Sysmon observability setup for lab

This commit is contained in:
Marius Ciepluch 2024-06-13 11:21:56 +02:00 committed by GitHub
parent 0257992b8d
commit e7fb89f018
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 3933 additions and 0 deletions

2396
data_sources_new_3.json Normal file


337
sysmon_layer.yaml Normal file

@ -0,0 +1,337 @@
version: 1.1
file_type: data-source-administration
name: new
domain: enterprise-attack
systems:
- applicable_to: Windows workstations
platform:
- Windows
data_sources:
- data_source_name: Process Termination
data_source:
- applicable_to:
- Windows workstations
date_registered: 2024-06-13T00:00:00.000Z
date_connected: 2024-06-13T00:00:00.000Z
products:
- '5: Process terminated.'
available_for_data_analytics: true
comment: 'Auto added by Dettectinator. TODO: Check data quality scores, default values used.'
data_quality:
device_completeness: 1
data_field_completeness: 1
timeliness: 1
consistency: 1
retention: 1
- data_source_name: Network Connection Creation
data_source:
- applicable_to:
- Windows workstations
date_registered: 2024-06-13T00:00:00.000Z
date_connected: 2024-06-13T00:00:00.000Z
products:
- '3: Network connection.'
available_for_data_analytics: true
comment: 'Auto added by Dettectinator. TODO: Check data quality scores, default values used.'
data_quality:
device_completeness: 1
data_field_completeness: 1
timeliness: 1
consistency: 1
retention: 1
- data_source_name: Module Load
data_source:
- applicable_to:
- Windows workstations
date_registered: 2024-06-13T00:00:00.000Z
date_connected: 2024-06-13T00:00:00.000Z
products:
- '7: Image loaded.'
available_for_data_analytics: true
comment: 'Auto added by Dettectinator. TODO: Check data quality scores, default values used.'
data_quality:
device_completeness: 1
data_field_completeness: 1
timeliness: 1
consistency: 1
retention: 1
- data_source_name: Windows Registry Key Deletion
data_source:
- applicable_to:
- Windows workstations
date_registered: 2024-06-13T00:00:00.000Z
date_connected: 2024-06-13T00:00:00.000Z
products:
- '12: RegistryEvent (Object create and delete).'
available_for_data_analytics: true
comment: 'Auto added by Dettectinator. TODO: Check data quality scores, default values used.'
data_quality:
device_completeness: 1
data_field_completeness: 1
timeliness: 1
consistency: 1
retention: 1
- data_source_name: Command Execution
data_source:
- applicable_to:
- Windows workstations
date_registered: 2024-06-13T00:00:00.000Z
date_connected: 2024-06-13T00:00:00.000Z
products:
- '1: Process Creation.'
available_for_data_analytics: true
comment: 'Auto added by Dettectinator. TODO: Check data quality scores, default values used.'
data_quality:
device_completeness: 1
data_field_completeness: 1
timeliness: 1
consistency: 1
retention: 1
- data_source_name: File Deletion
data_source:
- applicable_to:
- Windows workstations
date_registered: 2024-06-13T00:00:00.000Z
date_connected: 2024-06-13T00:00:00.000Z
products:
- '23: File Delete archived.'
- '26: File Delete logged.'
available_for_data_analytics: true
comment: 'Auto added by Dettectinator. TODO: Check data quality scores, default values used.'
data_quality:
device_completeness: 1
data_field_completeness: 1
timeliness: 1
consistency: 1
retention: 1
- data_source_name: Process Metadata
data_source:
- applicable_to:
- Windows workstations
date_registered: 2024-06-13T00:00:00.000Z
date_connected: 2024-06-13T00:00:00.000Z
products:
- '5: Process terminated.'
available_for_data_analytics: true
comment: 'Auto added by Dettectinator. TODO: Check data quality scores, default values used.'
data_quality:
device_completeness: 1
data_field_completeness: 1
timeliness: 1
consistency: 1
retention: 1
- data_source_name: Named Pipe Metadata
data_source:
- applicable_to:
- Windows workstations
date_registered: 2024-06-13T00:00:00.000Z
date_connected: 2024-06-13T00:00:00.000Z
products:
- '18: PipeEvent (Pipe Connected).'
- '17: PipeEvent (Pipe Created).'
available_for_data_analytics: true
comment: 'Auto added by Dettectinator. TODO: Check data quality scores, default values used.'
data_quality:
device_completeness: 1
data_field_completeness: 1
timeliness: 1
consistency: 1
retention: 1
- data_source_name: Host Status
data_source:
- applicable_to:
- Windows workstations
date_registered: 2024-06-13T00:00:00.000Z
date_connected: 2024-06-13T00:00:00.000Z
products:
- '4: Sysmon service state changed.'
available_for_data_analytics: true
comment: 'Auto added by Dettectinator. TODO: Check data quality scores, default values used.'
data_quality:
device_completeness: 1
data_field_completeness: 1
timeliness: 1
consistency: 1
retention: 1
- data_source_name: WMI Creation
data_source:
- applicable_to:
- Windows workstations
date_registered: 2024-06-13T00:00:00.000Z
date_connected: 2024-06-13T00:00:00.000Z
products:
- '19: WmiEvent (WmiEventFilter activity detected).'
- '20: WmiEvent (WmiEventConsumer activity detected).'
- '21: WmiEvent (WmiEventConsumerToFilter activity detected).'
available_for_data_analytics: true
comment: 'Auto added by Dettectinator. TODO: Check data quality scores, default values used.'
data_quality:
device_completeness: 1
data_field_completeness: 1
timeliness: 1
consistency: 1
retention: 1
- data_source_name: Windows Registry Key Creation
data_source:
- applicable_to:
- Windows workstations
date_registered: 2024-06-13T00:00:00.000Z
date_connected: 2024-06-13T00:00:00.000Z
products:
- '12: RegistryEvent (Object create and delete).'
available_for_data_analytics: true
comment: 'Auto added by Dettectinator. TODO: Check data quality scores, default values used.'
data_quality:
device_completeness: 1
data_field_completeness: 1
timeliness: 1
consistency: 1
retention: 1
- data_source_name: Service Metadata
data_source:
- applicable_to:
- Windows workstations
date_registered: 2024-06-13T00:00:00.000Z
date_connected: 2024-06-13T00:00:00.000Z
products:
- '4: Sysmon service state changed.'
available_for_data_analytics: true
comment: 'Auto added by Dettectinator. TODO: Check data quality scores, default values used.'
data_quality:
device_completeness: 1
data_field_completeness: 1
timeliness: 1
consistency: 1
retention: 1
- data_source_name: Process Access
data_source:
- applicable_to:
- Windows workstations
date_registered: 2024-06-13T00:00:00.000Z
date_connected: 2024-06-13T00:00:00.000Z
products:
- '10: Process Access.'
- '10: ProcessAccess'
available_for_data_analytics: true
comment: 'Auto added by Dettectinator. TODO: Check data quality scores, default values used.'
data_quality:
device_completeness: 1
data_field_completeness: 1
timeliness: 1
consistency: 1
retention: 1
- data_source_name: Driver Load
data_source:
- applicable_to:
- Windows workstations
date_registered: 2024-06-13T00:00:00.000Z
date_connected: 2024-06-13T00:00:00.000Z
products:
- '6: Driver loaded.'
available_for_data_analytics: true
comment: 'Auto added by Dettectinator. TODO: Check data quality scores, default values used.'
data_quality:
device_completeness: 1
data_field_completeness: 1
timeliness: 1
consistency: 1
retention: 1
- data_source_name: Process Modification
data_source:
- applicable_to:
- Windows workstations
date_registered: 2024-06-13T00:00:00.000Z
date_connected: 2024-06-13T00:00:00.000Z
products:
- '8: CreateRemoteThread.'
available_for_data_analytics: true
comment: 'Auto added by Dettectinator. TODO: Check data quality scores, default values used.'
data_quality:
device_completeness: 1
data_field_completeness: 1
timeliness: 1
consistency: 1
retention: 1
- data_source_name: Process Creation
data_source:
- applicable_to:
- Windows workstations
date_registered: 2024-06-13T00:00:00.000Z
date_connected: 2024-06-13T00:00:00.000Z
products:
- '1: Process Creation.'
- '8: CreateRemoteThread.'
available_for_data_analytics: true
comment: 'Auto added by Dettectinator. TODO: Check data quality scores, default values used.'
data_quality:
device_completeness: 1
data_field_completeness: 1
timeliness: 1
consistency: 1
retention: 1
- data_source_name: OS API Execution
data_source:
- applicable_to:
- Windows workstations
date_registered: 2024-06-13T00:00:00.000Z
date_connected: 2024-06-13T00:00:00.000Z
products:
- '8: CreateRemoteThread.'
available_for_data_analytics: true
comment: 'Auto added by Dettectinator. TODO: Check data quality scores, default values used.'
data_quality:
device_completeness: 1
data_field_completeness: 1
timeliness: 1
consistency: 1
retention: 1
- data_source_name: File Modification
data_source:
- applicable_to:
- Windows workstations
date_registered: 2024-06-13T00:00:00.000Z
date_connected: 2024-06-13T00:00:00.000Z
products:
- '2: A process changed a file creation time.'
- '11: FileCreate.'
available_for_data_analytics: true
comment: 'Auto added by Dettectinator. TODO: Check data quality scores, default values used.'
data_quality:
device_completeness: 1
data_field_completeness: 1
timeliness: 1
consistency: 1
retention: 1
- data_source_name: Windows Registry Key Modification
data_source:
- applicable_to:
- Windows workstations
date_registered: 2024-06-13T00:00:00.000Z
date_connected: 2024-06-13T00:00:00.000Z
products:
- '13: RegistryEvent (Value Set).'
- '14: RegistryEvent (Key and Value Rename).'
available_for_data_analytics: true
comment: 'Auto added by Dettectinator. TODO: Check data quality scores, default values used.'
data_quality:
device_completeness: 1
data_field_completeness: 1
timeliness: 1
consistency: 1
retention: 1
- data_source_name: File Creation
data_source:
- applicable_to:
- Windows workstations
date_registered: 2024-06-13T00:00:00.000Z
date_connected: 2024-06-13T00:00:00.000Z
products:
- '11: FileCreate'
available_for_data_analytics: true
comment: 'Auto added by Dettectinator. TODO: Check data quality scores, default values used.'
data_quality:
device_completeness: 1
data_field_completeness: 1
timeliness: 1
consistency: 1
retention: 1
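Review bot: The Process Access entry lists Sysmon event 10 twice under two spellings, `'10: Process Access.'` and `'10: ProcessAccess'`; one of them should go, and the same naming drift appears between `'11: FileCreate.'` (File Modification) and `'11: FileCreate'` (File Creation). Every data source carries the generator's defaults — all five `data_quality` scores at 1 and `available_for_data_analytics: true` — together with the same TODO comment, so a visibility layer built from this file will report uniform full coverage until those scores are actually reviewed. A few mappings also look doubtful and are worth checking against the ATT&CK data-component definitions, notably `'8: CreateRemoteThread.'` listed under Process Creation and `'11: FileCreate.'` listed under File Modification. Whether the less common event types referenced here (17/18, 19–21, 23/26) are emitted at all depends on the rules in `sysmonconfig-export.xml` elsewhere in this commit, which is not shown on this page, so `available_for_data_analytics: true` is only justified for the event IDs that config enables.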

1200
sysmonconfig-export.xml Normal file
