From 785225a8ab40363fcc8f8cc47b1ed1ec5a63420c Mon Sep 17 00:00:00 2001
From: Kevin Branch <kevin@branchnetconsulting.com>
Date: Fri, 23 Jun 2023 17:52:57 -0400
Subject: [PATCH] corrected field name case in
 200150-sysmon_for_linux_rules.xml

fixed incorrect case on system.eventId to system.eventID
---
 Sysmon Linux/200150-sysmon_for_linux_rules.xml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/Sysmon Linux/200150-sysmon_for_linux_rules.xml b/Sysmon Linux/200150-sysmon_for_linux_rules.xml
index 59305e2..78323ab 100644
--- a/Sysmon Linux/200150-sysmon_for_linux_rules.xml	
+++ b/Sysmon Linux/200150-sysmon_for_linux_rules.xml	
@@ -7,7 +7,7 @@
 <group name="linux,sysmon,">
     <rule id="200150" level="3">
         <decoded_as>sysmon-linux</decoded_as>
-        <field name="system.eventId">\.+</field>
+        <field name="system.eventID">\.+</field>
         <description>Sysmon For Linux Event</description>
         <mitre>
          <id>T1204</id>
@@ -17,7 +17,7 @@
 <!--EventID = 1-->
     <rule id="200151" level="3">
         <if_sid>200150</if_sid>
-        <field name="system.eventId">^1$</field>
+        <field name="system.eventID">^1$</field>
         <description>Sysmon - Event 1: Process creation $(eventdata.image)</description>
         <group>sysmon_event1</group>
         <mitre>
@@ -28,7 +28,7 @@
 <!--EventID = 3-->
     <rule id="200152" level="3">
         <if_sid>200150</if_sid>
-        <field name="system.eventId">^3$</field>
+        <field name="system.eventID">^3$</field>
         <description>Sysmon - Event 3: Network connection by $(eventdata.image)</description>
         <group>sysmon_event3</group>
         <mitre>
@@ -39,7 +39,7 @@
 <!--EventID = 5-->
     <rule id="200153" level="3">
         <if_sid>200150</if_sid>
-        <field name="system.eventId">^5$</field>
+        <field name="system.eventID">^5$</field>
         <description>Sysmon - Event 5: Process terminated $(eventdata.image)</description>
         <group>sysmon_event5</group>
         <mitre>
@@ -50,7 +50,7 @@
 <!--EventID = 9-->
     <rule id="200154" level="3">
         <if_sid>200150</if_sid>
-        <field name="system.eventId">^9$</field>
+        <field name="system.eventID">^9$</field>
         <description>Sysmon - Event 9: Raw Access Read by $(eventdata.image)</description>
         <group>sysmon_event9</group>
         <mitre>
@@ -61,7 +61,7 @@
 <!--EventID = 11-->
     <rule id="200155" level="3">
         <if_sid>200150</if_sid>
-        <field name="system.eventId">^11$</field>
+        <field name="system.eventID">^11$</field>
         <description>Sysmon - Event 11: FileCreate by $(eventdata.image)</description>
 	      <group>sysmon_event_11</group>
         <mitre>
@@ -72,7 +72,7 @@
 <!--EventID = 16-->
     <rule id="200156" level="3">
         <if_sid>200150</if_sid>
-        <field name="system.eventId">^16$</field>
+        <field name="system.eventID">^16$</field>
         <description>Sysmon - Event 16: Sysmon config state changed $(Event.EventData.Data.Configuration)</description>
         <group>sysmon_event_16</group>
         <mitre>
@@ -83,7 +83,7 @@
 <!--EventID = 23-->
     <rule id="200157" level="3">
         <if_sid>200150</if_sid>
-        <field name="system.eventId">^23$</field>
+        <field name="system.eventID">^23$</field>
         <description>Sysmon - Event 23: FileDelete (A file delete was detected) by $(eventdata.image)</description>
         <group>sysmon_event_23</group>
         <mitre>