
jsecurity101/TelemetrySource


TelemetrySource

Project created to map the functions responsible for triggering events from various telemetry sources.

Main Mapping Sheet: Event Mapping Google Sheet

Currently mapped sources:

  • Sysmon (see Sysmon-Overview)
  • Windows Security Events (Microsoft-Windows-Security-Auditing) (see WSE-Overview)
  • Threat Intelligence Events (Microsoft-Windows-Threat-Intelligence) (see Microsoft-Windows-Threat-Intelligence)

  • Each source has its own README file with the information needed to understand how the mappings work.

Blogs:

I have done a couple of write-ups on my methodology for tracking these events down to their APIs; please read them if you are interested:

Feedback:

If anyone has suggestions on how this data could be exposed differently to better help defenders or any other feedback, please reach out! The goal with this project is to help defenders understand how data is generated, so that we can be more informed in our decisions when leveraging that data.

To-Dos:

  • Update Sysmon to v14
  • Expand events in Microsoft-Windows-Security-Auditing
  • Add other ETW Providers
