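---
# Sigma backend configuration for the `securonix` backend (sigmac-style
# config: `logsources` attach a Securonix search condition to matching rule
# logsources, `fieldmappings` translate rule field names to Securonix
# `@field` names).
title: Securonix
order: 20
backends:
  - securonix

# Every Windows endpoint logsource below is scoped to the same Securonix
# functionality, so converted queries are restricted to endpoint-management
# events rather than searched across all sources.
logsources:
  win-sysmon:
    product: windows
    service: sysmon
    conditions:
      rg_functionality: Endpoint Management Systems
  win-defender:
    product: windows_defender
    conditions:
      rg_functionality: Endpoint Management Systems
  win-windefend:
    product: windows
    service: windefend
    conditions:
      rg_functionality: Endpoint Management Systems
  # NOTE(review): `category: windows` beside `product: windef` is unusual —
  # confirm this matches the logsource the intended rules declare.
  win-def:
    category: windows
    product: windef
    conditions:
      rg_functionality: Endpoint Management Systems
  win-antivirus:
    product: antivirus
    conditions:
      rg_functionality: Endpoint Management Systems

# Rule field -> Securonix field. A list value maps one rule field onto
# several candidate Securonix fields. A rule field with no entry here
# presumably reaches the backend untranslated, which would silently miss
# events — keep this table complete for the fields the rules use.
fieldmappings:
  SourceImage:
    - '@filepath'
    - '@filename'
  TargetImage:
    - '@filename'
    - '@filepath'
  StartModule: '@customstring58'
  StartFunction: '@customstring55'
  TargetFilename: '@filename'
  Image:
    - '@deviceprocessname'
    - '@sourceprocessname'
    - '@destinationprocessname'
    - '@resourcecustomfield4'
    - '@customstring54'
    - '@customstring57'
  QueryResult: '@customstring53'
  QueryName: '@destinationhostname'
  QueryStatus: '@eventoutcome'
  Imphash:
    - '@customstring3'
    - '@filehash'
  IntegrityLevel: '@customstring7'
  ParentProcessCommandLine: '@resourcecustomfield2'
  PipeName: '@filename'
  ProcessID:
    - '@destinationprocessid'
    - '@sourceprocessid'
  Device:
    - '@devicehostname'
    - '@devicemacaddress'
    - '@devicentdomain'
  Destination: '@filename'
  ParentImage: '@customstring59'
  CommandLine: '@resourcecustomfield1'
  # Sysmon's field is spelled `OriginalFileName`; the misspelled key was the
  # only entry before, so rules using the real name were never mapped. The
  # misspelling is kept as an alias for any rule that copied it.
  OriginalFileName: '@oldfilename'
  OiginalFileName: '@oldfilename'
  # No Securonix target identified yet for these Sysmon fields; left unmapped.
  # ImageLoaded: '@'
  # TargetProcessAddress: '@'
  # Details: '@'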