Last active
December 30, 2023 11:18
-
-
Save mttaggart/efc870e02eb603943e0dae8ebd54d3dc to your computer and use it in GitHub Desktop.
Sysmon for Linux Pipeline for Elastic Agent
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { "processors": [ | |
| { | |
| "dissect": { | |
| "field": "message", | |
| "pattern": "<Event><System><Provider Name=\"Linux-Sysmon\" Guid=\"{ff032593-a8d3-4f13-b0d6-01fc615a0f97}\"/><EventID>%{event.id}</EventID>", | |
| "description": "Extract Sysmon System Data" | |
| } | |
| }, | |
| { | |
| "dissect": { | |
| "field": "message", | |
| "pattern": "<Event><System><Provider Name=\"Linux-Sysmon\" Guid=\"{ff032593-a8d3-4f13-b0d6-01fc615a0f97}\"/><EventID>1</EventID><Version>%{event.version}</Version><Level>%{event.level}</Level><Task>%{event.task}</Task><Opcode>%{event.opcode}</Opcode><Keywords>%{event.keywords}</Keywords><TimeCreated SystemTime=\"%{event.systemtime}\"/><EventRecordID>%{event.recordid}</EventRecordID><Correlation/><Execution ProcessID=\"%{event.corrpid}\" ThreadID=\"%{event.threadid}\"/><Channel>Linux-Sysmon/Operational</Channel><Computer>%{event.computer}</Computer><Security UserId=\"%{event.uid}\"/></System><EventData><Data Name=\"RuleName\">%{event.rulename}</Data><Data Name=\"UtcTime\">%{event.utctime}</Data><Data Name=\"ProcessGuid\">{%{event.pguid}}</Data><Data Name=\"ProcessId\">%{event.pid}</Data><Data Name=\"Image\">%{event.image}</Data><Data Name=\"FileVersion\">%{event.fileversion}</Data><Data Name=\"Description\">%{event.description}</Data><Data Name=\"Product\">%{event.product}</Data><Data Name=\"Company\">%{event.company}</Data><Data Name=\"OriginalFileName\">%{event.originalfilename}</Data><Data Name=\"CommandLine\">%{event.commandline}</Data><Data Name=\"CurrentDirectory\">%{event.currentdirectory}</Data><Data Name=\"User\">%{event.user}</Data><Data Name=\"LogonGuid\">{%{event.logonguid}}</Data><Data Name=\"LogonId\">%{event.logonid}</Data><Data Name=\"TerminalSessionId\">%{event.terminalsessionid}</Data><Data Name=\"IntegrityLevel\">%{event.integritylevel}</Data><Data Name=\"Hashes\">%{event.hashes}</Data><Data Name=\"ParentProcessGuid\">{%{event.parentguid}}</Data><Data Name=\"ParentProcessId\">%{event.parentpid}</Data><Data Name=\"ParentImage\">%{event.parentimage}</Data><Data Name=\"ParentCommandLine\">%{event.parentcommandline}</Data><Data Name=\"ParentUser\">%{event.parentuser}</Data></EventData></Event>", | |
| "if": "ctx?.event?.id == \"1\"", | |
| "description": "Sysmon Event ID 1" | |
| } | |
| }, | |
| { | |
| "dissect": { | |
| "field": "message", | |
| "pattern": "<Event><System><Provider Name=\"Linux-Sysmon\" Guid=\"{ff032593-a8d3-4f13-b0d6-01fc615a0f97}\"/><EventID>3</EventID><Version>%{event.version}</Version><Level>%{event.level}</Level><Task>%{event.task}</Task><Opcode>%{event.opcode}</Opcode><Keywords>%{event.keywords}</Keywords><TimeCreated SystemTime=\"%{event.systemtime}\"/><EventRecordID>%{event.recordid}</EventRecordID><Correlation/><Execution ProcessID=\"%{event.corrpid}\" ThreadID=\"%{event.threadid}\"/><Channel>Linux-Sysmon/Operational</Channel><Computer>%{event.computer}</Computer><Security UserId=\"%{event.uid}\"/></System><EventData><Data Name=\"RuleName\">%{event.rulename}</Data><Data Name=\"UtcTime\">%{event.utctime}</Data><Data Name=\"ProcessGuid\">{%{event.pguid}}</Data><Data Name=\"ProcessId\">%{event.pid}</Data><Data Name=\"Image\">%{event.image}</Data><Data Name=\"User\">%{event.user}</Data><Data Name=\"Protocol\">%{event.protocol}</Data><Data Name=\"Initiated\">%{event.initiated}</Data><Data Name=\"SourceIsIpv6\">%{event.srcisipv6}</Data><Data Name=\"SourceIp\">%{event.srcip}</Data><Data Name=\"SourceHostname\">%{event.srchost}</Data><Data Name=\"SourcePort\">%{event.srcport}</Data><Data Name=\"SourcePortName\">%{event.srcportname}</Data><Data Name=\"DestinationIsIpv6\">%{event.destisipv6}</Data><Data Name=\"DestinationIp\">%{event.destip}</Data><Data Name=\"DestinationHostname\">%{event.desthost}</Data><Data Name=\"DestinationPort\">%{event.destport}</Data><Data Name=\"DestinationPortName\">%{event.destportname}</Data></EventData></Event>", | |
