gravwell / kits

A collection of open source Gravwell kits
BSD 2-Clause "Simplified" License

Sysmon Kit: Modify Provider to a macro #184

Open Lawrence-Wellman-Gravwell opened 1 month ago

Lawrence-Wellman-Gravwell commented 1 month ago

What is the feature to be added?

Modify the provider in the sysmon kit to a macro.

Why should we add this feature? (Business justification? What problem is the feature trying to solve?)

This will allow users to change the provider definition across all queries.

Any other comments?

Call-out from a Discord user.

ashnwade commented 1 month ago

Discord user: "Actually, it may be good to not just convert the provider name string into a macro, but the whole use of it in the query header. Reason: a company may have more than just one kind of Sysmon provider, and maybe they want to search across all providers (Windows and Linux) at once in one search / report all of them together in one dashboard. They could then just leave the macro value empty. Just my 2 cents."