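---
# Sigma backend configuration for the sigma-go backend: maps the generic
# Sigma log sources (category/product) onto Endpoint Security Framework
# (ESF) event types, and Sigma field names onto fields of the ESF events.
title: Endpoint Security Framework log source conditions
order: 20

backends:
  - github.com/bradleyjkemp/sigma-go  # Relies on the JSONPath extension

logsources:
  # Process creation: a single ESF event type.
  esf-process-events:
    category: process_creation
    product: macos
    index: ES_EVENT_TYPE_NOTIFY_EXEC
  # File activity: several ESF event types share one Sigma log source.
  esf-file-events:
    category: file_event
    product: macos
    index:
      - ES_EVENT_TYPE_NOTIFY_CREATE
      - ES_EVENT_TYPE_NOTIFY_OPEN
      - ES_EVENT_TYPE_NOTIFY_WRITE
      - ES_EVENT_TYPE_NOTIFY_CLOSE
      - ES_EVENT_TYPE_NOTIFY_RENAME
      - ES_EVENT_TYPE_NOTIFY_LINK
      # No trailing comma here: in a block sequence the comma becomes part of
      # the string, so rules matching on UNLINK events would silently never
      # fire.
      - ES_EVENT_TYPE_NOTIFY_UNLINK

fieldmappings:
  # Process events
  # NOTE(review): plain field name rather than a `$.` JSONPath like the other
  # mappings — confirm `pid` is a top-level key of the event.
  ProcessId: pid
  ProcessName: $.process.arguments[0]
  Image:
    - $.process.path
    - $.file.process.path  # for file events
  CommandLine: $.process.arguments
  ParentProcessId: $.process.ppid
  # File events
  TargetFilename: $.file.destination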