sysmon-logs Log Parser

Installation

cscli parsers install crowdsecurity/sysmon-logs

Description

A parser for sysmon events.

Example acquisition config:

source: wineventlog
pretty_name: sysmon
event_channel: "Microsoft-Windows-Sysmon/Operational"
labels:
 type: sysmon

YAML Configuration

1onsuccess: next_stage
2filter: "evt.Parsed.Channel == 'Microsoft-Windows-Sysmon/Operational'"
3name: crowdsecurity/sysmon
4description: "Parse sysmon events"
5nodes:
6  - filter: evt.Parsed.EventID == '1'
7    statics:
8      - parsed: ProcessGuid
9        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ProcessGuid']")
10      - parsed: Image
11        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Image']")
12      - parsed: ProcessId
13        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ProcessId']")
14      - parsed: FileVersion
15        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='FileVersion']")
16      - parsed: Description
17        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Description']")
18      - parsed: Company
19        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Company']")
20      - parsed: OriginalFileName
21        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='OriginalFileName']")
22      - parsed: CommandLine
23        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='CommandLine']")
24      - parsed: CurrentDirectory
25        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='CurrentDirectory']")
26      - parsed: User
27        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='User']")
28      - parsed: LogonGuid
29        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='LogonGuid']")
30      - parsed: LogonId
31        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='LogonId']")
32      - parsed: TerminalSessionId
33        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='TerminalSessionId']")
34      - parsed: IntegrityLevel
35        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='IntegrityLevel']")
36      - parsed: Hashes
37        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Hashes']")
38      - parsed: ParentProcessGuid
39        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ParentProcessGuid']")
40      - parsed: ParentProcessId
41        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ParentProcessId']")
42      - parsed: ParentImage
43        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ParentImage']")
44      - parsed: ParentCommandLine
45        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ParentCommandLine']")
46      - parsed: ParentUser
47        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ParentUser']")
48      - meta: SysmonEventType
49        value: ProcessCreation
50      - meta: CommandLine
51        expression: evt.Parsed.CommandLine
52      - meta: CurrentDirectory
53        expression: evt.Parsed.CurrentDirectory
54      - meta: User
55        expression: evt.Parsed.User
56      - meta: Hashes
57        expression: evt.Parsed.Hashes
58      - meta: ParentImage
59        expression: evt.Parsed.ParentImage
60  - filter: evt.Parsed.EventID == '2'
61    statics:
62      - parsed: ProcessGuid
63        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ProcessGuid']")
64      - parsed: Image
65        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Image']")
66      - parsed: ProcessId
67        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ProcessId']")
68      - parsed: TargetFilename
69        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='TargetFilename']")
70      - parsed: CreationUtcTime
71        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='CreationUtcTime']")
72      - parsed: CreationUtcTime
73        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='CreationUtcTime']")
74      - meta: SysmonEventType
75        value: CreationTimeChanged
76  - filter: evt.Parsed.EventID == '3'
77    statics:
78      - parsed: ProcessGuid
79        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ProcessGuid']")
80      - parsed: Image
81        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Image']")
82      - parsed: ProcessId
83        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ProcessId']")
84      - parsed: User
85        expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='User']")
86      - parsed: Protocol
87        expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Protocol']")
88      - parsed: Initiated
89        expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Initiated']")
90      - parsed: SourceIsIpv6
91        expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='SourceIsIpv6']")
92      - parsed: SourceIp
93        expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='SourceIp']")
94      - parsed: SourceHostname
95        expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='SourceHostname']")
96      - parsed: SourcePort
97        expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='SourcePort']")
98      - parsed: SourcePortName
99        expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='SourcePortName']")
100      - parsed: DestinationIsIpv6
101        expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='DestinationIsIpv6']")
102      - parsed: DestinationIp
103        expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='DestinationIp']")
104      - parsed: DestinationHostname
105        expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='DestinationHostname']")
106      - parsed: DestinationPort
107        expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='DestinationPort']")
108      - parsed: DestinationPortName
109        expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='DestinationPortName']")
110      - meta: SysmonEventType
111        value: NetworkConnection
112  - filter: evt.Parsed.EventID == '4'
113    statics:
114      - parsed: State
115        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='State']")
116      - parsed: Version
117        expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Version']")
118      - parsed: SchemaVersion
119        expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='SchemaVersion']")
120      - meta: SysmonEventType
121        value: SysmonServiceStateChanged
122  - filter: evt.Parsed.EventID == '5'
123    statics:
124      - parsed: ProcessGuid
125        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ProcessGuid']")
126      - parsed: Image
127        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Image']")
128      - parsed: ProcessId
129        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ProcessId']")
130      - meta: SysmonEventType
131        value: ProcessTerminated
132  - filter: evt.Parsed.EventID == '6'
133    statics:
134      - parsed: ImageLoaded
135        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ImageLoaded']")
136      - parsed: Hashes
137        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Hashes']")
138      - parsed: Signed
139        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Signed']")
140      - parsed: Signature
141        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Signature']")
142      - parsed: SignatureStatus
