corrected field name case in 200150-sysmon_for_linux_rules.xml

fixed incorrect case on system.eventId to system.eventID
This commit is contained in:
Kevin Branch
2023-06-23 17:52:57 -04:00
committed by GitHub
parent e051121c8b
commit 785225a8ab


@@ -7,7 +7,7 @@
<group name="linux,sysmon,"> <group name="linux,sysmon,">
<rule id="200150" level="3"> <rule id="200150" level="3">
<decoded_as>sysmon-linux</decoded_as> <decoded_as>sysmon-linux</decoded_as>
<field name="system.eventId">\.+</field> <field name="system.eventID">\.+</field>
<description>Sysmon For Linux Event</description> <description>Sysmon For Linux Event</description>
<mitre> <mitre>
<id>T1204</id> <id>T1204</id>
@@ -17,7 +17,7 @@
<!--EventID = 1--> <!--EventID = 1-->
<rule id="200151" level="3"> <rule id="200151" level="3">
<if_sid>200150</if_sid> <if_sid>200150</if_sid>
<field name="system.eventId">^1$</field> <field name="system.eventID">^1$</field>
<description>Sysmon - Event 1: Process creation $(eventdata.image)</description> <description>Sysmon - Event 1: Process creation $(eventdata.image)</description>
<group>sysmon_event1</group> <group>sysmon_event1</group>
<mitre> <mitre>
@@ -28,7 +28,7 @@
<!--EventID = 3--> <!--EventID = 3-->
<rule id="200152" level="3"> <rule id="200152" level="3">
<if_sid>200150</if_sid> <if_sid>200150</if_sid>
<field name="system.eventId">^3$</field> <field name="system.eventID">^3$</field>
<description>Sysmon - Event 3: Network connection by $(eventdata.image)</description> <description>Sysmon - Event 3: Network connection by $(eventdata.image)</description>
<group>sysmon_event3</group> <group>sysmon_event3</group>
<mitre> <mitre>
@@ -39,7 +39,7 @@
<!--EventID = 5--> <!--EventID = 5-->
<rule id="200153" level="3"> <rule id="200153" level="3">
<if_sid>200150</if_sid> <if_sid>200150</if_sid>
<field name="system.eventId">^5$</field> <field name="system.eventID">^5$</field>
<description>Sysmon - Event 5: Process terminated $(eventdata.image)</description> <description>Sysmon - Event 5: Process terminated $(eventdata.image)</description>
<group>sysmon_event5</group> <group>sysmon_event5</group>
<mitre> <mitre>
@@ -50,7 +50,7 @@
<!--EventID = 9--> <!--EventID = 9-->
<rule id="200154" level="3"> <rule id="200154" level="3">
<if_sid>200150</if_sid> <if_sid>200150</if_sid>
<field name="system.eventId">^9$</field> <field name="system.eventID">^9$</field>
<description>Sysmon - Event 9: Raw Access Read by $(eventdata.image)</description> <description>Sysmon - Event 9: Raw Access Read by $(eventdata.image)</description>
<group>sysmon_event9</group> <group>sysmon_event9</group>
<mitre> <mitre>
@@ -61,7 +61,7 @@
<!--EventID = 11--> <!--EventID = 11-->
<rule id="200155" level="3"> <rule id="200155" level="3">
<if_sid>200150</if_sid> <if_sid>200150</if_sid>
<field name="system.eventId">^11$</field> <field name="system.eventID">^11$</field>
<description>Sysmon - Event 11: FileCreate by $(eventdata.image)</description> <description>Sysmon - Event 11: FileCreate by $(eventdata.image)</description>
<group>sysmon_event_11</group> <group>sysmon_event_11</group>
<mitre> <mitre>
@@ -72,7 +72,7 @@
<!--EventID = 16--> <!--EventID = 16-->
<rule id="200156" level="3"> <rule id="200156" level="3">
<if_sid>200150</if_sid> <if_sid>200150</if_sid>
<field name="system.eventId">^16$</field> <field name="system.eventID">^16$</field>
<description>Sysmon - Event 16: Sysmon config state changed $(Event.EventData.Data.Configuration)</description> <description>Sysmon - Event 16: Sysmon config state changed $(Event.EventData.Data.Configuration)</description>
<group>sysmon_event_16</group> <group>sysmon_event_16</group>
<mitre> <mitre>
@@ -83,7 +83,7 @@
<!--EventID = 23--> <!--EventID = 23-->
<rule id="200157" level="3"> <rule id="200157" level="3">
<if_sid>200150</if_sid> <if_sid>200150</if_sid>
<field name="system.eventId">^23$</field> <field name="system.eventID">^23$</field>
<description>Sysmon - Event 23: FileDelete (A file delete was detected) by $(eventdata.image)</description> <description>Sysmon - Event 23: FileDelete (A file delete was detected) by $(eventdata.image)</description>
<group>sysmon_event_23</group> <group>sysmon_event_23</group>
<mitre> <mitre>
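Review bot: The description of rule 200156 (the `@@ -72` hunk) references `$(Event.EventData.Data.Configuration)`, a field name in a different style from the `eventdata.image` and `system.eventID` names every other rule here uses; if the `sysmon-linux` decoder emits the lowercase dotted names the rest of the file assumes, that placeholder will not resolve and the alert text will carry an empty value, so it should be changed to the decoder's actual configuration field (presumably an `eventdata.`-prefixed name — verify against the decoder output). The group tags are also inconsistent, `sysmon_event1`/`sysmon_event3`/`sysmon_event5`/`sysmon_event9` versus `sysmon_event_11`/`sysmon_event_16`/`sysmon_event_23`, which complicates matching on the group in downstream rules or searches; pick one form, e.g. `<group>sysmon_event_1</group>`. Since the case fix is what makes the child rules start matching at all (field-name lookups being case-sensitive is presumably why the change was needed), it is worth confirming with a sample event that `system.eventID` is the exact key the decoder produces. The enclosing `<group name="linux,sysmon,">` element opens before the first hunk and closes after the last.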