securityonion
Sysmon logs are missing event.category and event.dataset
Discussed in https://github.com/Security-Onion-Solutions/securityonion/discussions/8189
Originally posted by sleepingbel June 26, 2022

Hello all,
After installing the new Sysmon modular sysmonconfig.xml, I have seen that multiple Sysmon events do not have an event.category, and some do not have an event.dataset.
This results in a missing value in the default SOC dashboard.
After some research I propose the following event.category and event.dataset values for the Sysmon event.code. Note: only the values in bold were missing.
| event.dataset | event.code | event.category |
|---|---|---|
| process_changed_file | 2 | host, file |
| service_state_change | 4 | host |
| process_terminated | 5 | host, process |
| image_loaded | 7 | host |
| create_remote_thread | 8 | host |
| process_access | 10 | host, process |
| file_create | 11 | host, file |
| registry_create_delete | 12 | host, registry |
| registry_value_set | 13 | host, registry |
| file_create_stream_hash | 15 | host, file |
| config_change | 16 | host |
| pipe_create | 17 | host, pipe |
| pipe_connected | 18 | host, pipe |
| process_tampering | 25 | host, process |
| file_delete | 26 | host, file |
| error_report | 255 | host |
Could these be added?
Regards
Bart
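As an added worked example (editor's code, not Security Onion code and not part of the discussion above), the proposed table applied as an enrichment step to Winlogbeat-style Sysmon documents. It fills event.dataset and event.category only where they are absent, stores event.category as a list (ECS defines it as an array), and afterwards reports which event.code values still lack either field, which is exactly the set that shows up blank in the dashboard. The sample documents are constructed, and the field layout (nested `event.code`, `event.dataset`, `event.category`) is assumed to match what Winlogbeat ships.

```python
"""Fill in missing ECS event.dataset / event.category on Sysmon events.

Editor's example, not Security Onion code. Applies the mapping proposed in the
discussion to nested Winlogbeat-style documents and reports codes that are
still unmapped. All sample events below are constructed.
"""
import json
from collections import Counter

# event.code -> (event.dataset, event.category) exactly as proposed in the post.
SYSMON_ECS_MAP = {
    "2": ("process_changed_file", ["host", "file"]),
    "4": ("service_state_change", ["host"]),
    "5": ("process_terminated", ["host", "process"]),
    "7": ("image_loaded", ["host"]),
    "8": ("create_remote_thread", ["host"]),
    "10": ("process_access", ["host", "process"]),
    "11": ("file_create", ["host", "file"]),
    "12": ("registry_create_delete", ["host", "registry"]),
    "13": ("registry_value_set", ["host", "registry"]),
    "15": ("file_create_stream_hash", ["host", "file"]),
    "16": ("config_change", ["host"]),
    "17": ("pipe_create", ["host", "pipe"]),
    "18": ("pipe_connected", ["host", "pipe"]),
    "25": ("process_tampering", ["host", "process"]),
    "26": ("file_delete", ["host", "file"]),
    "255": ("error_report", ["host"]),
}


def get_path(doc, path):
    """Return the value at a dotted path such as 'event.code', or None."""
    cur = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def set_path(doc, path, value):
    """Set a dotted path, creating intermediate objects as needed."""
    parts = path.split(".")
    cur = doc
    for key in parts[:-1]:
        cur = cur.setdefault(key, {})
    cur[parts[-1]] = value


def enrich(doc):
    """Add event.dataset / event.category when absent; never overwrite values
    the ingest pipeline already set. Returns the same (mutated) document."""
    code = str(get_path(doc, "event.code"))
    if code not in SYSMON_ECS_MAP:
        return doc
    dataset, category = SYSMON_ECS_MAP[code]
    if get_path(doc, "event.dataset") in (None, ""):
        set_path(doc, "event.dataset", dataset)
    if not get_path(doc, "event.category"):
        # ECS event.category is an array, so always store a list (a copy).
        set_path(doc, "event.category", list(category))
    return doc


def unmapped_codes(docs):
    """Counter of event.code values still lacking dataset or category after
    enrichment: these are the rows that render blank in the SOC dashboard."""
    missing = Counter()
    for d in docs:
        if not get_path(d, "event.category") or not get_path(d, "event.dataset"):
            missing[str(get_path(d, "event.code"))] += 1
    return missing


# Constructed sample documents (trimmed to the fields that matter here).
SAMPLE_EVENTS = [
    {"event": {"code": "1", "module": "sysmon",
               "dataset": "process_creation", "category": ["process"]}},
    {"event": {"code": "11", "module": "sysmon"},
     "file": {"path": "C:\\Users\\Public\\dropper.exe"}},
    {"event": {"code": "17", "module": "sysmon", "dataset": "pipe_create"},
     "file": {"name": "\\\\.\\pipe\\psexesvc"}},
    {"event": {"code": "29", "module": "sysmon"}},  # hypothetical code not in the table
]


def run(docs=SAMPLE_EVENTS):
    """Enrich deep copies of docs; return (enriched_docs, unmapped_counter)."""
    enriched = [enrich(json.loads(json.dumps(d))) for d in docs]
    return enriched, unmapped_codes(enriched)


if __name__ == "__main__":
    enriched, missing = run()
    for d in enriched:
        print(json.dumps(d["event"], sort_keys=True))
    print("still unmapped:", dict(missing))
```

In a deployment this logic belongs in the ingest pipeline rather than in a script; the point of the example is the mapping itself, the rule of not clobbering fields that are already populated, and the report of codes that remain blank after the table is applied.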