143        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='SignatureStatus']")
144      - meta: SysmonEventType
145        value: DriverLoaded
146  - filter: evt.Parsed.EventID == '7'
147    statics:
148      - parsed: ProcessGuid
149        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ProcessGuid']")
150      - parsed: ProcessId
151        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ProcessId']")
152      - parsed: Image
153        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Image']")
154      - parsed: ImageLoaded
155        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ImageLoaded']")
156      - parsed: Hashes
157        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Hashes']")
158      - parsed: Signed
159        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Signed']")
160      - parsed: Signature
161        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Signature']")
162      - parsed: SignatureStatus
163        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='SignatureStatus']")
164      - meta: SysmonEventType
165        value: ImageLoaded
166  - filter: evt.Parsed.EventID == '8'
167    statics:
168      - parsed: SourceProcessGuid
169        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='SourceProcessGuid']")
170      - parsed: SourceProcessId
171        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='SourceProcessId']")
172      - parsed: SourceImage
173        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='SourceImage']")
174      - parsed: TargetProcessGuid
175        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='TargetProcessGuid']")
176      - parsed: TargetProcessId
177        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='TargetProcessId']")
178      - parsed: TargetImage
179        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='TargetImage']")
180      - parsed: NewThreadId
181        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='NewThreadId']")
182      - parsed: StartAddress
183        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='StartAddress']")
184      - parsed: StartModule
185        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='StartModule']")
186      - parsed: StartFunction
187        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='StartFunction']")
188      - meta: SysmonEventType
189        value: CreateRemoteThread
190  - filter: evt.Parsed.EventID == '9'
191    statics:
192      - parsed: ProcessGuid
193        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ProcessGuid']")
194      - parsed: ProcessId
195        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ProcessId']")
196      - parsed: Image
197        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Image']")
198      - parsed: Device
199        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Device']")
200      - meta: SysmonEventType
201        value: RawAccessRead
202  - filter: evt.Parsed.EventID == '10'
203    statics:
204      - parsed: SourceProcessGUID
205        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='SourceProcessGUID']")
206      - parsed: SourceProcessId
207        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='SourceProcessId']")
208      - parsed: SourceThreadId
209        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='SourceThreadId']")
210      - parsed: SourceImage
211        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='SourceImage']")
212      - parsed: TargetProcessGUID
213        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='TargetProcessGUID']")
214      - parsed: TargetProcessId
215        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='TargetProcessId']")
216      - parsed: TargetImage
217        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='TargetImage']")
218      - parsed: GrantedAccess
219        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='GrantedAccess']")
220      - parsed: CallTrace
221        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='CallTrace']")
222      - meta: SysmonEventType
223        value: ProcessAccess
224  - filter: evt.Parsed.EventID == '11'
225    statics:
226      - parsed: ProcessGuid
227        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ProcessGuid']")
228      - parsed: ProcessId
229        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ProcessId']")
230      - parsed: Image
231        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Image']")
232      - parsed: TargetFilename
233        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='TargetFilename']")
234      - parsed: CreationUtcTime
235        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='CreationUtcTime']")
236      - meta: SysmonEventType
237        value: FileCreate
238  - filter: evt.Parsed.EventID == '12'
239    statics:
240      - parsed: EventType
241        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='EventType']")
242      - parsed: ProcessGuid
243        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ProcessGuid']")
244      - parsed: ProcessId
245        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ProcessId']")
246      - parsed: Image
247        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Image']")
248      - parsed: TargetObject
249        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='TargetObject']")
250      - meta: SysmonEventType
251        value: RegistryCreateOrDel
252  - filter: evt.Parsed.EventID == '13'
253    statics:
254      - parsed: EventType
255        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='EventType']")
256      - parsed: ProcessGuid
257        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ProcessGuid']")
258      - parsed: ProcessId
259        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ProcessId']")
260      - parsed: Image
261        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Image']")
262      - parsed: TargetObject
263        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='TargetObject']")
264      - parsed: Details
265        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Details']")
266      - meta: SysmonEventType
267        value: RegistrySetValue
268  - filter: evt.Parsed.EventID == '14'
269    statics:
270      - parsed: EventType
271        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='EventType']")
272      - parsed: ProcessGuid
273        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ProcessGuid']")
274      - parsed: ProcessId
275        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ProcessId']")
276      - parsed: Image
277        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Image']")
278      - parsed: TargetObject
279        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='TargetObject']")
280      - parsed: NewName
281        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='NewName']")
282      - meta: SysmonEventType
283        value: RegistryRename
284  - filter: evt.Parsed.EventID == '15'
285    statics:
286      - parsed: ProcessGuid
287        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ProcessGuid']")
288      - parsed: ProcessId
289        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ProcessId']")
290      - parsed: Image
