Expanded Fields to show one per line, making it easier to follow and troubleshoot, and improved Hashes handling
Added support to also handle Sysmon Event ID 15 (FileCreateStreamHash). It has a field named Hash. The Jinja template and KQL parser in OSSEM now also handle the Hash field name. Same logic as the Hashes field.
References
https://github.com/OTRF/OSSEM/issues/99
https://github.com/Azure/Azure-Sentinel/pull/1754
Added Original Protected Fields
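The splitting logic the description refers to, written out as an added example in Python rather than as the KQL parser or Jinja template this PR changes (this is not OSSEM's code). It applies the same key=value parsing to the Hashes field and to Event ID 15's Hash field. The sample events are constructed, not real telemetry, and the output field names (hash_md5, hash_sha1, hash_sha256, hash_imphash) are assumed for illustration.

```python
"""Parse Sysmon's comma-separated hash list into one field per algorithm.

Added example, not OSSEM's parser. Covers the Hashes field (ProcessCreate,
ImageLoad and similar events) and the Hash field of Event ID 15
(FileCreateStreamHash), which uses the same "ALG=hex,ALG=hex" layout.
"""
import re

# Expected hex digest length per algorithm; used to drop truncated values.
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "imphash": 32}
HEX_RE = re.compile(r"^[0-9a-f]+$")

# Constructed sample events (not real telemetry). MD5/SHA1/SHA256 are the
# digests of the empty string; IMPHASH is an arbitrary constructed 32-hex value.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "Hashes": "SHA1=DA39A3EE5E6B4B0D3255BFEF95601890AFD80709,"
               "MD5=D41D8CD98F00B204E9800998ECF8427E,"
               "SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,"
               "IMPHASH=00112233445566778899AABBCCDDEEFF"},
    {"EventID": 15, "TargetFilename": r"C:\Users\alice\Downloads\setup.exe:Zone.Identifier",
     "Hash": "MD5=D41D8CD98F00B204E9800998ECF8427E,"
             "SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
    # Event ID 11 (FileCreate) carries no hash field at all.
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\Downloads\setup.exe"},
    # Malformed value: one entry without '=' and one truncated digest.
    {"EventID": 1, "Image": r"C:\Temp\x.exe", "Hashes": "SHA256,MD5=ABC"},
]


def parse_hash_list(value):
    """Split 'ALG=HEX,ALG=HEX' into {'hash_<alg>': lowercase hex}.

    Parses by key rather than position: Sysmon only emits the algorithms
    enabled under <HashAlgorithms> in its configuration, and their order
    follows that configuration. Malformed or wrong-length entries are
    dropped instead of raising, so one bad event does not stop the batch.
    """
    out = {}
    for item in value.split(","):
        if "=" not in item:
            continue
        alg, digest = item.split("=", 1)
        alg = alg.strip().lower()
        digest = digest.strip().lower()
        expected = DIGEST_LEN.get(alg)
        if expected is None or len(digest) != expected or not HEX_RE.match(digest):
            continue
        # Assumed output field naming: hash_md5, hash_sha1, hash_sha256, hash_imphash.
        out["hash_" + alg] = digest
    return out


def normalize_event(event):
    """Return a copy of the event with hash_* fields added.

    The Hashes field and Event ID 15's Hash field go through the same code path.
    """
    out = dict(event)
    raw = event.get("Hashes")
    if raw is None:
        raw = event.get("Hash")
    if raw:
        out.update(parse_hash_list(raw))
    return out


def normalize_events(events):
    """Normalize a list of events; events without a hash field pass through unchanged."""
    return [normalize_event(e) for e in events]


if __name__ == "__main__":
    for e in normalize_events(SAMPLE_EVENTS):
        print({k: v for k, v in e.items() if k == "EventID" or k.startswith("hash_")})
```

Digests are lowercased because Sysmon writes them in uppercase hex while most threat-intel feeds and KQL comparisons are case-sensitive by default; normalizing once at parse time avoids tolower() on every lookup.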