Created
April 2, 2021 11:20
-
-
Save olafhartong/42b93050b6e0f49742cc3ea151d97f12 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <manifest schemaversion="4.60" binaryversion="14.0"> | |
| <configuration> | |
| <options> | |
| <!-- Command-line only options --> | |
| <option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" /> | |
| <option switch="z" name="ClipboardInstance" argument="required" noconfig="true" exclusive="true" /> | |
| <option switch="t" name="DebugMode" argument="optional" noconfig="true" /> | |
| <option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="nologo" name="NoLogo" argument="none" noconfig="true" /> | |
| <option switch="accepteula" name="AcceptEula" argument="none" noconfig="true" /> | |
| <option switch="-" name="ConfigDefault" argument="none" noconfig="true" /> | |
| <!-- Configuration file --> | |
| <option switch="a" name="ArchiveDirectory" argument="required" /> | |
| <option name="CaptureClipboard" argument="none" /> | |
| <option switch="d" name="DriverName" argument="required" /> | |
| <option switch="dns" name="DnsQuery" argument="optional" rule="true" /> | |
| <option switch="g" name="PipeMonitoring" argument="required" rule="true" forceconfig="true" /> | |
| <option switch="h" name="HashAlgorithms" argument="required" /> | |
| <option name="DnsLookup" argument="required" /> | |
| <option switch="k" name="ProcessAccess" argument="required" rule="true" forceconfig="true" /> | |
| <option switch="l" name="ImageLoad" argument="optional" rule="true" /> | |
| <option switch="n" name="NetworkConnect" argument="optional" rule="true" /> | |
| <option switch="r" name="CheckRevocation" argument="optional" /> | |
| </options> | |
| <filters default="is">is,is not,contains,contains any,is any,contains all,excludes,excludes any,excludes all,begin with,end with,less than,more than,image</filters> | |
| </configuration> | |
| <events> | |
| <event name="SYSMONEVENT_ERROR" value="255" level="Error" template="Error report" version="3"> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ID" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Description" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_CREATE_PROCESS" value="1" level="Informational" template="Process Create" rulename="ProcessCreate" ruledefault="include" version="5"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="FileVersion" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Description" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Product" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Company" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="OriginalFileName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="CommandLine" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="CurrentDirectory" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="User" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="LogonGuid" inType="win:GUID" /> | |
| <data name="LogonId" inType="win:HexInt64" /> | |
| <data name="TerminalSessionId" inType="win:UInt32" /> | |
| <data name="IntegrityLevel" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Hashes" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ParentProcessGuid" inType="win:GUID" /> | |
| <data name="ParentProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="ParentImage" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ParentCommandLine" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_FILE_TIME" value="2" level="Informational" template="File creation time changed" rulename="FileCreateTime" version="5"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="TargetFilename" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="CreationUtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="PreviousCreationUtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_NETWORK_CONNECT" value="3" level="Informational" template="Network connection detected" rulename="NetworkConnect" version="5"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="User" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Protocol" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Initiated" inType="win:Boolean" /> | |
| <data name="SourceIsIpv6" inType="win:Boolean" /> | |
| <data name="SourceIp" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="SourceHostname" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="SourcePort" inType="win:UInt16" /> | |
| <data name="SourcePortName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="DestinationIsIpv6" inType="win:Boolean" /> | |
| <data name="DestinationIp" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="DestinationHostname" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="DestinationPort" inType="win:UInt16" /> | |
| <data name="DestinationPortName" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_SERVICE_STATE_CHANGE" value="4" level="Informational" template="Sysmon service state changed" version="3"> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="State" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Version" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="SchemaVersion" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_PROCESS_TERMINATE" value="5" level="Informational" template="Process terminated" rulename="ProcessTerminate" ruledefault="include" version="3"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_DRIVER_LOAD" value="6" level="Informational" template="Driver loaded" rulename="DriverLoad" version="4"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ImageLoaded" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Hashes" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Signed" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Signature" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="SignatureStatus" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_IMAGE_LOAD" value="7" level="Informational" template="Image loaded" rulename="ImageLoad" version="3"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ImageLoaded" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="FileVersion" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Description" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Product" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Company" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="OriginalFileName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Hashes" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Signed" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Signature" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="SignatureStatus" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_CREATE_REMOTE_THREAD" value="8" level="Informational" template="CreateRemoteThread detected" rulename="CreateRemoteThread" version="2"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="SourceProcessGuid" inType="win:GUID" /> | |
| <data name="SourceProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="SourceImage" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="TargetProcessGuid" inType="win:GUID" /> | |
| <data name="TargetProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="TargetImage" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="NewThreadId" inType="win:UInt32" /> | |