291        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Image']")
292      - parsed: TargetFilename
293        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='TargetFilename']")
294      - parsed: CreationUtcTime
295        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='CreationUtcTime']")
296      - meta: SysmonEventType
297        value: FileCreateStreamHash
298  - filter: evt.Parsed.EventID == '16'
299    statics:
300      - parsed: ConfigurationFileHash
301        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ConfigurationFileHash']")
302      - parsed: Configuration
303        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Configuration']")
304      - meta: SysmonEventType
305        value: SysmonConfigChange
306  - filter: evt.Parsed.EventID == '17'
307    statics:
308      - parsed: ProcessGuid
309        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ProcessGuid']")
310      - parsed: ProcessId
311        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ProcessId']")
312      - parsed: Image
313        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Image']")
314      - parsed: PipeName
315        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='PipeName']")
316      - meta: SysmonEventType
317        value: PipeCreated
318  - filter: evt.Parsed.EventID == '18'
319    statics:
320      - parsed: ProcessGuid
321        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ProcessGuid']")
322      - parsed: ProcessId
323        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ProcessId']")
324      - parsed: Image
325        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Image']")
326      - parsed: PipeName
327        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='PipeName']")
328      - meta: SysmonEventType
329        value: PipeConnected
330  - filter: evt.Parsed.EventID == '19'
331    statics:
332      - parsed: EventType
333        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='EventType']")
334      - parsed: Operation
335        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Operation']")
336      - parsed: User
337        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='User']")
338      - parsed: EventNamespace
339        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='EventNamespace']")
340      - parsed: Name
341        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Name']")
342      - parsed: Query
343        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Query']")
344      - meta: SysmonEventType
345        value: WmiEventFilter
346  - filter: evt.Parsed.EventID == '20'
347    statics:
348      - parsed: EventType
349        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='EventType']")
350      - parsed: Operation
351        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Operation']")
352      - parsed: User
353        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='User']")
354      - parsed: Type
355        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Type']")
356      - parsed: Name
357        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Name']")
358      - parsed: Destination
359        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Destination']")
360      - meta: SysmonEventType
361        value: WmiEventConsumer
362  - filter: evt.Parsed.EventID == '21'
363    statics:
364      - parsed: EventType
365        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='EventType']")
366      - parsed: Operation
367        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Operation']")
368      - parsed: User
369        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='User']")
370      - parsed: Consumer
371        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Consumer']")
372      - parsed: Filter
373        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Filter']")
374      - meta: SysmonEventType
375        value: WmiEventConsumerToFilter
376  - filter: evt.Parsed.EventID == '22'
377    statics:
378      - parsed: ProcessGuid
379        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ProcessGuid']")
380      - parsed: ProcessId
381        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ProcessId']")
382      - parsed: QueryName
383        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='QueryName']")
384      - parsed: QueryStatus
385        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='QueryStatus']")
386      - parsed: QueryResults
387        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='QueryResults']")
388      - parsed: Image
389        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Image']")
390      - meta: SysmonEventType
391        value: DNSEvent
392  - filter: evt.Parsed.EventID == '23'
393    statics:
394      - parsed: ProcessGuid
395        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ProcessGuid']")
396      - parsed: ProcessId
397        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ProcessId']")
398      - parsed: User
399        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='User']")
400      - parsed: Image
401        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Image']")
402      - parsed: TargetFilename
403        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='TargetFilename']")
404      - parsed: Hashes
405        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Hashes']")
406      - parsed: IsExecutable
407        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='IsExecutable']")
408      - parsed: Archived
409        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Archived']")
410      - meta: SysmonEventType
411        value: FileDelete
412  - filter: evt.Parsed.EventID == '24'
413    statics:
414      - parsed: ProcessGuid
415        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ProcessGuid']")
416      - parsed: ProcessId
417        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ProcessId']")
418      - parsed: User
419        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='User']")
420      - parsed: Image
421        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Image']")
422      - parsed: Session
423        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Session']")
424      - parsed: ClientInfo
425        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ClientInfo']")
426      - parsed: Hashes
427        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Hashes']")
428      - parsed: IsExecutable
429        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='IsExecutable']")
430      - parsed: Archived
431        expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Archived']")
432      - meta: SysmonEventType
433        value: ClipboardChange
434  - filter: evt.Parsed.EventID == '225'
435    statics:
436      - meta: SysmonEventType
437        value: SysmonInternalError
438
439statics:
440  - meta: service
441    value: sysmon
442  - meta: RuleName
443    expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='RuleName']")

Hub configuration

« sysmon-logs »
v0.2 by crowdsecurity
Log parser

Hub configuration

« sysmon-logs »v0.2 by crowdsecurityLog parser

« sysmon-logs »
v0.2 by crowdsecurity
Log parser