Created
June 22, 2023 10:47
-
-
Save olafhartong/328474bf273842c20a162c015f09bd61 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <manifest schemaversion="4.90" binaryversion="18"> | |
| <configuration> | |
| <options> | |
| <!-- Command-line only options --> | |
| <option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" /> | |
| <option switch="z" name="ClipboardInstance" argument="required" noconfig="true" exclusive="true" /> | |
| <option switch="t" name="DebugMode" argument="optional" noconfig="true" /> | |
| <option switch="btf" name="BTF" argument="optional" noconfig="true" /> | |
| <option switch="service" name="Service" argument="none" noconfig="true" /> | |
| <option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="nologo" name="NoLogo" argument="none" noconfig="true" /> | |
| <option switch="accepteula" name="AcceptEula" argument="none" noconfig="true" /> | |
| <option switch="-" name="ConfigDefault" argument="none" noconfig="true" /> | |
| <!-- Configuration file --> | |
| <option switch="a" name="ArchiveDirectory" argument="required" /> | |
| <option name="CaptureClipboard" argument="none" /> | |
| <option switch="d" name="DriverName" argument="required" /> | |
| <option switch="dns" name="DnsQuery" argument="optional" rule="true" /> | |
| <option switch="g" name="PipeMonitoring" argument="required" rule="true" forceconfig="true" /> | |
| <option switch="h" name="HashAlgorithms" argument="required" /> | |
| <option name="DnsLookup" argument="required" /> | |
| <option switch="k" name="ProcessAccess" argument="required" rule="true" forceconfig="true" /> | |
| <option switch="l" name="ImageLoad" argument="optional" rule="true" /> | |
| <option switch="n" name="NetworkConnect" argument="optional" rule="true" /> | |
| <option switch="r" name="CheckRevocation" argument="optional" /> | |
| <option name="FieldSizes" argument="required" /> | |
| </options> | |
| <filters default="is">is,is not,contains,contains any,is any,contains all,excludes,excludes any,excludes all,begin with,not begin with,end with,not end with,less than,more than,image</filters> | |
| </configuration> | |
| <events> | |
| <event name="SYSMONEVENT_ERROR" value="255" level="Error" template="Error report" version="3"> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ID" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Description" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_CREATE_PROCESS" value="1" level="Informational" template="Process Create" rulename="ProcessCreate" ruledefault="include" version="5"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="FileVersion" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Description" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Product" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Company" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="OriginalFileName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="CommandLine" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="CurrentDirectory" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="User" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="LogonGuid" inType="win:GUID" /> | |
| <data name="LogonId" inType="win:HexInt64" /> | |
| <data name="TerminalSessionId" inType="win:UInt32" /> | |
| <data name="IntegrityLevel" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Hashes" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ParentProcessGuid" inType="win:GUID" /> | |
| <data name="ParentProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="ParentImage" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ParentCommandLine" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ParentUser" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_FILE_TIME" value="2" level="Informational" template="File creation time changed" rulename="FileCreateTime" version="5"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="TargetFilename" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="CreationUtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="PreviousCreationUtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="User" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_NETWORK_CONNECT" value="3" level="Informational" template="Network connection detected" rulename="NetworkConnect" version="5"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="User" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Protocol" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Initiated" inType="win:Boolean" /> | |
| <data name="SourceIsIpv6" inType="win:Boolean" /> | |
| <data name="SourceIp" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="SourceHostname" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="SourcePort" inType="win:UInt16" /> | |
| <data name="SourcePortName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="DestinationIsIpv6" inType="win:Boolean" /> | |
| <data name="DestinationIp" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="DestinationHostname" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="DestinationPort" inType="win:UInt16" /> | |
| <data name="DestinationPortName" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_SERVICE_STATE_CHANGE" value="4" level="Informational" template="Sysmon service state changed" version="3"> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="State" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Version" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="SchemaVersion" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_PROCESS_TERMINATE" value="5" level="Informational" template="Process terminated" rulename="ProcessTerminate" ruledefault="include" version="3"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="User" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_DRIVER_LOAD" value="6" level="Informational" template="Driver loaded" rulename="DriverLoad" version="4"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ImageLoaded" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Hashes" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Signed" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Signature" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="SignatureStatus" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_IMAGE_LOAD" value="7" level="Informational" template="Image loaded" rulename="ImageLoad" version="3"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ImageLoaded" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="FileVersion" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Description" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Product" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Company" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="OriginalFileName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Hashes" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Signed" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Signature" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="SignatureStatus" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="User" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_CREATE_REMOTE_THREAD" value="8" level="Informational" template="CreateRemoteThread detected" rulename="CreateRemoteThread" version="2"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="SourceProcessGuid" inType="win:GUID" /> | |
| <data name="SourceProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="SourceImage" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="TargetProcessGuid" inType="win:GUID" /> | |
| <data name="TargetProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="TargetImage" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="NewThreadId" inType="win:UInt32" /> | |
| <data name="StartAddress" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="StartModule" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="StartFunction" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="SourceUser" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="TargetUser" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_RAWACCESS_READ" value="9" level="Informational" template="RawAccessRead detected" rulename="RawAccessRead" version="2"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Device" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="User" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_ACCESS_PROCESS" value="10" level="Informational" template="Process accessed" rulename="ProcessAccess" version="3"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="SourceProcessGUID" inType="win:GUID" /> | |
| <data name="SourceProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="SourceThreadId" inType="win:UInt32" /> | |
| <data name="SourceImage" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="TargetProcessGUID" inType="win:GUID" /> | |
| <data name="TargetProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="TargetImage" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="GrantedAccess" inType="win:HexInt32" /> | |
| <data name="CallTrace" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="SourceUser" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="TargetUser" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_FILE_CREATE" value="11" level="Informational" template="File created" rulename="FileCreate" ruledefault="exclude" version="2"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="TargetFilename" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="CreationUtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="User" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_REG_KEY" value="12" level="Informational" template="Registry object added or deleted" rulename="RegistryEvent" ruledefault="exclude" version="2"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="EventType" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="TargetObject" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="User" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_REG_SETVALUE" value="13" level="Informational" template="Registry value set" rulename="RegistryEvent" ruledefault="exclude" version="2"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="EventType" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="TargetObject" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Details" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="User" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_REG_NAME" value="14" level="Informational" template="Registry object renamed" rulename="RegistryEvent" ruledefault="exclude" version="2"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="EventType" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="TargetObject" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="NewName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="User" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_FILE_CREATE_STREAM_HASH" value="15" level="Informational" template="File stream created" rulename="FileCreateStreamHash" ruledefault="exclude" version="2"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="TargetFilename" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="CreationUtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Hash" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Contents" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="User" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_SERVICE_CONFIGURATION_CHANGE" value="16" level="Informational" template="Sysmon config state changed" version="3"> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Configuration" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ConfigurationFileHash" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_CREATE_NAMEDPIPE" value="17" level="Informational" template="Pipe Created" rulename="PipeEvent" ruledefault="exclude" version="1"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="EventType" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="PipeName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="User" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_CONNECT_NAMEDPIPE" value="18" level="Informational" template="Pipe Connected" rulename="PipeEvent" ruledefault="exclude" version="1"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="EventType" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="PipeName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="User" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_WMI_FILTER" value="19" level="Informational" template="WmiEventFilter activity detected" rulename="WmiEvent" ruledefault="exclude" version="3"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="EventType" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Operation" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="User" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="EventNamespace" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Name" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Query" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_WMI_CONSUMER" value="20" level="Informational" template="WmiEventConsumer activity detected" rulename="WmiEvent" ruledefault="exclude" version="3"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="EventType" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Operation" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="User" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Name" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Type" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Destination" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_WMI_BINDING" value="21" level="Informational" template="WmiEventConsumerToFilter activity detected" rulename="WmiEvent" ruledefault="exclude" version="3"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="EventType" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Operation" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="User" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Consumer" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Filter" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_DNS_QUERY" value="22" level="Informational" template="Dns query" rulename="DnsQuery" ruledefault="exclude" version="5"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="QueryName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="QueryStatus" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="QueryResults" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="User" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_FILE_DELETE" value="23" level="Informational" template="File Delete archived" rulename="FileDelete" version="5"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="User" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="TargetFilename" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Hashes" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="IsExecutable" inType="win:Boolean" /> | |
| <data name="Archived" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_CLIPBOARD" value="24" level="Informational" template="Clipboard changed" rulename="ClipboardChange" version="5"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Session" inType="win:UInt32" /> | |
| <data name="ClientInfo" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Hashes" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Archived" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="User" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_PROCESS_IMAGE_TAMPERING" value="25" level="Informational" template="Process Tampering" rulename="ProcessTampering" version="5"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Type" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="User" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_FILE_DELETE_DETECTED" value="26" level="Informational" template="File Delete logged" rulename="FileDeleteDetected" version="5"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="User" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="TargetFilename" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Hashes" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="IsExecutable" inType="win:Boolean" /> | |
| </event> | |
| <event name="SYSMONEVENT_FILE_BLOCK_EXE" value="27" level="Informational" template="File Block Executable" rulename="FileBlockExecutable" version="5"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="User" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="TargetFilename" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Hashes" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_FILE_BLOCK_SHREDDING" value="28" level="Informational" template="File Block Shredding" rulename="FileBlockShredding" version="5"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="User" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="TargetFilename" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Hashes" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="IsExecutable" inType="win:Boolean" /> | |
| </event> | |
| <event name="SYSMONEVENT_FILE_EXE_DETECTED" value="29" level="Informational" template="File Executable Detected" rulename="FileExecutableDetected" version="5"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="User" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="TargetFilename" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Hashes" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| </events> | |
| </manifest> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment