Collect Microsoft Windows Sysmon logs
This document:
- Describes the deployment architecture, installation steps, and configuration required to generate logs that are supported by the Google Security Operations parser for Microsoft Windows Sysmon events. For an overview of Google Security Operations data ingestion, see Data ingestion to Google Security Operations.
- Includes information about how the parser maps fields in the original log to Google Security Operations Unified Data Model fields.
The information in this document applies to the parser with the WINDOWS_SYSMON ingestion label. The ingestion label identifies the parser that normalizes raw log data into the structured UDM format.
Before you begin
Review the recommended deployment architecture
This diagram shows the key components recommended in a deployment architecture to collect Microsoft Windows Sysmon data and send it to Google Security Operations. Compare this information with your environment to make sure these components are installed. Each customer deployment differs from this representation and may be more complex. The following are required:
- Systems in the deployment architecture are configured in the UTC time zone.
- Sysmon is installed on servers, endpoints, and domain controllers.
- The collector Microsoft Windows server receives logs from servers, endpoints, and domain controllers.
- Microsoft Windows systems in the deployment architecture use the following:
  - Source-initiated subscriptions to collect events from multiple devices
  - The WinRM service for remote system management
- NXLog is installed on the collector Windows server to forward logs to the Google Security Operations forwarder.
- The Google Security Operations forwarder is installed on a central Microsoft Windows server or Linux server.
Review supported devices and versions
The Google Security Operations parser supports logs generated by the following Microsoft Windows Server versions. Microsoft Windows Server is released in Foundation, Essentials, Standard, and Datacenter editions. The event schema of the logs generated by each edition does not differ.
- Microsoft Windows Server 2019
- Microsoft Windows Server 2016
- Microsoft Windows Server 2012
The Google Security Operations parser supports logs generated by the following:
- Microsoft Windows 7 and later client systems
- Sysmon version 13.24
The Google Security Operations parser supports logs collected by NXLog Community or Enterprise Edition.
Review supported log types
The Google Security Operations parser supports the following log types generated by Microsoft Windows Sysmon. For details about these log types, see the Microsoft Windows Sysmon documentation. Logs generated in English text are supported; logs generated in non-English languages are not supported.
| Log type | Description |
|---|---|
| Sysmon log | The Sysmon channel has 27 event IDs (event IDs 1 through 26, and 255). For a description of this log type, see the Microsoft Windows Sysmon Events documentation. |
Configure Microsoft Windows servers, endpoints, and domain controllers
- Install and configure the servers, endpoints, and domain controllers. For details, see the Microsoft Windows Sysmon Configuration documentation.
- Set up the collector Microsoft Windows server to parse the logs collected from multiple systems.
- Set up the central Microsoft Windows or Linux server.
- Configure all systems in the UTC time zone.
- Configure the devices to forward logs to the collector Microsoft Windows server.
- Configure source-initiated subscriptions on the Microsoft Windows systems. For details, see Setting up a Source Initiated Subscription.
- Enable WinRM on the Microsoft Windows servers and clients. For details, see Installation and Configuration for Windows Remote Management.
Configure the Bindplane agent
Use the Bindplane agent to collect Windows Sysmon logs.
After installation, the Bindplane Agent service appears in the Windows services list as the observIQ service.
- Install the Bindplane agent on the Windows server that runs the collector. For details about installing the Bindplane agent, see the Bindplane agent installation instructions.
- Create the Bindplane agent configuration file with the following content:

  ```yaml
  receivers:
    windowseventlog/sysmon:
      channel: Microsoft-Windows-Sysmon/Operational
      raw: true
  processors:
    batch:
  exporters:
    chronicle/winsysmon:
      endpoint: https://malachiteingestion-pa.googleapis.com
      creds: '{
        "type": "service_account",
        "project_id": "malachite-projectname",
        "private_key_id": PRIVATE_KEY_ID,
        "private_key": PRIVATE_KEY,
        "client_email": "SERVICE_ACCOUNT_NAME@malachite-PROJECT_ID.iam.gserviceaccount.com",
        "client_id": CLIENT_ID,
        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
        "token_uri": "https://oauth2.googleapis.com/token",
        "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
        "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_NAME%40malachite-PROJECT_ID.iam.gserviceaccount.com",
        "universe_domain": "googleapis.com"
      }'
      log_type: 'WINDOWS_SYSMON'
      override_log_type: false
      raw_log_field: body
      customer_id: CUSTOMER_ID
  service:
    pipelines:
      logs/winsysmon:
        receivers:
          - windowseventlog/sysmon
        processors: [batch]
        exporters: [chronicle/winsysmon]
  ```

- Replace PRIVATE_KEY_ID, PRIVATE_KEY, SERVICE_ACCOUNT_NAME, PROJECT_ID, CLIENT_ID, and CUSTOMER_ID with the corresponding values from the service account JSON file, which you can download from Google Cloud Platform. For details about service account keys, see Create and delete service account keys.
- To start the observIQ agent service, select Services > Extended > observIQ service > Start.
Configure NXLog and the Google Security Operations forwarder
- Install NXLog on the collector that runs on the Windows server. Follow the NXLog documentation, which includes information about configuring NXLog to collect logs from Sysmon.
- Create the configuration file for NXLog. Use the im_msvistalog input module. The following is an example NXLog configuration. Replace the HOSTNAME and PORT values with the information for the target central Microsoft Windows or Linux server. For details, see the NXLog documentation for the om_tcp module.

  ```
  define ROOT C:\Program Files\nxlog
  define SYSMON_OUTPUT_DESTINATION_ADDRESS HOSTNAME
  define SYSMON_OUTPUT_DESTINATION_PORT PORT
  define CERTDIR %ROOT%\cert
  define CONFDIR %ROOT%\conf
  define LOGDIR %ROOT%\data
  define LOGFILE %LOGDIR%\nxlog.log
  LogFile %LOGFILE%
  Moduledir %ROOT%\modules
  CacheDir %ROOT%\data
  Pidfile %ROOT%\data\nxlog.pid
  SpoolDir %ROOT%\data

  <Extension _json>
      Module xm_json
  </Extension>

  <Input windows_sysmon_eventlog>
      Module im_msvistalog
      <QueryXML>
          <QueryList>
              <Query Id="0">
                  <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
              </Query>
          </QueryList>
      </QueryXML>
      ReadFromLast False
      SavePos False
  </Input>

  <Output out_chronicle_sysmon>
      Module om_tcp
      Host %SYSMON_OUTPUT_DESTINATION_ADDRESS%
      Port %SYSMON_OUTPUT_DESTINATION_PORT%
      Exec $EventTime = integer($EventTime) / 1000;
      Exec $EventReceivedTime = integer($EventReceivedTime) / 1000;
      Exec to_json();
  </Output>

  <Route r2>
      Path windows_sysmon_eventlog => out_chronicle_sysmon
  </Route>
  ```

- Install the Google Security Operations forwarder on the central Microsoft Windows or Linux server. For details about installing and configuring the forwarder, see Install and configure the forwarder on Linux or Install and configure the forwarder on Microsoft Windows.
- Configure the Google Security Operations forwarder to send logs to Google Security Operations. The following is an example forwarder configuration:

  ```yaml
  - syslog:
      common:
        enabled: true
        data_type: WINDOWS_SYSMON
        data_hint:
        batch_n_seconds: 10
        batch_n_bytes: 1048576
      tcp_address: 0.0.0.0:10518
      connection_timeout_sec: 60
  ```

- Start the NXLog service.
Supported Windows Sysmon log formats
The Windows Sysmon parser supports logs in JSON and XML formats.
Supported Windows Sysmon sample logs
- JSON:

  ```json
  {
    "EventTime": 1611175283,
    "Hostname": "dummy10-1.user12.local",
    "Keywords": -9223372036854775808,
    "EventType": "INFO",
    "SeverityValue": 2,
    "Severity": "INFO",
    "EventID": 1,
    "SourceName": "Microsoft-Windows-Sysmon",
    "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
    "Version": 5,
    "Task": 1,
    "OpcodeValue": 0,
    "RecordNumber": 8846,
    "ProcessID": 1184,
    "ThreadID": 2568,
    "Channel": "Microsoft-Windows-Sysmon/Operational",
    "Domain": "NT AUTHORITY",
    "AccountName": "SYSTEM",
    "UserID": "S-1-2-3",
    "AccountType": "User",
    "Message": "Process Create:\r\nRuleName: -\r\nUtcTime: 2021-09-13 06:34:03.015\r\nProcessGuid: {de2dee9a-f0db-613e-7017-000000001100}\r\nProcessId: 5440\r\nImage: C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe\\Calculator.exe\r\nFileVersion: -\r\nDescription: -\r\nProduct: -\r\nCompany: -\r\nOriginalFileName: -\r\nCommandLine: \"C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe\\Calculator.exe\" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca\r\nCurrentDirectory: C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe\\\r\nUser: DUMMY10-1\\admin\r\nLogonGuid: {de2dee9a-8d8d-6138-3c16-120000000000}\r\nLogonId: 0x12163C\r\nTerminalSessionId: 1\r\nIntegrityLevel: AppContainer\r\nHashes: SHA256=1BE51B1664853ACCA05B402FBB441456D0A6FA57D70BAED476434CF8F686E15F\r\nParentProcessGuid: {de2dee9a-8a98-6138-0d00-000000001100}\r\nParentProcessId: 924\r\nParentImage: C:\\Windows\\System32\\svchost.exe\r\nParentCommandLine: C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p",
    "Category": "Process Create (rule: ProcessCreate)",
    "Opcode": "Info",
    "RuleName": "-",
    "UtcTime": "2021-09-13 06:34:03.015",
    "ProcessGuid": "{de2dee9a-f0db-613e-7017-000000001100}",
    "Image": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe\\Calculator.exe",
    "FileVersion": "-",
    "Description": "-",
    "Product": "-",
    "Company": "-",
    "OriginalFileName": "-",
    "CommandLine": "\"C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe\\Calculator.exe\" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca",
    "CurrentDirectory": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe\\",
    "User": "DUMMY10-1\\admin",
    "LogonGuid": "{de2dee9a-8d8d-6138-3c16-120000000000}",
    "LogonId": "0x12163c",
    "TerminalSessionId": "1",
    "IntegrityLevel": "AppContainer",
    "Hashes": "SHA256=1BE51B1664853ACCA05B402FBB441456D0A6FA57D70BAED476434CF8F686E15F",
    "ParentProcessGuid": "{de2dee9a-8a98-6138-0d00-000000001100}",
    "ParentProcessId": "924",
    "ParentImage": "C:\\Windows\\System32\\svchost.exe",
    "ParentCommandLine": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p",
    "EventReceivedTime": 1611175286,
    "SourceModuleName": "windows_sysmon_eventlog",
    "SourceModuleType": "im_msvistalog"
  }
  ```
- XML:

  ```xml
  <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
    <System>
      <Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/>
      <EventID>7</EventID>
      <Version>3</Version>
      <Level>4</Level>
      <Task>7</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8000000000000000</Keywords>
      <TimeCreated SystemTime='2024-11-14T15:41:55.9275040Z'/>
      <EventRecordID>15560430</EventRecordID>
      <Correlation/>
      <Execution ProcessID='2124' ThreadID='6004'/>
      <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
      <Computer>testcomputer.example.org</Computer>
      <Security UserID='S-1-5-18'/>
    </System>
    <EventData>
      <Data Name='RuleName'>technique_id=T1047,technique_name=Windows Management Instrumentation</Data>
      <Data Name='UtcTime'>2024-11-14 15:41:55.918</Data>
      <Data Name='ProcessGuid'>{de61df1c-1a43-6736-a863-00000000ad00}</Data>
      <Data Name='ProcessId'>20728</Data>
      <Data Name='Image'>C:\Program Files\SourceFile\SourceFile.exe</Data>
      <Data Name='ImageLoaded'>C:\Windows\System32\wbem\imagename.dll</Data>
      <Data Name='FileVersion'>10.0.22621.3672 (WinBuild.160101.0800)</Data>
      <Data Name='Description'>WMI</Data>
      <Data Name='Product'>Microsoft® Windows® Operating System</Data>
      <Data Name='Company'>Microsoft Corporation</Data>
      <Data Name='OriginalFileName'>originalimagename.dll</Data>
      <Data Name='Hashes'>SHA1=AB20D0B71E38A3BF130100BE2F85D32F29D04697,MD5=2C6D07DCF4CDD6177B67F210019D5C61,SHA256=413CDAACD75C19725591059F70CB7F1C0C1AEAA6E1D43C70A687310859C1813F,IMPHASH=472A202488B9A8A8072E75ADE4EC1496</Data>
      <Data Name='Signed'>true</Data>
      <Data Name='Signature'>Microsoft Windows</Data>
      <Data Name='SignatureStatus'>Valid</Data>
      <Data Name='User'>Test\TestUser</Data>
    </EventData>
  </Event>
  ```

Field mapping reference: device event fields to UDM fields
This section describes how the parser maps the original log fields to Unified Data Model (UDM) fields. Field mappings can differ by event ID.
Field mapping reference: event identifiers to event types
The following table lists the event identifiers of the WINDOWS_SYSMON log type and their corresponding UDM event types.
| Event Identifier | Event Type | Security Category | 
|---|---|---|
| 1 | PROCESS_LAUNCH |  | 
| 2 | FILE_MODIFICATION |  | 
| 3 | NETWORK_CONNECTION |  | 
| 4 | SETTING_MODIFICATION |  | 
| 5 | PROCESS_TERMINATION |  | 
| 6 | PROCESS_MODULE_LOAD |  | 
| 7 | PROCESS_MODULE_LOAD |  | 
| 8 | PROCESS_MODULE_LOAD |  | 
| 9 | FILE_READ |  | 
| 10 | PROCESS_OPEN |  | 
| 11 | FILE_CREATION |  | 
| 12 | If the `Message` log field value matches the regular expression pattern `CreateKey\|CreateValue`, then the `metadata.event_type` UDM field is set to `REGISTRY_CREATION`. Else, if the `Message` log field value matches the regular expression pattern `DeleteKey\|DeleteValue`, then the `target.resource.name` UDM field is set to `REGISTRY_DELETION`. Else, the `target.resource.name` UDM field is set to `REGISTRY_MODIFICATION`. |  |
| 13 | REGISTRY_MODIFICATION |  | 
| 14 | REGISTRY_MODIFICATION |  | 
| 15 | FILE_CREATION |  | 
| 16 | SETTING_MODIFICATION |  | 
| 17 | PROCESS_UNCATEGORIZED |  | 
| 18 | PROCESS_UNCATEGORIZED |  | 
| 19 | USER_RESOURCE_ACCESS |  | 
| 20 | USER_RESOURCE_ACCESS |  | 
| 21 | USER_RESOURCE_ACCESS |  | 
| 22 | NETWORK_DNS |  | 
| 23 | FILE_DELETION |  | 
| 24 | RESOURCE_READ |  | 
| 25 | PROCESS_LAUNCH |  | 
| 26 | FILE_DELETION |  | 
| 255 | SERVICE_UNSPECIFIED |  | 
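To make the mapping rules concrete, the following added example (written for this page; it is not Google Security Operations parser code) parses one JSON event and one XML event, trimmed and constructed from the sample logs earlier in this document, and applies a subset of the rules from the event-type table above and the WINDOWS_SYSMON field mapping table that follows: the Event ID 12 `Message` regular expression, the `SYSMON:` prefix on process GUIDs, the `DOMAIN\user` split of the `User` field, the SID pattern for `UserID`, and the KV extraction of `Hashes`. The `GENERIC_EVENT` fallback for event IDs missing from the table is an assumption of this example, not something the page states.

```python
"""Added example (not Google Security Operations parser code): a subset of this page's Sysmon-to-UDM rules."""
import json
import re
import xml.etree.ElementTree as ET

# Event ID -> metadata.event_type, copied from the event-identifier table (ID 12 is decided in code).
EVENT_TYPE_BY_ID = {
    1: "PROCESS_LAUNCH", 2: "FILE_MODIFICATION", 3: "NETWORK_CONNECTION", 4: "SETTING_MODIFICATION",
    5: "PROCESS_TERMINATION", 6: "PROCESS_MODULE_LOAD", 7: "PROCESS_MODULE_LOAD", 8: "PROCESS_MODULE_LOAD",
    9: "FILE_READ", 10: "PROCESS_OPEN", 11: "FILE_CREATION", 13: "REGISTRY_MODIFICATION",
    14: "REGISTRY_MODIFICATION", 15: "FILE_CREATION", 16: "SETTING_MODIFICATION", 17: "PROCESS_UNCATEGORIZED",
    18: "PROCESS_UNCATEGORIZED", 19: "USER_RESOURCE_ACCESS", 20: "USER_RESOURCE_ACCESS",
    21: "USER_RESOURCE_ACCESS", 22: "NETWORK_DNS", 23: "FILE_DELETION", 24: "RESOURCE_READ",
    25: "PROCESS_LAUNCH", 26: "FILE_DELETION", 255: "SERVICE_UNSPECIFIED",
}
SID_RE = re.compile(r"S-\d-(\d+-){1,14}\d+")  # pattern from the UserID row of the field mapping table
HASH_FIELDS = {"MD5": "target.process.file.md5", "SHA1": "target.process.file.sha1",
               "SHA256": "target.process.file.sha256", "IMPHASH": "target.process.file.file_metadata.pe.import_hash"}
WIN_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def event_type(event_id, message=""):
    """Event ID 12 depends on the Message text; every other ID is a direct table lookup."""
    if event_id == 12:
        if re.search(r"CreateKey|CreateValue", message):
            return "REGISTRY_CREATION"
        if re.search(r"DeleteKey|DeleteValue", message):
            return "REGISTRY_DELETION"
        return "REGISTRY_MODIFICATION"
    # Assumption: the page does not say what unlisted IDs become; GENERIC_EVENT is this example's choice.
    return EVENT_TYPE_BY_ID.get(event_id, "GENERIC_EVENT")


def parse_hashes(hashes):
    """KV extraction of 'SHA1=..,MD5=..,SHA256=..,IMPHASH=..' into {algorithm: hex digest}."""
    pairs = (part.partition("=") for part in hashes.split(","))
    return {key.strip().upper(): value.strip() for key, sep, value in pairs if sep}


def parse_xml_event(text):
    """Flatten Windows Event XML: <System> children plus each <Data Name=...> element."""
    root = ET.fromstring(text)
    fields = {}
    for child in root.find("e:System", WIN_NS):
        tag = child.tag.split("}", 1)[1]
        if tag == "Security":  # the SID is an attribute, not element text
            fields["UserID"] = child.get("UserID", "")
        elif child.text and child.text.strip():
            fields[tag] = child.text.strip()
    for data in root.find("e:EventData", WIN_NS).findall("e:Data", WIN_NS):
        fields[data.get("Name")] = (data.text or "").strip()
    return fields


def to_udm(fields):
    """Apply the field mapping table's rules for the fields this example covers."""
    eid = int(fields["EventID"])
    user = fields.get("User", "")
    domain, _, userid = user.rpartition("\\")  # User row: 'DOMAIN\user' split
    udm = {
        "metadata.vendor_name": "Microsoft",
        "metadata.product_name": "Microsoft-Windows-Sysmon",
        "metadata.product_event_type": "Error - [255]" if eid == 255 else str(eid),
        "metadata.event_type": event_type(eid, fields.get("Message", "")),
        "security_result.rule_name": f"EventID: {eid}",
        "principal.hostname": fields.get("Hostname") or fields.get("Computer", ""),
        "principal.administrative_domain": domain or fields.get("Domain", ""),
    }
    if eid != 24 and userid:
        udm["principal.user.userid"] = userid
    sid = fields.get("UserID", "")
    if SID_RE.fullmatch(sid):  # UserID row: a well-formed SID goes to windows_sid, anything else to a label
        udm["principal.user.windows_sid"] = sid
    elif sid and sid != user:
        udm["principal.user.attribute.labels[user_id]"] = sid
    for algo, digest in parse_hashes(fields.get("Hashes", "")).items():
        if algo in HASH_FIELDS:
            udm[HASH_FIELDS[algo]] = digest
    if eid == 1:  # Process Create: the parent process is the principal, the new process the target
        udm["principal.process.file.full_path"] = fields.get("ParentImage", "")
        udm["principal.process.product_specific_process_id"] = "SYSMON:" + fields.get("ParentProcessGuid", "")
        udm["target.process.file.full_path"] = fields.get("Image", "")
        udm["target.process.command_line"] = fields.get("CommandLine", "")
        udm["target.process.product_specific_process_id"] = "SYSMON:" + fields.get("ProcessGuid", "")
    elif eid == 7:  # Image Loaded: the loaded module is the target file
        udm["target.process.file.full_path"] = fields.get("ImageLoaded", "")
    return udm


# Constructed samples, trimmed from the JSON and XML sample logs on this page.
SAMPLE_JSON = r'''{"Hostname": "dummy10-1.user12.local", "EventID": 1, "UserID": "S-1-2-3",
 "Message": "Process Create:\r\nRuleName: -", "User": "DUMMY10-1\\admin",
 "ProcessGuid": "{de2dee9a-f0db-613e-7017-000000001100}", "Image": "C:\\Windows\\System32\\calc.exe",
 "CommandLine": "\"C:\\Windows\\System32\\calc.exe\"", "ParentImage": "C:\\Windows\\System32\\svchost.exe",
 "ParentProcessGuid": "{de2dee9a-8a98-6138-0d00-000000001100}", "ParentProcessId": "924",
 "Hashes": "SHA256=1BE51B1664853ACCA05B402FBB441456D0A6FA57D70BAED476434CF8F686E15F"}'''
SAMPLE_XML = r'''<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
 <System><EventID>7</EventID><Computer>testcomputer.example.org</Computer>
  <Security UserID='S-1-5-18'/></System>
 <EventData><Data Name='ProcessGuid'>{de61df1c-1a43-6736-a863-00000000ad00}</Data>
  <Data Name='Image'>C:\Program Files\SourceFile\SourceFile.exe</Data>
  <Data Name='ImageLoaded'>C:\Windows\System32\wbem\imagename.dll</Data>
  <Data Name='Hashes'>SHA1=AB20D0B71E38A3BF130100BE2F85D32F29D04697,MD5=2C6D07DCF4CDD6177B67F210019D5C61,SHA256=413CDAACD75C19725591059F70CB7F1C0C1AEAA6E1D43C70A687310859C1813F,IMPHASH=472A202488B9A8A8072E75ADE4EC1496</Data>
  <Data Name='User'>Test\TestUser</Data></EventData></Event>'''

if __name__ == "__main__":
    for fields in (json.loads(SAMPLE_JSON), parse_xml_event(SAMPLE_XML)):
        print(json.dumps(to_udm(fields), indent=2))
```

Running the file prints both normalized events. The JSON path needs no parsing beyond `json.loads` because NXLog and the Bindplane receiver already emit the event fields as top-level keys, whereas the XML path has to lift the SID out of the `Security` element's attribute and the Sysmon fields out of `Data Name=...` elements before the same `to_udm` rules apply.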
Field mapping reference: WINDOWS_SYSMON
The following table lists the log fields of the WINDOWS_SYSMON log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic |
|---|---|---|
| SourceName |  |  |
|  | metadata.vendor_name | The `metadata.vendor_name` UDM field is set to `Microsoft`. |
|  | metadata.product_name | The `metadata.product_name` UDM field is set to `Microsoft-Windows-Sysmon`. |
| UtcTime | metadata.event_timestamp |  |
| EventID | metadata.product_event_type | If the `EventID` log field value is equal to `255`, then the `metadata.product_event_type` UDM field is set to `Error - [255]`. Else, the `EventID` log field is mapped to the `metadata.product_event_type` UDM field. |
| RecordNumber | metadata.product_log_id |  |
| EventRecordID | metadata.product_log_id |  |
| Version | metadata.product_version | If the `EventID` log field value is equal to `4`, then the `Version` log field is mapped to the `metadata.product_version` UDM field. |
| QueryResults | network.dns.answers.data | The `type_value` and `data_value` fields are extracted from the `QueryResults` log field using the Grok pattern. If the `EventID` log field value is equal to `22`, then the `data_value` extracted field is mapped to the `network.dns.answers.data` UDM field. |
| QueryResults | network.dns.answers.type | The `type_value` and `data_value` fields are extracted from the `QueryResults` log field using the Grok pattern. If the `EventID` log field value is equal to `22`, then the `type_value` extracted field is mapped to the `network.dns.answers.type` UDM field. |
| QueryName | network.dns.questions.name | If the `EventID` log field value is equal to `22`, then the `QueryName` log field is mapped to the `network.dns.questions.name` UDM field. |
| Protocol | network.ip_protocol | If the `EventID` log field value is equal to `3`, then the `Protocol` log field is mapped to the `network.ip_protocol` UDM field. |
| ParentCommandLine | principal.process.command_line | If the `EventID` log field value is equal to `1`, then the `ParentCommandLine` log field is mapped to the `principal.process.command_line` UDM field. |
| User | principal.administrative_domain | The `principal_user_userid` and `principal_administrative_domain` fields are extracted from the `User` log field using the Grok pattern. If the `principal_administrative_domain` extracted field value is not empty and the `User` log field value is not empty, then the `principal_administrative_domain` extracted field is mapped to the `principal.administrative_domain` UDM field. Else, the `Domain` log field is mapped to the `principal.administrative_domain` UDM field. |
| Domain | principal.administrative_domain | The `principal_user_userid` and `principal_administrative_domain` fields are extracted from the `User` log field using the Grok pattern. If the `principal_administrative_domain` extracted field value is not empty and the `User` log field value is not empty, then the `principal_administrative_domain` extracted field is mapped to the `principal.administrative_domain` UDM field. Else, the `Domain` log field is mapped to the `principal.administrative_domain` UDM field. |
| HostName | principal.hostname | If the `Hostname` log field value is empty, then the `Computer` log field is mapped to the `principal.hostname` UDM field. Else, the `HostName` log field is mapped to the `principal.hostname` UDM field and the `Hostname` log field is mapped to the `principal.hostname` UDM field. |
| Computer | principal.hostname | If the `Hostname` log field value is empty, then the `Computer` log field is mapped to the `principal.hostname` UDM field. Else, the `HostName` log field is mapped to the `principal.hostname` UDM field and the `Hostname` log field is mapped to the `principal.hostname` UDM field. |
| HostName | principal.asset.hostname | If the `Hostname` log field value is empty, then the `Computer` log field is mapped to the `principal.asset.hostname` UDM field. Else, the `HostName` log field is mapped to the `principal.asset.hostname` UDM field and the `Hostname` log field is mapped to the `principal.asset.hostname` UDM field. |
| Computer | principal.asset.hostname | If the `Hostname` log field value is empty, then the `Computer` log field is mapped to the `principal.asset.hostname` UDM field. Else, the `HostName` log field is mapped to the `principal.asset.hostname` UDM field and the `Hostname` log field is mapped to the `principal.asset.hostname` UDM field. |
| SourceIp | principal.ip | If the `EventID` log field value is equal to `3`, then the `SourceIp` log field is mapped to the `principal.ip` UDM field. |
| SourcePort | principal.port | If the `EventID` log field value is equal to `3`, then the `SourcePort` log field is mapped to the `principal.port` UDM field. |
| ImageLoaded | principal.process.file.full_path | If the `EventID` log field value is equal to `6`, then the `ImageLoaded` log field is mapped to the `principal.process.file.full_path` UDM field. |
| Image | principal.process.file.full_path | If the `EventID` log field value contains one of the following values: the `Image` log field is mapped to the `principal.process.file.full_path` UDM field. |
| SourceImage | principal.process.file.full_path | If the `EventID` log field value contains one of the following values: the `SourceImage` log field is mapped to the `principal.process.file.full_path` UDM field. |
| ParentImage | principal.process.file.full_path | If the `EventID` log field value is equal to `1`, then the `ParentImage` log field is mapped to the `principal.process.file.full_path` UDM field. |
| ProcessId | principal.process.pid | If the `EventID` log field value contains one of the following values: `ExecutionProcessID` log field value is not empty, then the `ExecutionProcessID` log field is mapped to the `principal.process.pid` UDM field. Else, the `ProcessId` log field is mapped to the `principal.process.pid` UDM field. |
| SourceProcessId | principal.process.pid | If the `EventID` log field value is equal to `8`, then the `SourceProcessId` log field is mapped to the `principal.process.pid` UDM field. |
| ParentProcessId | principal.process.pid | If the `EventID` log field value is equal to `1`, then the `ParentProcessId` log field is mapped to the `principal.process.pid` UDM field. |
| ProcessID | observer.process.pid |  |
| ProcessGuid | principal.process.product_specific_process_id | If the `EventID` log field value contains one of the following values: the `principal.process.product_specific_process_id` UDM field is set to `SYSMON:%{ProcessGuid}`. |
| ParentProcessGuid | principal.process.product_specific_process_id | If the `EventID` log field value is equal to `1`, then the `principal.process.product_specific_process_id` UDM field is set to `SYSMON:%{ParentProcessGuid}`. |
| SourceProcessGuid | principal.process.product_specific_process_id | If the `EventID` log field value is equal to `8`, then the `principal.process.product_specific_process_id` UDM field is set to `SYSMON:%{SourceProcessGuid}`. |
| SourceProcessGUID | principal.process.product_specific_process_id | If the `EventID` log field value is equal to `10`, then the `principal.process.product_specific_process_id` UDM field is set to `SYSMON:%{SourceProcessGUID}`. |
| User | principal.user.userid | The `principal_user_userid` and `principal_administrative_domain` fields are extracted from the `User` log field using the Grok pattern. If the `EventID` log field value is not equal to `24`, and if the `principal_user_userid` extracted field value is not empty and the `User` log field value is not empty, then the `principal_user_userid` extracted field is mapped to the `principal.user.userid` UDM field. |
| ClientInfo | principal.user.userid | The `host` and `user_id` fields are extracted from the `ClientInfo` log field using the Grok pattern. If the `EventID` log field value is equal to `24`, and if the `user_id` extracted field value is not empty and the `ClientInfo` log field value is not empty, then the `user_id` extracted field is mapped to the `principal.user.userid` UDM field. Else, the `ClientInfo` log field is mapped to the `principal.user.userid` UDM field. |
| AccountName | principal.user.userid | The `principal_user_userid` and `principal_administrative_domain` fields are extracted from the `User` log field using the Grok pattern. If the `EventID` log field value is not equal to `24`, and if the `principal_user_userid` extracted field value is not empty and the `User` log field value is not empty, then the `principal_user_userid` extracted field is mapped to the `principal.user.userid` UDM field. Else, the `AccountName` log field is mapped to the `principal.user.userid` UDM field. |
| SourceUser | principal.user.userid |  |
| UserID | principal.user.windows_sid | If the `UserID` log field value matches the regular expression pattern `S-\d-(\d+-){1,14}\d+`, then the `UserID` log field is mapped to the `principal.user.windows_sid` UDM field. Else, if the `UserID` log field value is not equal to the `User` log field value, then the `UserID` log field is mapped to the `principal.user.attribute.labels[user_id]` UDM field. |
| Description | security_result.description | If the `EventID` log field value is equal to `255`, and if the `Description` log field value is not equal to `-`, then the `Description` log field is mapped to the `security_result.description` UDM field. |
| RuleName | security_result.rule_name |  |
| EventID | security_result.rule_name | The `security_result.rule_name` UDM field is set to `EventID: %{EventID}`. |
|  | security_result.severity | If the `Level` log field value contains one of the following values: `Level` log field value is equal to `Information`, then the `security_result.severity` UDM field is set to `INFORMATIONAL`. Else, if the `Level` log field value is equal to `2` or the `Level` log field value is equal to `Error`, then the `security_result.severity` UDM field is set to `ERROR`. If the `SeverityValue` log field value does not contain one of the following values: `SeverityValue` log field value contains one of the following values: the `security_result.severity` UDM field is set to `INFORMATIONAL`. Else, if the `SeverityValue` log field value is equal to `4`, then the `security_result.severity` UDM field is set to `ERROR`. Else, if the `SeverityValue` log field value is equal to `5`, then the `security_result.severity` UDM field is set to `CRITICAL`. |
| Category | about.labels[Category ID] | The `category_id` and `category_tag` fields are extracted from the `Category` log field using the Grok pattern. The `category_id` extracted field is mapped to the `about.labels.Category ID` UDM field. |
| QueryStatus | security_result.summary | If the `EventID` log field value is equal to `22`, then the `security_result.summary` UDM field is set to `QueryStatus: %{QueryStatus}`. |
| ID | security_result.summary | If the `EventID` log field value is equal to `255`, then the `ID` log field is mapped to the `security_result.summary` UDM field. |
| Category | security_result.summary | The `category_id` and `category_tag` fields are extracted from the `Category` log field using the Grok pattern. If the `category_id` extracted field value is not empty, then the `category_tag` extracted field is mapped to the `security_result.summary` UDM field. Else, the `Category` log field is mapped to the `security_result.summary` UDM field. |
| CurrentDirectory | additional.fields[current_directory] | If the `EventID` log field value is equal to `1`, then the `CurrentDirectory` log field is mapped to the `additional.fields.current_directory` UDM field. |
| OriginalFileName | src.file.full_path | If the `EventID` log field value is equal to `1`, then the `OriginalFileName` log field is mapped to the `src.file.full_path` UDM field. |
| TargetObject | src.registry.registry_key | If the `EventID` log field value is equal to `14`, then the `TargetObject` log field is mapped to the `src.registry.registry_key` UDM field. |
| Name | target.application | If the `EventID` log field value is equal to `19`, then the `Name` log field is mapped to the `target.application` UDM field. If the `EventID` log field value is equal to `255`, then the `target.application` UDM field is set to `Microsoft Sysmon`. |
| Description | target.asset.software.description | If the `EventID` log field value contains one of the following values: `Description` log field value is not equal to `-`, then the `Description` log field is mapped to the `target.asset.software.description` UDM field. |
| Product | target.asset.software.name | If the `EventID` log field value contains one of the following values: `Product` log field value is not equal to `-`, then the `Product` log field is mapped to the `target.asset.software.name` UDM field. |
| Company | target.asset.software.vendor_name | If the `EventID` log field value contains one of the following values: `Company` log field value is not equal to `-`, then the `Company` log field is mapped to the `target.asset.software.vendor_name` UDM field. |
| FileVersion | target.asset.software.version | If the `EventID` log field value contains one of the following values: `FileVersion` log field value is not equal to `-`, then the `FileVersion` log field is mapped to the `target.asset.software.version` UDM field. |
| EventNamespace | target.file.full_path | If the `EventID` log field value is equal to `19`, then the `EventNamespace` log field is mapped to the `target.file.full_path` UDM field. |
| Device | target.file.full_path | If the `EventID` log field value is equal to `9`, then the `Device` log field is mapped to the `target.file.full_path` UDM field. |
| TargetFilename | target.file.full_path | If the `EventID` log field value contains one of the following values: the `TargetFilename` log field is mapped to the `target.file.full_path` UDM field. |
| DestinationHostname | target.asset.hostname | If the `EventID` log field value is equal to `3`, then the `DestinationHostname` log field is mapped to the `target.asset.hostname` UDM field. |
| ClientInfo | target.asset.hostname | The `host` and `user_id` fields are extracted from the `ClientInfo` log field using the Grok pattern. The `target_ip` and `host` fields are extracted from the `ClientInfo` log field using the Grok pattern. If the `EventID` log field value is equal to `24`, then the `host` extracted field is mapped to the `target.asset.hostname` UDM field. |
| DestinationHostname | target.hostname | If the `EventID` log field value is equal to `3`, then the `DestinationHostname` log field is mapped to the `target.hostname` UDM field. |
| ClientInfo | target.hostname | The `host` and `user_id` fields are extracted from the `ClientInfo` log field using the Grok pattern. The `target_ip` and `host` fields are extracted from the `ClientInfo` log field using the Grok pattern. If the `EventID` log field value is equal to `24`, then the `host` extracted field is mapped to the `target.hostname` UDM field. |
| ClientInfo | target.ip | The `target_ip` and `host` fields are extracted from the `ClientInfo` log field using the Grok pattern. If the `EventID` log field value is equal to `24`, then the `target_ip` extracted field is mapped to the `target.ip` UDM field. |
| DestinationIp | target.ip | If the `EventID` log field value is equal to `3`, then the `DestinationIp` log field is mapped to the `target.ip` UDM field. |
| DestinationPort | target.port | If the `EventID` log field value is equal to `3`, then the `DestinationPort` log field is mapped to the `target.port` UDM field. |
| CommandLine | target.process.command_line | If the `EventID` log field value is equal to `1`, then the `CommandLine` log field is mapped to the `target.process.command_line` UDM field. |
| Configuration | target.process.command_line | If the `EventID` log field value is equal to `16`, and if the `ConfigurationFileHash` log field value contains one of the following values: the `Configuration` log field is mapped to the `target.process.command_line` UDM field. |
| ImageLoaded | target.process.file.full_path | If the `EventID` log field value is equal to `7`, then the `ImageLoaded` log field is mapped to the `target.process.file.full_path` UDM field. |
| TargetImage | target.process.file.full_path | If the `EventID` log field value contains one of the following values: the `TargetImage` log field is mapped to the `target.process.file.full_path` UDM field. |
| Image | target.process.file.full_path | If the `EventID` log field value contains one of the following values: the `Image` log field is mapped to the `target.process.file.full_path` UDM field. |
| Configuration | target.process.file.full_path | If the `EventID` log field value is equal to `16`, and if the `ConfigurationFileHash` log field value does not contain one of the following values: the `Configuration` log field is mapped to the `target.process.file.full_path` UDM field. |
| Hashes | target.process.file.md5 | The KV filter is used to extract the `MD5` from the `Hashes` log field. If the `EventID` log field value contains one of the following values: the `MD5` extracted field is mapped to the `target.process.file.md5` UDM field. |
| Hash | target.process.file.md5 | The KV filter is used to extract the `MD5` from the `Hash` log field. If the `EventID` log field value contains one of the following values: the `MD5` extracted field is mapped to the `target.process.file.md5` UDM field. |
| ConfigurationFileHash | target.process.file.md5 | The KV filter is used to extract the `MD5` from the `ConfigurationFileHash` log field. If the `EventID` log field value contains one of the following values: the `MD5` extracted field is mapped to the `target.process.file.md5` UDM field. |
| Hashes | target.process.file.sha1 | The KV filter is used to extract the `SHA1` from the `Hashes` log field. If the `EventID` log field value contains one of the following values: the `SHA1` extracted field is mapped to the `target.process.file.sha1` UDM field. |
| Hash | target.process.file.sha1 | The KV filter is used to extract the `SHA1` from the `Hash` log field. If the `EventID` log field value contains one of the following values: the `SHA1` extracted field is mapped to the `target.process.file.sha1` UDM field. |
| ConfigurationFileHash | target.process.file.sha1 | The KV filter is used to extract the `SHA1` from the `ConfigurationFileHash` log field. If the `EventID` log field value contains one of the following values: the `SHA1` extracted field is mapped to the `target.process.file.sha1` UDM field. |
| Hashes | target.process.file.sha256 | The KV filter is used to extract the `SHA256` from the `Hashes` log field. If the `EventID` log field value contains one of the following values: the `SHA256` extracted field is mapped to the `target.process.file.sha256` UDM field. |
| Hash | target.process.file.sha256 | The KV filter is used to extract the `SHA256` from the `Hash` log field. If the `EventID` log field value contains one of the following values: the `SHA256` extracted field is mapped to the `target.process.file.sha256` UDM field. |
| ConfigurationFileHash | target.process.file.sha256 | The KV filter is used to extract the `SHA256` from the `ConfigurationFileHash` log field. If the `EventID` log field value contains one of the following values: the `SHA256` extracted field is mapped to the `target.process.file.sha256` UDM field. |
| Hashes | target.process.file.file_metadata.pe.import_hash | The KV filter is used to extract the `IMPHASH` from the `Hashes` log field. The `IMPHASH` extracted field is mapped to the `target.process.file.file_metadata.pe.import_hash` UDM field. |
| Hash | target.process.file.file_metadata.pe.import_hash | The KV filter is used to extract the `IMPHASH` from the `Hash` log field. The `IMPHASH` extracted field is mapped to the `target.process.file.file_metadata.pe.import_hash` UDM field. |
| ConfigurationFileHash | target.process.file.file_metadata.pe.import_hash | The KV filter is used to extract the `IMPHASH` from the `ConfigurationFileHash` log field. The `IMPHASH` extracted field is mapped to the `target.process.file.file_metadata.pe.import_hash` UDM field. |
| TargetProcessId | target.process.pid | If the `EventID` log field value contains one of the following values: the `TargetProcessId` log field is mapped to the `target.process.pid` UDM field. |
| ProcessId | target.process.pid | If the `EventID` log field value contains one of the following values: `ExecutionProcessID` log field value is not empty, then the `ExecutionProcessID` log field is mapped to the `target.process.pid` UDM field. Else, the `ProcessId` log field is mapped to the `target.process.pid` UDM field. |
| ProcessID | target.process.pid | If the `EventID` log field value contains one of the following values: `ExecutionProcessID` log field value is not empty, then the `ExecutionProcessID` log field is mapped to the `target.process.pid` UDM field. Else, the `ProcessID` log field is mapped to the `target.process.pid` UDM field. |
| TargetProcessGuid | target.process.product_specific_process_id | If the `EventID` log field value is equal to `8`, then the `target.process.product_specific_process_id` UDM field is set to `SYSMON:%{TargetProcessGuid}`. |
| TargetProcessGUID | target.process.product_specific_process_id | If the `EventID` log field value is equal to `10`, then the `target.process.product_specific_process_id` UDM field is set to `SYSMON:%{TargetProcessGUID}`. |
| ProcessGuid | target.process.product_specific_process_id | If the `EventID` log field value contains one of the following values: the `target.process.product_specific_process_id` UDM field is set to `SYSMON:%{ProcessGuid}`. |
| NewName | target.registry.registry_key | If the `EventID` log field value is equal to `14`, then the `NewName` log field is mapped to the `target.registry.registry_key` UDM field. |
| TargetObject | target.registry.registry_key | If the `EventID` log field value contains one of the following values: the `TargetObject` log field is mapped to the `target.registry.registry_key` UDM field. |
| Details | target.registry.registry_value_data | If the `EventID` log field value is equal to `13`, then the `Details` log field is mapped to the `target.registry.registry_value_data` UDM field. |
| PreviousCreationUtcTime | target.resource.attribute.labels.key[PreviousCreationUtcTime] | If the `EventID` log field value is equal to `2`, then the `PreviousCreationUtcTime` log field is mapped to the `target.resource.attribute.labels` UDM field. |
| Archived | target.resource.attribute.labels[Archived] | If the `EventID` log field value contains one of the following values: the `Archived` log field is mapped to the `target.resource.attribute.labels` UDM field. |
| Consumer | target.resource.attribute.labels[Consumer] | If the `EventID` log field value is equal to `21`, then the `Consumer` log field is mapped to the `target.resource.attribute.labels` UDM field. |
| CreationUtcTime | target.resource.attribute.labels[CreationUtcTime] | If the `EventID` log field value contains one of the following values: the `CreationUtcTime` log field is mapped to the `target.resource.attribute.labels` UDM field. |
| IsExecutable | target.resource.attribute.labels[IsExecutable] | If the `EventID` log field value contains one of the following values: the `IsExecutable` log field is mapped to the `target.resource.attribute.labels` UDM field. |
| Name | target.resource.attribute.labels[Name] | If the `EventID` log field value is equal to `20`, then the `Name` log field is mapped to the `target.resource.attribute.labels` UDM field. |
| Operation | target.resource.attribute.labels[Operation] | If the `EventID` log field value contains one of the following values: the `Operation` log field is mapped to the `target.resource.attribute.labels` UDM field. |
| Signature | target.resource.attribute.labels[Signature] | If the `EventID` log field value contains one of the following values: the `Signature` log field is mapped to the `target.resource.attribute.labels` UDM field. |
| SignatureStatus | target.resource.attribute.labels[SignatureStatus] | If the `EventID` log field value contains one of the following values:
 SignatureStatuslog field is mapped to thetarget.resource.attribute.labelsUDM field. | 
| Signed | target.resource.attribute.labels[Signed] | If the EventIDlog field value contain one of the following values:
 Signedlog field is mapped to thetarget.resource.attribute.labelsUDM field. | 
| Type | target.resource.attribute.labels[Type] | If the EventIDlog field value is equal to20then,Typelog field is mapped to thetarget.resource.attribute.labelsUDM field. | 
| Type | additional.fields[Type] | If the EventIDlog field value is equal to25then,Typelog field is mapped to theadditional.fieldsUDM field. | 
| State | target.resource.name | If the EventIDlog field value is equal to4then,Statelog field is mapped to thetarget.resource.nameUDM field. | 
| CreationUtcTime | target.resource.name | If the EventIDlog field value is equal to11then,CreationUtcTimelog field is mapped to thetarget.resource.nameUDM field. | 
| PipeName | target.resource.name | If the EventIDlog field value contain one of the following values:
 PipeNamelog field is mapped to thetarget.resource.nameUDM field. | 
| Filter | target.resource.name | If the EventIDlog field value is equal to21then,Filterlog field is mapped to thetarget.resource.nameUDM field. | 
| Destination | target.resource.name | If the EventIDlog field value is equal to20then,Destinationlog field is mapped to thetarget.resource.nameUDM field. | 
| Query | target.resource.name | If the EventIDlog field value is equal to19then,Querylog field is mapped to thetarget.resource.nameUDM field. | 
| GrantedAccess | target.resource.name | If the EventIDlog field value is equal to10and if theGrantedAccesslog field value matches the regular expression pattern^0x0080$then, the target.resource.nameUDM field is set toPROCESS_CREATE_PROCESS.Else, If the GrantedAccesslog field value matches the regular expression pattern^0x0002$then, the target.resource.nameUDM field is set toPROCESS_CREATE_THREAD.Else, If the GrantedAccesslog field value matches the regular expression pattern^0x0040$then, the target.resource.nameUDM field is set toPROCESS_DUP_HANDLE.Else, If the GrantedAccesslog field value matches the regular expression pattern^0x0400$then, the target.resource.nameUDM field is set toPROCESS_QUERY_INFORMATION.Else, If the GrantedAccesslog field value matches the regular expression pattern^0x1000$then, the target.resource.nameUDM field is set toPROCESS_QUERY_LIMITED_INFORMATION.Else, If the GrantedAccesslog field value matches the regular expression pattern^0x0200$then, the target.resource.nameUDM field is set toPROCESS_SET_INFORMATION.Else, If the GrantedAccesslog field value matches the regular expression pattern^0x0100$then, the target.resource.nameUDM field is set toPROCESS_SET_QUOTA.Else, If the GrantedAccesslog field value matches the regular expression pattern^0x0800$and if theGrantedAccesslog field value matches the regular expression pattern^0x0001$then, the target.resource.nameUDM field is set toPROCESS_TERMINATE.Else, If the GrantedAccesslog field value matches the regular expression pattern^0x0008$then, the target.resource.nameUDM field is set toPROCESS_VM_OPERATION.Else, If the GrantedAccesslog field value matches the regular expression pattern^0x0010$then, the target.resource.nameUDM field is set toPROCESS_VM_READ.Else, If the GrantedAccesslog field value matches the regular expression pattern^0x0020$then, the target.resource.nameUDM field is set toPROCESS_VM_WRITE.Else, If the GrantedAccesslog field value matches the regular expression 
pattern^0x00100000L$then, the target.resource.nameUDM field is set toSYNCHRONIZE. | 
|  | target.resource.resource_type | If the EventIDlog field value contain one of the following values:
 target.resource.resource_typeUDM field is set toSETTING.Else, If EventIDlog field value contain one of the following values:
 target.resource.resource_typeUDM field is set toPIPE. | 
|  | target.resource.resource_subtype | If the EventIDlog field value is equal to11then, thetarget.resource.resource_subtypeUDM field is set toCreationUtcTime.Else, If EventIDlog field value is equal to10then, thetarget.resource.resource_subtypeUDM field is set toGrantedAccess.Else, If EventIDlog field value is equal to4then, thetarget.resource.resource_subtypeUDM field is set toState. | 
| TargetUser | target.user.userid | |
|  | network.direction | If the EventIDlog field value is equal to3then, thenetwork.directionUDM field is set toOUTBOUND. | 
|  | security_result.action | If the EventIDlog field value is equal to3then, thesecurity_result.actionUDM field is set toALLOW. | 
| ProviderGuid | observer.asset_id | ProviderGuidlog field is mapped to theobserver.asset_idUDM field. | 
| Keywords | additional.fields[Keywords] | |
| ThreadID | additional.fields[thread_id] | |
| ThreadID | additional.fields[ThreadID] | |
| Channel | additional.fields[channel] | |
| Opcode | additional.fields[Opcode] | |
| LogonId | principal.network.session_id | |
| LogonGuid | additional.fields[LogonGuid] | |
| TerminalSessionId | additional.fields[TerminalSessionId] | |
| SourcePortName | additional.fields[SourcePortName] | |
| SourceIsIpv6 | additional.fields[SourceIsIpv6] | |
| DestinationPortName | additional.fields[DestinationPortName] | |
| DestinationIsIpv6 | additional.fields[DestinationIsIpv6] | |
| Initiated | additional.fields[Initiated] | |
| SchemaVersion | additional.fields[SchemaVersion] | |
| CallTrace | additional.fields[CallTrace] | |
|  | network.application_protocol | If the EventIDlog field value is equal to22then, thenetwork.application_protocolUDM field is set toDNS. | 
| NewThreadId | additional.fields[NewThreadId] | |
| StartAddress | additional.fields[StartAddress] | |
| StartFunction | additional.fields[StartFunction] | |
| StartModule | additional.fields[StartModule] | |
| ParentUser | additional.fields[ParentUser] | |
| IntegrityLevel | target.process.integrity_level_rid | If the EventIDlog field value contain one of the following values:
 IntegrityLevellog field value matches the regular expression pattern(?i)(Untrusted)then, the   target.process.integrity_level_ridUDM field is set to0.Else, if IntegrityLevellog field value matches the regular expression pattern(?i)(Low)then, the   target.process.integrity_level_ridUDM field is set to4096.Else, if IntegrityLevellog field value matches the regular expression pattern(?i)(Medium)then, the   target.process.integrity_level_ridUDM field is set to8192.Else, if IntegrityLevellog field value matches the regular expression pattern(?i)(High)then, the   target.process.integrity_level_ridUDM field is set to12288.Else, if IntegrityLevellog field value matches the regular expression pattern(?i)(System)then, the   target.process.integrity_level_ridUDM field is set to16384.Else, if IntegrityLevellog field value matches the regular expression pattern(?i)(Protected)then, the   target.process.integrity_level_ridUDM field is set to20480. | 
| IntegrityLevel | principal.process.integrity_level_rid | If the EventIDlog field value does not contain one of the following values:
 IntegrityLevellog field value matches the regular expression pattern(?i)(Untrusted)then, the   principal.process.integrity_level_ridUDM field is set to0.Else, if IntegrityLevellog field value matches the regular expression pattern(?i)(Low)then, the   principal.process.integrity_level_ridUDM field is set to4096.Else, if IntegrityLevellog field value matches the regular expression pattern(?i)(Medium)then, the   principal.process.integrity_level_ridUDM field is set to8192.Else, if IntegrityLevellog field value matches the regular expression pattern(?i)(High)then, the   principal.process.integrity_level_ridUDM field is set to12288.Else, if IntegrityLevellog field value matches the regular expression pattern(?i)(System)then, the   principal.process.integrity_level_ridUDM field is set to16384.Else, if IntegrityLevellog field value matches the regular expression pattern(?i)(Protected)then, the   principal.process.integrity_level_ridUDM field is set to20480. | 
| Computer | additional.fields[Computer] | If the HostNamelog field value is not empty or theHostnamelog field value is not empty then,Computerlog field is mapped to theadditional.fields.ComputerUDM field. | 
| Task | security_result.summary | 
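To check how these conditional rules behave on real field values, here is an added example (not the Google Security Operations parser's own code) that reproduces the `GrantedAccess`, `IntegrityLevel`, IMPHASH and EventID 10 rules from the table above in Python; the event dict and its GUID are constructed placeholders, and the `Hash` field name is taken from the table as written.

```python
import re

# Anchored GrantedAccess regexes and the target.resource.name values the page
# documents for Sysmon EventID 10; each pattern matches one exact right only.
GRANTED_ACCESS_NAMES = [
    (r"^0x0080$", "PROCESS_CREATE_PROCESS"), (r"^0x0002$", "PROCESS_CREATE_THREAD"),
    (r"^0x0040$", "PROCESS_DUP_HANDLE"), (r"^0x0400$", "PROCESS_QUERY_INFORMATION"),
    (r"^0x1000$", "PROCESS_QUERY_LIMITED_INFORMATION"),
    (r"^0x0200$", "PROCESS_SET_INFORMATION"), (r"^0x0100$", "PROCESS_SET_QUOTA"),
    (r"^0x0008$", "PROCESS_VM_OPERATION"), (r"^0x0010$", "PROCESS_VM_READ"),
    (r"^0x0020$", "PROCESS_VM_WRITE"), (r"^0x00100000L$", "SYNCHRONIZE"),
]
# IntegrityLevel keywords (matched case-insensitively) and the RID assigned.
INTEGRITY_RIDS = [("Untrusted", 0), ("Low", 4096), ("Medium", 8192),
                  ("High", 12288), ("System", 16384), ("Protected", 20480)]

def granted_access_name(value):
    """Map a GrantedAccess string to the documented resource name, or None."""
    # The page's PROCESS_TERMINATE rule needs ^0x0800$ and ^0x0001$ on the same
    # value, which no single string satisfies; it is reproduced as written.
    if re.match(r"^0x0800$", value) and re.match(r"^0x0001$", value):
        return "PROCESS_TERMINATE"
    for pattern, name in GRANTED_ACCESS_NAMES:
        if re.match(pattern, value):
            return name
    return None  # combined masks such as 0x1FFFFF match no documented rule

def integrity_level_rid(level):
    """Map IntegrityLevel text to the RID the table assigns, or None."""
    for word, rid in INTEGRITY_RIDS:
        if re.search(r"(?i)(%s)" % word, level):
            return rid
    return None

def parse_kv_hashes(field):
    """KV filter for 'SHA256=...,IMPHASH=...' style hash fields."""
    return dict(p.split("=", 1) for p in field.split(",") if "=" in p)

def to_udm(event):
    """Apply the EventID 10 and IMPHASH rules from the table to one event dict."""
    udm = {}
    if event.get("EventID") == "10":
        udm["target.process.product_specific_process_id"] = "SYSMON:" + event["TargetProcessGUID"]
        udm["target.resource.resource_subtype"] = "GrantedAccess"
        name = granted_access_name(event.get("GrantedAccess", ""))
        if name:
            udm["target.resource.name"] = name
    if "Hash" in event:  # field name as given in the table
        imphash = parse_kv_hashes(event["Hash"]).get("IMPHASH")
        if imphash:
            udm["target.process.file.file_metadata.pe.import_hash"] = imphash
    return udm
```

Because every `GrantedAccess` pattern is anchored to a single right, a combined access mask yields no `target.resource.name`, which is worth knowing before writing detections on that field.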