| <data name="StartAddress" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="StartModule" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="StartFunction" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_RAWACCESS_READ" value="9" level="Informational" template="RawAccessRead detected" rulename="RawAccessRead" version="2"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Device" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_ACCESS_PROCESS" value="10" level="Informational" template="Process accessed" rulename="ProcessAccess" version="3"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="SourceProcessGUID" inType="win:GUID" /> | |
| <data name="SourceProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="SourceThreadId" inType="win:UInt32" /> | |
| <data name="SourceImage" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="TargetProcessGUID" inType="win:GUID" /> | |
| <data name="TargetProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="TargetImage" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="GrantedAccess" inType="win:HexInt32" /> | |
| <data name="CallTrace" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_FILE_CREATE" value="11" level="Informational" template="File created" rulename="FileCreate" ruledefault="exclude" version="2"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="TargetFilename" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="CreationUtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_REG_KEY" value="12" level="Informational" template="Registry object added or deleted" rulename="RegistryEvent" ruledefault="exclude" version="2"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="EventType" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="TargetObject" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_REG_SETVALUE" value="13" level="Informational" template="Registry value set" rulename="RegistryEvent" ruledefault="exclude" version="2"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="EventType" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="TargetObject" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Details" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_REG_NAME" value="14" level="Informational" template="Registry object renamed" rulename="RegistryEvent" ruledefault="exclude" version="2"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="EventType" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="TargetObject" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="NewName" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_FILE_CREATE_STREAM_HASH" value="15" level="Informational" template="File stream created" rulename="FileCreateStreamHash" ruledefault="exclude" version="2"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="TargetFilename" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="CreationUtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Hash" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Contents" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_SERVICE_CONFIGURATION_CHANGE" value="16" level="Informational" template="Sysmon config state changed" version="3"> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Configuration" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ConfigurationFileHash" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_CREATE_NAMEDPIPE" value="17" level="Informational" template="Pipe Created" rulename="PipeEvent" ruledefault="exclude" version="1"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="EventType" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="PipeName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_CONNECT_NAMEDPIPE" value="18" level="Informational" template="Pipe Connected" rulename="PipeEvent" ruledefault="exclude" version="1"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="EventType" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="PipeName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_WMI_FILTER" value="19" level="Informational" template="WmiEventFilter activity detected" rulename="WmiEvent" ruledefault="exclude" version="3"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="EventType" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Operation" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="User" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="EventNamespace" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Name" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Query" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_WMI_CONSUMER" value="20" level="Informational" template="WmiEventConsumer activity detected" rulename="WmiEvent" ruledefault="exclude" version="3"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="EventType" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Operation" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="User" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Name" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Type" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Destination" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_WMI_BINDING" value="21" level="Informational" template="WmiEventConsumerToFilter activity detected" rulename="WmiEvent" ruledefault="exclude" version="3"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="EventType" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Operation" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="User" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Consumer" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Filter" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_DNS_QUERY" value="22" level="Informational" template="Dns query" rulename="DnsQuery" ruledefault="exclude" version="5"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="QueryName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="QueryStatus" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="QueryResults" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_FILE_DELETE" value="23" level="Informational" template="File Delete archived" rulename="FileDelete" version="5"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="User" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="TargetFilename" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Hashes" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="IsExecutable" inType="win:Boolean" /> | |
| <data name="Archived" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_CLIPBOARD" value="24" level="Informational" template="Clipboard changed" rulename="ClipboardChange" version="5"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Session" inType="win:UInt32" /> | |
| <data name="ClientInfo" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Hashes" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Archived" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_PROCESS_IMAGE_TAMPERING" value="25" level="Informational" template="Process Tampering" rulename="ProcessTampering" version="5"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Type" inType="win:UnicodeString" outType="xs:string" /> | |
| </event> | |
| <event name="SYSMONEVENT_FILE_DELETE_DETECTED" value="26" level="Informational" template="File Delete logged" rulename="FileDeleteDetected" version="5"> | |
| <data name="RuleName" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="ProcessGuid" inType="win:GUID" /> | |
| <data name="ProcessId" inType="win:UInt32" outType="win:PID" /> | |
| <data name="User" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Image" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="TargetFilename" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="Hashes" inType="win:UnicodeString" outType="xs:string" /> | |
| <data name="IsExecutable" inType="win:Boolean" /> | |
| </event> | |
| </events> | |
| </manifest> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment