example_mappings.txt
parentCommandLine: parentcommandline,process.parent.command_line.text,ParentCommandLine,process.parent.command_line
commandLine: commandline,process.command_line.text, CommandLine
eventID: EventID,event.code, winlog.event_data.EventID
channel: Channel,winlog.channel
signature: Provider_Name,winlog.provider_name
computerName: ComputerName,winlog.computer_name
filePath: FileName,file.path, TargetFilename, process.executable.text, ScriptName
winSystemProcessGuid: ProcessGuid,process.entity_id
winSystemProcessId: ProcessId,process.pid
fileName: Image,process.executable, SourceImage,process.executable, PipeName,file.name, Destination, Application, ProcessName
currentDirectory: CurrentDirectory,process.working_directory
winSystemParentProcessGuid: ParentProcessGuid,process.parent.entity_id
winSystemParentProcessId: ParentProcessId,process.parent.pid
parentFileName: ParentImage,process.parent.executable
sourceAddress: SourceIp,source.ip, ClientAddress, IpAddress
sourceHost: SourceHostname,source.domain, ClientName, WorkstationName
sourcePort: SourcePort,source.port, IpPort
destinationAddress: DestinationIp,destination.ip, DestAddress
destinationHost: DestinationHostname,destination.domain, DestName
destinationPort: DestinationPort,destination.port, DestPort
transportProtocol: DestinationPortName,network.protocol
sourceProcessGuid: SourceProcessGuid,process.entity_id
sourceProcessId: SourceProcessId,process.pid
sourceThreadId: SourceThreadId,process.thread.id
targetObject: TargetObject,registry.path
dns: QueryName,dns.question.name
dnsQueryStatus: QueryStatus,sysmon.dns.status
isExecutable: IsExecutable,sysmon.file.is_executable
fileArchived: Archived,sysmon.file.archived
commandExecuted: CommandName,powershell.command.name
commandExecutedPath: CommandPath,powershell.command.path
commandType: CommandType,powershell.command.type
hostApplication: HostApplication,process.command_line
hostId: HostId,process.entity_id
hostName: HostName,process.title
powershellEngineState: NewEngineState,powershell.engine.new_state
powershellPipelineId: PipelineId,powershell.pipeline_id
powershellPreviousEngineState: PreviousEngineState,powershell.engine.previous_state
powershellRunspaceId: RunspaceId,powershell.runspace_id
externalId: SequenceNumber,event.sequence
powershellProviderNewState: NewProviderState,powershell.provider.new_state
powershellProviderName: ProviderName,powershell.provider.name
powershellSequence: MessageNumber,powershell.sequence
powershellTotal: MessageTotal,powershell.total
powershellScriptBlockText: ScriptBlockText,powershell.file.script_block_text
powershellScriptBlockId: ScriptBlockId,powershell.file.script_block_id
winSystemAccountDomain: AccountDomain,user.domain, TargetDomainName
winSystemAccountName: AccountName,user.name
winProcessId: NewProcessId,process.pid
deviceProcessName: NewProcessName,process.executable
parentProcessName: ParentProcessName,process.parent.name