| "if": "ctx?.event?.id == \"3\"", | |
| "description": "Sysmon Event ID 3" | |
| } | |
| }, | |
| { | |
| "dissect": { | |
| "field": "message", | |
| "pattern": "<Event><System><Provider Name=\"Linux-Sysmon\" Guid=\"{ff032593-a8d3-4f13-b0d6-01fc615a0f97}\"/><EventID>5</EventID><Version>%{event.version}</Version><Level>%{event.level}</Level><Task>%{event.task}</Task><Opcode>%{event.opcode}</Opcode><Keywords>%{event.keywords}</Keywords><TimeCreated SystemTime=\"%{event.systemtime}\"/><EventRecordID>%{event.recordid}</EventRecordID><Correlation/><Execution ProcessID=\"%{event.corrpid}\" ThreadID=\"%{event.threadid}\"/><Channel>Linux-Sysmon/Operational</Channel><Computer>%{event.computer}</Computer><Security UserId=\"%{event.uid}\"/></System><EventData><Data Name=\"RuleName\">%{event.rulename}</Data><Data Name=\"UtcTime\">%{event.utctime}</Data><Data Name=\"ProcessGuid\">{%{event.pguid}}</Data><Data Name=\"ProcessId\">%{event.pid}</Data><Data Name=\"Image\">%{event.image}</Data><Data Name=\"User\">%{event.user}</Data></EventData></Event>", | |
| "if": "ctx?.event?.id == \"5\"", | |
| "description": "Sysmon Event ID 5" | |
| } | |
| }, | |
| { | |
| "dissect": { | |
| "field": "message", | |
| "pattern": "<Event><System><Provider Name=\"Linux-Sysmon\" Guid=\"{ff032593-a8d3-4f13-b0d6-01fc615a0f97}\"/><EventID>11</EventID><Version>%{event.version}</Version><Level>%{event.level}</Level><Task>%{event.task}</Task><Opcode>%{event.opcode}</Opcode><Keywords>%{event.keywords}</Keywords><TimeCreated SystemTime=\"%{event.systemtime}\"/><EventRecordID>%{event.recordid}</EventRecordID><Correlation/><Execution ProcessID=\"%{event.corrpid}\" ThreadID=\"%{event.threadid}\"/><Channel>Linux-Sysmon/Operational</Channel><Computer>%{event.computer}</Computer><Security UserId=\"%{event.uid}\"/></System><EventData><Data Name=\"RuleName\">%{event.rulename}</Data><Data Name=\"UtcTime\">%{event.utctime}</Data><Data Name=\"ProcessGuid\">{%{event.pguid}}</Data><Data Name=\"ProcessId\">%{event.pid}</Data><Data Name=\"Image\">%{event.image}</Data><Data Name=\"TargetFilename\">%{event.targetfilename}</Data><Data Name=\"CreationUtcTime\">%{event.creationutctime}</Data><Data Name=\"User\">%{event.user}</Data></EventData></Event>", | |
| "if": "ctx?.event?.id == \"11\"", | |
| "description": "Sysmon Event ID 11" | |
| } | |
| }, | |
| { | |
| "dissect": { | |
| "field": "message", | |
| "pattern": "<Event><System><Provider Name=\"Linux-Sysmon\" Guid=\"{ff032593-a8d3-4f13-b0d6-01fc615a0f97}\"/><EventID>23</EventID><Version>%{event.version}</Version><Level>%{event.level}</Level><Task>%{event.task}</Task><Opcode>%{event.opcode}</Opcode><Keywords>%{event.keywords}</Keywords><TimeCreated SystemTime=\"%{event.systemtime}\"/><EventRecordID>%{event.recordid}</EventRecordID><Correlation/><Execution ProcessID=\"%{event.corrpid}\" ThreadID=\"%{event.threadid}\"/><Channel>Linux-Sysmon/Operational</Channel><Computer>%{event.computer}</Computer><Security UserId=\"%{event.uid}\"/></System><EventData><Data Name=\"RuleName\">%{event.rulename}</Data><Data Name=\"UtcTime\">%{event.utctime}</Data><Data Name=\"ProcessGuid\">{%{event.pguid}}</Data><Data Name=\"ProcessId\">%{event.pid}</Data><Data Name=\"User\">%{event.user}</Data><Data Name=\"Image\">%{event.image}</Data><Data Name=\"TargetFilename\">%{event.targetfilename}</Data><Data Name=\"Hashes\">%{event.hashes}</Data><Data Name=\"IsExecutable\">%{event.isexecutable}</Data><Data Name=\"Archived\">%{event.archived}</Data></EventData></Event>", | |
| "if": "ctx?.event?.id == \"23\"", | |
| "description": "Sysmon Event ID 23" | |
| } | |
| } | |
| ] | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment