Create 109100-win_sysmon_new_events.xml

2025-11-03 05:13:16 +00:00 · 2022-08-08 16:14:48 -05:00
parent ac8f892305
commit 3a450b5a22
1 changed files with 97 additions and 0 deletions
--- a/Events/109100-win_sysmon_new_events.xml
+++ b/Events/109100-win_sysmon_new_events.xml
@@ -0,0 +1,97 @@
+<group name="windows,sysmon,">
+  <rule id="61646" level="3">
+    <if_sid>61600</if_sid>
+    <field name="win.system.eventID">^17$</field>
+    <description>Sysmon - Event 17: PipeEvent (Pipe Created) by $(win.eventdata.image)</description>
+    <options>no_full_log</options>
+    <group>sysmon_event_17,</group>
+  </rule>
+
+  <rule id="61647" level="3">
+    <if_sid>61600</if_sid>
+    <field name="win.system.eventID">^18$</field>
+    <description>Sysmon - Event 18: PipeEvent (Pipe Connected) by $(win.eventdata.image)</description>
+    <options>no_full_log</options>
+    <group>sysmon_event_18,</group>
+  </rule>
+
+  <rule id="61644" level="1">
+    <if_sid>61600</if_sid>
+    <field name="win.system.eventID">^22$</field>
+    <description>Sysmon - Event 22: DNS Request by $(win.eventdata.image)</description>
+    <options>no_full_log</options>
+    <group>sysmon_event_22,</group>
+  </rule>
+
+  <rule id="10003" level="3">
+    <if_sid>61600</if_sid>
+    <field name="win.system.eventID">^19$</field>
+    <description>Sysmon - Event 19:  WmiEvent (WmiEventFilter activity detected) by $(win.eventdata.image)</description>
+    <mitre>
+      <id>T047</id>
+    </mitre>
+    <group>sysmon_event_19,</group>
+  </rule>
+
+  <rule id="10004" level="3">
+    <if_sid>61600</if_sid>
+    <field name="win.system.eventID">^20$</field>
+    <description>Sysmon - Event 20:  WmiEvent (WmiEventConsumer activity detected) by $(win.eventdata.image)</description>
+    <mitre>
+      <id>T047</id>
+    </mitre>
+    <group>sysmon_event_20,</group>
+  </rule>
+
+  <rule id="10005" level="3">
+    <if_sid>61600</if_sid>
+    <field name="win.system.eventID">^21$</field>
+    <description>Sysmon - Event 21: WmiEvent (WmiEventConsumerToFilter activity detected) by $(win.eventdata.image)</description>
+    <mitre>
+      <id>T047</id>
+    </mitre>
+    <group>sysmon_event_21,</group>
+  </rule>
+
+  <rule id="10006" level="3">
+    <if_sid>61600</if_sid>
+    <field name="win.system.eventID">^23$</field>
+    <description>Sysmon - Event 23: FileDelete (A file delete was detected) by $(win.eventdata.image)</description>
+    <mitre>
+      <id>T1107</id>
+      <id>T1485</id>
+    </mitre>
+    <group>sysmon_event_23,</group>
+  </rule>
+
+  <rule id="10007" level="3">
+    <if_sid>61600</if_sid>
+    <field name="win.system.eventID">^24$</field>
+    <description>Sysmon - Event 24: ClipboardChange (New content in the clipboard) by $(win.eventdata.image)</description>
+    <mitre>
+      <id>T1115</id>
+    </mitre>
+    <group>sysmon_event_24,</group>
+  </rule>
+
+  <rule id="10008" level="3">
+    <if_sid>61600</if_sid>
+    <field name="win.system.eventID">^25$</field>
+    <description>Sysmon - Event 25: ProcessTampering (Process image change) by $(win.eventdata.image)</description>
+    <mitre>
+      <id>T1055</id>
+    </mitre>
+    <group>sysmon_event_25,</group>
+  </rule>
+  
+  <rule id="10009" level="12">
+    <if_sid>63103</if_sid>
+    <field name="win.system.channel">Security</field>
+    <description>Windows Security log was cleared.</description>
+    <mitre>
+      <id>T1070</id>
+      <id>T1107</id>
+    </mitre>
+    <group>logs_cleared,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,tsc_CC7.2,tsc_CC7.3,</group>
+  </rule>
+</group>