Create MITRE_TECHNIQUES_FROM_SYSMON_EVENT22.xml

Windows_Sysmon/MITRE_TECHNIQUES_FROM_SYSMON_EVENT22.xml

@@ -0,0 +1,35 @@
+<group name="windows,sysmon,">
+<!-- Sysmon - Event 22: DNS Request by $(win.eventdata.image) -->
+<rule id="121101" level="3">
+<if_sid>61644</if_sid>
+<description>Sysmon - Event 22: DNS Request by $(win.eventdata.image)</description>
+<mitre>
+<id>T1071</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_22,</group>
+</rule>
+<!-- Rule ID 121101 Override if Hostname = AlienVault -->
+<rule id="121102" level="1">
+<if_sid>121101</if_sid>
+<field name="win.eventdata.queryName">^otx\.alienvault\.com$</field>
+<description>Sysmon - Event 22: DNS Request by $(win.eventdata.image)</description>
+<mitre>
+<id>T1071</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_22,</group>
+</rule>
+<!-- Rule ID 121101 Override if Hostname = Local Hostnames -->
+<rule id="121103" level="1">
+<if_sid>121101</if_sid>
+<field name="win.eventdata.queryName">myorg\.org$</field>
+<description>Sysmon - Event 22: DNS Request by $(win.eventdata.image)</description>
+<mitre>
+<id>T1071</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_22,</group>
+</rule>
+
+</group>