Merge pull request #2744 from Azure/dev/normalization/SysmonProcess

Updated JSON as well for Process Sysmon Linux parser
Ofer Shezaf 2021-07-27 16:13:25 +03:00 коммит произвёл GitHub
Родитель 20623416e0 254f1ae60c
Коммит f795da43e4
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
1 изменённых файлов: 1 добавлений и 1 удалений


@ -28,7 +28,7 @@
"displayName": "ASIM Sysmon/Linux Process Creation Event Parser",
"category": "Security",
"FunctionAlias": "vimProcessCreateLinuxSysmon",
"query": "let ParsedProcessEvent=(){\n// Create the raw table from the raw XML file structure\nSyslog \n//| project-rename EventData = SyslogMessage \n| where SyslogMessage has_all ('<Provider Name=\"Linux-Sysmon\"', '<EventID>1</EventID>')\n| parse SyslogMessage with \n *\n '<EventRecordID>' EventRecordId:int '</EventRecordID>'\n *\n '<Computer>' Computer:string '</Computer>'\n *\n '<Data Name=\"RuleName\">'RuleName // parsing the XML using the original fields name - for readability \n '</Data><Data Name=\"UtcTime\">'UtcTime\n '</Data><Data Name=\"ProcessGuid\">{'ProcessGuid\n '}</Data><Data Name=\"ProcessId\">'ProcessId\n '</Data><Data Name=\"Image\">'Image\n '</Data><Data Name=\"FileVersion\">'FileVersion\n '</Data><Data Name=\"Description\">'Description\n '</Data><Data Name=\"Product\">'Product\n '</Data><Data Name=\"Company\">'Company'</Data>' *\n|extend OriginalFileName = extract (@'\"OriginalFileName\">([^<]+)<',1,SyslogMessage) // this field exists in sysmon version 10.42 and above - using extact to avoid parsing failure\n| parse SyslogMessage with *\n '<Data Name=\"CommandLine\">'CommandLine'</Data>'\n '<Data Name=\"CurrentDirectory\">'CurrentDirectory\n '</Data><Data Name=\"User\">'User\n '</Data><Data Name=\"LogonGuid\">{'LogonGuid\n '}</Data><Data Name=\"LogonId\">'LogonId\n '</Data><Data Name=\"TerminalSessionId\">'TerminalSessionId\n '</Data><Data Name=\"IntegrityLevel\">'IntegrityLevel\n '</Data><Data Name=\"Hashes\">'Hashes\n '</Data><Data Name=\"ParentProcessGuid\">{'ParentProcessGuid\n '}</Data><Data Name=\"ParentProcessId\">'ParentProcessId\n '</Data><Data Name=\"ParentImage\">'ParentImage\n '</Data><Data Name=\"ParentCommandLine\">'ParentCommandLine\n '</Data>' *\n| extend TargetProcessSHA1=extract(@'SHA1=(\\w+)',1, tostring(Hashes)),\n TargetProcessSHA256=extract(@'SHA256=(\\w+)',1, tostring(Hashes)),\n TargetProcessIMPHASH=extract(@'IMPHASH=(\\w+)',1,tostring(Hashes)), // add to the empty schema + Excel file\n 
TargetProcessMD5=extract(@'MD5=(\\w+)',1, tostring(Hashes))\n // End of XML parse\n| extend \n EventType = \"ProcessCreated\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventProduct = \"Event\",\n DvcOs = \"Linux\", // Changed\n TargetUserSessionId = toint(LogonId) , \n TargetUsernameType = \"Simple\",\n // ActorUsernameType = \"Simple\",\n TargetUsername = User,\n TargetProcessCommandLine = CommandLine,\n EventOriginalId = '1' // Set with a constant value to avoid parsing\n\n| project-rename \n // EventMessage = RenderedDescription, // field not available in Linux\n DvcHostName = Computer, // Computer may be different than HostName, in which case HostIP may be incorrect. \n DvcIpAddr = HostIP, \n EventOriginalUid = EventRecordId,\n\n TargetUserSessionGuid = LogonGuid, \n\n TargetProcessId = ProcessId,\n TargetProcessGuid = ProcessGuid,\n TargetProcessName = Image,\n TargetProcessIntegrityLevel = IntegrityLevel,\n \n TargetProcessCompany = Company,\n TargetProcessFileDescription = Description,\n TargetProcessFileVersion = FileVersion,\n TargetProcessFileProduct = Product,\n \n ActingProcessId = ParentProcessId,\n ActingProcessGuid = ParentProcessGuid, \n ActingProcessCommandLine = ParentCommandLine,\n ActingProcessName = ParentImage\n\n // ActorUsername = UserName // Not provided in Linux\n\n| extend // aliases\n // User = TargetUserName,\n Process = TargetProcessName,\n Dvc = DvcHostName,\n Hash = coalesce(TargetProcessSHA256, TargetProcessSHA1, TargetProcessMD5) // which appears first - will be aliases to \"Hash\"\n\n| project-away\n ProcessName, ProcessID\n}; ParsedProcessEvent",
"query": "let ParsedProcessEvent=(){\n// Create the raw table from the raw XML file structure\nSyslog \n| where SyslogMessage has_all ('<Provider Name=\"Linux-Sysmon\"', '<EventID>1</EventID>')\n| parse SyslogMessage with \n *\n '<EventRecordID>' EventRecordId:int '</EventRecordID>'\n *\n '<Computer>' SysmonComputer:string '</Computer>'\n *\n '<Data Name=\"RuleName\">'RuleName // parsing the XML using the original fields name - for readability \n '</Data><Data Name=\"UtcTime\">'UtcTime\n '</Data><Data Name=\"ProcessGuid\">{'ProcessGuid\n '}</Data><Data Name=\"ProcessId\">'ProcessId\n '</Data><Data Name=\"Image\">'Image\n '</Data><Data Name=\"FileVersion\">'FileVersion\n '</Data><Data Name=\"Description\">'Description\n '</Data><Data Name=\"Product\">'Product\n '</Data><Data Name=\"Company\">'Company'</Data>' *\n|extend OriginalFileName = extract (@'\"OriginalFileName\">([^<]+)<',1,SyslogMessage) // this field exists in sysmon version 10.42 and above - using extact to avoid parsing failure\n| parse SyslogMessage with *\n '<Data Name=\"CommandLine\">'CommandLine'</Data>'\n '<Data Name=\"CurrentDirectory\">'CurrentDirectory\n '</Data><Data Name=\"User\">'User\n '</Data><Data Name=\"LogonGuid\">{'LogonGuid\n '}</Data><Data Name=\"LogonId\">'LogonId\n '</Data><Data Name=\"TerminalSessionId\">'TerminalSessionId\n '</Data><Data Name=\"IntegrityLevel\">'IntegrityLevel\n '</Data><Data Name=\"Hashes\">'Hashes\n '</Data><Data Name=\"ParentProcessGuid\">{'ParentProcessGuid\n '}</Data><Data Name=\"ParentProcessId\">'ParentProcessId\n '</Data><Data Name=\"ParentImage\">'ParentImage\n '</Data><Data Name=\"ParentCommandLine\">'ParentCommandLine\n '</Data>' *\n| extend TargetProcessSHA1=extract(@'SHA1=(\\w+)',1, tostring(Hashes)),\n TargetProcessSHA256=extract(@'SHA256=(\\w+)',1, tostring(Hashes)),\n TargetProcessIMPHASH=extract(@'IMPHASH=(\\w+)',1,tostring(Hashes)), // add to the empty schema + Excel file\n TargetProcessMD5=extract(@'MD5=(\\w+)',1, tostring(Hashes))\n // End of 
XML parse\n| extend \n EventType = \"ProcessCreated\",\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventProduct = \"Sysmon For Linux\",\n DvcOs = \"Linux\",\n TargetUserSessionId = toint(LogonId) , \n TargetUsernameType = \"Simple\",\n TargetUsername = User,\n TargetProcessCommandLine = CommandLine,\n EventOriginalId = '1' // Set with a constant value to avoid parsing\n\n| project-rename \n // EventMessage = RenderedDescription, // field not available in Linux\n DvcHostName = SysmonComputer, // Computer may be different than HostName, in which case HostIP may be incorrect. \n DvcIpAddr = HostIP, \n EventOriginalUid = EventRecordId,\n\n TargetUserSessionGuid = LogonGuid, \n\n TargetProcessId = ProcessId,\n TargetProcessGuid = ProcessGuid,\n TargetProcessName = Image,\n TargetProcessIntegrityLevel = IntegrityLevel,\n \n TargetProcessCompany = Company,\n TargetProcessFileDescription = Description,\n TargetProcessFileVersion = FileVersion,\n TargetProcessFileProduct = Product,\n \n ActingProcessId = ParentProcessId,\n ActingProcessGuid = ParentProcessGuid, \n ActingProcessCommandLine = ParentCommandLine,\n ActingProcessName = ParentImage\n\n // ActorUsername = UserName // Not provided in Linux\n\n| extend // aliases\n // User = TargetUserName,\n Process = TargetProcessName,\n Dvc = DvcHostName,\n Hash = coalesce(TargetProcessSHA256, TargetProcessSHA1, TargetProcessMD5) // which appears first - will be aliases to \"Hash\"\n\n| project-away\n ProcessName, ProcessID\n}; ParsedProcessEvent",
"version": 1
}
}
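Review bot: In the new `query` value the second `parse SyslogMessage` copies `CommandLine`, `CurrentDirectory`, `User` and `ParentCommandLine` out of the XML element text verbatim, and nothing downstream decodes XML entities, so if the producer escapes element content (`&amp;`, `&lt;`, `&gt;`, `&quot;`) then `TargetProcessCommandLine` and `ActingProcessCommandLine` carry the entity-encoded form and any rule matching shell metacharacters, redirections or quoted arguments in the normalized command line can miss. I cannot confirm from this page whether Sysmon for Linux escapes its `<Data>` text; it is worth checking against a sample event whose command line contains `&` or `<`. If it does, decode in the `extend` that currently does `TargetProcessCommandLine = CommandLine`, e.g. `TargetProcessCommandLine = replace(@'&amp;', '&', replace(@'&gt;', '>', replace(@'&lt;', '<', CommandLine))),` (decoding `&amp;` last so a literal `&amp;lt;` is not double-decoded), and the same for `ParentCommandLine` before the `project-rename`. Also worth a note in the parser header comment that `has_all` on `'<EventID>1</EventID>'` plus the fixed `<Data Name=...>` order is what ties this parser to the Sysmon schema, so a producer that reorders or omits elements will yield empty fields rather than an error.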