Create MITRE_TECHNIQUES_FROM_SYSMON_EVENT22.xml

2025-11-02 12:53:15 +00:00 · 2022-08-05 16:10:08 -05:00
parent e5c46b0453
commit c40a05c3aa
1 changed files with 35 additions and 0 deletions
--- a/Windows_Sysmon/MITRE_TECHNIQUES_FROM_SYSMON_EVENT22.xml
+++ b/Windows_Sysmon/MITRE_TECHNIQUES_FROM_SYSMON_EVENT22.xml
@@ -0,0 +1,35 @@
+<group name="windows,sysmon,">
+<!-- Sysmon - Event 22: DNS Request by $(win.eventdata.image) -->
+<rule id="121101" level="3">
+<if_sid>61644</if_sid>
+<description>Sysmon - Event 22: DNS Request by $(win.eventdata.image)</description>
+<mitre>
+<id>T1071</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_22,</group>
+</rule>
+<!-- Rule ID 121101 Override if Hostname = AlienVault -->
+<rule id="121102" level="1">
+<if_sid>121101</if_sid>
+<field name="win.eventdata.queryName">^otx\.alienvault\.com$</field>
+<description>Sysmon - Event 22: DNS Request by $(win.eventdata.image)</description>
+<mitre>
+<id>T1071</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_22,</group>
+</rule>
+<!-- Rule ID 121101 Override if Hostname = Local Hostnames -->
+<rule id="121103" level="1">
+<if_sid>121101</if_sid>
+<field name="win.eventdata.queryName">myorg\.org$</field>
+<description>Sysmon - Event 22: DNS Request by $(win.eventdata.image)</description>
+<mitre>
+<id>T1071</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_22,</group>
+</rule>
+
+</group>