diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index b3eaf0a08dc..5a9c6ec6b57 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -385,6 +385,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add experimental event log reader implementation that should be faster in most cases. {issue}6585[6585] {pull}16849[16849]
 - Set process.command_line and process.parent.command_line from Sysmon Event ID 1. {pull}17327[17327]
 - Add support for event IDs 4673,4674,4697,4698,4699,4700,4701,4702,4768,4769,4770,4771,4776,4778,4779,4964 to the Security module {pull}17517[17517]
+- Add registry and code signature information and ECS categorization fields for sysmon module {pull}18058[18058]
 
 ==== Deprecated
 
diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
index b882df875fc..2e449580d87 100644
--- a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
+++ b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
@@ -4,11 +4,11 @@
 
 // Polyfill for String startsWith.
 if (!String.prototype.startsWith) {
-    Object.defineProperty(String.prototype, 'startsWith', {
-        value: function(search, pos) {
+    Object.defineProperty(String.prototype, "startsWith", {
+        value: function (search, pos) {
             pos = !pos || pos < 0 ? 0 : +pos;
             return this.substring(pos, pos + search.length) === search;
-        }
+        },
     });
 }
 
@@ -284,15 +284,19 @@ var sysmon = (function () { "65282": "WINSR", }; - var setProcessNameUsingExe = function(evt) { + var setProcessNameUsingExe = function (evt) { setProcessNameFromPath(evt, "process.executable", "process.name"); }; - var setParentProcessNameUsingExe = function(evt) { - setProcessNameFromPath(evt, "process.parent.executable", "process.parent.name"); + var setParentProcessNameUsingExe = function (evt) { + setProcessNameFromPath( + evt, + "process.parent.executable", + "process.parent.name" + ); }; - var setProcessNameFromPath = function(evt, pathField, nameField) { + var setProcessNameFromPath = function (evt, pathField, nameField) { var name = evt.Get(nameField); if (name) { return; @@ -301,7 +305,7 @@ var sysmon = (function () { evt.Put(nameField, path.basename(exe)); }; - var splitCommandLine = function(evt, source, target) { + var splitCommandLine = function (evt, source, target) { var commandLine = evt.Get(source); if (!commandLine) { return; @@ -309,15 +313,19 @@ var sysmon = (function () { evt.Put(target, winlogbeat.splitCommandLine(commandLine)); }; - var splitProcessArgs = function(evt) { + var splitProcessArgs = function (evt) { splitCommandLine(evt, "process.command_line", "process.args"); }; - var splitParentProcessArgs = function(evt) { - splitCommandLine(evt, "process.parent.command_line", "process.parent.args"); + var splitParentProcessArgs = function (evt) { + splitCommandLine( + evt, + "process.parent.command_line", + "process.parent.args" + ); }; - var addUser = function(evt) { + var addUser = function (evt) { var userParts = evt.Get("winlog.event_data.User").split("\\"); if (userParts.length === 2) { evt.Delete("user"); @@ -327,7 +335,7 @@ var sysmon = (function () { } }; - var addNetworkDirection = function(evt) { + var addNetworkDirection = function (evt) { switch (evt.Get("winlog.event_data.Initiated")) { case "true": evt.Put("network.direction", "outbound"); 
@@ -339,7 +347,7 @@ var sysmon = (function () { evt.Delete("winlog.event_data.Initiated"); }; - var addNetworkType = function(evt) { + var addNetworkType = function (evt) { switch (evt.Get("winlog.event_data.SourceIsIpv6")) { case "true": evt.Put("network.type", "ipv6"); @@ -352,10 +360,10 @@ var sysmon = (function () { evt.Delete("winlog.event_data.DestinationIsIpv6"); }; - var addHashes = function(evt, hashField) { + var addHashes = function (evt, hashField) { var hashes = evt.Get(hashField); evt.Delete(hashField); - hashes.split(",").forEach(function(hash){ + hashes.split(",").forEach(function (hash) { var parts = hash.split("="); if (parts.length !== 2) { return; @@ -363,26 +371,26 @@ var sysmon = (function () { var key = parts[0].toLowerCase(); var value = parts[1].toLowerCase(); - evt.Put("hash."+key, value); + evt.Put("hash." + key, value); }); }; - var splitHashes = function(evt) { + var splitHashes = function (evt) { addHashes(evt, "winlog.event_data.Hashes"); }; - var splitHash = function(evt) { + var splitHash = function (evt) { addHashes(evt, "winlog.event_data.Hash"); }; - var removeEmptyEventData = function(evt) { + var removeEmptyEventData = function (evt) { var eventData = evt.Get("winlog.event_data"); if (eventData && Object.keys(eventData).length === 0) { evt.Delete("winlog.event_data"); } }; - var translateDnsQueryStatus = function(evt) { + var translateDnsQueryStatus = function (evt) { var statusCode = evt.Get("sysmon.dns.status"); if (!statusCode) { return; 
@@ -396,12 +404,12 @@ var sysmon = (function () { // Splits the QueryResults field that contains the DNS responses. // Example: "type: 5 f2.taboola.map.fastly.net;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;" - var splitDnsQueryResults = function(evt) { + var splitDnsQueryResults = function (evt) { var results = evt.Get("winlog.event_data.QueryResults"); if (!results) { return; } - results = results.split(';'); + results = results.split(";"); var answers = []; var ips = []; @@ -411,7 +419,7 @@ var sysmon = (function () { continue; } - if (answer.startsWith('type:')) { + if (answer.startsWith("type:")) { var parts = answer.split(/\s+/); if (parts.length !== 3) { throw "unexpected QueryResult format"; @@ -431,7 +439,10 @@ var sysmon = (function () { if (answer.indexOf(":") !== -1) { type = "AAAA"; } - answers.push({type: type, data: answer}); + answers.push({ + type: type, + data: answer, + }); } } 
@@ -453,27 +464,140 @@ var sysmon = (function () {
             ignore_missing: true,
         });
 
+    var setAdditionalSignatureFields = function (evt) {
+        var signed = evt.Get("winlog.event_data.Signed");
+        if (!signed) {
+            return;
+        }
+        evt.Put("file.code_signature.signed", true);
+        var signatureStatus = evt.Get("winlog.event_data.SignatureStatus");
+        evt.Put("file.code_signature.valid", signatureStatus === "Valid");
+    };
+
+    // https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-hives
+    var commonRegistryHives = {
+        HKEY_CLASSES_ROOT: "HKCR",
+        HKCR: "HKCR",
+        HKEY_CURRENT_CONFIG: "HKCC",
+        HKCC: "HKCC",
+        HKEY_CURRENT_USER: "HKCU",
+        HKCU: "HKCU",
+        HKEY_DYN_DATA: "HKDD",
+        HKDD: "HKDD",
+        HKEY_LOCAL_MACHINE: "HKLM",
+        HKLM: "HKLM",
+        HKEY_PERFORMANCE_DATA: "HKPD",
+        HKPD: "HKPD",
+        HKEY_USERS: "HKU",
+        HKU: "HKU",
+    };
+
+    var qwordRegex = new RegExp(/QWORD \(((0x\d{8})-(0x\d{8}))\)/, "i");
+    var dwordRegex = new RegExp(/DWORD \((0x\d{8})\)/, "i");
+
+    var setRegistryFields = function (evt) {
+        var path = evt.Get("winlog.event_data.TargetObject");
+        if (!path) {
+            return;
+        }
+        evt.Put("registry.path", path);
+        var pathTokens = path.split("\\");
+        var hive = commonRegistryHives[pathTokens[0]];
+        if (hive) {
+            evt.Put("registry.hive", hive);
+            pathTokens.splice(0, 1);
+            if (pathTokens.length > 0) {
+                evt.Put("registry.key", pathTokens.join("\\"));
+            }
+        }
+        var value = pathTokens[pathTokens.length - 1];
+        evt.Put("registry.value", value);
+        var data = evt.Get("winlog.event_data.Details");
+        if (!data) {
+            return;
+        }
+        // sysmon only returns details of a registry modification
+        // if it's a qword or dword
+        var dataType;
+        var dataValue;
+        var match = qwordRegex.exec(data);
+        if (match && match.length > 0) {
+            var parsedHighByte = parseInt(match[2]);
+            var parsedLowByte = parseInt(match[3]);
+            if (!isNaN(parsedHighByte) && !isNaN(parsedLowByte)) {
+                dataValue = "" + ((parsedHighByte << 8) + parsedLowByte);
+                dataType = "SZ_QWORD";
+            }
+        } else {
+            match = dwordRegex.exec(data);
+            if (match && match.length > 0) {
+                var parsedValue = parseInt(match[1]);
+                if (!isNaN(parsedValue)) {
+                    dataType = "SZ_DWORD";
+                    dataValue = "" + parsedValue;
+                }
+            }
+        }
+        if (dataType) {
+            evt.Put("registry.data.strings", [dataValue]);
+            evt.Put("registry.data.type", dataType);
+        }
+    };
+
+    // Event ID 1 - Process Create.
     var event1 = new processor.Chain()
         .Add(parseUtcTime)
         .AddFields({
-            "fields": {
-                "event.category": "process",
-                "event.type": "process_start",
+            fields: {
+                "event.category": ["process"],
+                "event.type": ["start", "process_start"],
             },
-            "target": "",
+            target: "",
         })
         .Convert({
             fields: [
-                {from: "winlog.event_data.UtcTime", to: "@timestamp"},
-                {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"},
-                {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"},
-                {from: "winlog.event_data.Image", to: "process.executable"},
-                {from: "winlog.event_data.CommandLine", to: "process.command_line"},
-                {from: "winlog.event_data.CurrentDirectory", to: "process.working_directory"},
-                {from: "winlog.event_data.ParentProcessGuid", to: "process.parent.entity_id"},
-                {from: "winlog.event_data.ParentProcessId", to: "process.parent.pid", type: "long"},
-                {from: "winlog.event_data.ParentImage", to: "process.parent.executable"},
-                {from: "winlog.event_data.ParentCommandLine", to: "process.parent.command_line"},
+                {
+                    from: "winlog.event_data.UtcTime",
+                    to: "@timestamp",
+                },
+                {
+                    from: "winlog.event_data.ProcessGuid",
+                    to: "process.entity_id",
+                },
+                {
+                    from: "winlog.event_data.ProcessId",
+                    to: "process.pid",
+                    type: "long",
+                },
+                {
+                    from: "winlog.event_data.Image",
+                    to: "process.executable",
+                },
+                {
+                    from: "winlog.event_data.CommandLine",
+                    to: "process.command_line",
+                },
+                {
+                    from: "winlog.event_data.CurrentDirectory",
+                    to: "process.working_directory",
+                },
+                {
+                    from: "winlog.event_data.ParentProcessGuid",
+                    to: "process.parent.entity_id",
+                },
+                {
+                    from: "winlog.event_data.ParentProcessId",
+                    to: "process.parent.pid",
+                    type: "long",
+                },
+                {
+                    from: "winlog.event_data.ParentImage",
+                    to: "process.parent.executable",
+                },
+                {
+                    from: "winlog.event_data.ParentCommandLine",
+                    to: "process.parent.command_line",
+                },
             ],
             mode: "rename",
             ignore_missing: true,
@@ -488,15 +612,38 @@ var sysmon = (function () {
         .Add(removeEmptyEventData)
         .Build();
 
+    // Event ID 2 - File creation time changed.
     var event2 = new processor.Chain()
         .Add(parseUtcTime)
+        .AddFields({
+            fields: {
+                "event.category": ["file"],
+                "event.type": ["change"],
+            },
+        })
         .Convert({
             fields: [
-                {from: "winlog.event_data.UtcTime", to: "@timestamp"},
-                {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"},
-                {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"},
-                {from: "winlog.event_data.Image", to: "process.executable"},
-                {from: "winlog.event_data.TargetFilename", to: "file.path"},
+                {
+                    from: "winlog.event_data.UtcTime",
+                    to: "@timestamp",
+                },
+                {
+                    from: "winlog.event_data.ProcessGuid",
+                    to: "process.entity_id",
+                },
+                {
+                    from: "winlog.event_data.ProcessId",
+                    to: "process.pid",
+                    type: "long",
+                },
+                {
+                    from: "winlog.event_data.Image",
+                    to: "process.executable",
+                },
+                {
+                    from: "winlog.event_data.TargetFilename",
+                    to: "file.path",
+                },
             ],
             mode: "rename",
             ignore_missing: true,
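Review bot: setAdditionalSignatureFields marks `file.code_signature.signed` as `true` whenever `winlog.event_data.Signed` is non-empty, but elsewhere in this file event_data booleans arrive as the strings "true"/"false" (addNetworkDirection switches on `case "true":`), so an unsigned driver or image whose Signed field is "false" would be reported as signed — a blind spot for any detection keyed on that field. Compare the string instead: `evt.Put("file.code_signature.signed", signed === "true");`. In setRegistryFields the QWORD branch also looks wrong on two counts: `\d{8}` does not match the hex digits a–f that the two 0x-prefixed halves can contain, and `parsedHighByte << 8` joins them as if they were bytes although, as I read the "0x%08x-0x%08x" layout, they are 32-bit halves (and `<<` wraps at 32 bits); `[0-9a-f]{8}` in both regexes together with `parsedHighByte * 4294967296 + parsedLowByte` would give the intended value, and `parseInt(match[2], 16)` makes the radix explicit. Both helpers live inside the sysmon IIFE, which starts outside this hunk.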
@@ -506,22 +653,72 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 3 - Network connection detected. var event3 = new processor.Chain() .Add(parseUtcTime) + .AddFields({ + fields: { + "event.category": ["network"], + "event.type": ["connection", "start", "protocol"], + }, + }) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, - {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.Image", to: "process.executable"}, - {from: "winlog.event_data.Protocol", to: "network.transport"}, - {from: "winlog.event_data.SourceIp", to: "source.ip", type: "ip"}, - {from: "winlog.event_data.SourceHostname", to: "source.domain", type: "string"}, - {from: "winlog.event_data.SourcePort", to: "source.port", type: "long"}, - {from: "winlog.event_data.DestinationIp", to: "destination.ip", type: "ip"}, - {from: "winlog.event_data.DestinationHostname", to: "destination.domain", type: "string"}, - {from: "winlog.event_data.DestinationPort", to: "destination.port", type: "long"}, - {from: "winlog.event_data.DestinationPortName", to: "network.protocol"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.ProcessGuid", + to: "process.entity_id", + }, + { + from: "winlog.event_data.ProcessId", + to: "process.pid", + type: "long", + }, + { + from: "winlog.event_data.Image", + to: "process.executable", + }, + { + from: "winlog.event_data.Protocol", + to: "network.transport", + }, + { + from: "winlog.event_data.SourceIp", + to: "source.ip", + type: "ip", + }, + { + from: "winlog.event_data.SourceHostname", + to: "source.domain", + type: "string", + }, + { + from: "winlog.event_data.SourcePort", + to: "source.port", + type: "long", + }, + { + from: "winlog.event_data.DestinationIp", + to: "destination.ip", + type: "ip", + }, + { + from: "winlog.event_data.DestinationHostname", + 
to: "destination.domain", + type: "string", + }, + { + from: "winlog.event_data.DestinationPort", + to: "destination.port", + type: "long", + }, + { + from: "winlog.event_data.DestinationPortName", + to: "network.protocol", + }, ], mode: "rename", ignore_missing: true, @@ -535,11 +732,21 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 4 - Sysmon service state changed. var event4 = new processor.Chain() .Add(parseUtcTime) + .AddFields({ + fields: { + "event.category": ["process"], + "event.type": ["change"], + }, + }) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, ], mode: "rename", ignore_missing: true, @@ -548,21 +755,35 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 5 - Process terminated. var event5 = new processor.Chain() .Add(parseUtcTime) .AddFields({ - "fields": { - "event.category": "process", - "event.type": "process_end", + fields: { + "event.category": ["process"], + "event.type": ["end", "process_end"], }, - "target": "", + target: "", }) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, - {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.Image", to: "process.executable"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.ProcessGuid", + to: "process.entity_id", + }, + { + from: "winlog.event_data.ProcessId", + to: "process.pid", + type: "long", + }, + { + from: "winlog.event_data.Image", + to: "process.executable", + }, ], mode: "rename", ignore_missing: true, 
@@ -572,48 +793,126 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 6 - Driver loaded. var event6 = new processor.Chain() .Add(parseUtcTime) + .AddFields({ + fields: { + "event.category": ["driver"], + "event.type": ["start"], + }, + }) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.ImageLoaded", to: "file.path"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.ImageLoaded", + to: "file.path", + }, ], mode: "rename", ignore_missing: true, fail_on_error: false, }) + .Convert({ + fields: [ + { + from: "winlog.event_data.Signature", + to: "file.code_signature.subject_name", + }, + { + from: "winlog.event_data.SignatureStatus", + to: "file.code_signature.status", + }, + ], + fail_on_error: false, + }) + .Add(setAdditionalSignatureFields) .Add(splitHashes) .Add(removeEmptyEventData) .Build(); + // Event ID 7 - Image loaded. var event7 = new processor.Chain() .Add(parseUtcTime) + .AddFields({ + fields: { + "event.category": ["process"], + "event.type": ["change"], + }, + }) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, - {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.Image", to: "process.executable"}, - {from: "winlog.event_data.ImageLoaded", to: "file.path"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.ProcessGuid", + to: "process.entity_id", + }, + { + from: "winlog.event_data.ProcessId", + to: "process.pid", + type: "long", + }, + { + from: "winlog.event_data.Image", + to: "process.executable", + }, + { + from: "winlog.event_data.ImageLoaded", + to: "file.path", + }, ], mode: "rename", ignore_missing: true, fail_on_error: false, }) + .Convert({ + fields: [ + { + from: "winlog.event_data.Signature", + to: 
"file.code_signature.subject_name", + }, + { + from: "winlog.event_data.SignatureStatus", + to: "file.code_signature.status", + }, + ], + fail_on_error: false, + }) + .Add(setAdditionalSignatureFields) .Add(setProcessNameUsingExe) .Add(splitHashes) .Add(removeEmptyEventData) .Build(); + // Event ID 8 - CreateRemoteThread detected. var event8 = new processor.Chain() .Add(parseUtcTime) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.SourceProcessGuid", to: "process.entity_id"}, - {from: "winlog.event_data.SourceProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.SourceImage", to: "process.executable"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.SourceProcessGuid", + to: "process.entity_id", + }, + { + from: "winlog.event_data.SourceProcessId", + to: "process.pid", + type: "long", + }, + { + from: "winlog.event_data.SourceImage", + to: "process.executable", + }, ], mode: "rename", ignore_missing: true, @@ -623,15 +922,32 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 9 - RawAccessRead detected. var event9 = new processor.Chain() .Add(parseUtcTime) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, - {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.Image", to: "process.executable"}, - {from: "winlog.event_data.Device", to: "file.path"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.ProcessGuid", + to: "process.entity_id", + }, + { + from: "winlog.event_data.ProcessId", + to: "process.pid", + type: "long", + }, + { + from: "winlog.event_data.Image", + to: "process.executable", + }, + { + from: "winlog.event_data.Device", + to: "file.path", + }, ], mode: "rename", ignore_missing: true, 
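Review bot: The second `.Convert` added to event6 (and the identical one on event7 in this hunk) omits `mode: "rename"` and `ignore_missing: true` that the preceding Convert in the same chain uses, so, since the convert processor copies by default as far as I know, `winlog.event_data.Signature` and `SignatureStatus` stay in the event alongside the new `file.code_signature.*` fields. That copy behaviour is also load-bearing: setAdditionalSignatureFields, added right after, reads `winlog.event_data.SignatureStatus`, so anyone who later adds `mode: "rename"` for consistency would silently make `file.code_signature.valid` always false. Either read the already-mapped field in the helper, `var signatureStatus = evt.Get("file.code_signature.status");`, and switch this Convert to rename mode, or document the dependency with `// copy mode on purpose: setAdditionalSignatureFields reads SignatureStatus afterwards`. The enclosing sysmon IIFE starts and ends outside this hunk.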
@@ -641,15 +957,39 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 10 - Process accessed. var event10 = new processor.Chain() .Add(parseUtcTime) + .AddFields({ + fields: { + "event.category": ["process"], + "event.type": ["access"], + }, + }) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.SourceProcessGUID", to: "process.entity_id"}, - {from: "winlog.event_data.SourceProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.SourceThreadId", to: "process.thread.id", type: "long"}, - {from: "winlog.event_data.SourceImage", to: "process.executable"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.SourceProcessGUID", + to: "process.entity_id", + }, + { + from: "winlog.event_data.SourceProcessId", + to: "process.pid", + type: "long", + }, + { + from: "winlog.event_data.SourceThreadId", + to: "process.thread.id", + type: "long", + }, + { + from: "winlog.event_data.SourceImage", + to: "process.executable", + }, ], mode: "rename", ignore_missing: true, 
@@ -659,15 +999,38 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 11 - File created. var event11 = new processor.Chain() .Add(parseUtcTime) + .AddFields({ + fields: { + "event.category": ["file"], + "event.type": ["creation"], + }, + }) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, - {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.Image", to: "process.executable"}, - {from: "winlog.event_data.TargetFilename", to: "file.path"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.ProcessGuid", + to: "process.entity_id", + }, + { + from: "winlog.event_data.ProcessId", + to: "process.pid", + type: "long", + }, + { + from: "winlog.event_data.Image", + to: "process.executable", + }, + { + from: "winlog.event_data.TargetFilename", + to: "file.path", + }, ], mode: "rename", ignore_missing: true, 
@@ -677,66 +1040,134 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 12 - Registry object added or deleted. var event12 = new processor.Chain() .Add(parseUtcTime) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, - {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.Image", to: "process.executable"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.ProcessGuid", + to: "process.entity_id", + }, + { + from: "winlog.event_data.ProcessId", + to: "process.pid", + type: "long", + }, + { + from: "winlog.event_data.Image", + to: "process.executable", + }, ], mode: "rename", ignore_missing: true, fail_on_error: false, }) + .Add(setRegistryFields) .Add(setProcessNameUsingExe) .Add(removeEmptyEventData) .Build(); + // Event ID 13 - Registry value set. var event13 = new processor.Chain() .Add(parseUtcTime) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, - {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.Image", to: "process.executable"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.ProcessGuid", + to: "process.entity_id", + }, + { + from: "winlog.event_data.ProcessId", + to: "process.pid", + type: "long", + }, + { + from: "winlog.event_data.Image", + to: "process.executable", + }, ], mode: "rename", ignore_missing: true, fail_on_error: false, }) + .Add(setRegistryFields) .Add(setProcessNameUsingExe) .Add(removeEmptyEventData) .Build(); + // Event ID 14 - Registry object renamed. 
var event14 = new processor.Chain() .Add(parseUtcTime) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, - {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.Image", to: "process.executable"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.ProcessGuid", + to: "process.entity_id", + }, + { + from: "winlog.event_data.ProcessId", + to: "process.pid", + type: "long", + }, + { + from: "winlog.event_data.Image", + to: "process.executable", + }, ], mode: "rename", ignore_missing: true, fail_on_error: false, }) + .Add(setRegistryFields) .Add(setProcessNameUsingExe) .Add(removeEmptyEventData) .Build(); + // Event ID 15 - File stream created. var event15 = new processor.Chain() .Add(parseUtcTime) + .AddFields({ + fields: { + "event.category": ["file"], + "event.type": ["access"], + }, + }) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, - {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.Image", to: "process.executable"}, - {from: "winlog.event_data.TargetFilename", to: "file.path"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.ProcessGuid", + to: "process.entity_id", + }, + { + from: "winlog.event_data.ProcessId", + to: "process.pid", + type: "long", + }, + { + from: "winlog.event_data.Image", + to: "process.executable", + }, + { + from: "winlog.event_data.TargetFilename", + to: "file.path", + }, ], mode: "rename", ignore_missing: true, 
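Review bot: Attaching setRegistryFields to event12 ("Registry object added or deleted") and event14 ("Registry object renamed") means the helper unconditionally reports the last path component as `registry.value` even when TargetObject names a key rather than a value, and `registry.key` keeps that last component too, which as I read the ECS registry field definitions should be the hive-relative key path without the value name. For the value-set case a `evt.Put("registry.key", pathTokens.slice(0, -1).join("\\"));` would match that definition, and for event12/event14 the value mapping should only apply when the event data indicates a value operation; event14's new name is not mapped at all. These three chains are also the only modified ones in the diff that receive no `event.category`/`event.type` via `.AddFields`, unlike events 2, 3, 5, 6, 7, 10, 11 and 15, which is worth either adding or noting in the comment above each chain. The enclosing sysmon IIFE starts outside this hunk.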
@@ -747,11 +1178,15 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 16 - Sysmon config state changed. var event16 = new processor.Chain() .Add(parseUtcTime) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, ], mode: "rename", ignore_missing: true, @@ -760,15 +1195,38 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 17 - Pipe Created. var event17 = new processor.Chain() .Add(parseUtcTime) + .AddFields({ + fields: { + "event.category": ["file"], // pipes are files + "event.type": ["creation"], + }, + }) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, - {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.PipeName", to: "file.name"}, - {from: "winlog.event_data.Image", to: "process.executable"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.ProcessGuid", + to: "process.entity_id", + }, + { + from: "winlog.event_data.ProcessId", + to: "process.pid", + type: "long", + }, + { + from: "winlog.event_data.PipeName", + to: "file.name", + }, + { + from: "winlog.event_data.Image", + to: "process.executable", + }, ], mode: "rename", ignore_missing: true, 
@@ -778,15 +1236,38 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 18 - Pipe Connected. var event18 = new processor.Chain() .Add(parseUtcTime) + .AddFields({ + fields: { + "event.category": ["file"], // pipes are files + "event.type": ["access"], + }, + }) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, - {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.PipeName", to: "file.name"}, - {from: "winlog.event_data.Image", to: "process.executable"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.ProcessGuid", + to: "process.entity_id", + }, + { + from: "winlog.event_data.ProcessId", + to: "process.pid", + type: "long", + }, + { + from: "winlog.event_data.PipeName", + to: "file.name", + }, + { + from: "winlog.event_data.Image", + to: "process.executable", + }, ], mode: "rename", ignore_missing: true, @@ -796,11 +1277,15 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 19 - WmiEventFilter activity detected. var event19 = new processor.Chain() .Add(parseUtcTime) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, ], mode: "rename", ignore_missing: true, @@ -810,12 +1295,19 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 20 - WmiEventConsumer activity detected. var event20 = new processor.Chain() .Add(parseUtcTime) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.Destination", to: "process.executable"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.Destination", + to: "process.executable", + }, ], mode: "rename", ignore_missing: true, 
@@ -826,11 +1318,15 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 21 - WmiEventConsumerToFilter activity detected. var event21 = new processor.Chain() .Add(parseUtcTime) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, ], mode: "rename", ignore_missing: true, @@ -840,16 +1336,45 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 22 - DNSEvent (DNS query). var event22 = new processor.Chain() .Add(parseUtcTime) + .AddFields({ + fields: { + "event.category": ["network"], + "event.type": ["connection", "protocol", "info"], + }, + network: { + protocol: "dns", + }, + }) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, - {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.Image", to: "process.executable"}, - {from: "winlog.event_data.QueryName", to: "dns.question.name"}, - {from: "winlog.event_data.QueryStatus", to: "sysmon.dns.status"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.ProcessGuid", + to: "process.entity_id", + }, + { + from: "winlog.event_data.ProcessId", + to: "process.pid", + type: "long", + }, + { + from: "winlog.event_data.Image", + to: "process.executable", + }, + { + from: "winlog.event_data.QueryName", + to: "dns.question.name", + }, + { + from: "winlog.event_data.QueryStatus", + to: "sysmon.dns.status", + }, ], mode: "rename", ignore_missing: true, 
@@ -867,12 +1392,19 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 255 - Error report. var event255 = new processor.Chain() .Add(parseUtcTime) .Convert({ fields: [ - {from: "winlog.event_data.UtcTime", to: "@timestamp"}, - {from: "winlog.event_data.ID", to: "error.code"}, + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.ID", + to: "error.code", + }, ], mode: "rename", ignore_missing: true, 
@@ -882,76 +1414,31 @@ var sysmon = (function () { .Build(); return { - // Event ID 1 - Process Create. 1: event1.Run, - - // Event ID 2 - File creation time changed. 2: event2.Run, - - // Event ID 3 - Network connection detected. 3: event3.Run, - - // Event ID 4 - Sysmon service state changed. 4: event4.Run, - - // Event ID 5 - Process terminated. 5: event5.Run, - - // Event ID 6 - Driver loaded. 6: event6.Run, - - // Event ID 7 - Image loaded. 7: event7.Run, - - // Event ID 8 - CreateRemoteThread detected. 8: event8.Run, - - // Event ID 9 - RawAccessRead detected. 9: event9.Run, - - // Event ID 10 - Process accessed. 10: event10.Run, - - // Event ID 11 - File created. 11: event11.Run, - - // Event ID 12 - Registry object added or deleted. 12: event12.Run, - - // Event ID 13 - Registry value set. 13: event13.Run, - - // Event ID 14 - Registry object renamed. 14: event14.Run, - - // Event ID 15 - File stream created. 15: event15.Run, - - // Event ID 16 - Sysmon config state changed. 16: event16.Run, - - // Event ID 17 - Pipe Created. 17: event17.Run, - - // Event ID 18 - Pipe Connected. 18: event18.Run, - - // Event ID 19 - WmiEventFilter activity detected. 19: event19.Run, - - // Event ID 20 - WmiEventConsumer activity detected. 20: event20.Run, - - // Event ID 21 - WmiEventConsumerToFilter activity detected. 21: event21.Run, - - // Event ID 22 - DNSEvent (DNS query). 22: event22.Run, - - // Event ID 255 - Error report. 255: event255.Run, - process: function(evt) { + process: function (evt) { var event_id = evt.Get("winlog.event_id"); var processor = this[event_id]; if (processor === undefined) { diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-10.2-dns.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-10.2-dns.evtx.golden.json index 72d09fa2971..52fc0fe7f22 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-10.2-dns.evtx.golden.json 
+++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-10.2-dns.evtx.golden.json @@ -30,6 +30,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -101,6 +113,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -173,6 +197,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -249,6 +285,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -320,6 +368,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -398,6 +458,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -465,6 +537,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -541,6 +625,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -604,6 +700,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -683,6 +791,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -794,6 +914,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -861,6 +993,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -932,6 +1076,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -1008,6 +1164,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -1071,6 +1239,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -1148,6 +1328,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -1219,6 +1411,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -1290,6 +1494,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -1388,6 +1604,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -1466,6 +1694,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -1589,6 +1829,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -1700,6 +1952,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -1816,6 +2080,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -1897,6 +2173,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -2015,6 +2303,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -2136,6 +2436,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -2203,6 +2515,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -2315,6 +2639,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -2386,6 +2722,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -2498,6 +2846,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -2565,6 +2925,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -2632,6 +3004,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -2738,6 +3122,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -2833,6 +3229,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -2900,6 +3308,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -3002,6 +3422,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -3119,6 +3551,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -3237,6 +3681,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -3304,6 +3760,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -3421,6 +3889,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -3532,6 +4012,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -3599,6 +4091,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -3662,6 +4166,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -3742,6 +4258,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -3849,6 +4377,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -3960,6 +4500,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -4035,6 +4587,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -4153,6 +4717,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -4229,6 +4805,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -4325,6 +4913,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -4396,6 +4996,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -4463,6 +5075,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -4517,6 +5141,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -4571,6 +5207,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -4683,6 +5331,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -4759,6 +5419,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -4826,6 +5498,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -4938,6 +5622,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -5014,6 +5710,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -5126,6 +5834,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -5193,6 +5913,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -5275,6 +6007,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -5357,6 +6101,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -5425,6 +6181,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -5537,6 +6305,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -5655,6 +6435,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -5773,6 +6565,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -5885,6 +6689,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -5961,6 +6777,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -6043,6 +6871,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -6110,6 +6950,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -6222,6 +7074,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -6344,6 +7208,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -6455,6 +7331,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -6526,6 +7414,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -6643,6 +7543,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -6714,6 +7626,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -6831,6 +7755,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -6943,6 +7879,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -7033,6 +7981,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -7151,6 +8111,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -7243,6 +8215,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -7306,6 +8290,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -7418,6 +8414,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -7500,6 +8508,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -7563,6 +8583,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -7675,6 +8707,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -7788,6 +8832,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -7880,6 +8936,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -7992,6 +9060,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -8093,6 +9173,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -8194,6 +9286,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -8316,6 +9420,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -8429,6 +9545,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -8535,6 +9663,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -8647,6 +9787,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -8759,6 +9911,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -8830,6 +9994,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -8940,6 +10116,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -9011,6 +10199,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -9093,6 +10293,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -9165,6 +10377,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -9237,6 +10461,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -9308,6 +10544,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -9380,6 +10628,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -9447,6 +10707,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -9523,6 +10795,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -9594,6 +10878,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -9669,6 +10965,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -9740,6 +11048,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -9811,6 +11131,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -9882,6 +11214,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -10000,6 +11344,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -10082,6 +11438,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -10155,6 +11523,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -10268,6 +11648,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -10331,6 +11723,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -10402,6 +11806,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -10519,6 +11935,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -10586,6 +12014,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -10657,6 +12097,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -10772,6 +12224,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -10893,6 +12357,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -10964,6 +12440,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -11081,6 +12569,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -11199,6 +12699,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -11312,6 +12824,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -11420,6 +12944,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -11538,6 +13074,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -11865,6 +13413,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -11997,6 +13557,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -12064,6 +13636,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -12139,6 +13723,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -12193,6 +13789,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -12264,6 +13872,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -12382,6 +14002,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -12500,6 +14132,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -12571,6 +14215,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -12683,6 +14339,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -12795,6 +14463,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -12906,6 +14586,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13006,6 +14698,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13077,6 +14781,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -13148,6 +14864,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13260,6 +14988,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13343,6 +15083,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13461,6 +15213,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13528,6 +15292,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13599,6 +15375,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13666,6 +15454,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13720,6 +15520,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, 
@@ -13773,6 +15585,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13826,6 +15650,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13901,6 +15737,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -13968,6 +15816,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, @@ -14069,6 +15929,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ] + } + }, "host": { "name": "vagrant-2016" }, diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx new file mode 100644 index 00000000000..6e17bee603d Binary files /dev/null and b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx differ diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json new file mode 100644 index 00000000000..8fc9f23662e --- /dev/null +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json 
@@ -0,0 +1,289 @@ +[ + { + "@timestamp": "2020-05-05T14:57:40.589Z", + "event": { + "code": 13, + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{5b522f6e-77ae-5eb1-2c03-000000000800}", + "executable": "C:\\Windows\\regedit.exe", + "name": "regedit.exe", + "pid": 6072 + }, + "registry": { + "data": { + "strings": [ + "4" + ], + "type": "SZ_DWORD" + }, + "hive": "HKU", + "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1", + "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1", + "value": "Key 1" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "Details": "DWORD (0x00000004)", + "EventType": "SetValue", + "RuleName": "-", + "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1" + }, + "event_id": 13, + "process": { + "pid": 5496, + "thread": { + "id": 876 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 2682, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 2 + } + }, + { + "@timestamp": "2020-05-05T14:57:44.714Z", + "event": { + "code": 13, + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{5b522f6e-7554-5eb1-6d00-000000000800}", + "executable": "C:\\Windows\\Explorer.EXE", + "name": "Explorer.EXE", + "pid": 4320 + }, + "registry": { + "hive": "HKU", + "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + 
"path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "value": "HRZR_PGYFRFFVBA" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "Details": "Binary Data", + "EventType": "SetValue", + "RuleName": "-", + "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA" + }, + "event_id": 13, + "process": { + "pid": 5496, + "thread": { + "id": 876 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 2686, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 2 + } + }, + { + "@timestamp": "2020-05-05T14:57:44.714Z", + "event": { + "code": 13, + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{5b522f6e-77ae-5eb1-2c03-000000000800}", + "executable": "C:\\Windows\\regedit.exe", + "name": "regedit.exe", + "pid": 6072 + }, + "registry": { + "data": { + "strings": [ + "5" + ], + "type": "SZ_QWORD" + }, + "hive": "HKU", + "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2", + "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2", + "value": "Key 2" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "Details": "QWORD (0x00000000-0x00000005)", + "EventType": "SetValue", + "RuleName": "-", + "TargetObject": 
"HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2" + }, + "event_id": 13, + "process": { + "pid": 5496, + "thread": { + "id": 876 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 2687, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 2 + } + }, + { + "@timestamp": "2020-05-05T14:57:46.808Z", + "event": { + "code": 13, + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{5b522f6e-7554-5eb1-6d00-000000000800}", + "executable": "C:\\Windows\\Explorer.EXE", + "name": "Explorer.EXE", + "pid": 4320 + }, + "registry": { + "hive": "HKU", + "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr", + "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr", + "value": "ertrqvg.rkr" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "Details": "Binary Data", + "EventType": "SetValue", + "RuleName": "-", + "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr" + }, + "event_id": 13, + "process": { + "pid": 5496, + "thread": { + "id": 876 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": 
"Microsoft-Windows-Sysmon", + "record_id": 2690, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 2 + } + }, + { + "@timestamp": "2020-05-05T14:57:46.808Z", + "event": { + "code": 13, + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{5b522f6e-7554-5eb1-6d00-000000000800}", + "executable": "C:\\Windows\\Explorer.EXE", + "name": "Explorer.EXE", + "pid": 4320 + }, + "registry": { + "hive": "HKU", + "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "value": "HRZR_PGYFRFFVBA" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "Details": "Binary Data", + "EventType": "SetValue", + "RuleName": "-", + "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA" + }, + "event_id": 13, + "process": { + "pid": 5496, + "thread": { + "id": 876 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 2691, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 2 + } + } +] \ No newline at end of file 
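Review bot: The new registry golden file shows no `event.category` or `event.type` on any of the event code 13 (SetValue) records, even though the changelog line in this commit says registry events gain ECS categorization fields; if the script is expected to emit them, the expected output here should carry something like `"category": [ "configuration", "registry" ]` and `"type": [ "change" ]` under `event`, and the absence suggests the categorization is not applied for this event id. Separately, the `registry.data.type` values `SZ_DWORD` and `SZ_QWORD` do not look like Windows registry value type names; judging from the `Details` strings `DWORD (0x00000004)` and `QWORD (0x00000000-0x00000005)` these were presumably meant to be `REG_DWORD` and `REG_QWORD`, which is also the form ECS documents for `registry.data.type`, so the derivation in the script should be checked and the fixture regenerated. Both points apply to all five records in this hunk.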
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json index b083f5aba41..3608a7889ed 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json @@ -44,6 +44,16 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "process" + ], + "type": [ + "change" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -81,12 +91,17 @@ { "@timestamp": "2019-03-18T16:57:37.949Z", "event": { - "category": "process", + "category": [ + "process" + ], "code": 1, "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", - "type": "process_start" + "type": [ + "start", + "process_start" + ] }, "hash": { "sha1": "ac93c3b38e57a2715572933dbcb2a1c2892dbc5e" @@ -158,12 +173,17 @@ { "@timestamp": "2019-03-18T16:57:37.964Z", "event": { - "category": "process", + "category": [ + "process" + ], "code": 1, "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", - "type": "process_start" + "type": [ + "start", + "process_start" + ] }, "hash": { "sha1": "6df8163a6320b80b60733f9d62e2f39b4b16b678" @@ -238,12 +258,17 @@ { "@timestamp": "2019-03-18T16:57:38.981Z", "event": { - "category": "process", + "category": [ + "process" + ], "code": 5, "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", - "type": "process_end" + "type": [ + "end", + "process_end" + ] }, "host": { "name": "vagrant-2012-r2" @@ -283,12 +308,17 @@ { "@timestamp": "2019-03-18T16:57:38.981Z", "event": { - "category": "process", + "category": [ + "process" + ], "code": 5, "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", - "type": "process_end" + "type": [ + "end", + "process_end" + ] }, "host": { "name": "vagrant-2012-r2" 
@@ -328,12 +358,17 @@ { "@timestamp": "2019-03-18T16:57:39.012Z", "event": { - "category": "process", + "category": [ + "process" + ], "code": 1, "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", - "type": "process_start" + "type": [ + "start", + "process_start" + ] }, "hash": { "sha1": "5a4c0e82ff95c9fb762d46a696ef9f1b68001c21" @@ -417,6 +452,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -479,6 +526,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -542,6 +601,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -605,6 +676,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -668,6 +751,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -735,6 +830,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, 
@@ -800,6 +907,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -863,6 +982,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -925,6 +1056,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -990,6 +1133,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -1055,6 +1210,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -1117,6 +1284,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -1179,6 +1358,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -1245,6 +1436,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, 
@@ -1311,6 +1514,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -1377,6 +1592,18 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "start", + "protocol" + ] + } + }, "host": { "name": "vagrant-2012-r2" }, @@ -1434,12 +1661,17 @@ { "@timestamp": "2019-03-18T16:57:52.35Z", "event": { - "category": "process", + "category": [ + "process" + ], "code": 5, "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", - "type": "process_end" + "type": [ + "end", + "process_end" + ] }, "host": { "name": "vagrant-2012-r2" @@ -1479,12 +1711,17 @@ { "@timestamp": "2019-03-18T16:57:52.364Z", "event": { - "category": "process", + "category": [ + "process" + ], "code": 5, "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", - "type": "process_end" + "type": [ + "end", + "process_end" + ] }, "host": { "name": "vagrant-2012-r2" @@ -1529,6 +1766,16 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "file" + ], + "type": [ + "change" + ] + } + }, "file": { "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\fe823684-c940-49f2-a940-14b02cbafba9.tmp" }, @@ -1579,6 +1826,16 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "file" + ], + "type": [ + "change" + ] + } + }, "file": { "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\162d4140-cfab-4d05-9c92-bca60515a622.tmp" }, 
@@ -1629,6 +1886,16 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "file" + ], + "type": [ + "change" + ] + } + }, "file": { "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp" }, @@ -1679,6 +1946,16 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "file" + ], + "type": [ + "change" + ] + } + }, "file": { "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\37ed32e9-3c5f-4663-8457-c70743e9456d.tmp" }, @@ -1724,12 +2001,17 @@ { "@timestamp": "2019-03-18T16:57:52.433Z", "event": { - "category": "process", + "category": [ + "process" + ], "code": 5, "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", - "type": "process_end" + "type": [ + "end", + "process_end" + ] }, "host": { "name": "vagrant-2012-r2" @@ -1774,6 +2056,16 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "file" + ], + "type": [ + "change" + ] + } + }, "file": { "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def\\ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp" }, @@ -1824,6 +2116,16 @@ "module": "sysmon", "provider": "Microsoft-Windows-Sysmon" }, + "fields": { + "event": { + "category": [ + "file" + ], + "type": [ + "change" + ] + } + }, "file": { "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp" },