Project created to map functions repsonsible for triggering events from various telemetry sources.
Main Mapping Sheet: Event Mapping Google Sheet
- Each source has it's own README file with the necessary information needed to understand how the mappings work.
I have done a couple of write-ups on my methodology on tracking these events to APIs down, please read them if you are interested:
- Uncovering Windows Events - Part 1: TelemetrySource
- Uncovering Windows Events - Part 2: The Methodology
- Uncovering Windows Events - Part 3: Threat Intelligence ETW
If anyone has suggestions on how this data could be exposed differently to better help defenders or any other feedback, please reach out! The goal with this project is to help defenders understand how data is generated, so that we can be more informed in our decisions when leveraging that data.
- Update Sysmon to v14
- Expand events in Microsoft-Windows-Security-Auditing
- Add other ETW Providers