Here is the beginning of props.conf (default/props.conf) from the TA-microsoft-sysmon:
[XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
#SEDCMD-pwd_rule1 = s/ -pw ([^\s\<])+/ -pw ***MASK***/g
REPORT-sysmon = sysmon-eventid,sysmon-version,sysmon-level,sysmon-task,sysmon-opcode,sysmon-keywords,sysmon-created,sysmon-record,sysmon-correlation,sysmon-channel,sysmon-computer,sysmon-sid,sysmon-data,sysmon-md5,sysmon-sha1,sysmon-sha256,sysmon-imphash,sysmon-hashes,sysmon-filename,sysmon-registry
EVAL-src_ip = SourceIp
EVAL-src_host = SourceHostname
EVAL-src = if(isnotnull(SourceHostname),SourceHostname,SourceIp)
EVAL-src_port = SourcePort
EVAL-action = "allowed"
EVAL-app = Image
EVAL-dest_ip = DestinationIp
Should this be as follows?
[winsysmon://XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
But I am not sure where else the winsysmon index needs defining.
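As an added example that is not part of the original post or of the TA's own files, the fragment below shows how the three Splunk .conf files involved fit together. The index name winsysmon is taken from the question; the stanza forms and file layout are Splunk's standard ones. props.conf stanzas are keyed by sourcetype, [source::...] or [host::...], so the index name never appears in props.conf; the index is defined in indexes.conf on the indexers and selected per input in inputs.conf on the forwarder.

```ini
# Added example, not from the TA or the original post. Each block goes on the
# tier that reads it. Index name "winsysmon" is the poster's; everything else
# is Splunk's conventional layout.

# --- inputs.conf (on the universal forwarder collecting Sysmon) -------------
# Stanza form is WinEventLog://<channel>. renderXml = true makes the forwarder
# emit the event as XML and set the sourcetype to XmlWinEventLog:<channel>,
# which is exactly the stanza name the TA's props.conf keys on. The index is
# chosen here, per input.
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
renderXml = true
index = winsysmon

# --- indexes.conf (on every indexer) ----------------------------------------
# This is the only place the index itself is defined. Paths follow Splunk's
# conventional layout; retention and size limits are omitted here.
[winsysmon]
homePath   = $SPLUNK_DB/winsysmon/db
coldPath   = $SPLUNK_DB/winsysmon/colddb
thawedPath = $SPLUNK_DB/winsysmon/thaweddb

# --- props.conf (the TA's stanza; REPORT-/EVAL- are search time and belong on
#     the search heads, SEDCMD is index time and belongs on the indexers or
#     heavy forwarders that parse the events) -------------------------------
# Keyed by sourcetype. There is no winsysmon:// stanza form in props.conf.
[XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
# Uncommenting the TA's mask rule redacts "-pw <secret>" from the raw event
# before it is written to disk. SEDCMD only runs where parsing happens, so a
# universal forwarder will ignore it.
SEDCMD-pwd_rule1 = s/ -pw ([^\s\<])+/ -pw ***MASK***/g
EVAL-src_ip = SourceIp
EVAL-dest_ip = DestinationIp
```

Once the forwarder and indexers have been restarted, a search such as index=winsysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" | head 1 confirms that events are landing in the new index with the sourcetype the TA expects; if events arrive but the EVAL- fields are empty, the TA is missing from the search head rather than from the indexers.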