@Cyb3rWard0g
Created July 6, 2018 22:34
# Logstash filter: split the Sysmon RuleName field (key=value pairs separated by commas,
# as produced by Sysmon configs that tag each rule with ATT&CK technique metadata)
# into top-level fields prefixed with "mitre_".
filter {
  if [log_name] == "Microsoft-Windows-Sysmon/Operational" {
    # Only parse events that actually carry a RuleName; the guard avoids kv errors on events without one.
    if [event_data][RuleName] {
      kv {
        source        => "[event_data][RuleName]"
        field_split   => ","          # pairs are comma-separated
        value_split   => "="          # each pair is key=value
        prefix        => "mitre_"     # e.g. technique_id -> mitre_technique_id
        transform_key => "lowercase"  # normalise key case before the prefix is applied
      }
    }
  }
}
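To see what the filter above produces, here is an added Python emulation of its kv{} behaviour and conditionals (it is not Logstash and not the gist author's code). The sample events and RuleName values are constructed for illustration; the bare "-" mirrors a RuleName with no configured name, and the log_name/event_data layout is assumed to match the filter's field references.

```python
# Emulation of the gist's Logstash kv{} filter on Sysmon RuleName values.
# Assumption: events are dicts shaped like {"log_name": ..., "event_data": {"RuleName": ...}}.

FIELD_SPLIT = ","       # kv field_split
VALUE_SPLIT = "="       # kv value_split
PREFIX = "mitre_"       # kv prefix
SYSMON_LOG = "Microsoft-Windows-Sysmon/Operational"


def parse_rule_name(rule_name):
    """Split 'k1=v1,k2=v2' into {'mitre_k1': 'v1', ...}, lowercasing keys (transform_key)."""
    fields = {}
    for token in rule_name.split(FIELD_SPLIT):
        if VALUE_SPLIT not in token:
            # kv only extracts key=value pairs; a token such as "-" yields nothing
            continue
        key, value = token.split(VALUE_SPLIT, 1)
        key = key.lower()
        if key:
            fields[PREFIX + key] = value
    return fields


def enrich_event(event):
    """Apply the filter's two conditionals, then add the mitre_* fields at the top level."""
    if event.get("log_name") != SYSMON_LOG:
        return event
    rule_name = event.get("event_data", {}).get("RuleName")
    if not rule_name:                       # mirrors: if [event_data][RuleName]
        return event
    enriched = dict(event)
    enriched.update(parse_rule_name(rule_name))
    return enriched


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {"log_name": SYSMON_LOG,
     "event_data": {"RuleName": "technique_id=T1055,technique_name=Process Injection"}},
    {"log_name": SYSMON_LOG, "event_data": {"RuleName": "-"}},
    {"log_name": "Security", "event_data": {"RuleName": "technique_id=T1055"}},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        out = enrich_event(ev)
        print({k: v for k, v in out.items() if k.startswith(PREFIX)})
```

Running it shows the first event gaining mitre_technique_id and mitre_technique_name, while the "-" RuleName and the non-Sysmon event pass through untouched.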