securityonion
securityonion copied to clipboard
Published
20 hours ago •
Security-Onion-Solutions
Security-Onion-Solutions
Sysmon logs are missing event.category and event.dataset
Discussed in https://github.com/Security-Onion-Solutions/securityonion/discussions/8189
Originally posted by sleepingbel June 26, 2022 Hello all,
After installing the new sysmon modular sysmonconfig.xml, I have seen that multiple sysmon events do not have a event.category and some event.dataset.
This results in a missing value in the default SOC dashboard
After some research I prepose the following event.category and event.dataset values for the sysmon event.code: Remark only the values in bold where missing
| event.dataset | event.code | event.category |
|---|---|---|
| process_changed_file | 2 | host, file |
| service_state_change | 4 | host |
| process_terminated | 5 | host, process |
| image_loaded | 7 | host |
| create_remote_thread | 8 | host |
| process_access | 10 | host, process |
| file_create | 11 | host, file |
| registry_create_delete | 12 | host, registry |
| registry_value_set | 13 | host, registry |
| file_create_stream_hash | 15 | host, file |
| config_change | 16 | host |
| pipe_create | 17 | host, pipe |
| pipe_connected | 18 | host, pipe |
| process_tampering | 25 | host, process |
| file_delete | 26 | host, file |
| error_report | 255 | host |
Could these be added?
Regards
Bart
