Preserve Sysmon ProcessGUID whenever possible #922
Comments
This will be an important-yet-practical fix for cross-observation SCO recognition/deduplication, which is critical to any reasoning/hunting that fetches multiple queries back. For most types of SCOs, such as I strongly second this ticket, which will benefit any downstream application of stix-shifter for large-scale reasoning beyond one query.
Just so I understand the ask. The STIX 2.1 spec recommendation is to use a UUIDv4 for the id on the process object, since all fields are optional. The recommendation in this case is to add a new
Yes @delliott90 - that's a good summary.
Is your feature request related to a problem? Please describe.
Sysmon events include a ProcessGUID field that's needed to correlate events from the same process. It also would give us a way to generate deterministic IDs for process objects in STIX 2.1.
Describe the solution you'd like
Modify all relevant module mappings so the ProcessGUID (or equivalent) is available in STIX output.
Could define a new extension 'process-ext' to hold this ID and other fields common to data sources but not STIX. Or simply x_unique_id like the Carbon Black Response module.
Modules:
- Process Guid is available through the Sysmon content extension but not available in the mappings yet
- process_guid [https://docs.splunk.com/Documentation/CIM/5.0.1/User/Endpoint#Processes]
- process.entity_id [https://www.elastic.co/guide/en/ecs/current/ecs-process.html#field-process-entity-id]
- process_guid [https://developer.carbonblack.com/reference/carbon-black-cloud/platform/latest/platform-search-fields/]
Describe alternatives you've considered
None
Additional context
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#events
@mdazam1942
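As an added illustration (not code from stix-shifter or from the issue author) of what preserving the ProcessGUID buys a consumer, the following Python shows a hypothetical x_unique_id-based scheme: a deterministic process id derived with UUIDv5 under the STIX 2.1 SCO namespace, and a merge of SCOs returned by two separate queries that folds the same Sysmon process into one object and rewrites its references. The sample observations and the GUID are constructed.

```python
import json
import uuid

# UUIDv5 namespace that STIX 2.1 defines for deterministic SCO identifiers.
STIX_SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")

def deterministic_process_id(process_guid):
    """Hypothetical scheme: UUIDv5 over the canonical JSON of x_unique_id,
    the same construction STIX 2.1 uses for SCOs that do have
    ID-contributing properties (process itself has none, hence UUIDv4)."""
    name = json.dumps({"x_unique_id": process_guid.strip().lower()},
                      separators=(",", ":"), sort_keys=True)
    return "process--" + str(uuid.uuid5(STIX_SCO_NAMESPACE, name))

def merge_observations(scos):
    """Fold process objects carrying the same x_unique_id (e.g. a Sysmon
    ProcessGUID) into one object and rewrite *_ref/*_refs accordingly."""
    id_map, merged = {}, {}
    for sco in scos:
        new_id = sco["id"]
        if sco["type"] == "process" and "x_unique_id" in sco:
            new_id = deterministic_process_id(sco["x_unique_id"])
        id_map[sco["id"]] = new_id
        # First observation wins on conflicts; later ones fill in gaps.
        merged[new_id] = {**sco, **merged.get(new_id, {}), "id": new_id}
    for sco in merged.values():
        for key, value in list(sco.items()):
            if key.endswith("_ref"):
                sco[key] = id_map.get(value, value)
            elif key.endswith("_refs"):
                sco[key] = [id_map.get(v, v) for v in value]
    return list(merged.values())

# Constructed sample: one Sysmon process observed in two separate query
# results, each with a fresh random (UUIDv4-style) id as the spec suggests.
GUID = "{8A1E3D2B-5C7F-63A2-0000-001065A4F301}"  # constructed ProcessGUID
SAMPLE = [
    {"type": "process", "id": "process--5d8b3f6a-1a1e-4c2e-9c2c-0d3c5c7b1a01",
     "pid": 4312, "x_unique_id": GUID,
     "binary_ref": "file--2f1c9b5e-4d3a-4a6c-8e1f-7b0c2d9e4a11"},
    {"type": "file", "id": "file--2f1c9b5e-4d3a-4a6c-8e1f-7b0c2d9e4a11",
     "name": "powershell.exe"},
    {"type": "process", "id": "process--9e4c7a2d-6b5f-4d1e-8a3c-2f7b1c0d9e22",
     "pid": 4312, "x_unique_id": GUID,
     "opened_connection_refs": ["network-traffic--c3a1f8d2-7e4b-4f9a-b6d5-1e2c3a4b5d66"]},
    {"type": "network-traffic", "id": "network-traffic--c3a1f8d2-7e4b-4f9a-b6d5-1e2c3a4b5d66",
     "dst_port": 443, "protocols": ["tcp"]},
]
```

Without the GUID the two process objects would remain two unrelated SCOs with random ids, which is exactly the deduplication gap the issue describes.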