
+ to: "file.code_signature.status",
+ },
+ ],
+ fail_on_error: false,
+ })
+ .Add(setAdditionalSignatureFields)
 .Add(splitHashes)
 .Add(removeEmptyEventData)
 .Build();
@@ -778,6 +868,20 @@ var sysmon = (function () {
 ignore_missing: true,
 fail_on_error: false,
 })
+ .Convert({
+ fields: [
+ {
+ from: "winlog.event_data.Signature",
+ to: "file.code_signature.subject_name",
+ },
+ {
+ from: "winlog.event_data.SignatureStatus",
+ to: "file.code_signature.status",
+ },
+ ],
+ fail_on_error: false,
+ })
+ .Add(setAdditionalSignatureFields)
 .Add(setProcessNameUsingExe)
 .Add(splitHashes)
 .Add(removeEmptyEventData)
@@ -959,6 +1063,7 @@ var sysmon = (function () {
 ignore_missing: true,
 fail_on_error: false,
 })
+ .Add(setRegistryFields)
 .Add(setProcessNameUsingExe)
 .Add(removeEmptyEventData)
 .Build();
@@ -990,6 +1095,7 @@ var sysmon = (function () {
 ignore_missing: true,
 fail_on_error: false,
 })
+ .Add(setRegistryFields)
 .Add(setProcessNameUsingExe)
 .Add(removeEmptyEventData)
 .Build();
@@ -1021,6 +1127,7 @@ var sysmon = (function () {
 ignore_missing: true,
 fail_on_error: false,
 })
+ .Add(setRegistryFields)
 .Add(setProcessNameUsingExe)
 .Add(removeEmptyEventData)
 .Build();
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-10.2-dns.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-10.2-dns.evtx.golden.json
index 72d09fa2971..52fc0fe7f22 100644
--- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-10.2-dns.evtx.golden.json
+++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-10.2-dns.evtx.golden.json
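Review bot: `setRegistryFields` in the first hunk throws on the first Event 13 that carries `Details`: `qwordRegex` is the literal placeholder `/ab+c/`, `dwordRegex` has an empty capture group `()` so `match[1]` can only ever be `""`, `RegExp.exec()` returns `null` on a miss so `match.length` is a TypeError, and `isNan` is not a defined global (`isNaN`). Because the function runs inside the Event 12/13/14 chains, that exception presumably surfaces as a script error on every registry SetValue event rather than as a missing field, which blanks exactly the telemetry that persistence and tamper detections key on — confirm how the JS processor reports script exceptions. The rewrite below guards on the match object instead of `.length`, fixes the `isNaN` name, passes an explicit radix, and only emits `registry.data.*` once a capture was actually produced; the two patterns still have to be derived from real `Details` strings (the hunk only fixes the `DWORD (...)` outer shape). Separately, `SZ_DWORD`/`SZ_QWORD` do not match the ECS type names (`REG_DWORD`/`REG_QWORD`) and ECS `registry.data.strings` is a keyword field, so the parsed value is stored as text — check both against the module's fields.yml.
```javascript
// Details is printed as "DWORD (...)" / "QWORD (...)"; the capture must hold
// the numeric text. TODO(review): derive the exact patterns from real Event 13
// samples — the committed /ab+c/ and "DWORD \(()\)" are placeholders.
var qwordRegex = new RegExp(/QWORD \(([^)]+)\)/, "i");
var dwordRegex = new RegExp(/DWORD \(([^)]+)\)/, "i");

var setRegistryFields = function (evt) {
    // … unchanged: registry.path / hive / key / value handling …
    var data = evt.Get("winlog.event_data.Details");
    if (!data) {
        return;
    }
    // sysmon only returns details of a registry modification
    // if it's a qword or dword
    var dataType = "SZ_QWORD";
    var match = qwordRegex.exec(data);
    if (match === null) {
        dataType = "SZ_DWORD";
        match = dwordRegex.exec(data);
    }
    // exec() yields null on a miss; the old match.length check threw there.
    if (match === null || !match[1]) {
        return;
    }
    // TODO(review): confirm the captured text is hex ("0x..."); radix 16
    // accepts both "0x1" and "1", and an explicit radix is required anyway.
    var parsedValue = parseInt(match[1], 16);
    if (isNaN(parsedValue)) { // was isNan -> ReferenceError
        return;
    }
    // registry.data.strings is a keyword field, so emit the number as text.
    evt.Put("registry.data.strings", [String(parsedValue)]);
    evt.Put("registry.data.type", dataType);
};
```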
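Review bot: `setAdditionalSignatureFields` (defined in the first hunk, wired into the Event 6 chain here and into the identical Event 7 hunk that follows) decides `file.code_signature.signed` with a truthiness test on `winlog.event_data.Signed`, but winlog event_data values arrive as strings, so a literal `"false"` is truthy and an unsigned driver or image would be reported as `signed: true`. Unless an earlier step in the chain already casts the field to boolean (not visible in this diff), compare explicitly, e.g. `if (signed !== true && signed !== "true") { return; }`, so that detections keyed on `code_signature.signed == false` keep working. Because `file.code_signature.valid` is only emitted on that same path, a mistyped `Signed` value also suppresses `valid: false` for the events that matter most. The two `.Convert` blocks in this hunk and the next are byte-identical; hoisting the field list into one shared spec would keep the Event 6 and Event 7 chains from drifting.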
@@ -30,6 +30,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -101,6 +113,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -173,6 +197,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -249,6 +285,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -320,6 +368,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -398,6 +458,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -465,6 +537,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -541,6 +625,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -604,6 +700,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -683,6 +791,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -794,6 +914,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -861,6 +993,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -932,6 +1076,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -1008,6 +1164,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -1071,6 +1239,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -1148,6 +1328,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -1219,6 +1411,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -1290,6 +1494,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -1388,6 +1604,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -1466,6 +1694,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -1589,6 +1829,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -1700,6 +1952,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -1816,6 +2080,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -1897,6 +2173,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -2015,6 +2303,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -2136,6 +2436,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -2203,6 +2515,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -2315,6 +2639,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -2386,6 +2722,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -2498,6 +2846,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -2565,6 +2925,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -2632,6 +3004,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -2738,6 +3122,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -2833,6 +3229,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -2900,6 +3308,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -3002,6 +3422,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -3119,6 +3551,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -3237,6 +3681,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -3304,6 +3760,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -3421,6 +3889,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -3532,6 +4012,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -3599,6 +4091,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -3662,6 +4166,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -3742,6 +4258,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -3849,6 +4377,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -3960,6 +4500,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -4035,6 +4587,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -4153,6 +4717,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -4229,6 +4805,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -4325,6 +4913,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -4396,6 +4996,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -4463,6 +5075,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -4517,6 +5141,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -4571,6 +5207,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -4683,6 +5331,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -4759,6 +5419,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -4826,6 +5498,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -4938,6 +5622,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -5014,6 +5710,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -5126,6 +5834,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -5193,6 +5913,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -5275,6 +6007,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -5357,6 +6101,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -5425,6 +6181,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -5537,6 +6305,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -5655,6 +6435,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -5773,6 +6565,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -5885,6 +6689,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -5961,6 +6777,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -6043,6 +6871,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -6110,6 +6950,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -6222,6 +7074,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -6344,6 +7208,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -6455,6 +7331,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -6526,6 +7414,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -6643,6 +7543,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -6714,6 +7626,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -6831,6 +7755,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -6943,6 +7879,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -7033,6 +7981,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -7151,6 +8111,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -7243,6 +8215,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -7306,6 +8290,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -7418,6 +8414,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -7500,6 +8508,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -7563,6 +8583,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -7675,6 +8707,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -7788,6 +8832,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -7880,6 +8936,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -7992,6 +9060,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -8093,6 +9173,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -8194,6 +9286,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -8316,6 +9420,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -8429,6 +9545,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -8535,6 +9663,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -8647,6 +9787,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -8759,6 +9911,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -8830,6 +9994,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -8940,6 +10116,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -9011,6 +10199,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -9093,6 +10293,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -9165,6 +10377,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -9237,6 +10461,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -9308,6 +10544,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -9380,6 +10628,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -9447,6 +10707,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -9523,6 +10795,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -9594,6 +10878,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -9669,6 +10965,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -9740,6 +11048,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -9811,6 +11131,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -9882,6 +11214,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -10000,6 +11344,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -10082,6 +11438,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -10155,6 +11523,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -10268,6 +11648,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -10331,6 +11723,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -10402,6 +11806,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -10519,6 +11935,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -10586,6 +12014,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -10657,6 +12097,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -10772,6 +12224,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -10893,6 +12357,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -10964,6 +12440,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -11081,6 +12569,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -11199,6 +12699,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -11312,6 +12824,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -11420,6 +12944,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -11538,6 +13074,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -11865,6 +13413,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -11997,6 +13557,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -12064,6 +13636,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -12139,6 +13723,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -12193,6 +13789,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -12264,6 +13872,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -12382,6 +14002,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -12500,6 +14132,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -12571,6 +14215,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -12683,6 +14339,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -12795,6 +14463,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -12906,6 +14586,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13006,6 +14698,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13077,6 +14781,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13148,6 +14864,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -13260,6 +14988,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13343,6 +15083,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13461,6 +15213,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13528,6 +15292,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13599,6 +15375,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13666,6 +15454,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13720,6 +15520,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13773,6 +15585,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -13826,6 +15650,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13901,6 +15737,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13968,6 +15816,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -14069,6 +15929,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json index b083f5aba41..3608a7889ed 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json @@ -44,6 +44,16 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "process" + ], + "type": [ + "change" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -81,12 +91,17 @@ { "@timestamp": "2019-03-18T16:57:37.949Z", "event": { - "category": "process", + "category": [ + "process" + ], "code": 1, "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", - "type": "process_start" + "type": [ + "start", + "process_start" + ] }, "hash": { "sha1": "ac93c3b38e57a2715572933dbcb2a1c2892dbc5e" 
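Review bot: The new golden output places the ECS classification of some events under `fields.event.category` / `fields.event.type` (the hunk at `@@ -44,6 +44,16 @@` here, and every network and file event in the surrounding hunks) while the process start/end events in the next hunk get them at top-level `event.category` / `event.type`; only the latter is the ECS location, so any detection rule or dashboard keyed on `event.category: network` or `event.type: connection` would miss the former. Since this fixture is generated, the inconsistency points at the pipeline rather than the file: it looks as if the array-valued put/append for those event codes is being written under `fields.`, which is worth confirming in winlogbeat-sysmon.js before accepting this golden data as expected output. Note also that the type arrays retain the non-ECS legacy values (`process_start`, `process_end`) next to `start`/`end`; if that is deliberate for backward compatibility a comment in the script saying so would help, otherwise they should be dropped. The script that produces these fields is outside this part of the diff.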
@@ -158,12 +173,17 @@ { "@timestamp": "2019-03-18T16:57:37.964Z", "event": { - "category": "process", + "category": [ + "process" + ], "code": 1, "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", - "type": "process_start" + "type": [ + "start", + "process_start" + ] }, "hash": { "sha1": "6df8163a6320b80b60733f9d62e2f39b4b16b678" @@ -238,12 +258,17 @@ { "@timestamp": "2019-03-18T16:57:38.981Z", "event": { - "category": "process", + "category": [ + "process" + ], "code": 5, "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", - "type": "process_end" + "type": [ + "end", + "process_end" + ] }, "host": { "name": "vagrant-2012-r2" @@ -283,12 +308,17 @@ { "@timestamp": "2019-03-18T16:57:38.981Z", "event": { - "category": "process", + "category": [ + "process" + ], "code": 5, "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", - "type": "process_end" + "type": [ + "end", + "process_end" + ] }, "host": { "name": "vagrant-2012-r2" @@ -328,12 +358,17 @@ { "@timestamp": "2019-03-18T16:57:39.012Z", "event": { - "category": "process", + "category": [ + "process" + ], "code": 1, "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", - "type": "process_start" + "type": [ + "start", + "process_start" + ] }, "hash": { "sha1": "5a4c0e82ff95c9fb762d46a696ef9f1b68001c21" @@ -417,6 +452,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -479,6 +526,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, 
@@ -542,6 +601,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -605,6 +676,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -668,6 +751,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -735,6 +830,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -800,6 +907,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -863,6 +982,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -925,6 +1056,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -990,6 +1133,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, 
@@ -1055,6 +1210,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -1117,6 +1284,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -1179,6 +1358,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -1245,6 +1436,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -1311,6 +1514,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -1377,6 +1592,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -1434,12 +1661,17 @@ { "@timestamp": "2019-03-18T16:57:52.35Z", "event": { - "category": "process", + "category": [ + "process" + ], "code": 5, "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", - "type": "process_end" + "type": [ + "end", + "process_end" + ] }, "host": { "name": "vagrant-2012-r2" 
@@ -1479,12 +1711,17 @@ { "@timestamp": "2019-03-18T16:57:52.364Z", "event": { - "category": "process", + "category": [ + "process" + ], "code": 5, "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", - "type": "process_end" + "type": [ + "end", + "process_end" + ] }, "host": { "name": "vagrant-2012-r2" @@ -1529,6 +1766,16 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "file" + ], + "type": [ + "change" + ] + } + }, "file": { "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\fe823684-c940-49f2-a940-14b02cbafba9.tmp" }, @@ -1579,6 +1826,16 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "file" + ], + "type": [ + "change" + ] + } + }, "file": { "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\162d4140-cfab-4d05-9c92-bca60515a622.tmp" }, @@ -1629,6 +1886,16 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "file" + ], + "type": [ + "change" + ] + } + }, "file": { "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp" }, @@ -1679,6 +1946,16 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "file" + ], + "type": [ + "change" + ] + } + }, "file": { "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\37ed32e9-3c5f-4663-8457-c70743e9456d.tmp" }, @@ -1724,12 +2001,17 @@ { "@timestamp": "2019-03-18T16:57:52.433Z", "event": { - "category": "process", + "category": [ + "process" + ], "code": 5, "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", - "type": "process_end" + "type": [ + "end", + "process_end" + ] }, "host": { "name": "vagrant-2012-r2" 
@@ -1774,6 +2056,16 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "file" + ], + "type": [ + "change" + ] + } + }, "file": { "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def\\ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp" }, @@ -1824,6 +2116,16 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "file" + ], + "type": [ + "change" + ] + } + }, "file": { "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp" },