OTRF / OSSEM

Open Source Security Events Metadata (OSSEM)
MIT License
1.22k stars, 212 forks

KQL Sysmon Parser and Jinja Template #100

Closed Cyb3rWard0g closed 3 years ago

Cyb3rWard0g commented 3 years ago

References

https://github.com/OTRF/OSSEM/issues/99
https://github.com/Azure/Azure-Sentinel/pull/1754

Added Original Protected Fields


Expanded fields to show one per line, making it easier to follow and troubleshoot, and improved Hashes handling.


Added support to also handle Sysmon Event ID 15 (FileCreateStreamHash). It has a field named Hash. The Jinja template and KQL parser in OSSEM now also handle the Hash field name, with the same logic as the Hashes field.

<event name="SYSMON_FILE_CREATE_STREAM_HASH" value="15" level="Informational" template="File stream created" rulename="FileCreateStreamHash" ruledefault="exclude" version="2">
  <data name="RuleName" inType="win:UnicodeString" outType="xs:string" />
  <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" />
  <data name="ProcessGuid" inType="win:GUID" />
  <data name="ProcessId" inType="win:UInt32" outType="win:PID" />
  <data name="Image" inType="win:UnicodeString" outType="xs:string" />
  <data name="TargetFilename" inType="win:UnicodeString" outType="xs:string" />
  <data name="CreationUtcTime" inType="win:UnicodeString" outType="xs:string" />
  <data name="Hash" inType="win:UnicodeString" outType="xs:string" />
  <data name="Contents" inType="win:UnicodeString" outType="xs:string" />
</event>

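The PR says the Hash field of Event ID 15 gets the same treatment as the Hashes field: one comma-separated `ALGO=digest` string is split into one column per algorithm. The following is an added illustration of that logic in plain Python, not OSSEM's Jinja template or its generated KQL parser. The function names (`parse_hashes`, `hash_field_for_event`, `extract_event_hashes`, `kql_hash_extends`), the sample digests and the exact KQL text are assumptions made for the example; only the Sysmon field names Hashes/Hash, the Event ID 15 mapping and the algorithm names come from the page and the Sysmon format.

```python
# Added example, not part of OSSEM. Demonstrates the "same logic for Hashes
# and Hash" idea from the PR: split a Sysmon hash string into one value per
# algorithm and show the kind of KQL 'extend' lines a parser emits for it.
from typing import Dict

# Algorithms Sysmon can write into Hashes (most events) or Hash (Event ID 15).
HASH_ALGORITHMS = ("MD5", "SHA1", "SHA256", "IMPHASH")

# Constructed sample value in Sysmon's "ALGO=digest,ALGO=digest" layout.
# The digests are placeholders, not real file hashes.
SAMPLE_HASHES = ",".join([
    "SHA1=" + "0" * 39 + "1",
    "MD5=" + "0" * 31 + "2",
    "SHA256=" + "0" * 63 + "3",
    "IMPHASH=" + "0" * 31 + "4",
])


def parse_hashes(value: str) -> Dict[str, str]:
    """Split 'SHA1=..,MD5=..,SHA256=..,IMPHASH=..' into {algorithm: digest}.

    The same function serves both the Hashes field and the Event ID 15 Hash
    field because the value format is identical. Parts without '=' or with an
    unknown algorithm name are skipped rather than raising, so a malformed
    event does not break the whole parse.
    """
    result: Dict[str, str] = {}
    for part in value.split(","):
        if "=" not in part:
            continue
        name, _, digest = part.partition("=")
        name, digest = name.strip().upper(), digest.strip()
        if name in HASH_ALGORITHMS and digest:
            result[name] = digest
    return result


def hash_field_for_event(event_id: int) -> str:
    """Event ID 15 (FileCreateStreamHash) names its field Hash; every other
    Sysmon event that carries hashes uses Hashes. (Assumed helper name.)"""
    return "Hash" if event_id == 15 else "Hashes"


def extract_event_hashes(event: Dict[str, object]) -> Dict[str, str]:
    """Pick the right field for the event's ID and parse it.

    `event` is a flat dict as a log pipeline would hand it over, e.g.
    {"EventID": 15, "Hash": "SHA1=...,MD5=..."}. Missing field -> empty dict.
    """
    field = hash_field_for_event(int(event.get("EventID", 0)))
    raw = event.get(field)
    return parse_hashes(str(raw)) if raw else {}


def kql_hash_extends(field_name: str) -> str:
    """Return KQL 'extend' lines that split `field_name` into one column per
    algorithm with extract(). Illustrative text, not OSSEM's generated parser;
    extract(regex, captureGroup, text) is the real KQL signature."""
    lines = []
    for algo in HASH_ALGORITHMS:
        lines.append(f'| extend {algo} = extract("{algo}=([^,]+)", 1, {field_name})')
    return "\n".join(lines)


if __name__ == "__main__":
    # Event ID 1 (Hashes) and Event ID 15 (Hash) produce the same columns.
    for event_id in (1, 15):
        ev = {"EventID": event_id, hash_field_for_event(event_id): SAMPLE_HASHES}
        print(event_id, extract_event_hashes(ev))
    print(kql_hash_extends("Hash"))
```

Running the block prints identical per-algorithm dictionaries for an Event ID 1 and an Event ID 15 record, followed by the four KQL lines for the Hash field; swapping `"Hash"` for `"Hashes"` in the last call gives the lines for the other events, which is exactly the single-template, two-field-names approach the PR describes.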